User talk:Zecoxao
Jump to navigation
Jump to search
The Last Piece of the Puzzle
- http://www.psdevwiki.com/ps3/Syscon_Hardware (<SW-301)
- http://www.psdevwiki.com/ps3/Service_Connectors (Diag/Backup Mode, <3rd Generation)
- http://www.psdevwiki.com/ps3/Talk:Syscon_Hardware#Backup_Mode_.2F_Diag
- http://www.psdevwiki.com/ps3/Talk:Service_Connectors
- http://www.ps3devwiki.com/ps3/Cell_Configuration_Ring
- http://www.psdevwiki.com/ps3/SIG_File_Format
- http://i.imgur.com/xQizq0K.png
- http://www.psdevwiki.com/ps3/images/a/ac/TMU-520_1-871-645-11_A_Detail_3_%28SYSCON%29.jpg
- http://www.psdevwiki.com/ps3/File:PS3_Service_Connector_1st_Generation_COK-001.png
- http://en.wikipedia.org/wiki/ARM7#ARM7TDMI
- http://www.fpga4fun.com/images/JTAG_TAP.gif
- http://hsb.wikidot.com/arduino-jtag-finder-workshop
- https://www.youtube.com/watch?v=Up0697E5DGc
- http://urjtag.org/
- http://i.imgur.com/O10hqAK.png
- http://pastie.org/private/grd5u9izjlglkult64rta
- http://psx-scene.com/forums/f149/brick-recovery-research-74903/index37.html#post786487
- http://i.imgur.com/o9R0YjJ.jpg
- https://www.sendspace.com/file/qzq6a4 (Patent Explaining DECR SYSCON)
- https://imgur.com/a/pR0a4 (Messages from mullion indicating erasing of User Program Area before updating)
Vita Shennanigans
BGA Test Pins (for 100 and 64 pin config) 100-pin: TOOL0 D8 TOOL1 E7 FLMD0 F9 RESET G9 64-pin TOOL0 D6 TOOL1 E6 FLMD0 E8 RESET E7 CL Pad to Syscon (IRS-002) (78K0R) F5 F6 F9 F10 G10 H1 H4 J3 J10
DYN-001 Shennanigans
- https://imgur.com/OJbWsPZ
- https://imgur.com/z5zhedg
- VDD Feeds to 5 different pins, as opposed to ARM BGA VDD.
- Needs a large number of samples and a proper alignment
- https://www.sendspace.com/file/lofkfo
PSP Shennanigans
D780032AY (TMU-001/TMU-002) ROM: 16 KB, RAM: 512 B (see D790019) D790019 (TA-079/TA-081) ROM RAM D780021AY/D780031AY 8 KB 512 B D780022AY/D780032AY 16 KB 512 B D780023AY/D780033AY 24 KB 1 KB D780024AY/D780034AY 32 KB 1 KB D78F0034AY/D78F0034BY 32 KB 1 KB Tools: IE-78K0-NS, IE-78K0-NS-A, IE-78K0-NS-PA, IE-780034-NS-EM1, IE-78001-R-A, IE-78K0-R-EX1, PG-FP3, PG-FP4 D79F0036 (TA-082/TA-086) ROM RAM ERAM D78F0531/D78F0531A 16 KB 768 B - D78F0532/D78F0532A 24 KB 1 KB - D78F0533/D78F0533A 32 KB 1 KB - D78F0534/D78F0534A 48 KB 1 KB 1 KB D78F0535/D78F0535A 60 KB 1 KB 2 KB D78F0536/D78F0536A 96 KB 1 KB 4 KB D78F0537/D78F0537A 128 KB 1 KB 6 KB D78F0537D/D78F0537DA 128 KB 1 KB 6 KB Tools: QB-78K0KX2, QB-MINI2, E1, E20, PG-FP4, PG-FP5, PG-FP6 D79F???? (TA-085) "custom" 84-pin 78K0 based on D79F0036 (see D79F0036) Service/Debug Testpoints TA-081 TA-082/TA-086 TA-085 CL3001 VDD VDD VDD CL3002 RxD RxD RxD CL3003 TxD TxD TxD CL3004 IC/VPP FLMD0 FLMD0 CL3005 RESET RESET RESET CL3006 GND OCD0B OCD0B CL3007 - OCD0A OCD0A CL3008 - VDD (R3037) - CL3009 - GND GND CL3010 - P01 - CL3011 - P22 - CL3012 - CPU_RESET - CL3013 - LEPTON_RST - CL3014 - POMMEL_ALERT -
