ReDRM / Piracy dongles
Description
The dongle acts as DRM for the firmware: the firmware's 'special' functionality checks for the dongle and does not work without it. Content discs contain fself'ed EBOOT.BINs.
Downloads
- MFW: Jailbreak2.CFW.rar (172.34 MB)
- Dongle Updater: JB2.Dongle.Updater.rar (2.1 MB)
FW Info
PS3 System Software MFW 3.55-Dongle (Jailbreak2.CFW)
- filedate: July 13 2011 2:08:58
- size: 174639 KB
- MD5: 43C522F8897D77B6165F95BCF3409090
- SHA1: A64B010DB98996C7E53768D37D4D346F271D5950
- CRC32: A32FDD1D
- CRC16: 6420
- HMAC_SHA1: 0x88EF9FEB9BB80ABE7CF68EB3BD76148F7AD6230C
- Remarks: needs JB2 dongle as DRM
PUP file information
- Package version: 1
- Image version: 47517
- File count: 7
- Header length: 528
- Data length: 178829542
- PUP file hash: 88EF9FEB9BB80ABE7CF68EB3BD76148F7AD6230C

File | Entry id | Filename | Data offset | Data length | File hash |
---|---|---|---|---|---|
0 | 0x100 | version.txt | 0x210 | 13 | 8E533875E1B43B6CBAF5E91663EB7554107B5509 |
1 | 0x101 | license.xml | 0x21D | 267513 | B77EFE54859738385DD803E88FB5E807FF1BC6AB |
2 | 0x103 | update_flags.txt | 0x41716 | 5 | FD7C893936FDFC668922BE6D119A462111B2BBDB |
3 | 0x200 | ps3swu.self | 0x4171B | 5661656 | C61DDE12E75C2218214700D7D49006583F1B968B |
4 | 0x201 | vsh.tar | 0x5A7AF3 | 10240 | D9B66E0D2845D71A67D76E7907AB06368CE61E08 |
5 | 0x202 | dots.txt | 0x5AA2F3 | 3 | 1AA4749D0EE0D0AE937FBF73BC4B9ACD352F732A |
6 | 0x300 | update_files.tar | 0x5AA2F6 | 172890112 | 93A7A95BFCFC263DCB4A18477062FDCC72BE47A0 |
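The listing above is what a parser of the PUP header yields: the header fields, then one file entry and one hash entry per file. The following is an added example for this page (not code from the page or from any PS3 tooling it links) that parses a PUP header into those fields, bounds- and overlap-checks every entry, and verifies the per-file and header HMAC-SHA1 hashes. It assumes the publicly documented PUP layout (big-endian; 0x30-byte header, 0x20-byte file entries, 0x20-byte hash entries, 0x20-byte header-hash slot), which is consistent with the header length of 528 for 7 files above. The HMAC key is not on this page, so it is a parameter; the built-in demo uses a constructed key and constructed files.

```python
"""Parse and verify a PS3 PUP update package header (added example).

Layout assumed (publicly documented PUP format, big-endian):
  0x00  magic "SCEUF\0\0\0"       0x08 package_version   0x10 image_version
  0x18  file_count                0x20 header_length     0x28 data_length
  then file_count file entries  (entry_id, data_offset, data_length, pad)
  then file_count hash entries  (entry_id, 20-byte HMAC-SHA1, pad)
  then a 0x20-byte slot holding the HMAC-SHA1 of everything before it.
The HMAC key is not on this page; callers supply it.
"""
import hashlib
import hmac
import struct

PUP_MAGIC = b"SCEUF\x00\x00\x00"
HEADER_LEN = 0x30
ENTRY_LEN = 0x20
TRAILER_LEN = 0x20          # header-hash slot: 20-byte digest, zero padded

# Entry id -> file name, as listed for Jailbreak2.CFW on this page.
ENTRY_NAMES = {
    0x100: "version.txt", 0x101: "license.xml", 0x103: "update_flags.txt",
    0x200: "ps3swu.self", 0x201: "vsh.tar", 0x202: "dots.txt",
    0x300: "update_files.tar",
}


def parse_pup(blob):
    """Return header fields and file entries; raise ValueError on a malformed header."""
    if len(blob) < HEADER_LEN or blob[:8] != PUP_MAGIC:
        raise ValueError("not a PUP (bad magic or too short)")
    pkg_ver, img_ver, count, hdr_len, data_len = struct.unpack(">5Q", blob[8:HEADER_LEN])
    if hdr_len != HEADER_LEN + 2 * count * ENTRY_LEN + TRAILER_LEN:
        raise ValueError("header length does not match file count")
    if hdr_len + data_len > len(blob):
        raise ValueError("truncated: header claims more data than present")
    entries = []
    for i in range(count):
        fo = HEADER_LEN + i * ENTRY_LEN
        eid, off, length, _pad = struct.unpack(">4Q", blob[fo:fo + ENTRY_LEN])
        ho = HEADER_LEN + (count + i) * ENTRY_LEN
        hid = struct.unpack(">Q", blob[ho:ho + 8])[0]
        if hid != eid:
            raise ValueError("hash table entry %d does not match file entry" % i)
        # Bounds check: every file must lie inside the declared data region.
        if off < hdr_len or off + length > hdr_len + data_len:
            raise ValueError("entry 0x%x points outside the data region" % eid)
        entries.append({"id": eid, "name": ENTRY_NAMES.get(eid, "entry_%x" % eid),
                        "offset": off, "length": length,
                        "hash": blob[ho + 8:ho + 28]})
    # Overlap check: sorted by offset, each file must start at or after the previous end.
    by_off = sorted(entries, key=lambda e: e["offset"])
    for a, b in zip(by_off, by_off[1:]):
        if a["offset"] + a["length"] > b["offset"]:
            raise ValueError("entries 0x%x and 0x%x overlap" % (a["id"], b["id"]))
    return {"package_version": pkg_ver, "image_version": img_ver,
            "file_count": count, "header_length": hdr_len,
            "data_length": data_len, "entries": entries,
            "header_hash": blob[hdr_len - TRAILER_LEN:hdr_len - TRAILER_LEN + 20]}


def verify_pup(blob, key):
    """Map each entry name to True/False for its HMAC-SHA1, plus 'header' for the header hash."""
    pup = parse_pup(blob)
    results = {}
    for e in pup["entries"]:
        data = blob[e["offset"]:e["offset"] + e["length"]]
        calc = hmac.new(key, data, hashlib.sha1).digest()
        results[e["name"]] = hmac.compare_digest(calc, e["hash"])
    signed = blob[:pup["header_length"] - TRAILER_LEN]
    results["header"] = hmac.compare_digest(
        hmac.new(key, signed, hashlib.sha1).digest(), pup["header_hash"])
    return results


def build_pup(files, key, package_version=1, image_version=47517):
    """Build a PUP from [(entry_id, bytes)], laying the files out contiguously
    after the header, as the offsets on this page show (0x210 + 13 = 0x21D, ...)."""
    count = len(files)
    hdr_len = HEADER_LEN + 2 * count * ENTRY_LEN + TRAILER_LEN
    data = b"".join(d for _, d in files)
    head = PUP_MAGIC + struct.pack(">5Q", package_version, image_version,
                                   count, hdr_len, len(data))
    off, fe, he = hdr_len, b"", b""
    for eid, d in files:
        fe += struct.pack(">4Q", eid, off, len(d), 0)
        he += struct.pack(">Q", eid) + hmac.new(key, d, hashlib.sha1).digest() + b"\x00" * 4
        off += len(d)
    signed = head + fe + he
    return signed + hmac.new(key, signed, hashlib.sha1).digest() + b"\x00" * 12 + data


# Constructed demo inputs (not the real key or real update files).
DEMO_KEY = b"constructed-test-key-not-the-real-one"
DEMO_FILES = [(0x100, b"3.55-Dongle\r\n"), (0x103, b"0\r\n"), (0x202, b"...")]

if __name__ == "__main__":
    blob = build_pup(DEMO_FILES, DEMO_KEY)
    for e in parse_pup(blob)["entries"]:
        print("%-18s offset 0x%x length %d" % (e["name"], e["offset"], e["length"]))
    print(verify_pup(blob, DEMO_KEY))
```

Checking a real package would be `verify_pup(open("PS3UPDAT.PUP", "rb").read(), key)`; any `False` in the result, or a `ValueError` from the structural checks, means the package is not what its header claims.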
Content discs
EBOOT.BIN details
SELF header
- elf #1 offset: 00000000_00000090
- header len: 00000000_00000a80
- meta offset: 00000000_000004a0
- phdr offset: 00000000_00000040
- shdr offset: 00000000_002117f8
- file size: 00000000_0021150c
- auth id: 10100000_01000003 (Unknown)
- vendor id: 01000002
- info offset: 00000000_00000070
- sinfo offset: 00000000_00000290
- version offset: 00000000_00000390
- control info: 00000000_000003c0 (00000000_00000100 bytes)
- app version: 1.0.0
- SDK type: Devkit
- app type: NP-DRM application
Control info
- control flags: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- file digest: 62 7c b1 80 8a b9 38 e3 2c 8c 09 17 08 72 6a 57 9e 25 86 e4 f1 95 cf a4 c0 04 0f c9 14 de 1f 9a 21 4e 10 ca 6b a6 8c 86
- NPDRM info:
  - magic: 4e504400
  - unk0: 00000001
  - unk1: 00000003
  - unk2: 00000001
  - content_id: IV0002-NPXS00020_00-TEST000000000001
  - digest: 09 37 f1 32 60 b9 70 02 76 9e e4 0f 7b 10 70 0f
  - invdigest: f6 c8 0e cd 9f 46 8f fd 89 61 1b f0 84 ef 8f f0
  - xordigest: 5c 62 a4 67 35 ec 25 57 23 cb b1 5a 2e 45 25 5b
Section header
offset | size | compressed | unk1 | unk2 | encrypted |
---|---|---|---|---|---|
00000000_00000a80 | 00000000_00209dc0 | [NO ] | 00000000 | 00000000 | [NO ] |
00000000_00210a80 | 00000000_000005b0 | [NO ] | 00000000 | 00000000 | [NO ] |
00000000_00211030 | 00000000_00000000 | [NO ] | 00000000 | 00000000 | [NO ] |
00000000_00211030 | 00000000_00000000 | [NO ] | 00000000 | 00000000 | [NO ] |
00000000_00211030 | 00000000_00000000 | [NO ] | 00000000 | 00000000 | [NO ] |
00000000_00210df8 | 00000000_00000004 | [NO ] | 00000000 | 00000000 | [N/A] |
00000000_0020a7e0 | 00000000_00000020 | [NO ] | 00000000 | 00000000 | [N/A] |
00000000_0020a800 | 00000000_00000040 | [NO ] | 00000000 | 00000000 | [N/A] |
Encrypted Metadata
None: fselfs carry no encrypted metadata.
ELF header
- type: Executable file
- machine: PowerPC64
- version: 1
- phdr offset: 00000000_00000040
- shdr offset: 00000000_00210e08
- entry: 00000000_002200f0
- flags: 00000000
- header size: 00000040
- program header size: 00000038
- program headers: 8
- section header size: 00000040
- section headers: 28
- section header string table index: 27
FW analysis
FW Changes
Compared to OFW 3.55: ofw-vs-jb2.rar (4.18 MB)
EULA.xml
<str id="msg_updater_10">This update will install PS3 system software version 3.55, modified to support homebrew software and the disc dongle.</str>
Version.txt
3.55-Dongle
CORE_OS_PACKAGE.pkg
lv1.self
Just one patch:
Offset(h) | OFW | JB2 |
---|---|---|
000F5A40 | 39 20 00 00 (li r9,0) | 39 20 00 01 (li r9,1) |
This patch is in lv1_map_htab and allows RW mapping of all RAM. It is the only static patch in the file; how many further lv1 patches are applied at runtime is unknown.
lv2_kernel.self
dev_flash_010.tar.aa.2010_11_27_051337
\dev_flash\vsh\module\nas_plugin.sprx
Offset(h) | OFW | JB2 |
---|---|---|
00003250 | 7C 60 1B 78 (mr r0,r3) | 38 00 00 00 (li r0,0) |
00037350 | 41 9E 00 4C (beq- cr7,4c) | 60 00 00 00 (nop) |
"standard pkg patches"
dev_flash_016.tar.aa.2010_11_27_051337
\dev_flash\vsh\resource\explore\xmb\category_game.xml
\dev_flash\vsh\resource\explore\xmb\category_video.xml
Hardware Dongle
Components
Actel ProASIC3 A3P250 - FPGA
- A3P250 = 250,000 System Gates
- (blank) = Speed Grade: Standard
- VQ = Package Type: Very Thin Quad Flat Pack (0.5mm pitch)
- G = Lead-Free Packaging: RoHS-Compliant (Green)
- 100 = Package Lead Count: 100 pins
- (blank) = Security Feature: no IP license
- (blank) = Temperature Range: Commercial (0°C to +70°C Ambient Temperature)
128-bit AES
1,024 bits of user flash memory
Datasheets and user manuals: http://www.actel.com/products/pa3/docs.aspx#ds
Family root: http://www.actel.com/products/pa3/
Pinout A3P250 VQ100
Pin | Function | Notes |
---|---|---|
1 | GND | Ground |
2 | GAA2/IO118UDB3 | |
3 | IO118VDB3 | |
4 | GAB2/IO117UDB3 | |
5 | IO117VDB3 | |
6 | GAC2/IO116UDB3 | |
7 | IO116VDB3 | |
8 | IO112PSB3 | |
9 | GND | Ground |
10 | GFB1/IO109PDB3 | |
11 | GFB0/IO109NDB3 | |
12 | VCOMPLF | |
13 | GFA0/IO108NPB3 | |
14 | VCCPLF | |
15 | GFA1/IO108PPB3 | |
16 | GFA2/IO107PSB3 | |
17 | VCC | |
18 | VCCIB3 | |
19 | GFC2/IO105PSB3 | |
20 | GEC1/IO100PDB3 | |
21 | GEC0/IO100NDB3 | |
22 | GEA1/IO98PDB3 | |
23 | GEA0/IO98NDB3 | |
24 | VMV3 | |
25 | GNDQ | Ground |
26 | GEA2/IO97RSB2 | |
27 | GEB2/IO96RSB2 | |
28 | GEC2/IO95RSB2 | |
29 | IO93RSB2 | |
30 | IO92RSB2 | |
31 | IO91RSB2 | |
32 | IO90RSB2 | |
33 | IO88RSB2 | |
34 | IO86RSB2 | |
35 | IO85RSB2 | |
36 | IO84RSB2 | |
37 | VCC | |
38 | GND | Ground |
39 | VCCIB2 | |
40 | IO77RSB2 | |
41 | IO74RSB2 | |
42 | IO71RSB2 | |
43 | GDC2/IO63RSB2 | |
44 | GDB2/IO62RSB2 | |
45 | GDA2/IO61RSB2 | |
46 | GNDQ | Ground |
47 | TCK | |
48 | TDI | |
49 | TMS | |
50 | VMV2 | |
51 | GND | Ground |
52 | VPUMP | |
53 | NC | |
54 | TDO | |
55 | TRST | |
56 | VJTAG | |
57 | GDA1/IO60USB1 | |
58 | GDC0/IO58VDB1 | |
59 | GDC1/IO58UDB1 | |
60 | IO52NDB1 | |
61 | GCB2/IO52PDB1 | |
62 | GCA1/IO50PDB1 | |
63 | GCA0/IO50NDB1 | |
64 | GCC0/IO48NDB1 | |
65 | GCC1/IO48PDB1 | |
66 | VCCIB1 | |
67 | GND | Ground |
68 | VCC | |
69 | IO43NDB1 | |
70 | GBC2/IO43PDB1 | |
71 | GBB2/IO42PSB1 | |
72 | IO41NDB1 | |
73 | GBA2/IO41PDB1 | |
74 | VMV1 | |
75 | GNDQ | Ground |
76 | GBA1/IO40RSB0 | |
77 | GBA0/IO39RSB0 | |
78 | GBB1/IO38RSB0 | |
79 | GBB0/IO37RSB0 | |
80 | GBC1/IO36RSB0 | |
81 | GBC0/IO35RSB0 | |
82 | IO29RSB0 | |
83 | IO27RSB0 | |
84 | IO25RSB0 | |
85 | IO23RSB0 | |
86 | IO21RSB0 | |
87 | VCCIB0 | |
88 | GND | Ground |
89 | VCC | |
90 | IO15RSB0 | |
91 | IO13RSB0 | |
92 | IO11RSB0 | |
93 | GAC1/IO05RSB0 | |
94 | GAC0/IO04RSB0 | |
95 | GAB1/IO03RSB0 | |
96 | GAB0/IO02RSB0 | |
97 | GAA1/IO01RSB0 | |
98 | GAA0/IO00RSB0 | |
99 | GNDQ | Ground |
100 | VMV0 | |
24.000 MHz Crystal
CLK for Actel
AMS1117 2.851049 - Low Dropout Linear Regulator
Datasheet: http://www.sltdigital.com/product/product_pdf/AMS1117.pdf / http://home1.cyber-labo.co.jp/board/goods/pdf/AMS1117.pdf
[Image: AMS1117 - SOT-223]
Unidentified Winbond 8-pin IC
Possibly an EEPROM similar to: http://www.ps3devwiki.com/index.php?title=Flash_%28Hardware%29#Renesas_HN58X2504TIE_.28EEPROM.29
Dongle Updater PKG
SHA1: 4066FFEFD723FAF08EB84A62F4AA38180C40129C // MD5: 0200689D58FCA0FC51F7B738C33A5DC9 // CRC32: 4D72836 // CRC16: 8A62
Unpkg/unself'ed: dongle-updater.pkg.out.rar (2.03 MB)
Plaintext visible in the unself'ed eboot.bin: http://pastebin.com/EFQczE2r (interesting note: it uses /dev_hdd0/vsh/tmp.bin as a temporary file for the payload)
Payload
Located in the unself'ed eboot.bin at offset 0x84F0 (0x200000 bytes, from the two end offsets below):

eboot offset | payload offset | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ASCII |
---|---|---|---|
000084F0 | 00000000 | 09 02 12 00 01 00 00 80 FA 09 04 00 00 00 FE 01 | .......€ú.....þ. |
... | ... | ... | ... |
002084E0 | 001FFFF0 | EB 3B 01 F7 6F A9 CF 3C B6 EB 89 82 7D E6 7D 3B | ë;.÷o©Ï<¶ë‰‚}æ}; |
SHA1: 43402D6FE2ECE43EBE91531EFA07C366D46DD121 // MD5: BA5AFAB174BF6003D41AC8951301B822 // CRC32: 248284D2 // CRC16: 8C78
lv2 dump
Payload as found decrypted in an LV2 dump at 0x7f0000; descriptor layout:
Start Offset | End Offset | descriptor | Description |
---|---|---|---|
00000000 | 00000FFF | 0 | 3.41 |
00001000 | 00001FFF | 1 | 3.41 |
00002000 | 00002FFF | 2 | 3.41 |
00003000 | 00003FFF | 3 | 3.41 |
00004000 | 00007FFF | 4 | |
00008000 | 00008FFF | 5 | |
00009000 | 0000BFFF | 6 | |
0000C000 | 0000CFFF | 7 | |
0000D000 | 0000DFFF | 8 | |
0000E000 | 0000FFFF | 9 | |
00010000 | 00013FFF | a | |
00014000 | 0001BFFF | b | |
0001C000 | 0001C00F | c | |
0001C010 | 0001C01F | d | |
0001C020 | 0001C03F | e | |
0001C040 | 0001C05F | f | |
0001C060 | 0001C06F | 10 | |
0001C070 | 0001C07F | 11 | |
0001C080 | 0001C09F | 12 | |
0001C0A0 | 000A1A7F | 13 | |
000A1A80 | 000B039F | 14 | |
000B03A0 | 001736FF | 15 | |
00173700 | 00189D5F | 16 | |
00189D60 | 001FFFFF | 17 | |