Talk:IDPS: Difference between revisions
Littlebalup (talk | contribs) (added CECHP04 test results in IDPS vs minimum version test table) |
CelesteBlue (talk | contribs) |
||
Line 320: | Line 320: | ||
* there are 12 sections on PSP, unlike the 11 ones on PS3 EID0. | * there are 12 sections on PSP, unlike the 11 ones on PS3 EID0. | ||
===IDPS bytes 7-8 ( | === IDPS bytes 7-8 (Product Sub Code) and relationship with minimun firmware version === | ||
*Read the talk [http://www.psx-place.com/threads/where-is-stored-the-minimum-version-given-by-minverchk-pup.19393/page-3#post-134263 here] | |||
*This table was originated from [[TemplateTest#Generic Tables]]. | *Read the talk [http://www.psx-place.com/threads/where-is-stored-the-minimum-version-given-by-minverchk-pup.19393/page-3#post-134263 here]. | ||
*This table was originated from [[TemplateTest#Generic Tables]]. Sadly there is not enough info in wiki yet to know accurately which motherboard belongs to every PS3 superslim model. For more info about motherboard models see:[[Motherboard Revisions]]. | |||
*The PS3 model type value inside the superslim tables on [[SKU Models]] seems to be wrong and outdated !!! (but dont change it yet, lets take some time to review this before doing a change so important in wiki) | *The PS3 model type value inside the superslim tables on [[SKU Models]] seems to be wrong and outdated !!! (but dont change it yet, lets take some time to review this before doing a change so important in wiki) | ||
Revision as of 18:08, 31 January 2019
IDPS Examples
The examples are ordered based in priority: first "PS3 model" (byte 8), second "chassis check" (byte 9), and third "target id" (byte 6).
The reason of why ordering the examples this way is because "PS3 model" is known, and "Chasis Check" is the only thing left we can deduce from the examples...
IDPS | 6th byte |
Target ID | 8th byte |
PS3 Model | Chassis Check | Notes |
---|---|---|---|---|---|---|
00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D |
0x81 | TOOL Reference Tool or SD System Debugger / DECR | 0x01 | DECR-1000(A/J) / DEH-Z1010 (TMU-520) | 03 FF | Static Dummy IDPS |
00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x01 | CECHA (COK-001) | 04 00 (1) | |
00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2 |
0x8A | CEX Retail or SHOP Kiosk - South Asia / CECH | 0x01 | CECHA (COK-001) | 10 00 (4) | |
00 00 00 01 00 84 00 01 10 19 15 0C 45 9F 1C 2A |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x01 | CECHA (COK-001) | 10 19 (4) | |
00 00 00 01 00 84 00 01 10 1B 23 A2 EA C6 4D D0 |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x01 | CECHA (COK-001) | 10 1B (4) | |
00 00 00 01 00 84 00 02 10 01 15 ED DE D8 06 8B |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x02 | CECHB (COK-001) | 10 01 (4) | |
00 00 00 01 00 85 00 03 10 00 3D F9 65 97 B6 EA |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x03 | CECHC (COK-002) | 10 00 (4) | |
00 00 00 01 00 85 00 03 10 11 62 95 56 FF DB FD |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x03 | CECHC (COK-002) | 10 11 (4) | |
00 00 00 01 00 A0 00 04 04 00 04 1B 13 AB 46 25 |
0xA0 | ARC Arcade / GECR | 0x04 | GECR-1100 (COK-002) | 04 00 (1) | (COK-002 without Bluetooth/Wifi) |
00 00 00 01 00 ?? 00 04 ?? ?? ?? ?? ?? ?? ?? ?? |
? | ? | 0x04 | CECHE | ?? | |
00 00 00 01 00 85 00 05 04 00 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x05 | CECHG (SEM-001) | 04 00 (1) | |
00 00 00 01 00 85 00 05 04 00 33 A3 44 9D 57 2B |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x05 | CECHG (SEM-001) | 04 00 (1) | |
00 00 00 01 00 8C 00 05 10 00 D1 F3 55 2D DA BC |
0x8C | CEX Retail or SHOP Kiosk - Russia / CECH | 0x05 | CECHG (SEM-001) | 10 00 (4) | |
