Talk:IDPS: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 1: Line 1:
<mysis> after model type....in short it was right-shift 10d / 0xA
=== IDPS Examples ===
=== IDPS Examples ===


Line 6: Line 4:


{| class="wikitable sortable"
{| class="wikitable sortable"
! IDPS !! 6th<br />byte !! [[Product Code]] !! 8th<br />byte !! [[SKU Models|Product Sub Code]] !! Chassis Check !! Notes
! IDPS !! 6th<br />byte !! [[Product Code]] !! 8th<br />byte !! [[Product Sub Code]] !! Chassis Check !! Notes
|- bgcolor="#CCCCCC"
|- bgcolor="#CCCCCC"
| &nbsp;<code>00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D</code>&nbsp; || {{TID81}} || 0x01 || [[DECR-1000|DECR-1000(A/J)]] / [[DEH-Z1010]] ([[TMU-520]]) || 03 FF || Static Dummy IDPS
| &nbsp;<code>00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D</code>&nbsp; || {{TID81}} || 0x01 || [[DECR-1000|DECR-1000(A/J)]] / [[DEH-Z1010]] ([[TMU-520]]) || 03 FF || Static Dummy IDPS
Line 211: Line 209:
|-
|-
|}
|}
=== Chassis Check ===
The Chassis Check seems to be still a secret, or at least it's not 100% clear what it represents. So my immediate question was of course: if it's not clear what this means, how does the scene even know that it's called "Chassis Check" at all? Where does this information come from?
Answer: according to the analysis of many different models of PSP, PS3, PSVita and PS4, it is clear that the only possible values are 0x3, 0x4, 0xC, 0x10, 0x14 and 0xF4.<br />
*Doing [https://en.wikipedia.org/wiki/Arithmetic_shift right shift] by 2 results in:
**0x3 >> 2 gives 0
**0x4 >> 2 gives 1
**0xC >> 2 gives 3
**0x10 >> 2 gives 4
**0x14 >> 2 gives 5
**the exception is 0xF4 >> 2 gives 61...
We clearly see that most of models released at the same period have the same Chassis Check, and we can see that the more the console is released late, so more it has a high Chassis Check.
And second: how is the current state (or former experience) with bruteforcing the IDPS from the IDPS hash of a PARAM.SFO file (second hash iirc). I mean most of the information is known so in the best case you chose your region and model and only have to bruteforce the last six bytes (if the Chassis Check was known better).
if the scene could establish some kind of standard or BF blueprint, like a blank PARAM.SFO of the PS3 singstar app, which should look the same on every console, someone could even work on a rainbow table for IDPS.<br />
just some thoughts from someone who just entered the PS3 dev scene, so don't be too harsh please ;)
* You can verify the IDPS of a PS3 console through 2 ways : param.sfo of savedata or HDD backup from PS3.
** wasn't there also the possibility to read some deviceid file from the PS Store app (given you got root access to the hdd, thanks to ps3xploit) ?
* the easiest would be of course param.sfo of savedata, by manually verifying a certain sha1-hmac made from the file PARAM.PFD with idps as key. you'd need to bruteforce at least 8 bytes (or almost 8 bytes, if you could take care of all the possibilities for Chassis Check)
** exactly, i was just looking into that and did a small PoC in c#, which BFs my IDPS. But even with all optimizations (especially for C#) and running on all cores with parallelization it isn't really THAT fast. Moreover, I even cheated and only bruteforced the last six bytes of my (known) IDPS. It's currently still running xD.
* using openCL would help, because graphic cards are naturally faster than CPUs
** my idea, too. currently looking into that, but I never worked with openCL before and can't even find a hmac/sha1 kernel for openCL. like nobody every did that before ... ;) edit: https://searchcode.com/codesearch/view/45893397/ ?
but surely someone from the scene was or is already working on something like that? i basically search for people to share experiences or even try to build something together. anyone, bueller?
* nobody is working on it but I had the idea once. Btw, if you're thinking into profitting from this, I assure you I won't help you further xD. I guess you'll have to learn some openCL on the way :P
** wanted to look into opencl for quite some time now, anyways. there were more than one or two occasions where it would've come in handy down the road. oh and i'm absolutely not planning on making profit in any way with this, honest! perhaps we could continue this discussion somewhere more fitting? another dev from the scene told me, that the efnet channel would be a good place?
* i'm zecoxao on skype, notzecoxao on Twitter. Contact me if you wish :)
* Is this something that's still being looked into?  My old PS3 received the YLOD, however I have a hard drive backup of it, but not longer have the actual unit, but I do have a new PS3. I want to recover all my data to my new PS3, but need to be able to dump all the data from archive2.dat to create a fresh backup with all the data to restore to the new unit. Anyone have any suggestions or know of a way I could crack the IDPS used to encrypt my backup ?

