Talk:IDPS

From PS3 Developer wiki
Jump to navigation Jump to search


IDPS Examples

The examples are ordered based in priority: first "PS3 model" (byte 8), second "chasis check" (bytes 9 and 10), and third "target id" (byte 6)

The reason of why ordering the examples this way is because "PS3 model" is known, and "chasis check" is the only thing left we can deduce from the examples

IDPS 6th
byte
Target ID 8th
byte
PS3 Model Notes
 00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D  0x81  TOOL  Reference Tool or  SD  System Debugger / DECR 0x01 DECR-1000(A/J) / DEH-Z1010 (TMU-520) Static Dummy IDPS
 00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x01 CECHA (COK-001)
 00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2  0x8A  CEX  Retail or  SHOP  Kiosk - South Asia / CECH 0x01 CECHA (COK-001)
 00 00 00 01 00 84 00 01 10 19 15 0C 45 9F 1C 2A  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x01 CECHA (COK-001)
 00 00 00 01 00 84 00 01 10 1B 23 A2 EA C6 4D D0  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x01 CECHA (COK-001)
 00 00 00 01 00 84 00 02 10 01 15 ED DE D8 06 8B  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x02 CECHB (COK-001)
 00 00 00 01 00 85 00 03 10 00 3D F9 65 97 B6 EA  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x03 CECHC (COK-002)
 00 00 00 01 00 85 00 03 10 11 62 95 56 FF DB FD  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x03 CECHC (COK-002)
 00 00 00 01 00 A0 00 04 04 00 04 1B 13 AB 46 25  0xA0  ARC  Arcade / GECR 0x04 GECR-1100 (COK-002) (COK-002 without Bluetooth/Wifi)
 00 00 00 01 00 ?? 00 04 ?? ?? ?? ?? ?? ?? ?? ??  ? ? 0x04 CECHE
 00 00 00 01 00 85 00 05 04 00 33 A3 44 9D 57 2B  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x05 CECHG (SEM-001)
 00 00 00 01 00 8C 00 05 10 00 D1 F3 55 2D DA BC  0x8C  CEX  Retail or  SHOP  Kiosk - Russia / CECH 0x05 CECHG (SEM-001)
 00 00 00 01 00 85 00 05 10 01 5F 01 12 FF 56 4F  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x05 CECHG (SEM-001)
 00 00 00 01 00 87 00 05 10 02 3A 2D 53 AF 66 28  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x05 CECHG (SEM-001)
 00 00 00 01 00 87 00 05 10 0A EE 67 DD 75 86 DA  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x05 CECHG (SEM-001) (original label stated CECHC model!)
 00 00 00 01 00 85 00 05 14 02 F7 06 9F 10 B6 22  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x05 CECHG (SEM-001)
 00 00 00 01 00 85 00 05 14 0E F0 DF DC DD 5E 56  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x05 CECHG (SEM-001)
 00 00 00 01 00 84 00 05 F4 00 41 86 55 9B D3 52  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x05 CECHG (SEM-001)
 00 00 00 01 00 87 00 05 F4 01 E9 4F 17 DB D9 5D  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x05 CECHG (SEM-001)
 00 00 00 01 00 ?? 00 06 ?? ?? ?? ?? ?? ?? ?? ??  ? ? 0x06 CECHH
 00 00 00 01 00 87 00 07 10 00 A3 15 8F 61 36 85  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x07 CECHJ/CECHK (DIA-002)
 00 00 00 01 00 A0 00 08 04 00 13 69 BC E4 78 80  0xA0  ARC  Arcade / GECR 0x08 GECR-1500 (VER-001) (VER-001 without Bluetooth/Wifi)
 00 00 00 01 00 85 00 08 10 05 52 88 E8 AF 75 0D  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)
 00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)
 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C  0x89  CEX  Retail or  SHOP  Kiosk - Australia & New Zealand / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)
 00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)
 00 00 00 01 00 84 00 08 14 11 D8 06 97 94 B6 80  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)
 00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001)
 00 00 00 01 00 85 00 09 10 0A 27 3E 8E 1D DF 65  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001)
