User talk:Zecoxao: Difference between revisions
Line 258: | Line 258: | ||
|- | |- | ||
| IV || 00000000000000000000000000000000 || SW IV | | IV || 00000000000000000000000000000000 || SW IV | ||
|- | |||
| Key || 0E65378199BE4517AB06EC22451A5793 || MD5 Blanker | |||
|- | |- | ||
|} | |} |
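Review bot: the added "MD5 Blanker" row does not say what the value applies to or how it is used. Its Type is given as "Key" while the description names a hash function, and unlike the neighbouring "SW IV" row it has no matching entry to pair it with. A few words in the description column, or a link to the page that documents it, would make the row usable.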
Revision as of 00:56, 6 May 2020
The Last Piece of the Puzzle
- http://www.psdevwiki.com/ps3/Syscon_Hardware (<SW-301)
- http://www.psdevwiki.com/ps3/Service_Connectors (Diag/Backup Mode, <3rd Generation)
- http://www.psdevwiki.com/ps3/Talk:Syscon_Hardware#Backup_Mode_.2F_Diag
- http://www.psdevwiki.com/ps3/Talk:Service_Connectors
- http://www.ps3devwiki.com/ps3/Cell_Configuration_Ring
- http://www.psdevwiki.com/ps3/SIG_File_Format
- http://i.imgur.com/xQizq0K.png
- http://www.psdevwiki.com/ps3/images/a/ac/TMU-520_1-871-645-11_A_Detail_3_%28SYSCON%29.jpg
- http://www.psdevwiki.com/ps3/File:PS3_Service_Connector_1st_Generation_COK-001.png
- http://en.wikipedia.org/wiki/ARM7#ARM7TDMI
- http://www.fpga4fun.com/images/JTAG_TAP.gif
- http://hsb.wikidot.com/arduino-jtag-finder-workshop
- https://www.youtube.com/watch?v=Up0697E5DGc
- http://urjtag.org/
- http://i.imgur.com/O10hqAK.png
- http://pastie.org/private/grd5u9izjlglkult64rta
- http://psx-scene.com/forums/f149/brick-recovery-research-74903/index37.html#post786487
- http://i.imgur.com/o9R0YjJ.jpg
- https://www.sendspace.com/file/qzq6a4 (Patent Explaining DECR SYSCON)
- https://imgur.com/a/pR0a4 (Messages from mullion indicating erasing of User Program Area before updating)
Vita Shenanigans
BGA Test Pins (for 100 and 64 pin config)

Pin | 100-pin | 64-pin |
---|---|---|
TOOL0 | D8 | D6 |
TOOL1 | E7 | E6 |
FLMD0 | F9 | E8 |
RESET | G9 | E7 |

CL Pad to Syscon (IRS-002) (78K0R): F5 F6 F9 F10 G10 H1 H4 J3 J10
DYN-001 Shenanigans
- https://imgur.com/OJbWsPZ
- https://imgur.com/z5zhedg
- VDD Feeds to 5 different pins, as opposed to ARM BGA VDD.
- Needs a large number of samples and a proper alignment
- https://www.sendspace.com/file/lofkfo
PSP Shenanigans
D780032AY (TMU-001/TMU-002)

ROM: 16 KB, RAM: 512 B (see D790019)

D790019 (TA-079/TA-081)

Part | ROM | RAM |
---|---|---|
D780021AY/D780031AY | 8 KB | 512 B |
D780022AY/D780032AY | 16 KB | 512 B |
D780023AY/D780033AY | 24 KB | 1 KB |
D780024AY/D780034AY | 32 KB | 1 KB |
D78F0034AY/D78F0034BY | 32 KB | 1 KB |

Tools: IE-78K0-NS, IE-78K0-NS-A, IE-78K0-NS-PA, IE-780034-NS-EM1, IE-78001-R-A, IE-78K0-R-EX1, PG-FP3, PG-FP4

D79F0036 (TA-082/TA-086)

Part | ROM | RAM | ERAM |
---|---|---|---|
D78F0531/D78F0531A | 16 KB | 768 B | - |
D78F0532/D78F0532A | 24 KB | 1 KB | - |
D78F0533/D78F0533A | 32 KB | 1 KB | - |
D78F0534/D78F0534A | 48 KB | 1 KB | 1 KB |
D78F0535/D78F0535A | 60 KB | 1 KB | 2 KB |
D78F0536/D78F0536A | 96 KB | 1 KB | 4 KB |
D78F0537/D78F0537A | 128 KB | 1 KB | 6 KB |
D78F0537D/D78F0537DA | 128 KB | 1 KB | 6 KB |

Tools: QB-78K0KX2, QB-MINI2, E1, E20, PG-FP4, PG-FP5, PG-FP6

D79F???? (TA-085)

"custom" 84-pin 78K0 based on D79F0036 (see D79F0036)

Service/Debug Testpoints

Testpoint | TA-081 | TA-082/TA-086 | TA-085 |
---|---|---|---|
CL3001 | VDD | VDD | VDD |
CL3002 | RxD | RxD | RxD |
CL3003 | TxD | TxD | TxD |
CL3004 | IC/VPP | FLMD0 | FLMD0 |
CL3005 | RESET | RESET | RESET |
CL3006 | GND | OCD0B | OCD0B |
CL3007 | - | OCD0A | OCD0A |
CL3008 | - | VDD (R3037) | - |
CL3009 | - | GND | GND |
CL3010 | - | P01 | - |
CL3011 | - | P22 | - |
CL3012 | - | CPU_RESET | - |
CL3013 | - | LEPTON_RST | - |
CL3014 | - | POMMEL_ALERT | - |
How
- By enabling diagnostic mode on the ps3, we can enable the use of JTAG again (it's temporarily disabled when diag mode isn't set)
- It is possible to dump the syscon firmware using this method (in unencrypted state)
- The JTAG registers/TAP-controllers need to be bruteforced / reverse engineered
- The leaked service manuals present information about the pins connected to the JigPin
- The ObjectiveSuite contains an object (DIAGSERVICE) used to diagnose the ps3 using JTAG
- Using a DIY JigPin would facilitate the task, but we still need more info about the hardware and software interface used by ObjectiveSuite to handle this.
- This would probably work on ps4 too (provided that the diag pin and the JTAG pins still exist)
- f0f's method is a viable way to get the ROM from later syscons
- tx function can be produced and it's not required for bruteforcing
- ocd flag is located somewhere in the second SFR area (which covers 0x800 bytes, minus already documented flags)
- code base is located somewhere in the backup ram (0x800 bytes) or in the second SFR area (0x800 bytes)
- second SFR area ranges from 0xF0000 to 0xF0800
- backup ram ranges from 0xF0800 to 0xF1000
- ocd flag is likely 0xF07F5 since the other SFRs are the same from RL78 to 78K0R
- 486 registers from the 2nd SFR range are publicly documented (https://www.youtube.com/watch?v=FdveKrmoA7E)
- 1562 registers are not documented (0xF01E7 - 0xF07FF)
- minimum scan area would be 0xE1A bytes (covering code base only and assuming ocd flag is the known value of 0xF07F5)
- maximum scan area would be 0x55FC8A bytes (same as above and assuming ocd flag isn't known (times 0x619 bytes))
- assuming that the code base is in the 2nd SFR area on RL78 and that the two devices are very similar, we could narrow down the minimum scan area to 0x61A bytes
- IC4002 is Sony's syscon naming in official service docs
//TX FUNC, 78K0R CASE
//TAKING NOTE THAT PS3 SYSCON is uPD78F11XX, where X is A, B or C
//ASIM -> 0xFFF8C
//TXS -> 0xFFF8F
<pre>
ROM:000EFF05                 set1    byte_FFF8C.7
ROM:000EFF08                 nop
ROM:000EFF09                 mov     byte_FFF8F, a
ROM:000EFF0B
ROM:000EFF0B loc_EFF0B:                              ; CODE XREF: ROM:loc_EFF0B↓j
ROM:000EFF0B                 bf      byte_FFF8B.0, loc_EFF0B
ROM:000EFF0F                 mov     byte_FFF8B, #0
ROM:000EFF12                 clr1    byte_FFF8C.7
ROM:000EFF15                 ret
</pre>
- OCD Flag at 0xF07EC
- Entry Point at 0xF07F0
- All SW Models use 0xFFF as block size (SW, SW2, SW3)
- SW uses 0x80000 as total ROM size. SW2, SW3 use 0xC0000 as total ROM size
- To use block related commands, one must send signature check command before sending the block check/erase/program command
- 0xFFFFFED0(IV error?) 0xFFFFFED1 (hash error?) 0xFFFFFED2 (magic error)
To wikify
- Wikify begin (please wait...)
- Roxanne, if you could also take care of these: http://pastebin.com/s75FzYxd , that would be awesome (I'm not sure what happened to eussNL so I leave it in your hands.)
- When I get my left hand back, then we can check this out together. Roxanne
request_idps generated files binary xor
Note: files are padded 8 bytes at start, for convenience
Wii Key/IV Goodness
Type | Key | Description |
---|---|---|
Key | 9258A75264960D82676F904456882A73 | Boot1 Decryption Key |
IV | 00000000000000000000000000000000 | Boot1/2 Decryption IV |
Key | A1604A6A7123B529AE8BEC32C816FCAA | Boot2 Decryption Key (Devel) |
Key | EBE42A225E8593E448D9C5457381AAF7 | Boot2 Decryption Key (Prod) |
RSA Key | | Root Key (Devel) |
RSA Key | | Root Key (Prod) |
Key | 67C6697351FF4AEC29CDBAABF2FBE346 | DVD Key (Devel) |
Key | AB01B9D8E1622B08AFBAD84DBFC2A55D | App Key |
IV | 216712E6AA1F689F95C5A22324DC6A98 | App IV |
Key | 2B7E151628AED2A6ABF7158809CF4F3C | SW Key |
IV | 00000000000000000000000000000000 | SW IV |
Key | 0E65378199BE4517AB06EC22451A5793 | MD5 Blanker |
Wii U Key/IV Goodness
Switch Key/IV Goodness
Type | Key | SHA1/SHA256 | Status | Description |
---|---|---|---|---|
AES-CTR | key:F4ECA1685C1E4DF77F19DB7B44A985CA | sha1:8C98FF409724784DDF3E3D39B60B25B7087FF537 | Valid | stage1_key_00 |
AES-128-ECB | key:C2CAAFF089B9AED55694876055271C7D | sha1:4A98D62FF6EC0A042B7592219200E37DD9603479 | Valid | package1_key_00 |
AES-128-ECB | key:54E1B8E999C2FD16CD07B66109ACAAA6 | sha1:8CEC47B1B3974EED32C03B11A9DE0133D9E0F00B | Valid | master_key_01 |
AES-128-ECB | key:4F6B10D33072AF2F250562BFF06B6DA3 | sha1:ADD1D37E4A5C540AEEEF4050A2AB98E8B0DC1D04 | Valid | master_key_02 |
AES-CTR | key:A35A19CB14404B2F4460D343D178638D | sha1:4D64731F7AFA031C7EEAE3EB2F462D55FF8FF5AE | Valid | package2_key_00 |
Kernel | - | sha1:124BEFB2895BBA4DB1726485DAF6684B33EF5F51 | Valid | 1.00 Encrypted Kernel |
System Modules | - | sha1:96BF598BD162D5D8C87F2B25741F758F47730C88 | Valid | 1.00 Encrypted System Modules |
Modulus | | sha1:F847ED0465C0DFDCD2C28B3E1A6DA0C0F01FBBC5 | Valid | Public Debug |
Modulus | | sha1:A809E09F8BD790446B86F28B84A6D0F36481A245 | Valid | Public Retail |
Regarding Jokes
- Sorry, but it's difficult to distinguish Contributors from Spam Users, especially when you aren't logged in and when you log in to your account with different IP Addresses (and especially with this current Spam situation). It won't happen a second time. Roxanne 21st December 2015 (18:12 GMT+1)
- It's ok, I should've logged in, but I keep formatting my pc, so I always forget :) In the end it was my fault. Thanks for the feedback though. Zecoxao
- OK and to answer your question regarding the newest DEX Firmwares, I'm on CEX but I'm still on this Firmware. Is this Good or Bad? :) Roxanne 22nd December 2015 (22:56 GMT+1)
- it'd be nice to test some psgroove on it :)
- Is http://www.psdevwiki.com/ps3/User:Not_Zecoxao still needed?
- nope