Revision as of 09:57, 6 March 2020

IDPS Examples

The reason of why ordering the examples this way is because Product Code and Product Sub Code are known, and Chassis Check is the only thing left we can deduce from the examples...

IDPS 6th
byte
Product Code 8th
byte
Product Sub Code Chassis Check Notes
 00 00 00 01 00 81 00 01 03 FF FF FF 18 43 C1 4D  0x81  TOOL  Reference Tool or  SD  System Debugger / DECR 0x01 DECR-1000(A/J) / DEH-Z1010 (TMU-520) 03 FF Static Dummy IDPS
 00 00 00 01 00 84 00 01 04 00 F3 44 AC 4F 8D 2F  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x01 CECHA (COK-001) 04 00 (1)
 00 00 00 01 00 8A 00 01 10 00 52 BC C7 11 6D B2  0x8A  CEX  Retail or  SHOP  Kiosk - South Asia / CECH 0x01 CECHA (COK-001) 10 00 (4)
 00 00 00 01 00 84 00 01 10 19 15 0C 45 9F 1C 2A  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x01 CECHA (COK-001) 10 19 (4)
 00 00 00 01 00 84 00 01 10 1B 23 A2 EA C6 4D D0  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x01 CECHA (COK-001) 10 1B (4)
 00 00 00 01 00 84 00 02 10 01 15 ED DE D8 06 8B  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x02 CECHB (COK-001) 10 01 (4)
 00 00 00 01 00 85 00 03 10 00 3D F9 65 97 B6 EA  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x03 CECHC (COK-002) 10 00 (4)
 00 00 00 01 00 85 00 03 10 11 62 95 56 FF DB FD  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x03 CECHC (COK-002) 10 11 (4)
 00 00 00 01 00 A0 00 04 04 00 04 1B 13 AB 46 25  0xA0  ARC  Arcade / GECR 0x04 GECR-1100 (COK-002) 04 00 (1) (COK-002 without Bluetooth/Wifi)
 00 00 00 01 00 ?? 00 04 ?? ?? ?? ?? ?? ?? ?? ??  ? ? 0x04 CECHE ??
 00 00 00 01 00 85 00 05 04 00 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x05 CECHG (SEM-001) 04 00 (1)
 00 00 00 01 00 85 00 05 04 00 33 A3 44 9D 57 2B  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x05 CECHG (SEM-001) 04 00 (1)
 00 00 00 01 00 8C 00 05 10 00 D1 F3 55 2D DA BC  0x8C  CEX  Retail or  SHOP  Kiosk - Russia / CECH 0x05 CECHG (SEM-001) 10 00 (4)
 00 00 00 01 00 85 00 05 10 01 5F 01 12 FF 56 4F  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x05 CECHG (SEM-001) 10 01 (4)
 00 00 00 01 00 87 00 05 10 02 3A 2D 53 AF 66 28  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x05 CECHG (SEM-001) 10 02 (4)
 00 00 00 01 00 87 00 05 10 0A EE 67 DD 75 86 DA  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x05 CECHG (SEM-001) 10 0A (4) (original label stated CECHC model!)
 00 00 00 01 00 85 00 05 14 02 F7 06 9F 10 B6 22  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x05 CECHG (SEM-001) 14 02 (5)
 00 00 00 01 00 85 00 05 14 09 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x05 CECHG (SEM-001) 14 09 (5)
 00 00 00 01 00 85 00 05 14 0E F0 DF DC DD 5E 56  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x05 CECHG (SEM-001) 14 0E (5)
 00 00 00 01 00 84 00 05 F4 00 41 86 55 9B D3 52  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x05 CECHG (SEM-001) F4 00 (0)
 00 00 00 01 00 87 00 05 F4 01 E9 4F 17 DB D9 5D  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x05 CECHG (SEM-001) F4 01 (0)
 00 00 00 01 00 85 00 06 04 00 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x06 CECHH/CECHH (DIA-001) 04 00 (1)
 00 00 00 01 00 ?? 00 06 ?? ?? ?? ?? ?? ?? ?? ??  ? ? 0x06 CECHH/CECHH (DIA-001)
 00 00 00 01 00 85 00 07 04 00 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x07 CECHJ/CECHK (DIA-002) 04 00 (1)
 00 00 00 01 00 87 00 07 10 00 A3 15 8F 61 36 85  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x07 CECHJ/CECHK (DIA-002) 10 00 (4)
 00 00 00 01 00 85 00 07 14 02 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x07 CECHJ/CECHK (DIA-002) 14 02 (5)
 00 00 00 01 00 85 00 07 14 03 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x07 CECHJ/CECHK (DIA-002) 14 03 (5)
 00 00 00 01 00 A0 00 08 04 00 13 69 BC E4 78 80  0xA0  ARC  Arcade / GECR 0x08 GECR-1500 (VER-001) 04 00 (1) (VER-001 without Bluetooth/Wifi)
 00 00 00 01 00 85 00 08 10 05 52 88 E8 AF 75 0D  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001) 10 05 (4)
 00 00 00 01 00 85 00 08 10 07 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001) 10 07 (4)
 00 00 00 01 00 85 00 08 10 0C XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001) 10 0C (4)
 00 00 00 01 00 87 00 08 14 01 B7 A7 1F C8 3A EA  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001) 14 01 (5)
 00 00 00 01 00 89 00 08 14 01 01 06 1B 91 1C 5C  0x89  CEX  Retail or  SHOP  Kiosk - Australia & New Zealand / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001) 14 01 (5)
 00 00 00 01 00 85 00 08 14 08 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001) 14 08 (5)
 00 00 00 01 00 84 00 08 14 0B 80 7A 2E 4F AA C7  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001) 14 0B (5)
 00 00 00 01 00 84 00 08 14 11 D8 06 97 94 B6 80  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001) 14 11 (5)
 00 00 00 01 00 85 00 08 F4 01 AA 02 51 EE 33 7B  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x08 CECHL/CECHM/CECHP/CECHQ (VER-001) F4 01 (0)
