IDPS: Difference between revisions
CelesteBlue (talk | contribs) No edit summary |
CelesteBlue (talk | contribs) No edit summary |
||
Line 1: | Line 1: | ||
The IDPS is a 16 bytes value that contains console specific information. | The IDPS is a 16 bytes value that contains console specific information. | ||
= Description = | |||
The IDPS is a sequence of bytes which is used as a unical per console ID. The IDPS is contained in EID0. EID0 is on the console internal flash as the file eEID and has multiple sections. rms had made a splitter application (where?). Now, EID is decrypted by metldr, and is passed over to the isolated loader, which may pass it to a self. We can see this in graf_chokolo’s original payload. | |||
= Structure = | = Structure = | ||
Line 16: | Line 20: | ||
7th and 8th byte represent [[SKU_Models|SKU Model]] <!--// Note that CECHAxx is type 0x01 and CECHBxx is type 0x02 but they both have a COK-001 motherboard... (Changing 0x02 to 0x01 in CECH-B will enable wifi options in menu. But there is still missing hardware), and at the opposite... CECH-25xx models are type 0x0B but with 2 possible motherboards: JSD-001 or JTP-001//--> | 7th and 8th byte represent [[SKU_Models|SKU Model]] <!--// Note that CECHAxx is type 0x01 and CECHBxx is type 0x02 but they both have a COK-001 motherboard... (Changing 0x02 to 0x01 in CECH-B will enable wifi options in menu. But there is still missing hardware), and at the opposite... CECH-25xx models are type 0x0B but with 2 possible motherboards: JSD-001 or JTP-001//--> | ||
9th byte represents <abbr title="To convert it to | 9th byte represents <abbr title="To convert it to chassis revision, right shift it by 2 : (0x14 >> 0x2) = 5">chassis check</abbr> | ||
10th byte represents an unkwnown model identifier | 10th byte represents an unkwnown model identifier | ||
remaining bytes seam to be an identifier generated from some per console data | remaining bytes seam to be an identifier generated from some per console data | ||
== Dummy Reference Tool IDPS == | |||
<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D</pre> | |||
This IDPS is the dummy IDPS, the one that is used when some Tool PS3's IDPS fails to be decrypted from flash. That IDPS belongs to a Referecence Tool DECR-1000A. The Reference Tool IDPS from above is static. aim_iso uses it. Retail/3.55 doesn't have it. | |||
00 00 00 01 <- Magic<br> | |||
00 89 <- Product Code<br> | |||
00 0B <- Product Sub Code<br> | |||
14 <- Chassis check<br> | |||
00 <- unk0, FF in the dummy IDPS<br> | |||
EF DD <- unk1, FF FF in the dummy IDPS<br> | |||
CA 25 52 66 <- unk2<br> <- some unique ID | |||
Source: [http://rmscrypt.wordpress.com/2011/05/16/idps-what-the-hell-is-that-thing/ rms' blogtext]. | |||
== Dummy PSP Emulator IDPS == | |||
<pre>0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x0C, 0x40, 0x00, 0xB1, 0x0E, 0x69, 0x69, 0x78</pre> | |||
Found into the emulator_drm.sprx (iso self inside). | |||
== IDPS Regex == | |||
=== PS3 === | |||
0{7}10{2}8[456789ACE]000[6789ABCD][01F][04][0123][0123456789ABCDEF]{13} | |||
Based on 300+ PS3 IDPS dumps. | |||
= Location = | = Location = | ||
== NAND/NOR == | |||
The IDPS can be found in EID0 and EID5. See [[Flash:Encrypted_Individual_Data_-_eEID#EID0|Flash]] (NAND @ 0x80870 / NOR @ 0x2F070). | The IDPS can be found in EID0 and EID5. See [[Flash:Encrypted_Individual_Data_-_eEID#EID0|Flash]] (NAND @ 0x80870 / NOR @ 0x2F070). | ||
== registry? == | |||
?It can also be found in registry/application_persistent file inside playstation Store folder (as DeviceID).? | |||
== PSN == | |||
== idpstealer (patched since FW 4.70 and deprecated since ps3exploit) == | === idpstealer (patched since FW 4.70 and deprecated since ps3exploit) === | ||
<div style="border-width: 1px; border-style:dashed; border-color:#000000; padding: 10px; background-color:#FFFFFF; color:#000000; "> | <div style="border-width: 1px; border-style:dashed; border-color:#000000; padding: 10px; background-color:#FFFFFF; color:#000000; "> | ||