How
By enabling diagnostic mode on the ps3, we can enable the use of JTAG again (it's temporarily disabled when diag mode isn't set)falseIt is possible to dump the syscon firmware using this method (in unencrypted state)falseThe JTAG registers/TAP-controllers need to be bruteforced / reverse engineeredfalseThe leaked service manuals present information about the pins connected to the JigPinfalseThe ObjectiveSuite contains an object (DIAGSERVICE) used to diagnose the ps3 using JTAGfalseUsing a DIY JigPin would facilitate the task, but we still need more info about the hardware and software interface used by ObjectiveSuite to handle this.falseThis would probably work on ps4 too (provided that the diag pin and the JTAG pins still exist)false- f0f's method is a viable way to get the ROM from later syscons
- tx function can be produced and it's not required for bruteforcing
- ocd flag is located somewhere in the second SFR area (which covers 0x800 bytes, minus already documented flags)
- code base is located somewhere in the backup ram ( 0x800 bytes) or in the second SFR area (0x800 bytes)
- second SFR area ranges from 0xF0000 to 0xF0800
- backup ram ranges from 0xF0800 to 0xF1000
- ocd flag is likely 0xF07F5 since the other SFRs are the same from RL78 to 78K0R
- 486 registers from the 2nd SFR range are publically documented (https://www.youtube.com/watch?v=FdveKrmoA7E)
- 1562 registers are not documented (0xF01E7 - 0xF07FF)
- minimum scan area would be 0xE1A bytes (covering code base only and assuming ocd flag is the known value of 0xF07F5)
- maximum scan area would be 0x55FC8A bytes (same as above and assuming ocd flag isn't known (times 0x619 bytes)
- assuming that the code base is in the 2nd SFR area on RL78 and that the two devices are very similar, we could narrow down the minimum scan area to 0x61A bytes
- IC4002 is sony's syscon naming in oficial service docs
//TX FUNC, 78K0R CASE //TAKING NOTE THAT PS3 SYSCON is uPD78F11XX, where X is A, B or C //ASIM -> 0xFFF8C //TXS -> 0xFFF8F <pre> ROM:000EFF05 set1 byte_FFF8C.7 ROM:000EFF08 nop ROM:000EFF09 mov byte_FFF8F, a ROM:000EFF0B ROM:000EFF0B loc_EFF0B: ; CODE XREF: ROM:loc_EFF0B↓j ROM:000EFF0B bf byte_FFF8B.0, loc_EFF0B ROM:000EFF0F mov byte_FFF8B, #0 ROM:000EFF12 clr1 byte_FFF8C.7 ROM:000EFF15 ret
- OCD Flag at 0xF07EC
- Entry Point at 0xF07F0
- All SW Models use 0xFFF as block size (SW, SW2, SW3)
- SW Uses 0x80000 as total ROM size. SW2,SW3 use 0xC0000 as total rom size
- To use block related commands, one must send signature check command before sending the block check/erase/program command
- 0xFFFFFED0(IV error?) 0xFFFFFED1 (hash error?) 0xFFFFFED2 (magic error)
To wikify
- Wikify begin (please wait...)
- Roxanne, if you could also take care of these : http://pastebin.com/s75FzYxd , that would be awesome (i'm not sure what happened to eussNL so, i leave it on your hands.)