 00 00 00 01 00 85 00 09 10 01 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001) 10 01 (4)
 00 00 00 01 00 85 00 09 10 0A 27 3E 8E 1D DF 65  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001) 10 0A (4)
 00 00 00 01 00 85 00 09 10 0B XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001) 10 0B (4)
 00 00 00 01 00 85 00 09 10 0D XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001) 10 0D (4)
 00 00 00 01 00 85 00 09 10 14 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001) 10 14 (4)
 00 00 00 01 00 85 00 09 10 1B 69 BD CA CC BE 85  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001) 10 1B (4)
 00 00 00 01 00 84 00 09 10 1C B0 13 5F 2C 17 AF  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x09 CECH20xx (DYN-001) 10 1C (4)
 00 00 00 01 00 85 00 09 10 1D XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001) 10 1D (4)
 00 00 00 01 00 85 00 09 10 22 4D 7A 32 A4 11 F4  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001) 10 22 (4)
 00 00 00 01 00 85 00 09 14 0C XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001) 14 0C (5)
 00 00 00 01 00 85 00 09 14 12 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001) 14 12 (5)
 00 00 00 01 00 85 00 09 F4 02 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x09 CECH20xx (DYN-001) F4 02 (0) Refurbished
 00 00 00 01 00 85 00 0A 14 03 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x0A CECH21xx (SUR-001) 14 03 (5)
 00 00 00 01 00 85 00 0A 14 05 67 A0 79 37 DC 17  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x0A CECH21xx (SUR-001) 14 05 (5)
 00 00 00 01 00 A0 00 0B 04 00 XX XX XX XX XX XX  0xA0  ARC  Arcade / GECR 0x0B GECR-2500 (JTP-001/JSD-001) 04 00 (1)
 00 00 00 01 00 85 00 0B 10 07 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x0B CECH25xx (JTP-001/JSD-001) 10 07 (4)
 00 00 00 01 00 85 00 0B 10 18 EC 96 E4 A8 BE EF  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x0B CECH25xx (JTP-001/JSD-001) 10 18 (4)
 00 00 00 01 00 8C 00 0B 14 00 E1 1D 11 03 C8 65  0x8C  CEX  Retail or  SHOP  Kiosk - Russia / CECH 0x0B CECH25xx (JTP-001/JSD-001) 14 00 (5) used by PS-Unban
 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  0x89  CEX  Retail or  SHOP  Kiosk - Australia & New Zealand / CECH 0x0B CECH25xx (JTP-001/JSD-001) 14 00 (5)
 00 00 00 01 00 85 00 0B 14 02 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x0B CECH25xx (JTP-001/JSD-001) 14 02 (5)
 00 00 00 01 00 85 00 0B 14 05 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x0B CECH25xx (JTP-001/JSD-001) 14 05 (5)
 00 00 00 01 00 89 00 0B 14 05 18 95 D3 EE D0 76  0x89  CEX  Retail or  SHOP  Kiosk - Australia & New Zealand / CECH 0x0B CECH25xx (JTP-001/JSD-001) 14 05 (5)
 00 00 00 01 00 87 00 0B 14 0C 84 81 81 33 FA 68  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x0B CECH25xx (JTP-001/JSD-001) 14 0C (5)
 00 00 00 01 00 87 00 0B 14 0E 71 DF 87 E5 A2 4D  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x0B CECH25xx (JTP-001/JSD-001) 14 0E (5)
 00 00 00 01 00 85 00 0B 14 15 XX XX XX XX XX XX  0x85  CEX  Retail or  SHOP  Kiosk - Europe / CECH 0x0B CECH25xx (JTP-001/JSD-001) 14 15 (5)
 00 00 00 01 00 84 00 0C 10 11 21 52 A6 EB 62 10  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x0C CECH30xx (KTE-001) 10 11 (4) used by PS-Unban
 00 00 00 01 00 84 00 0C 10 19 15 0C 45 9F 1C 2A  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x0C CECH30xx (KTE-001) 10 19 (4) used by PS-Unban
 00 00 00 01 00 84 00 0C 10 22 CE B2 EB 40 D9 EB  0x84  CEX  Retail or  SHOP  Kiosk - USA / CECH 0x0C CECH30xx (KTE-001) 10 22 (4)
 00 00 00 01 00 87 00 0C 14 06 C3 90 35 41 45 18  0x87  CEX  Retail or  SHOP  Kiosk - United Kingdom / CECH 0x0C CECH30xx (KTE-001) 14 06 (5)
 00 00 00 01 00 8C 00 0C 14 0E 7D FA F1 5F 9F 3F  0x8C  CEX  Retail or  SHOP  Kiosk - Russia / CECH 0x0C CECH30xx (KTE-001) 14 0E (5)
 00 00 00 01 00 89 00 0D 14 00 93 75 A9 00 4C 96  0x89  CEX  Retail or  SHOP  Kiosk - Australia & New Zealand / CECH 0x0D CECH40xx (MPX-001/MSX-001) 14 00 (5)
  • Chasis check speculation (bytes 9th and 10th):
    • 9th byte (most common: 0x04, 0x10, 0x14, 0xF4), 0x03 in the "Dummy IDPS"
      • First nibble values: 0, 1, or F
      • Second nibble values: 0, or 4 (3 in the "Dummy IDPS")
    • 10th byte (seems to be a counter, biggest value found 0x22), 0xFF in the "Dummy IDPS"
      • First nibble values: 0, 1, or 2
      • Second nibble values: too random to find a pattern
  • Next 6 bytes speculation
    • 11th and 12th: (FF in the "Dummy IDPS")
    • 13th, 14th, 15th, 16th: per console identifyer ? a hash / encryption of previous bytes ?
IDPS 6th
byte
Target ID 8th
byte
PS3 Model Notes
 00 00 00 01 00 80 00 01 xx xx xx xx xx xx xx xx  0x80  NOT IN USE  0x01 DECHSA00A/J (COK-001) -
 00 00 00 01 00 82 00 01 xx xx xx xx xx xx xx xx  0x82  DEX   AV TEST   DTCP-IP  Debug / AV Tool / DTCP-IP Debugger / DECH / DECHS 0x01 DECHSA00A/J (COK-001)