Line 60: | Line 100: | ||
* This method no longer works because now Sony uses '''OpenPSID''' instead of '''IDPS''' although the key/algorithm remains the same. | * This method no longer works because now Sony uses '''OpenPSID''' instead of '''IDPS''' although the key/algorithm remains the same. | ||
* This should work also on PS4 and PSVita, but with a different key (not known/public atm) | * This should work also on PS4 and PSVita, but with a different key (not known/public atm) | ||
= Changing IDPS = | |||
Theory: If you give a slim console a fat IDPS, would that console have 3.15 OtherOS functionality? | |||
I would say it would, because most likely the check is done in firmware to either en/disable that option. However, it would still require a console that can be downgraded to that version (only CECH-20xx/DYN-001, because CECH-21xx/SUR-001 use different drivers for RSX). So classic OtherOS on a CellBE 45nm/RSX 40nm would be impossible (of course you can use OtherOS++). | |||
= Tools = | |||
== PS3 Identification tools == | |||
=== Multiman === | |||
IDPS is displayed under setting information in MultiMan. | |||
=== [Homebrew-App] PS3 Model Detection === | |||
http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/ | |||
<pre> | |||
Dumping PS3 Model Data: | |||
- PS3 System Target ID: 0x85 (Retail - Europe) | |||
- PS3 Motherboard Revision: 0x0B (JTP-001 Motherboard, Revision 1) | |||
- PS3 BD-Laser Revision: 0x04 (KES-400, SACD supported) | |||
Probable Model: CECH-2504A | |||
Raw Model Data: | |||
Byte 0: 0x00 | |||
Byte 1: 0x01 | |||
Byte 2: 0x00 | |||
Byte 3: 0x85 | |||
Byte 4: 0x00 | |||
Byte 5: 0x0B | |||
Byte 6: 0x00 | |||
Byte 7: 0x04 | |||
</pre> | |||
Notes: | |||
* '7th byte of IDPS' is ''not'' [[Bluray Drive]] (it was misunderstood at that time). You can see it in the example where it names incorrectly a [[CECH-25xx]] as Super Audio CD compatible with a [[KES-400]] laserslide (which in real life has either [[KES-460A]] or [[KES-470A]] without daughterboard (swap can be done without remarry). | |||
* Also, it named bytes 0-2 "Byte 0", byte 3 "Byte 1", byte 4 "Byte 2", byte 5 "Byte 3", byte 6 "Byte 4", byte 7 "Byte 5", byte 8 "Byte 6", byte 9 "Byte 7" etc. | |||
=== [Homebrew-App] IDPS Viewer === | |||
http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer | |||
* Displays the IDPS | |||
* Shows Target ID | |||
* Displays Motherboard revision | |||
* Save <abbr title="(NAND @ 0x80870 / NOR @ 0x2F070)">IDPS</abbr> (16 bytes from EID) in dev_hdd0/IDPS.bin file | |||
{{Flash}} | {{Flash}} | ||
{{Development}}<noinclude>[[Category:Main]]</noinclude> | {{Development}}<noinclude>[[Category:Main]]</noinclude> |
Revision as of 06:39, 6 March 2020
The IDPS is a 16 bytes value that contains console specific information.
Description
The IDPS is a sequence of bytes which is used as a unical per console ID. The IDPS is contained in EID0. EID0 is on the console internal flash as the file eEID and has multiple sections. rms had made a splitter application (where?). Now, EID is decrypted by metldr, and is passed over to the isolated loader, which may pass it to a self. We can see this in graf_chokolo’s original payload.
Structure
Chassis Check ⇓ 00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....ïÝÊ%Rf ⇑ ⇑ ⇑ ⇑ Target ID Model type (Internal:Product Code) (Internal: Product Sub Code)
5th and 6th byte represent Target ID
7th and 8th byte represent SKU Model
9th byte represents chassis check
10th byte represents an unkwnown model identifier
remaining bytes seam to be an identifier generated from some per console data
Dummy Reference Tool IDPS
0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x03, 0xFF, 0xFF, 0xFF, 0x18, 0x43, 0xC1, 0x4D
This IDPS is the dummy IDPS, the one that is used when some Tool PS3's IDPS fails to be decrypted from flash. That IDPS belongs to a Referecence Tool DECR-1000A. The Reference Tool IDPS from above is static. aim_iso uses it. Retail/3.55 doesn't have it.