- When I get my left hand back, then we can check this out together. Roxanne
request_idps generated files binary xor
Note: files are padded 8 bytes at start, for convenience
Wii Key/IV Goodness
Type | Key | Description |
---|---|---|
Key | 9258A75264960D82676F904456882A73 | Boot1 Decryption Key |
IV | 00000000000000000000000000000000 | Boot1/2 Decryption IV |
Key | A1604A6A7123B529AE8BEC32C816FCAA | Boot2 Decryption Key (Devel) |
Key | EBE42A225E8593E448D9C5457381AAF7 | Boot2 Decryption Key (Prod) |
Wii U Key/IV Goodness
Switch Key/IV Goodness
Type | Key | SHA1/SHA256 | Status | Description |
---|---|---|---|---|
AES-CTR | key:F4ECA1685C1E4DF77F19DB7B44A985CA | sha1:8C98FF409724784DDF3E3D39B60B25B7087FF537 | Valid | stage1_key_00 |
AES-128-ECB | key:C2CAAFF089B9AED55694876055271C7D | sha1:4A98D62FF6EC0A042B7592219200E37DD9603479 | Valid | package1_key_00 |
AES-128-ECB | key:54E1B8E999C2FD16CD07B66109ACAAA6 | sha1:8CEC47B1B3974EED32C03B11A9DE0133D9E0F00B | Valid | master_key_01 |
AES-128-ECB | key:4F6B10D33072AF2F250562BFF06B6DA3 | sha1:ADD1D37E4A5C540AEEEF4050A2AB98E8B0DC1D04 | Valid | master_key_02 |
AES-CTR | key:A35A19CB14404B2F4460D343D178638D | sha1:4D64731F7AFA031C7EEAE3EB2F462D55FF8FF5AE | Valid | package2_key_00 |
Kernel | - | sha1:124BEFB2895BBA4DB1726485DAF6684B33EF5F51 | Valid | 1.00 Encrypted Kernel |
System Modules | - | sha1:96BF598BD162D5D8C87F2B25741F758F47730C88 | Valid | 1.00 Encrypted System Modules |
Modulus |
B36554FB0AB01E85A7F6CF918EBA9699 0D8B91692AEE01204F345C2C4F4E37C7 F10BD4CDA17F93F13359CEB1E9DD26E6 F3BB7787467AD64E474AD141B7794A38 066ECF618FCDC1400BFA26DCC0345183 D93B11543B9627329A95BE1E681150A0 6B10A8838BF5FCBC90847A5A5C4352E6 C826E9FE06A08B530FAF1EC41C0BCF50 1AA4F35CFBF097E4DE320A9FE35AAAB7 447F5C3360B90F222D332AE969793142 8FE43A138BE726BD08876CA6F273F68E A7F2FEFB6C28660DBDD7EB42A878E6B8 6BAEC7A9E2406E892082258E3C6A60D7 F3568EEC8D518A633C0478230E900CB4 E7863B4F8E130947320E04B84D5BB046 71B05CF4AD634FC5E2AC1EC43396097B |
sha1:F847ED0465C0DFDCD2C28B3E1A6DA0C0F01FBBC5 | Valid | Public Debug |
Modulus |
8D13A7776AE5DCC03B25D058E4206959 554BAB7040082807A8A7FD0F312E11FE 47A0F99DDF80DB865A2789CD976C85C5 6C397F41F2FF2420C395A6F79D4A4574 8B5D288AC699356885A56432809FD348 39A21D246769DF75AC12B5BDC32990BE 37E4A0809ABE36BF1F2CAB2BADF59732 9A429D098B08F06347A3E91B36D82D8A D7E1541195E44588698A2B35CED0A50B D55DACDBAF114DCAB81EE7019EF446A3 8A946D76BD8AC83BD231580C79A826E9 D1799CCBD42B6A4FC6CCCF90A7B99847 FDFA4C6C6F81873BCAB850F63E395D4D 973F0F353953FBFACDABA87A629A3FF2 0927963F079A91F716BFC63A825A4BCF 4950958C55807E39B148051E21C7244F |
sha1:A809E09F8BD790446B86F28B84A6D0F36481A245 | Valid | Public Retail |
Regarding Jokes
- Sorry, but it's difficult to distinguish Contributors with Spam Users, especially when you aren't logged in and when you log in to your account with different IP Addresses (and especially with this current Spam situation). It won't happen for a second time. Roxanne 21th December 2015 (18:12 GMT+1)
- It's ok, i should've logged, but i keep formatting my pc, so i always forget :) In the end it was my fault. Thanks for the feedback though Zecoxao
- OK and to answer your question regarding the newest DEX Firmwares, I'm on CEX but I'm still on this Firmware. Is this Good or Bad? :) (Roxanne 22th December 2015 (22:56 GMT+1)
- it'd be nice to test some psgroove on it :)
- http://www.psdevwiki.com/ps3/User:Not_Zecoxao is still needed?
- nope
- http://www.psdevwiki.com/ps3/User:Not_Zecoxao is still needed?
- it'd be nice to test some psgroove on it :)
- OK and to answer your question regarding the newest DEX Firmwares, I'm on CEX but I'm still on this Firmware. Is this Good or Bad? :) (Roxanne 22th December 2015 (22:56 GMT+1)
- It's ok, i should've logged, but i keep formatting my pc, so i always forget :) In the end it was my fault. Thanks for the feedback though Zecoxao