00 00 00 01 00 85 00 05 10 01 5F 01 12 FF 56 4F |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x05 | CECHG (SEM-001) | 10 01 (4) | |
00 00 00 01 00 87 00 05 10 02 3A 2D 53 AF 66 28 |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x05 | CECHG (SEM-001) | 10 02 (4) | |
00 00 00 01 00 87 00 05 10 0A EE 67 DD 75 86 DA |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x05 | CECHG (SEM-001) | 10 0A (4) | (original label stated CECHC model!) |
00 00 00 01 00 85 00 05 14 02 F7 06 9F 10 B6 22 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x05 | CECHG (SEM-001) | 14 02 (5) | |
00 00 00 01 00 85 00 05 14 09 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x05 | CECHG (SEM-001) | 14 09 (5) | |
00 00 00 01 00 85 00 05 14 0E F0 DF DC DD 5E 56 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x05 | CECHG (SEM-001) | 14 0E (5) | |
00 00 00 01 00 84 00 05 F4 00 41 86 55 9B D3 52 |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x05 | CECHG (SEM-001) | F4 00 (0) | |
00 00 00 01 00 87 00 05 F4 01 E9 4F 17 DB D9 5D |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x05 | CECHG (SEM-001) | F4 01 (0) | |
00 00 00 01 00 85 00 06 04 00 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x06 | CECHH/CECHH (DIA-001) | 04 00 (1) | |
00 00 00 01 00 ?? 00 06 ?? ?? ?? ?? ?? ?? ?? ?? |
? | ? | 0x06 | CECHH/CECHH (DIA-001) | ||
00 00 00 01 00 85 00 07 04 00 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x07 | CECHJ/CECHK (DIA-002) | 04 00 (1) | |
00 00 00 01 00 87 00 07 10 00 A3 15 8F 61 36 85 |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x07 | CECHJ/CECHK (DIA-002) | 10 00 (4) | |
00 00 00 01 00 85 00 07 14 02 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x07 | CECHJ/CECHK (DIA-002) | 14 02 (5) | |
00 00 00 01 00 85 00 07 14 03 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x07 | CECHJ/CECHK (DIA-002) | 14 03 (5) | |
00 00 00 01 00 A0 00 08 04 00 13 69 BC E4 78 80 |
0xA0 | ARC Arcade / GECR | 0x08 | GECR-1500 (VER-001) | 04 00 (1) | (VER-001 without Bluetooth/Wifi) |
00 00 00 01 00 85 00 08 10 05 52 88 E8 AF 75 0D |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | 10 05 (4) | |
00 00 00 01 00 85 00 08 10 07 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | 10 07 (4) | |
00 00 00 01 00 85 00 08 10 0C XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | 10 0C (4) | |
00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | 14 01 (5) | |
00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C |
0x89 | CEX Retail or SHOP Kiosk - Australia & New Zealand / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | 14 01 (5) | |
00 00 00 01 00 85 00 08 14 08 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | 14 08 (5) | |
00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7 |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | 14 0B (5) | |
00 00 00 01 00 84 00 08 14 11 D8 06 97 94 B6 80 |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | 14 11 (5) | |
00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x08 | CECHL/CECHM/CECHP/CECHQ (VER-001) | F4 01 (0) | |
00 00 00 01 00 85 00 09 10 01 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | 10 01 (4) | |
00 00 00 01 00 85 00 09 10 0A 27 3E 8E 1D DF 65 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | 10 0A (4) | |
00 00 00 01 00 85 00 09 10 0B XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | 10 0B (4) | |
00 00 00 01 00 85 00 09 10 0D XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | 10 0D (4) | |
00 00 00 01 00 85 00 09 10 14 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | 10 14 (4) | |
00 00 00 01 00 85 00 09 10 1B 69 BD CA CC BE 85 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | 10 1B (4) | |
