User talk:Zecoxao

From PS3 Developer wiki

The Last Piece of the Puzzle

Vita Shenanigans

BGA Test Pins (for 100 and 64 pin config)

100-pin:
TOOL0 D8
TOOL1 E7
FLMD0 F9
RESET G9

64-pin:
TOOL0 D6
TOOL1 E6
FLMD0 E8
RESET E7

CL Pad to Syscon (IRS-002) (78K0R)

F5 F6 F9 F10 G10 H1 H4 J3 J10

PSP Shenanigans

D780032AY (TMU-001/TMU-002)
ROM: 16 KB, RAM: 512 B
(see D790019)


D790019 (TA-079/TA-081)
Part                    ROM     RAM
D780021AY/D780031AY     8 KB    512 B
D780022AY/D780032AY     16 KB   512 B
D780023AY/D780033AY     24 KB   1 KB
D780024AY/D780034AY     32 KB   1 KB
D78F0034AY/D78F0034BY   32 KB   1 KB

Tools: IE-78K0-NS, IE-78K0-NS-A, IE-78K0-NS-PA, IE-780034-NS-EM1, IE-78001-R-A, IE-78K0-R-EX1, PG-FP3, PG-FP4


D79F0036 (TA-082/TA-086)
Part                    ROM     RAM     ERAM
D78F0531/D78F0531A      16 KB   768 B   -
D78F0532/D78F0532A      24 KB   1 KB    -
D78F0533/D78F0533A      32 KB   1 KB    -
D78F0534/D78F0534A      48 KB   1 KB    1 KB
D78F0535/D78F0535A      60 KB   1 KB    2 KB
D78F0536/D78F0536A      96 KB   1 KB    4 KB
D78F0537/D78F0537A      128 KB  1 KB    6 KB
D78F0537D/D78F0537DA    128 KB  1 KB    6 KB

Tools: QB-78K0KX2, QB-MINI2, E1, E20, PG-FP4, PG-FP5, PG-FP6


D79F???? (TA-085)
"custom" 84-pin 78K0 based on D79F0036
(see D79F0036)



Service/Debug Testpoints
Testpoint   TA-081     TA-082/TA-086   TA-085
CL3001      VDD        VDD             VDD
CL3002      RxD        RxD             RxD
CL3003      TxD        TxD             TxD
CL3004      IC/VPP     FLMD0           FLMD0
CL3005      RESET      RESET           RESET
CL3006      GND        OCD0B           OCD0B
CL3007      -          OCD0A           OCD0A
CL3008      -          VDD (R3037)     -
CL3009      -          GND             GND
CL3010      -          P01             -
CL3011      -          P22             -
CL3012      -          CPU_RESET       -
CL3013      -          LEPTON_RST      -
CL3014      -          POMMEL_ALERT    -

How

  • By enabling diagnostic mode on the PS3, we can enable the use of JTAG again (it's temporarily disabled when diag mode isn't set). (false)
  • It is possible to dump the syscon firmware using this method (in unencrypted state). (false)
  • The JTAG registers/TAP controllers need to be bruteforced / reverse engineered. (false)
  • The leaked service manuals present information about the pins connected to the JigPin. (false)
  • The ObjectiveSuite contains an object (DIAGSERVICE) used to diagnose the PS3 using JTAG. (false)
  • Using a DIY JigPin would facilitate the task, but we still need more info about the hardware and software interface used by ObjectiveSuite to handle this. (false)
  • This would probably work on PS4 too (provided that the diag pin and the JTAG pins still exist). (false)
  • f0f's method is a viable way to get the ROM from later syscons.
  • The tx function can be produced, and it's not required for bruteforcing.
  • The OCD flag is located somewhere in the second SFR area (which covers 0x800 bytes, minus already documented flags).
  • The code base is located somewhere in the backup RAM (0x800 bytes) or in the second SFR area (0x800 bytes).
  • The second SFR area ranges from 0xF0000 to 0xF0800.
  • The backup RAM ranges from 0xF0800 to 0xF1000.
  • The OCD flag is likely 0xF07F5, since the other SFRs are the same from RL78 to 78K0R.
  • 486 registers from the 2nd SFR range are publicly documented (https://www.youtube.com/watch?v=FdveKrmoA7E).
  • 1562 registers are not documented (0xF01E7 - 0xF07FF).
  • The minimum scan area would be 0xE1A bytes (covering the code base only and assuming the OCD flag is the known value 0xF07F5).
  • The maximum scan area would be 0x55FC8A bytes (same as above, but assuming the OCD flag isn't known: 0xE1A bytes times 0x619).
  • Assuming that the code base is in the 2nd SFR area on RL78 and that the two devices are very similar, we could narrow down the minimum scan area to 0x61A bytes.
  • IC4002 is Sony's syscon naming in official service docs.
<pre>
// TX function, 78K0R case
// Note that the PS3 syscon is uPD78F11XX, where X is A, B or C
// ASIM -> 0xFFF8C
// TXS  -> 0xFFF8F
ROM:000EFF05                 set1    byte_FFF8C.7
ROM:000EFF08                 nop
ROM:000EFF09                 mov     byte_FFF8F, a
ROM:000EFF0B
ROM:000EFF0B loc_EFF0B:                              ; CODE XREF: ROM:loc_EFF0B↓j
ROM:000EFF0B                 bf      byte_FFF8B.0, loc_EFF0B
ROM:000EFF0F                 mov     byte_FFF8B, #0
ROM:000EFF12                 clr1    byte_FFF8C.7
ROM:000EFF15                 ret
</pre>
  • OCD flag at 0xF07EC
  • Entry point at 0xF07F0
  • All SW models use 0xFFF as block size (SW, SW2, SW3)
  • SW uses 0x80000 as total ROM size; SW2 and SW3 use 0xC0000 as total ROM size
  • To use block-related commands, one must send the signature check command before sending the block check/erase/program command
  • 0xFFFFFED0 (IV error?), 0xFFFFFED1 (hash error?), 0xFFFFFED2 (magic error)

To wikify

  • Wikify begin (please wait...)
  • Roxanne, if you could also take care of these: http://pastebin.com/s75FzYxd , that would be awesome (I'm not sure what happened to eussNL, so I leave it in your hands.)
    • When I get my left hand back, then we can check this out together. Roxanne

request_idps generated files binary xor

Note: files are padded 8 bytes at start, for convenience

Wii U Key/IV Goodness


Switch Key/IV Goodness


Regarding Jokes

  • Sorry, but it's difficult to distinguish Contributors from Spam Users, especially when you aren't logged in and when you log in to your account with different IP Addresses (and especially with this current Spam situation). It won't happen for a second time. Roxanne 21st December 2015 (18:12 GMT+1)
    • It's ok, I should've logged in, but I keep formatting my PC, so I always forget :) In the end it was my fault. Thanks for the feedback though. Zecoxao
      • OK, and to answer your question regarding the newest DEX Firmwares: I'm on CEX but I'm still on this Firmware. Is this Good or Bad? :) Roxanne 22nd December 2015 (22:56 GMT+1)

ebootrom wikify

https://yadi.sk/d/z2Vr1NE_DZ6eHQ