Talk:IDPS: Difference between revisions

From PS3 Developer wiki
mNo edit summary
Line 4: Line 4:
! IDPS !! TargetID !! Mobo Rev. !!  
! IDPS !! TargetID !! Mobo Rev. !!  
|-
|-
| '''''00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D''''' || Reference Tool / DECR || COK-001 || Static Dummy IDPS
| &nbsp;<code>00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D </code>&nbsp; || 81 - Reference Tool / DECR || 01 - COK-001 || Static Dummy IDPS
|-
|-
| '''''00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17''''' || Retail Europe || SUR-001 ||  
| &nbsp;<code>00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17 </code>&nbsp; || 85 - Retail Europe || 0A - SUR-001 ||  
|-
|-
| '''''00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C''''' || Retail Australia/New Zealand || VER-001 ||  
| &nbsp;<code>00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C</code>&nbsp; || 89 - Retail Australia/New Zealand || 08 - VER-001 ||  
|-
|-
| 00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7 || Retail USA || VER-001 ||  
| &nbsp;<code>00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7</code>&nbsp; || 84 - Retail USA || 08 - VER-001 ||  
|-
|-
| 00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F || Retail USA || COK-001 ||
| &nbsp;<code>00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F</code>&nbsp; || 84 - Retail USA || 01 - COK-001 ||
|-
|-
| 00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF || Retail USA || DYN-001 ||
| &nbsp;<code>00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF</code>&nbsp; || 84 - Retail USA || 09 - DYN-001 ||
|-
|-
| 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 || Retail Australia/New Zealand || JTP-001/JSD-001 ||  
| &nbsp;<code>00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66</code>&nbsp; || 89 - Retail Australia/New Zealand || 0B - JTP-001/JSD-001 ||  
|-
|-
| 00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76 || Retail Australia/New Zealand || JTP-001/JSD-001 || <!--// bluemimmo 3.56 factory //-->
| &nbsp;<code>00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76</code>&nbsp; || 89 - Retail Australia/New Zealand || 0B - JTP-001/JSD-001 || <!--// bluemimmo 3.56 factory //-->
|-
|-
| 00 00 00 01 00 87 00 08 14 00 EF DD CA 25 52 66 || Retail United Kingdom || VER-001 ||  
| &nbsp;<code>00 00 00 01 00 87 00 08 14 00 EF DD CA 25 52 66</code> || 87 - Retail United Kingdom || 08 - VER-001 ||  
|-
|-
| 00 00 00 01 00 85 00 08 10 05 52 88 e8 af 75 0d || Retail Europe || VER-001 ||  
| &nbsp;<code>00 00 00 01 00 85 00 08 10 05 52 88 E8 AF 75 0D</code>&nbsp; || 85 - Retail Europe || 08 - VER-001 ||  
|-
|-
| 00 00 00 01 00 85 00 08 f4 01 aa 02 51 ee 33 7b || Retail Europe || VER-001 ||  
| &nbsp;<code>00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B</code>&nbsp; || 85 - Retail Europe || 08 - VER-001 ||  
|-
|-
| 00 00 00 01 00 85 00 09 10 1b 69 bd ca cc be 85 || Retail Europe || DYN-001 ||  
| &nbsp;<code>00 00 00 01 00 85 00 09 10 1B 69 BD CA CC BE 85</code>&nbsp; || 85 - Retail Europe || 09 - DYN-001 ||  
|-
|-
| 00 00 00 01 00 85 00 0b 10 18 ec 96 e4 a8 be ef || Retail Europe || JTP-001/JSD-001 ||  
| &nbsp;<code>00 00 00 01 00 85 00 0B 10 18 EC 96 E4 A8 BE EF</code>&nbsp; || 85 - Retail Europe || 0B - JTP-001/JSD-001 ||  
|-
|-
| 00 00 00 01 00 87 00 08 14 01 b7 a7 1f c8 3a ea || Retail United Kingdom || VER-001 ||  
| &nbsp;<code>00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA</code>&nbsp; || 87 - Retail United Kingdom || 08 - VER-001 ||  
|-
|-
| 00 00 00 01 00 87 00 07 10 00 a3 15 8f 61 36 85 || Retail United Kingdom || DIA-002 ||  
| &nbsp;<code>00 00 00 01 00 87 00 07 10 00 A3 15 8F 61 36 85</code>&nbsp; || 87 - Retail United Kingdom || 07 - DIA-002 ||  
|-
|-
| 00 00 00 01 00 87 00 0b 14 0c 84 81 81 33 fa 68 || Retail United Kingdom || JTP-001/JSD-001 ||  
| &nbsp;<code>00 00 00 01 00 87 00 0B 14 0C 84 81 81 33 FA 68</code>&nbsp; || 87 - Retail United Kingdom || 0B - JTP-001/JSD-001 ||  
|-
|-
| 00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D || Retail United Kingdom || JTP-001 || <!--// CECH2501B (JTP-001) bingoman with metldr2 //-->
| &nbsp;<code>00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D</code>&nbsp; || 87 - Retail United Kingdom || 0B - JTP-001 || <!--// CECH2501B (JTP-001) bingoman with metldr2 //-->
|-
|-
| 00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F || Retail Russia || KTE-001 || <!--// CECH3008B (KTE-001) Kill17 copypaste, no flashdump proof. Ok  http://narod.ru/disk/39647482001/bkpps3.bin.html  PASS: PS3 //-->
| &nbsp;<code>00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F</code>&nbsp; || 8C - Retail Russia || 0C - KTE-001 || <!--// CECH3008B (KTE-001) Kill17 copypaste, no flashdump proof. Ok  http://narod.ru/disk/39647482001/bkpps3.bin.html  PASS: PS3 //-->
|-
| &nbsp;<code>00 00 00 01 00 87 00 0C 14 06 C3 90 35 41 45 18</code>&nbsp; || 87 - Retail United Kingdom || 0C - KTE-001 || <!--// http://www.mediafire.com/?2j9el16bsdwqm9d //-->
|-
| &nbsp;<code>00 00 00 01 00 82 00 01 xx xx xx xx xx xx xx xx</code>&nbsp; || 82 - Debug/DEX || 01 - COK-001 ||
|-
| &nbsp;<code>00 00 00 01 00 83 00 01 xx xx xx xx xx xx xx xx</code>&nbsp; || 83 - Retail Japan || 01 - COK-001 ||
|-
| &nbsp;<code>00 00 00 01 00 86 00 04 xx xx xx xx xx xx xx xx</code>&nbsp; || 86 - Retail Korea || 04 - COK-002 ||
|-
| &nbsp;<code>00 00 00 01 00 88 00 04 xx xx xx xx xx xx xx xx</code>&nbsp; || 88 - Retail Mexico || 04 - COK-002 ||
|-
| &nbsp;<code>00 00 00 01 00 8A 00 01 xx xx xx xx xx xx xx xx</code>&nbsp; || 8A - Retail Malaysia || 01 - COK-001 ||
|-
| &nbsp;<code>00 00 00 01 00 8B 00 01 xx xx xx xx xx xx xx xx</code>&nbsp; || 8B - Retail Taiwan || 01 - COK-001 ||
|-
| &nbsp;<code>00 00 00 01 00 8D 00 0C xx xx xx xx xx xx xx xx</code>&nbsp; || 8D - Retail China || 0C - KTE-001 || unreleased
|-
|-
|}
|}
Note: for KTE-001 there are postings of both 0B and 0C as revision @ IDPS offsetin flashdumps for CECH3000 series :/


=== IDPS rms blogtext ===
=== IDPS rms blogtext ===
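Review bot: Two of the reformatted rows, `00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66` and `00 00 00 01 00 87 00 08 14 00 EF DD CA 25 52 66`, end in the same eight bytes while their TargetID and board revision differ, so it is worth confirming which of them has a dump behind it and marking the other, the way the KTE-001 comment already records "no flashdump proof". Smaller points in the same hunk: the 87 / 08 - VER-001 row is the only new line without the trailing `&nbsp;` after `</code>`, the first two rows keep a stray space before `</code>`, and "offsetin" in the new KTE-001 note should read "offset in".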
Line 57: Line 72:


I would say it would, because most likely the check is done in firmware to either en/disable that option. However, it would still require a console that can be downgraded to that version (only CECH-20../DYN-001, because CECH-21../SUR-001 are known to have a lowvercheck of 3.20). So classic OtherOS on a CellBE 45nm/RSX 40nm would be impossible (ofcourse you can use OtherOS++).
I would say it would, because most likely the check is done in firmware to either en/disable that option. However, it would still require a console that can be downgraded to that version (only CECH-20../DYN-001, because CECH-21../SUR-001 are known to have a lowvercheck of 3.20). So classic OtherOS on a CellBE 45nm/RSX 40nm would be impossible (ofcourse you can use OtherOS++).
=== [Homebrew-App] PS3 Model Detection ===
http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/
<pre>Dumping PS3 Model Data:
- PS3 System Target ID:    0x85 (Retail - Europe)
- PS3 Motherboard Revision: 0x0B (JTP-001 Motherboard, Revision 1)
- PS3 BD-Laser Revision:    0x04 (KES-400, SACD supported)
Probable Model: CECH-2504A
Raw Model Data:
  Byte 0: 0x00
  Byte 1: 0x01
  Byte 2: 0x00
  Byte 3: 0x85
  Byte 4: 0x00
  Byte 5: 0x0B
  Byte 6: 0x00
  Byte 7: 0x04
  Byte 7: 0x04</pre>
=== [Homebrew-App] IDPS Viewer ===
http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer
* Displays the IDPS
* Shows Target ID
* Displays Motherboard revision
* Save <abbr title="(NAND @ 0x80870 / NOR @ 0x2F070)">IDPS</abbr> (16 bytes from EID) in dev_hdd0/IDPS.bin file
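Review bot: The pasted output in the added `<pre>` block lists `Byte 7: 0x04` twice; drop the repeat, or say so if the tool really prints it twice. The same output reports the Target ID at byte 3 and the motherboard revision at byte 5, while the IDPS rows in the table carry them at bytes 5 and 7, so the new section should add a sentence on how this 8-byte "Raw Model Data" relates to the 16-byte IDPS.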

Revision as of 05:03, 24 March 2012

IDPS Examples

| IDPS | TargetID | Mobo Rev. | Notes |
|---|---|---|---|
| 00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D | 81 - Reference Tool / DECR | 01 - COK-001 | Static Dummy IDPS |
| 00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17 | 85 - Retail Europe | 0A - SUR-001 | |
| 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C | 89 - Retail Australia/New Zealand | 08 - VER-001 | |
| 00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7 | 84 - Retail USA | 08 - VER-001 | |
| 00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F | 84 - Retail USA | 01 - COK-001 | |
| 00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF | 84 - Retail USA | 09 - DYN-001 | |
| 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 | 89 - Retail Australia/New Zealand | 0B - JTP-001/JSD-001 | |
| 00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76 | 89 - Retail Australia/New Zealand | 0B - JTP-001/JSD-001 | |
| 00 00 00 01 00 87 00 08 14 00 EF DD CA 25 52 66 | 87 - Retail United Kingdom | 08 - VER-001 | |
| 00 00 00 01 00 85 00 08 10 05 52 88 E8 AF 75 0D | 85 - Retail Europe | 08 - VER-001 | |
| 00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B | 85 - Retail Europe | 08 - VER-001 | |
| 00 00 00 01 00 85 00 09 10 1B 69 BD CA CC BE 85 | 85 - Retail Europe | 09 - DYN-001 | |
| 00 00 00 01 00 85 00 0B 10 18 EC 96 E4 A8 BE EF | 85 - Retail Europe | 0B - JTP-001/JSD-001 | |
| 00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA | 87 - Retail United Kingdom | 08 - VER-001 | |
| 00 00 00 01 00 87 00 07 10 00 A3 15 8F 61 36 85 | 87 - Retail United Kingdom | 07 - DIA-002 | |
| 00 00 00 01 00 87 00 0B 14 0C 84 81 81 33 FA 68 | 87 - Retail United Kingdom | 0B - JTP-001/JSD-001 | |
| 00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D | 87 - Retail United Kingdom | 0B - JTP-001 | |
| 00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F | 8C - Retail Russia | 0C - KTE-001 | |
| 00 00 00 01 00 87 00 0C 14 06 C3 90 35 41 45 18 | 87 - Retail United Kingdom | 0C - KTE-001 | |
| 00 00 00 01 00 82 00 01 xx xx xx xx xx xx xx xx | 82 - Debug/DEX | 01 - COK-001 | |
| 00 00 00 01 00 83 00 01 xx xx xx xx xx xx xx xx | 83 - Retail Japan | 01 - COK-001 | |
| 00 00 00 01 00 86 00 04 xx xx xx xx xx xx xx xx | 86 - Retail Korea | 04 - COK-002 | |
| 00 00 00 01 00 88 00 04 xx xx xx xx xx xx xx xx | 88 - Retail Mexico | 04 - COK-002 | |
| 00 00 00 01 00 8A 00 01 xx xx xx xx xx xx xx xx | 8A - Retail Malaysia | 01 - COK-001 | |
| 00 00 00 01 00 8B 00 01 xx xx xx xx xx xx xx xx | 8B - Retail Taiwan | 01 - COK-001 | |
| 00 00 00 01 00 8D 00 0C xx xx xx xx xx xx xx xx | 8D - Retail China | 0C - KTE-001 | unreleased |

IDPS rms blogtext

You’re probably wondering: “What the hell is this sequence of bytes?”. This is the IDPS, a sequence of bytes which determine console type. This structure is relatively undocumented until now, anyway. The IDPS is contained in EID0. EID0 is on the console internal flash as the file eEID and has multiple sections. I had made a splitter application to make your life easier a long time ago. Now, EID is decrypted by metldr, and is passed over to the isolated loader, which may pass it to a self. We can see this in graf_chokolo’s original payload. The IDPS is also used in various other parts of the system which could be of interest to you, but I will not discuss those right now. The IDPS itself, isn’t decrypted.

The IDPS contains your target ID, motherboard? and BD? revision. The IDPS shown at the beginning of this article is the dummy IDPS, the one that’s used when your IDPS fails to be decrypted. That IDPS belongs to a DECR-1000A. The one below belongs to a European PS3, and the one below that belongs to an Australian/NZ PS3.

Source: http://rmscrypt.wordpress.com/2011/05/16/idps-what-the-hell-is-that-thing/

Note: The Reference Tool IDPS from above is static. aim_iso uses it. Retail/3.55 doesn't have it.
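
The field layout the table implies (TargetID in byte 5, board revision in byte 7), as an added example that is not part of the wiki page or of rms's post. The lookup tables and sample rows are copied from the table on this page; treating a repeated tail (bytes 8-15) under different headers as a row worth re-checking is an assumption of this example.

```python
# Added example: decode the two documented IDPS fields and sanity-check rows.
TARGET_IDS = {  # copied from the TargetID column on this page
    0x81: "Reference Tool / DECR", 0x82: "Debug/DEX", 0x83: "Retail Japan",
    0x84: "Retail USA", 0x85: "Retail Europe", 0x86: "Retail Korea",
    0x87: "Retail United Kingdom", 0x88: "Retail Mexico",
    0x89: "Retail Australia/New Zealand", 0x8A: "Retail Malaysia",
    0x8B: "Retail Taiwan", 0x8C: "Retail Russia", 0x8D: "Retail China",
}
BOARD_REVS = {  # copied from the Mobo Rev. column on this page
    0x01: "COK-001", 0x04: "COK-002", 0x07: "DIA-002", 0x08: "VER-001",
    0x09: "DYN-001", 0x0A: "SUR-001", 0x0B: "JTP-001/JSD-001", 0x0C: "KTE-001",
}
DUMMY_IDPS = bytes.fromhex("000000010081000103FFFFFF1843C14D")  # static dummy row
SAMPLE_ROWS = [  # rows taken from the table on this page
    "00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D",
    "00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66",
    "00 00 00 01 00 87 00 08 14 00 EF DD CA 25 52 66",
    "00 00 00 01 00 8D 00 0C xx xx xx xx xx xx xx xx",
]

def parse_idps(text):
    """Parse a spaced-hex IDPS row; 'xx' placeholders in the tail become None."""
    tokens = text.split()
    if len(tokens) != 16:
        raise ValueError(f"IDPS must be 16 bytes, got {len(tokens)}")
    raw = [None if t.lower() == "xx" else int(t, 16) for t in tokens]
    # Every row on this page starts 00 00 00 01 00 <target> 00 <board>.
    if raw[:5] != [0, 0, 0, 1, 0] or raw[6] != 0 or None in (raw[5], raw[7]):
        raise ValueError("header does not match the layout of the rows on this page")
    tail = raw[8:]
    complete = None not in tail
    return {
        "target_id": raw[5], "target": TARGET_IDS.get(raw[5], "unknown"),
        "board_rev": raw[7], "board": BOARD_REVS.get(raw[7], "unknown"),
        "tail": bytes(tail).hex() if complete else None,
        "is_dummy": complete and bytes(raw) == DUMMY_IDPS,
    }

def shared_tails(rows):
    """Map each tail seen under more than one (target, board) header to those headers."""
    seen = {}
    for row in rows:
        info = parse_idps(row)
        if info["tail"] is not None:
            seen.setdefault(info["tail"], set()).add((info["target_id"], info["board_rev"]))
    return {tail: sorted(hdrs) for tail, hdrs in seen.items() if len(hdrs) > 1}
```
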

Change HWID

Theory: If you give a slim console a fat IDPS, would that console have 3.15 OtherOS functionality?

I would say it would, because most likely the check is done in firmware to either en/disable that option. However, it would still require a console that can be downgraded to that version (only CECH-20../DYN-001, because CECH-21../SUR-001 are known to have a lowvercheck of 3.20). So classic OtherOS on a CellBE 45nm/RSX 40nm would be impossible (of course you can use OtherOS++).


[Homebrew-App] PS3 Model Detection

http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/

<pre>Dumping PS3 Model Data:
- PS3 System Target ID:     0x85 (Retail - Europe)
- PS3 Motherboard Revision: 0x0B (JTP-001 Motherboard, Revision 1)
- PS3 BD-Laser Revision:    0x04 (KES-400, SACD supported)
Probable Model: CECH-2504A
Raw Model Data:
  Byte 0: 0x00
  Byte 1: 0x01
  Byte 2: 0x00
  Byte 3: 0x85
  Byte 4: 0x00
  Byte 5: 0x0B
  Byte 6: 0x00
  Byte 7: 0x04
  Byte 7: 0x04</pre>

[Homebrew-App] IDPS Viewer

http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer

  • Displays the IDPS
  • Shows Target ID
  • Displays Motherboard revision
  • Save IDPS (16 bytes from EID) in dev_hdd0/IDPS.bin file