00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x09 | CECH20xx (DYN-001) | 10 1C (4) | |
00 00 00 01 00 85 00 09 10 1D XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | 10 1D (4) | |
00 00 00 01 00 85 00 09 10 22 4D 7A 32 A4 11 F4 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | 10 22 (4) | |
00 00 00 01 00 85 00 09 14 0C XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | 14 0C (5) | |
00 00 00 01 00 85 00 09 14 12 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | 14 12 (5) | |
00 00 00 01 00 85 00 09 F4 02 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x09 | CECH20xx (DYN-001) | F4 02 (0) | Refurbished |
00 00 00 01 00 85 00 0A 14 03 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x0A | CECH21xx (SUR-001) | 14 03 (5) | |
00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17 |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x0A | CECH21xx (SUR-001) | 14 05 (5) | |
00 00 00 01 00 A0 00 0B 04 00 XX XX XX XX XX XX |
0xA0 | ARC Arcade / GECR | 0x0B | GECR-2500 (JTP-001/JSD-001) | 04 00 (1) | |
00 00 00 01 00 85 00 0B 10 07 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | 10 07 (4) | |
00 00 00 01 00 85 00 0B 10 18 EC 96 E4 A8 BE EF |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | 10 18 (4) | |
00 00 00 01 00 8C 00 0B 14 00 E1 1D 11 03 C8 65 |
0x8C | CEX Retail or SHOP Kiosk - Russia / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | 14 00 (5) | used by PS-Unban |
00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 |
0x89 | CEX Retail or SHOP Kiosk - Australia & New Zealand / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | 14 00 (5) | |
00 00 00 01 00 85 00 0B 14 02 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | 14 02 (5) | |
00 00 00 01 00 85 00 0B 14 05 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | 14 05 (5) | |
00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76 |
0x89 | CEX Retail or SHOP Kiosk - Australia & New Zealand / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | 14 05 (5) | |
00 00 00 01 00 87 00 0B 14 0C 84 81 81 33 FA 68 |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | 14 0C (5) | |
00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | 14 0E (5) | |
00 00 00 01 00 85 00 0B 14 15 XX XX XX XX XX XX |
0x85 | CEX Retail or SHOP Kiosk - Europe / CECH | 0x0B | CECH25xx (JTP-001/JSD-001) | 14 15 (5) | |
00 00 00 01 00 84 00 0C 10 11 21 52 A6 EB 62 10 |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x0C | CECH30xx (KTE-001) | 10 11 (4) | used by PS-Unban |
00 00 00 01 00 84 00 0C 10 19 15 0C 45 9F 1C 2A |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x0C | CECH30xx (KTE-001) | 10 19 (4) | used by PS-Unban |
00 00 00 01 00 84 00 0C 10 22 CE B2 EB 40 D9 EB |
0x84 | CEX Retail or SHOP Kiosk - USA / CECH | 0x0C | CECH30xx (KTE-001) | 10 22 (4) | |
00 00 00 01 00 87 00 0C 14 06 C3 90 35 41 45 18 |
0x87 | CEX Retail or SHOP Kiosk - United Kingdom / CECH | 0x0C | CECH30xx (KTE-001) | 14 06 (5) | |
00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F |
0x8C | CEX Retail or SHOP Kiosk - Russia / CECH | 0x0C | CECH30xx (KTE-001) | 14 0E (5) | |
00 00 00 01 00 89 00 0D 14 00 93 75 A9 00 4C 96 |
0x89 | CEX Retail or SHOP Kiosk - Australia & New Zealand / CECH | 0x0D | CECH40xx (MPX-001/MSX-001) | 14 00 (5) |
- Chasis check speculation (bytes 9th and 10th):
- 9th byte (most common: 0x04, 0x10, 0x14, 0xF4), 0x03 in the "Dummy IDPS"
- 10th byte (seems to be a counter, biggest value found 0x22), 0xFF in the "Dummy IDPS"
- Next 6 bytes speculation
- 11th and 12th: (FF in the "Dummy IDPS")
- 13th, 14th, 15th, 16th: per console identifyer ? a hash / encryption of previous bytes ?