AV Testing Tool labeled as DECHSA00A
Stock Firmware 2.41 (ros0), ros1 is empty
Target ID 82, installation of DEX PUPs still impossible.
NAND patched with 3.55 downgrade file.
Installation of CEX and DEX PUPs was successful after FSM.

 00 00 00 01 00 82 00 01 xx xx xx xx xx xx xx xx  0x82  DEX   AV TEST   DTCP-IP  Debug / AV Tool / DTCP-IP Debugger / DECH / DECHS 0x01 DECHA00A/J (COK-001) -
 00 00 00 01 00 8A 00 01 xx xx xx xx xx xx xx xx  0x8A  CEX  Retail or  SHOP  Kiosk - South Asia / CECH 0x01 CECHA (COK-001) -
 00 00 00 01 00 8B 00 01 xx xx xx xx xx xx xx xx  0x8B  CEX  Retail or  SHOP  Kiosk - Taiwan / CECH 0x01 CECHA (COK-001) -
 00 00 00 01 00 83 00 01 xx xx xx xx xx xx xx xx  0x83  CEX  Retail or  SHOP  Kiosk - Japan / CECH 0x01 CECHA (COK-001) -
 00 00 00 01 00 86 00 04 xx xx xx xx xx xx xx xx  0x86  CEX  Retail or  SHOP  Kiosk - Korea / CECH 0x04 CECHE (COK-002/COK-002W) -
 00 00 00 01 00 88 00 04 xx xx xx xx xx xx xx xx  0x88  CEX  Retail or  SHOP  Kiosk - Mexico / CECH 0x04 CECHE (COK-002/COK-002W) -
 00 00 00 01 00 8D 00 0C xx xx xx xx xx xx xx xx  0x8D  CEX  Retail or  SHOP  Kiosk - China / CECH 0x0C CECH30xx (KTE-001) -
 00 00 00 01 00 8F 00 0E xx xx xx xx xx xx xx xx  0x8F  CEX  Retail or  SHOP  Kiosk - Brazil / CECH 0x0E non existant -