 00 00 00 01 00 85 00 09 10 1B 69 BD CA CC BE 85  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001)
 00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x09 CECH20xx (DYN-001)
 00 00 00 01 00 85 00 09 10 22 4D 7A 32 A4 11 F4  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001)
 00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x0A CECH21xx (SUR-001)
 00 00 00 01 00 85 00 0B 10 18 EC 96 E4 A8 BE EF  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x0B CECH25xx (JTP-001/JSD-001)
 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  0x89  CEX  Retail or  SHOP  Kiosk - Australia & New Zealand / CECH 0x0B CECH25xx (JTP-001/JSD-001)
 00 00 00 01 00 8C 00 0B 14 00 E1 1D 11 03 C8 65  0x8C  CEX  Retail or  SHOP  Kiosk - Russia / CECH 0x0B CECH25xx (JTP-001/JSD-001) used by PS-Unban
 00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76  0x89  CEX  Retail or  SHOP  Kiosk - Australia & New Zealand / CECH 0x0B CECH25xx (JTP-001/JSD-001)
 00 00 00 01 00 87 00 0B 14 0C 84 81 81 33 FA 68  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x0B CECH25xx (JTP-001/JSD-001)
 00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x0B CECH25xx (JTP-001/JSD-001)
 00 00 00 01 00 84 00 0C 10 11 21 52 A6 EB 62 10  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x0C CECH30xx (KTE-001) used by PS-Unban
 00 00 00 01 00 84 00 0C 10 19 15 0C 45 9F 1C 2A  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x0C CECH30xx (KTE-001) used by PS-Unban
 00 00 00 01 00 84 00 0C 10 22 CE B2 EB 40 D9 EB  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x0C CECH30xx (KTE-001)
 00 00 00 01 00 87 00 0C 14 06 C3 90 35 41 45 18  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x0C CECH30xx (KTE-001)
 00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F  0x8C  CEX  Retail or  SHOP  Kiosk - Russia / CECH 0x0C CECH30xx (KTE-001)
 00 00 00 01 00 89 00 0D 14 00 93 75 A9 00 4C 96  0x89  CEX  Retail or  SHOP  Kiosk - Australia & New Zealand / CECH 0x0D CECH40xx (MPX-001/MSX-001)
  • Chasis check speculation (bytes 9th and 10th):
    • 9th byte (most common: 0x04, 0x10, 0x14, 0xF4... and 03 in the "Dummy IDPS")
      • First nibble values: 0, 1, or F
      • Second nibble values: 0, or 4 (3 in the "Dummy IDPS")
    • 10th byte
      • First nibble values: 0, 1, or 2 (F in the "Dummy IDPS")
      • Second nibble values: too random to find a pattern (F in the "Dummy IDPS")
  • Next 6 bytes speculation
    • 11th and 12th: (FF in the "Dummy IDPS")
    • 13th, 14th, 15th, 16th: per console identifyer ?
IDPS 6th
byte
Target ID 8th
byte
PS3 Model Notes
 00 00 00 01 00 80 00 01 xx xx xx xx xx xx xx xx  0x80  NOT IN USE  0x01 DECHAS00A/J (COK-001) -
 00 00 00 01 00 82 00 01 xx xx xx xx xx xx xx xx  0x82  DEX   AV TEST   DTCP-IP  Debug / AV Tool / DTCP-IP Debugger / DECH / DECHS 0x01 DECHA00A/J (COK-001) -
 00 00 00 01 00 8A 00 01 xx xx xx xx xx xx xx xx  0x8A  CEX  Retail or  SHOP  Kiosk - South Asia / CECH 0x01 CECHA (COK-001) -
 00 00 00 01 00 8B 00 01 xx xx xx xx xx xx xx xx  0x8B  CEX  Retail or  SHOP  Kiosk - Taiwan / CECH 0x01 CECHA (COK-001) -
 00 00 00 01 00 83 00 01 xx xx xx xx xx xx xx xx  0x83  CEX  Retail or  SHOP  Kiosk - Japan / CECH 0x01 CECHA (COK-001) -
 00 00 00 01 00 86 00 04 xx xx xx xx xx xx xx xx  0x86  CEX  Retail or  SHOP  Kiosk - Korea / CECH 0x04 CECHE (COK-002/COK-002W) -
 00 00 00 01 00 88 00 04 xx xx xx xx xx xx xx xx  0x88  CEX  Retail or  SHOP  Kiosk - Mexico / CECH 0x04 CECHE (COK-002/COK-002W) -
 00 00 00 01 00 8D 00 0C xx xx xx xx xx xx xx xx  0x8D  CEX  Retail or  SHOP  Kiosk - China / CECH 0x0C CECH30xx (KTE-001) -
 00 00 00 01 00 8F 00 0E xx xx xx xx xx xx xx xx  0x8F  CEX  Retail or  SHOP  Kiosk - Brazil / CECH 0x0E non existant -