IDPS | 6th byte |
Target ID | 8th byte |
PS3 Model | Notes |
---|---|---|---|---|---|
00 00 00 01 00 80 00 01 xx xx xx xx xx xx xx xx |
0x80 | NOT IN USE | 0x01 | DECHSA00A/J (COK-001) | - |
00 00 00 01 00 82 00 01 xx xx xx xx xx xx xx xx |
0x82 | DEX AV TEST DTCP-IP Debug / AV Tool / DTCP-IP Debugger / DECH / DECHS | 0x01 | DECHSA00A/J (COK-001) |
AV Testing Tool labeled as DECHSA00A |
00 00 00 01 00 82 00 01 xx xx xx xx xx xx xx xx |
0x82 | DEX AV TEST DTCP-IP Debug / AV Tool / DTCP-IP Debugger / DECH / DECHS | 0x01 | DECHA00A/J (COK-001) | - |
00 00 00 01 00 8A 00 01 xx xx xx xx xx xx xx xx |
0x8A | CEX Retail or SHOP Kiosk - South Asia / CECH | 0x01 | CECHA (COK-001) | - |
00 00 00 01 00 8B 00 01 xx xx xx xx xx xx xx xx |
0x8B | CEX Retail or SHOP Kiosk - Taiwan / CECH | 0x01 | CECHA (COK-001) | - |
00 00 00 01 00 83 00 01 xx xx xx xx xx xx xx xx |
0x83 | CEX Retail or SHOP Kiosk - Japan / CECH | 0x01 | CECHA (COK-001) | - |
00 00 00 01 00 86 00 04 xx xx xx xx xx xx xx xx |
0x86 | CEX Retail or SHOP Kiosk - Korea / CECH | 0x04 | CECHE (COK-002/COK-002W) | - |
00 00 00 01 00 88 00 04 xx xx xx xx xx xx xx xx |
0x88 | CEX Retail or SHOP Kiosk - Mexico / CECH | 0x04 | CECHE (COK-002/COK-002W) | - |
00 00 00 01 00 8D 00 0C xx xx xx xx xx xx xx xx |
0x8D | CEX Retail or SHOP Kiosk - China / CECH | 0x0C | CECH30xx (KTE-001) | - |
00 00 00 01 00 8F 00 0E xx xx xx xx xx xx xx xx |
0x8F | CEX Retail or SHOP Kiosk - Brazil / CECH | 0x0E | non existant | - |
IDPS Regex
0{7}10{2}8[456789ACE]000[6789ABCD][01F][04][0123][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF]
Based on 300+ dumps
IDPS rms blogtext
You’re probably wondering: “What the hell is this sequence of bytes?”. This is the IDPS, a sequence of bytes which is used as a unical per console ID. This structure is relatively undocumented until now, anyway. The IDPS is contained in EID0. EID0 is on the console internal flash as the file eEID and has multiple sections. I had made a splitter application to make your life easier a long time ago. Now, EID is decrypted by metldr, and is passed over to the isolated loader, which may pass it to a self. We can see this in graf_chokolo’s original payload. The IDPS is also used in various other parts of the system which could be of interest to you, but I will not discuss those right now.
The IDPS contains the console's Target ID, motherboard revision and another chassis revision. The first IDPS shown at the beginning of this article is the dummy IDPS, the one that’s used when your IDPS fails to be decrypted. That IDPS belongs to a DECR-1000A. The one below belongs to a European PS3, and the one below that belongs to a Australian/NZ PS3.
Source: http://rmscrypt.wordpress.com/2011/05/16/idps-what-the-hell-is-that-thing/
Note: The Reference Tool IDPS from above is static. aim_iso uses it. Retail/3.55 doesn't have it.
Change HWID
Theory: If you give a slim console a fat IDPS, would that console have 3.15 OtherOS functionality?
I would say it would, because most likely the check is done in firmware to either en/disable that option. However, it would still require a console that can be downgraded to that version (only CECH-20xx/DYN-001, because CECH-21xx/SUR-001 use different drivers for RSX). So classic OtherOS on a CellBE 45nm/RSX 40nm would be impossible (of course you can use OtherOS++).
[Homebrew-App] PS3 Model Detection
http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/
Dumping PS3 Model Data: - PS3 System Target ID: 0x85 (Retail - Europe) - PS3 Motherboard Revision: 0x0B (JTP-001 Motherboard, Revision 1) - PS3 BD-Laser Revision: 0x04 (KES-400, SACD supported) Probable Model: CECH-2504A Raw Model Data: Byte 0: 0x00 Byte 1: 0x01 Byte 2: 0x00 Byte 3: 0x85 Byte 4: 0x00 Byte 5: 0x0B Byte 6: 0x00 Byte 7: 0x04
footnotes:
- '7th byte of IDPS' is not Bluray Drive (it was misunderstood at that time). You can see it in the example where it names incorrectly a CECH-25xx as Super Audio CD compatible with a KES-400 laserslide (which in real life has either KES-460A or KES-470A without daughterboard (swap can be done without remarry).
- also, it named bytes 0-2 "Byte 0", byte 3 "Byte 1", byte 4 "Byte 2", byte 5 "Byte 3", byte 6 "Byte 4", byte 7 "Byte 5", byte 8 "Byte 6", byte 9 "Byte 7" etc.
