Editing VTRM
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
The | The PS4s VTRM functionality seems to be similar with the one from the PS3. We can either Dump them via HW or via Software methode. Tools to unpack and dump the VTRM can be found here [http://www.psdevwiki.com/ps4/Flash-Main Tool] on the Top, under sources. | ||
On the PS4 a Dev | On the PS4 a Dev unit only hase one Region where a Retail unit will have two Regions. One of thoes regions will be used for deactivation and the other one for activation. | ||
=== Region0 === | === Region0 === | ||
SCEVTRM Magic on 0x380048. | SCEVTRM Magic on 0x380048. | ||
Line 19: | Line 16: | ||
or | or | ||
If VTRM0 is marked as in use then the console is deactivated and if VTRM1 is marked | If VTRM0 is marked as in use then the console is deactivated and if VTRM1 is marked in use then PS4 is activated. | ||
Following some examples. Remember mark 0xFC and count 0x00 == factory state. | Following some examples. Remember mark 0xFC and count 0x00 == factory state. | ||
Line 56: | Line 53: | ||
|} | |} | ||
So we have more ways to identify if a | So we have more ways to identify if a Dump is from a Retail or a Dev/Test console. Either we can check if there are any incremental counters used on the VTRM or we can check if the VTRM hase any mark like 0xFC or 0x00000000 or 0x03000000 then it is reatail else Dev/test. Or we also can check the first 4 bytes of both VTRMs against 4x 0xFF bytes, if True == Dev/Test else Retail. | ||
NOTE: Dev/Test Consoles only do use one VTRM. The array for the second VTRM is completely empty on this SKU models beside that they don't have any mark and also no counter. (yea sure why if they only use one ^^) | NOTE: Dev / Test Consoles only do use one VTRM. The array for the second VTRM is completely empty on this SKU models beside that they don't have any mark and also no counter. (yea sure why if they only use one ^^) | ||
NOTE²: There is another byte that will change | NOTE²: There is another byte that will change douring this process. On offset 0x3A0078 for factory the byte is 0xFF. As soon the console would be the first time activated (so count 0x01) then this byte change to 0xFE. After this (so count 0x02 and upwards) the byte will always be 0xFC. | ||
=== Region0 Digest? === | === Region0 Digest? === | ||
This region of 0x60 ~= 96 bytes is the exact same on the same console of diffrent FW and BIOS versions. We can use thoes 96 bytes to identify dumps as diffrent or as from one and the same device. It's kind of a unique Console identifyer. I will add a new entry to the SystemFlash Extractor and hash this array with SHA1 which we then can use to store it in the DataBase. That gives us the ability to even identify a Dump and his informations from the DataBase out as one and the same device or as a diffrent one, while to same time to protect the privacy of the user in case we use a checksum to store and not the console specific unique vlaue. | |||
'''(From a already dead console)''' | '''(From a already dead console)''' | ||
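Review bot: NOTE² places the byte that goes 0xFF, 0xFE, 0xFC at 0x3A0078, but with the Region1 magic at 0x3A0048 and Magic at header offset 48 (so the header starting at 0x3A0000), that address is header offset 0x78, which the Structure table lists as Padding5 (always 0xFF), while Ctrlflag sits at 0x77. One of the two is off by one; please re-check against a dump and make the note and the table agree. The Region0 Digest paragraph also presents a SHA1 of the 96 bytes as protecting the user's privacy: because the input is fixed per console, the hash is itself a stable per-console identifier that anyone holding a dump can recompute, so it is better described as a pseudonymous ID than as an anonymous one.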
Line 75: | Line 72: | ||
003801C0 AB F6 48 B9 08 FF CF 89 83 B2 76 37 51 75 8D 87 «öH¹.ÿωƒ²v7Qu.‡ " | 003801C0 AB F6 48 B9 08 FF CF 89 83 B2 76 37 51 75 8D 87 «öH¹.ÿωƒ²v7Qu.‡ " | ||
003801D0 F8 A1 06 69 F7 73 58 36 ø¡.i÷sX6 " | 003801D0 F8 A1 06 69 F7 73 58 36 ø¡.i÷sX6 " | ||
=== Region1 === | === Region1 === | ||
SCEVTRM Magic on 0x3A0048 | SCEVTRM Magic on 0x3A0048 | ||
Line 141: | Line 135: | ||
=== Region1 Digest? === | === Region1 Digest? === | ||
The same like for Region0 applys here but with the diffrence that thoes both digest? from Region0 and Region1 do differ on the same console and also on diffrent versions. But Region0 do match Region0 of diffrent FW and BIOS versions and the same apply for Region1. Thoes 96 bytes from Region1 are always the same on diffrent FW and BIOS versions of the same console. | |||
The same like for Region0 | |||
== Structure == | == Structure == | ||
==== Header ==== | ==== Header ==== | ||
- size always 96 bytes | |||
<br/>- integer values are endian swapped | |||
{| class="wikitable" | {| class="wikitable" | ||
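Review bot: "size always 96 bytes" in the Header notes does not match the table that follows, which runs from offset 00 to 7F, that is 0x80 = 128 bytes; 96 bytes (0x60) is the size given for the Region0 digest array, so state which structure the 96 refers to and correct the other. The "integer values are endian swapped" note would also be clearer if it said whether values such as the Constant 0x01000000 and the marks 0x00000000 / 0x03000000 are written as stored on flash or after swapping.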
Line 157: | Line 146: | ||
! From !! To !! Description | ! From !! To !! Description | ||
|- | |- | ||
| 00 || 03 || '''Flag''' Marks the VTRM status | | 00 || 03 || '''Flag''' Marks the VTRM status | ||
|- | |- | ||
| 04 || 3F || '''Padding0''' Nothing only 0xFF bytes | | 04 || 3F || '''Padding0''' Nothing only 0xFF bytes | ||
|- | |- | ||
| 40 || 43 || '''Constant''' always 0x01000000 | | 40 || 43 || '''Constant''' always 0x01000000 | ||
|- | |- | ||
| 44 || 47 || '''Padding1''' Nothing always 0xFF bytes | | 44 || 47 || '''Padding1''' Nothing always 0xFF bytes | ||
|- | |- | ||
| 48 || 4F || '''Magic''' The VTRM Magic | | 48 || 4F || '''Magic''' The VTRM Magic | ||
|- | |- | ||
| 50 || 53 || '''Count0''' The activation | | 50 || 53 || '''Count0''' The activation count | ||
|- | |- | ||
| 54 || 57 || '''Padding2''' Nothing always 0x00 bytes | | 54 || 57 || '''Padding2''' Nothing always 0x00 bytes | ||
|- | |- | ||
| 58 || 5B || '''Count1''' The control byte for the activation | | 58 || 5B || '''Count1''' The control byte for the activation count | ||
|- | |- | ||
| 5C || 5F || '''Padding3''' Nothing always 0x00 bytes | | 5C || 5F || '''Padding3''' Nothing always 0x00 bytes | ||
|- | |- | ||
| 60 || 6F || '''Ukn''' Unknowen always the same 16 bytes | | 60 || 6F || '''Ukn''' Unknowen always the same 16 bytes | ||
|- | |- | ||
| 70 || 76 || '''Padding4''' Nothing always 0xFF bytes | | 70 || 76 || '''Padding4''' Nothing always 0xFF bytes | ||
|- | |- | ||
| 77 || 77 || '''Ctrlflag''' Tigthen with the '''Flag''' variable | | 77 || 77 || '''Ctrlflag''' Tigthen with the '''Flag''' variable | ||
|- | |- | ||
| 78 || 7F || '''Padding5''' Nothing always 0xFF bytes | | 78 || 7F || '''Padding5''' Nothing always 0xFF bytes | ||
|} | |} | ||
Line 203: | Line 192: | ||
} vtrmHeader; | } vtrmHeader; | ||
</source> | </source> | ||
'''CSharp''' | '''CSharp''' | ||
Line 222: | Line 212: | ||
} | } | ||
</source> | </source> | ||
==== Body ==== | ==== Body ==== | ||
== Function Calls == | == Function Calls == | ||
From 1.76. [http://pastebin.com/gWg1JeA8 pastebin] | From 1.76. [http://pastebin.com/gWg1JeA8 pastebin] | ||
<pre> | <pre> | ||
VtrmCipherCalcHeaderDigest LOAD FFFFFFFF827CF0E0 00000141 00000138 00000000 R . . . B . . | VtrmCipherCalcHeaderDigest LOAD FFFFFFFF827CF0E0 00000141 00000138 00000000 R . . . B . . |