IDPS Regex

0{7}10{2}8[456789ACE]000[6789ABCD][01F][04][0123][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF][0123456789ABCDEF]

Based on 300+ dumps

IDPS rms blogtext

You’re probably wondering: “What the hell is this sequence of bytes?”. This is the IDPS, a sequence of bytes which determine console type. This structure is relatively undocumented until now, anyway. The IDPS is contained in EID0. EID0 is on the console internal flash as the file eEID and has multiple sections. I had made a splitter application to make your life easier a long time ago. Now, EID is decrypted by metldr, and is passed over to the isolated loader, which may pass it to a self. We can see this in graf_chokolo’s original payload. The IDPS is also used in various other parts of the system which could be of interest to you, but I will not discuss those right now. The IDPS itself, isn’t decrypted.

The IDPS contains your target ID, motherboard? and BD? revision. The IDPS shown at the beginning of this article is the dummy IDPS, the one that’s used when your IDPS fails to be decrypted. That IDPS belongs to a DECR-1000A. The one below belongs to a European PS3, and the one below that belongs to a Australian/NZ PS3.

Source: http://rmscrypt.wordpress.com/2011/05/16/idps-what-the-hell-is-that-thing/

Note: The Reference Tool IDPS from above is static. aim_iso uses it. Retail/3.55 doesn't have it.

Change HWID

Theory: If you give a slim console a fat IDPS, would that console have 3.15 OtherOS functionality?

I would say it would, because most likely the check is done in firmware to either en/disable that option. However, it would still require a console that can be downgraded to that version (only CECH-20../DYN-001, because CECH-21../SUR-001 use different drivers for RSX). So classic OtherOS on a CellBE 45nm/RSX 40nm would be impossible (ofcourse you can use OtherOS++).

[Homebrew-App] PS3 Model Detection

http://www.ps3hax.net/2011/01/homebrew-app-ps3-model-detection/

Dumping PS3 Model Data:

- PS3 System Target ID:     0x85	(Retail - Europe)
- PS3 Motherboard Revision: 0x0B	(JTP-001 Motherboard, Revision 1)
- PS3 BD-Laser Revision:    0x04	(KES-400, SACD supported)

Probable Model: CECH-2504A

Raw Model Data:

  Byte 0:		0x00
  Byte 1:		0x01
  Byte 2:		0x00
  Byte 3:		0x85
  Byte 4:		0x00
  Byte 5:		0x0B
  Byte 6:		0x00
  Byte 7:		0x04

footnotes:

  • '7th byte of IDPS' is not Bluray Drive (it was misunderstood at that time). You can see it in the example where it names incorrectly a CECH-25xx as Super Audio CD compatible with a KES-400 laserslide (which in real life has either KES-460A or KES-470A without daughterboard (swap can be done without remarry).
  • also, it named bytes 0-2 "Byte 0", byte 3 "Byte 1", byte 4 "Byte 2", byte 5 "Byte 3", byte 6 "Byte 4", byte 7 "Byte 5", byte 8 "Byte 6", byte 9 "Byte 7" etc.

[Homebrew-App] IDPS Viewer

http://www.tortuga-cove.com/hacking/31-ps3/8396-released-idps-viewer

  • Displays the IDPS
  • Shows Target ID
  • Displays Motherboard revision
  • Save IDPS (16 bytes from EID) in dev_hdd0/IDPS.bin file

hypothesis

the way i see it:
00 00 00 01 <- magic
00 89 <- target id
00 0B <- Model type
14 00 <- chassis check
EF DD <- unk1, FF FF in Dummy IDPS
CA 25 <- unk2
52 66 <- unk3