[Homebrew-App] IDPS Viewer
http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer
- Displays the IDPS
- Shows Target ID
- Displays Motherboard revision
- Save IDPS (16 bytes from EID) in dev_hdd0/IDPS.bin file
hypothesis
the way I see it:
00 00 00 01 <- magic
00 89 <- target id
00 0B <- model revision
14 <- chassis check
00 <- unk0, FF in the dummy IDPS
EF DD <- unk1, FF FF in the dummy IDPS
CA 25 <- unk2
52 66 <- unk3
Chassis Check
The Chassis Check seems to be still a secret, or at least it's not 100% clear what it represents.
so my immediate question was of course: if it's not clear what this means, how does the scene even know that it's called "Chassis Check" at all? where does this information come from?
answer: according to the analysis of many different models of PSP, PS3 and PS3, it is clear that the only possible values are 0x3 0x4, 0xC, 0x10, 0x14 and 0xF4.
- Doing right shift by 2 results in:
- 0x3 >> 2 gives 0
- 0x4 >> 2 gives 1
- 0xC >> 2 gives 3
- 0x10 >> 2 gives 4
- 0x14 >> 2 gives 5
- the exception is 0xF4 >> 2 gives 61...
we clearly see that most of models released at the same period have the same Chassis Check, and we can see that the more the console is released late, so more it has a high Chassis Check
and second: how is the current state (or former experience) with bruteforcing the IDPS from the IDPS hash of a PARAM.SFO file (second hash iirc). I mean most of the information is known so in the best case you chose your region and model and only have to bruteforce the last six bytes (if the Chassis Check was known better).
if the scene could establish some kind of standard or BF blueprint, like a blank PARAM.SFO of the PS3 singstar app, which should look the same on every console, someone could even work on a rainbow table for IDPS.
just some thoughts from someone who just entered the PS3 dev scene, so don't be too harsh please ;)
- You can verify the IDPS of a PS3 console through 2 ways : param.sfo of savedata or HDD backup from PS3.
- wasn't there also the possibility to read some deviceid file from the PS Store app (given you got root access to the hdd, thanks to ps3xploit) ?
- the easiest would be of course param.sfo of savedata, by manually verifying a certain sha1-hmac made from the file PARAM.PFD with idps as key. you'd need to bruteforce at least 8 bytes (or almost 8 bytes, if you could take care of all the possibilities for Chassis Check)
- exactly, i was just looking into that and did a small PoC in c#, which BFs my IDPS. But even with all optimizations (especially for C#) and running on all cores with parallelization it isn't really THAT fast. Moreover, I even cheated and only bruteforced the last six bytes of my (known) IDPS. It's currently still running xD.
- using openCL would help, because graphic cards are naturally faster than CPUs
- my idea, too. currently looking into that, but I never worked with openCL before and can't even find a hmac/sha1 kernel for openCL. like nobody every did that before ... ;) edit: https://searchcode.com/codesearch/view/45893397/ ?
but surely someone from the scene was or is already working on something like that? i basically search for people to share experiences or even try to build something together. anyone, bueller?
- nobody is working on it but I had the idea once. Btw, if you're thinking into profitting from this, I assure you I won't help you further xD. I guess you'll have to learn some openCL on the way :P
- wanted to look into opencl for quite some time now, anyways. there were more than one or two occasions where it would've come in handy down the road. oh and i'm absolutely not planning on making profit in any way with this, honest! perhaps we could continue this discussion somewhere more fitting? another dev from the scene told me, that the efnet channel would be a good place?
- i'm zecoxao on skype, notzecoxao on Twitter. Contact me if you wish :)
- Is this something that's still being looked into? My old PS3 received the YLOD, however I have a hard drive backup of it, but not longer have the actual unit, but I do have a new PS3. I want to recover all my data to my new PS3, but need to be able to dump all the data from archive2.dat to create a fresh backup with all the data to restore to the new unit. Anyone have any suggestions or know of a way I could crack the IDPS used to encrypt my backup ?
PSP FallBack IDPS
00000001008100010C4000B10E696978
Found into the emulator_drm.sprx (iso self inside)
IDPS Generation on PSP
- some PSP JigKick files contain information on how to (re)generate idstorage leaves
- DespertarDelCementerio v7 also contains information about idstorage (re)generation.
- the most significant module used by DCv7 used to do this is idsregeneration.prx
(see DCv7 src code https://github.com/mathieulh/Despertar-Del-Cementerio/tree/master/idsregeneration).
- you can see a plethora of "templates" which are used for the generation of the idstorage sections.
- the idstorage regeneration requires 2, probably more parameters -> Region, MAC Address, and likely a timestamp of sorts.
- on ps3 the generation method wasn't found on the JigKick firmware files (and selfs). however, it seems that factory still does this, but by accessing a server, so the information cannot be deduced anymore unless there's access to the server.