00 00 00 01 <- Magic
00 89 <- Product Code
00 0B <- Product Sub Code
14 <- Chassis check
00 <- unk0, FF in the dummy IDPS
EF DD <- unk1, FF FF in the dummy IDPS
CA 25 52 66 <- unk2
<- some unique ID
Source: rms' blogtext.
Dummy PSP Emulator IDPS
0x00, 0x00, 0x00, 0x01, 0x00, 0x81, 0x00, 0x01, 0x0C, 0x40, 0x00, 0xB1, 0x0E, 0x69, 0x69, 0x78
Found into the emulator_drm.sprx (iso self inside).
IDPS Regex
PS3
0{7}10{2}8[456789ACE]000[6789ABCD][01F][04][0123][0123456789ABCDEF]{13}
Based on 300+ PS3 IDPS dumps.
Location
NAND/NOR
The IDPS can be found in EID0 and EID5. See Flash (NAND @ 0x80870 / NOR @ 0x2F070).
registry?
?It can also be found in registry/application_persistent file inside playstation Store folder (as DeviceID).?
PSN
idpstealer (patched since FW 4.70 and deprecated since ps3exploit)
From flatz: Privet, PS3 fans! Once KaKaRoTo published his backup tool I’ve decided to bring a way of getting a console ID (IDPS) to the community. It can be used on OFW/CFW firmware and you don’t need any additional software/hardware installed on your PS3.
However there are several cons about releasing:
- A big company will fix it in the next firmwares.
- It can be used to steal other people’s IDPS if you have an access to their consoles.
And it seems that this is the only method of getting ConsoleId without using hardware solutions on the moment. So please, if you want to get an IDPS from your console then do it as fast as possible because I think this method won’t work in the nearly future.
How it works: IDPStealer works as a proxy server and intercepts all network traffic (including SSL traffic via HTTPS over HTTP tunneling) and it tries to get IDPS from it. It doesn’t contains any malicious code and can be safely used like any other proxy server.
Usage: idpstealer.exe [options] <idps file> Options: -p <port number> - Port to listen on (default: 1337 -h - Show this help Arguments: <idps file> - Output file for IDPS
C:\>idpstealer.exe idps.bin Starting proxy server on 192.168.1.13:1337 IDPS have been successfully written to: idps.bin
https://dl.dropboxusercontent.com/u/35197530/zip/idpstealer.7z
https://web.archive.org/web/20160309135920/http://pastie.org/private/wlakfucps3bc21dfuosdtg
- This method no longer works because now Sony uses OpenPSID instead of IDPS although the key/algorithm remains the same.
- This should work also on PS4 and PSVita, but with a different key (not known/public atm)
Changing IDPS
Theory: If you give a slim console a fat IDPS, would that console have 3.15 OtherOS functionality?
I would say it would, because most likely the check is done in firmware to either en/disable that option. However, it would still require a console that can be downgraded to that version (only CECH-20xx/DYN-001, because CECH-21xx/SUR-001 use different drivers for RSX). So classic OtherOS on a CellBE 45nm/RSX 40nm would be impossible (of course you can use OtherOS++).
Tools
PS3 Identification tools
Multiman
IDPS is displayed under setting information in MultiMan.
[Homebrew-App] PS3 Model Detection
http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/
Dumping PS3 Model Data: - PS3 System Target ID: 0x85 (Retail - Europe) - PS3 Motherboard Revision: 0x0B (JTP-001 Motherboard, Revision 1) - PS3 BD-Laser Revision: 0x04 (KES-400, SACD supported) Probable Model: CECH-2504A Raw Model Data: Byte 0: 0x00 Byte 1: 0x01 Byte 2: 0x00 Byte 3: 0x85 Byte 4: 0x00 Byte 5: 0x0B Byte 6: 0x00 Byte 7: 0x04
Notes:
- '7th byte of IDPS' is not Bluray Drive (it was misunderstood at that time). You can see it in the example where it names incorrectly a CECH-25xx as Super Audio CD compatible with a KES-400 laserslide (which in real life has either KES-460A or KES-470A without daughterboard (swap can be done without remarry).
- Also, it named bytes 0-2 "Byte 0", byte 3 "Byte 1", byte 4 "Byte 2", byte 5 "Byte 3", byte 6 "Byte 4", byte 7 "Byte 5", byte 8 "Byte 6", byte 9 "Byte 7" etc.
[Homebrew-App] IDPS Viewer
http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer
- Displays the IDPS
- Shows Target ID
- Displays Motherboard revision
- Save IDPS (16 bytes from EID) in dev_hdd0/IDPS.bin file
|