User talk:Zecoxao

From PS3 Developer wiki
Jump to: navigation, search

The Last Piece of the Puzzle

Vita Shennanigans

BGA Test Pins (for 100 and 64 pin config)

100-pin:
TOOL0 D8
TOOL1 E7
FLMD0 F9
RESET G9

64-pin
TOOL0 D6
TOOL1 E6
FLMD0 E8
RESET E7

CL Pad to Syscon (IRS-002) (78K0R)

F5 F6 F9 F10 G10 H1 H4 J3 J10

DYN-001 Shennanigans

PSP Shennanigans

D780032AY (TMU-001/TMU-002)
ROM: 16 KB, RAM: 512 B
(see D790019)


D790019 (TA-079/TA-081)
			ROM	RAM
D780021AY/D780031AY 	8 KB	512 B
D780022AY/D780032AY	16 KB	512 B
D780023AY/D780033AY	24 KB	1 KB
D780024AY/D780034AY	32 KB	1 KB
D78F0034AY/D78F0034BY	32 KB	1 KB

Tools: IE-78K0-NS, IE-78K0-NS-A, IE-78K0-NS-PA, IE-780034-NS-EM1, IE-78001-R-A, IE-78K0-R-EX1, PG-FP3, PG-FP4


D79F0036 (TA-082/TA-086)
			ROM	RAM	ERAM
D78F0531/D78F0531A	16 KB	768 B	-
D78F0532/D78F0532A	24 KB	1 KB	-
D78F0533/D78F0533A	32 KB	1 KB	-
D78F0534/D78F0534A	48 KB	1 KB	1 KB
D78F0535/D78F0535A	60 KB	1 KB	2 KB		
D78F0536/D78F0536A	96 KB	1 KB	4 KB
D78F0537/D78F0537A	128 KB	1 KB	6 KB
D78F0537D/D78F0537DA	128 KB	1 KB	6 KB

Tools: QB-78K0KX2, QB-MINI2, E1, E20, PG-FP4, PG-FP5, PG-FP6


D79F???? (TA-085)
"custom" 84-pin 78K0 based on D79F0036
(see D79F0036)



Service/Debug Testpoints
	TA-081		TA-082/TA-086	        TA-085

CL3001	VDD		VDD			VDD
CL3002	RxD		RxD			RxD
CL3003	TxD		TxD			TxD
CL3004	IC/VPP		FLMD0			FLMD0
CL3005	RESET	        RESET			RESET
CL3006	GND		OCD0B			OCD0B
CL3007	-		OCD0A			OCD0A
CL3008 	-		VDD (R3037)		-
CL3009	-		GND			GND
CL3010	-		P01			-
CL3011	-		P22			-
CL3012	-		CPU_RESET		-
CL3013	-		LEPTON_RST		-
CL3014	-		POMMEL_ALERT	        -

How

  • By enabling diagnostic mode on the ps3, we can enable the use of JTAG again (it's temporarily disabled when diag mode isn't set) false
  • It is possible to dump the syscon firmware using this method (in unencrypted state) false
  • The JTAG registers/TAP-controllers need to be bruteforced / reverse engineered false
  • The leaked service manuals present information about the pins connected to the JigPin false
  • The ObjectiveSuite contains an object (DIAGSERVICE) used to diagnose the ps3 using JTAG false
  • Using a DIY JigPin would facilitate the task, but we still need more info about the hardware and software interface used by ObjectiveSuite to handle this. false
  • This would probably work on ps4 too (provided that the diag pin and the JTAG pins still exist) false
  • f0f's method is a viable way to get the ROM from later syscons
  • tx function can be produced and it's not required for bruteforcing
  • ocd flag is located somewhere in the second SFR area (which covers 0x800 bytes, minus already documented flags)
  • code base is located somewhere in the backup ram ( 0x800 bytes) or in the second SFR area (0x800 bytes)
  • second SFR area ranges from 0xF0000 to 0xF0800
  • backup ram ranges from 0xF0800 to 0xF1000
  • ocd flag is likely 0xF07F5 since the other SFRs are the same from RL78 to 78K0R
  • 486 registers from the 2nd SFR range are publically documented (https://www.youtube.com/watch?v=FdveKrmoA7E)
  • 1562 registers are not documented (0xF01E7 - 0xF07FF)
  • minimum scan area would be 0xE1A bytes (covering code base only and assuming ocd flag is the known value of 0xF07F5)
  • maximum scan area would be 0x55FC8A bytes (same as above and assuming ocd flag isn't known (times 0x619 bytes)
  • assuming that the code base is in the 2nd SFR area on RL78 and that the two devices are very similar, we could narrow down the minimum scan area to 0x61A bytes
  • IC4002 is sony's syscon naming in oficial service docs
//TX FUNC, 78K0R CASE
//TAKING NOTE THAT PS3 SYSCON is uPD78F11XX, where X is A, B or C
//ASIM -> 0xFFF8C
//TXS  -> 0xFFF8F 
<pre>
ROM:000EFF05                 set1    byte_FFF8C.7
ROM:000EFF08                 nop
ROM:000EFF09                 mov     byte_FFF8F, a
ROM:000EFF0B
ROM:000EFF0B loc_EFF0B:                              ; CODE XREF: ROM:loc_EFF0B↓j
ROM:000EFF0B                 bf      byte_FFF8B.0, loc_EFF0B
ROM:000EFF0F                 mov     byte_FFF8B, #0
ROM:000EFF12                 clr1    byte_FFF8C.7
ROM:000EFF15                 ret
  • OCD Flag at 0xF07EC
  • Entry Point at 0xF07F0
  • All SW Models use 0xFFF as block size (SW, SW2, SW3)
  • SW Uses 0x80000 as total ROM size. SW2,SW3 use 0xC0000 as total rom size
  • To use block related commands, one must send signature check command before sending the block check/erase/program command
  • 0xFFFFFED0(IV error?) 0xFFFFFED1 (hash error?) 0xFFFFFED2 (magic error)