- together with the idps (called PSID on PSP), the openPSID is also generated on PSP (written to IdStorage).
- there are 12 sections on PSP, unlike the 11 ones on PS3 EID0.
IDPS bytes 7-8 (Product Sub Code) and relationship with minimun firmware version
- Read the talk here.
- This table was originated from TemplateTest#Generic Tables. Sadly there is not enough info in wiki yet to know accurately which motherboard belongs to every PS3 superslim model. For more info about motherboard models see:Motherboard Revisions.
- The PS3 model type value inside the superslim tables on SKU Models seems to be wrong and outdated !!! (but dont change it yet, lets take some time to review this before doing a change so important in wiki)
PS3 Model | Mother Board | PS3 model type (IDPS bytes 7 & 8) |
Minimal firmware reported by minverchk.pup when changing IDPS bytes 7 & 8 in EID0 (spoofing LV2 has no influences) | |||
---|---|---|---|---|---|---|
CECHC04 4.82 | CECHP04 4.82 | CECH-2004B 3.55 | CECH-2004B 4.82 | |||
CECHAxx | COK-001 | 0x0001 | 1.00 | 1.97 (mismatch) | 1.97 (mismatch) | 1.97 (mismatch) |
CECHBxx | 0x0002 | 1.00 | 1.97 (mismatch) | 1.97 (mismatch) | 1.97 (mismatch) | |
CECHCxx | COK-002 | 0x0003 | 1.00 (original) | 1.97 (mismatch) | 1.97 (mismatch) | 1.97 (mismatch) |
CECHExx | 0x0004 | 1.00 | 1.97 (mismatch) | 1.97 (mismatch) | 1.97 (mismatch) | |
CECHGxx | SEM-001 | 0x0005 | 1.90 | 1.97 (mismatch) | 1.97 (mismatch) | 1.97 (mismatch) |
CECHHxx | DIA-001 | 0x0006 | 1.97 | 1.97 | 1.97 | 1.97 |
CECHJxx | DIA-002 | 0x0007 | 2.16 | 2.16 | 2.16 | 2.16 |
CECHKxx | ||||||
CECHLxx | VER-001 | 0x0008 | 2.45 | 2.45 (original) | 2.45 | 2.45 |
CECHMxx | ||||||
CECHPxx | ||||||
CECHQxx | ||||||
CECH-20xxA/B | DYN-001 | 0x0009 | 2.70 | 2.70 | 2.70 (original) | 2.70 (original) |
CECH-21xxA/B | SUR-001 | 0x000A | 3.20 | 3.20 | 3.20 | 3.20 |
CECH-25xxA/B | JTP-001 | 0x000B | 3.40 | 3.40 | 3.40 | 3.40 |
JSD-001 | ||||||
CECH-30xxA/B | KTE-001 | 0x000C | 3.65 | 3.65 | 3.55 (actual) | 3.65 |
CECH-40xxB/C v1 | ? | 0x000D | 4.15 | 4.15 | 3.55 (actual) | 4.15 |
CECH-40xxA v1 | ? | 0x000E | 4.20 | 4.20 | 3.55 (actual) | 4.20 |
CECH-40xxB/C v2 | ? | 0x000F | 4.20 | 4.20 | 3.55 (actual) | 4.20 |
CECH-40xxA v2 | ? | 0x0010 | 4.20 | 4.20 | 3.55 (actual) | 4.20 |
CECH-42xxB/C | ? | 0x0011 | 4.40 | 4.40 | 3.55 (actual) | 4.40 |
CECH-42xxA | ? | 0x0012 | 4.40 | 4.40 | 3.55 (actual) | 4.40 |
CECH-43xxB/C | ? | 0x0013 | 4.50 | 4.50 | 3.55 (actual) | 4.50 |
CECH-43xxA | ? | 0x0014 | 4.50 | 4.50 | 3.55 (actual) | 4.50 |
N/A | N/A | 0x0000 0x0015 to 0x0017 0x001F 0x00FF |
4.82 (actual) | 4.82 (actual) | 3.55 (actual) | 4.82 (actual) |
N/A | N/A | 0x0018 to 0x001E 0x0020 to 0x008E 0x0091 to 0xAFFF 0xFFFF |
untested | untested | untested | 4.82 (actual) |
N/A (arcade, unknown model) | N/A | 0x008F 0x0090 |
untested | 4.31 | untested | 4.31 |