To wikify

  • Wikify begin (please wait...)
  • Roxanne, if you could also take care of these : http://pastebin.com/s75FzYxd , that would be awesome (i'm not sure what happened to eussNL so, i leave it on your hands.)
    • When I get my left hand back, then we can check this out together. Roxanne

request_idps generated files binary xor

Note: files are padded 8 bytes at start, for convenience

Wii Key/IV Goodness

Type Key Description
Key 9258A75264960D82676F904456882A73 Boot1 Decryption Key
IV 00000000000000000000000000000000 Boot1/2 Decryption IV
Key A1604A6A7123B529AE8BEC32C816FCAA Boot2 Decryption Key (Devel)
Key EBE42A225E8593E448D9C5457381AAF7 Boot2 Decryption Key (Prod)
RSA Key
D01FE100D43556B24B56DAE971B5A5D3
84B93003BE1BBF28A2305B060645467D
5B0251D2561A274F9E9F9CEC646150AB
3D2AE3366866ACA4BAE81AE3D79AA6B0
4A8BCBA7E6FB648945EBDFDB85BA091F
D7D114B5A3A780E3A22E6ECD87B5A4C6
F910E4032208814B0CEEA1A17DF73969
5F617EF63528DB949637A056037F7B32
413895C0A8F1982E1565E38EEDC22E59
0EE2677B8609F48C2E303FBC405CAC18
042F822084E4936803DA7F4134924856
2B8EE12F78F803246330BC7BE7EE724A
F458A472E7AB46A1A7C10C2F18FA07C3
DDD89806A11C9CC130B247A33C8D47DE
67F29E5577B11C43493D5BBA7634A7E4
E71531B7DF5981FE24A114554CBD8F00
5CE1DB35085CCFC77806B6DE254068A2
6CB5492D4580438FE1E5A9ED75C5ED45
1DCE789439CCC3BA28A2312A1B8719EF
0F73B713950C02591A7462A607F37C0A
A7A18FA943A36D752A5F4192F0136100
AA9CB41BBE14BEB1F9FC692FDFA09446
DE5A9DDE2CA5F68C1C0C21429287CB2D
AAA3D263752F73E09FAF4479D2817429
F69800AFDE6B592DC19882BDF581CCAB
F2CB91029EF35C4CFDBBFF49C1FA1B2F
E31DE7A560ECB47EBCFE32425B956F81
B69917487E3B789151DB2E78B1FD2EBE
7E626B3EA165B4FB00CCB751AF507329
C4A3939EA6DD9C50A0E7386B0145796B
41AF61F78555944F3BC22DC3BD0D00F8
798A42B1AAA08320659AC7395AB4F329
Root Key (Devel)
RSA Key
F8246C58BAE7500301FBB7C2EBE00105
71DA922378F0514EC0031DD0D21ED3D0
7EFC852069B5DE9BB951A8BC90A24492
6D379295AE9436AAA6A302510C7B1DED
D5FB20869D7F3016F6BE65D383A16DB3
321B95351890B17002937EE193F57E99
A2474E9D3824C7AEE38541F567E7518C
7A0E38E7EBAF41191BCFF17B42A6B4ED
E6CE8DE7318F7F5204B3990E226745AF
D485B24493008B08C7F6B7E56B02B3E8
FE0C9D859CB8B68223B8AB27EE5F6538
078B2DB91E2A153E85818072A23B6DD9
3281054F6FB0F6F5AD283ECA0B7AF354
55E03DA7B68326F3EC834AF314048AC6
DF20D28508673CAB62A2C7BC131A533E
0B66806B1C30664B372331BDC4B0CAD8
D11EE7BBD9285548AAEC1F66E821B3C8
A0476900C5E688E80CCE3C61D69CBBA1
37C6604F7A72DD8C7B3E3D51290DAA6A
597B081F9D3633A3467A356109ACA7DD
7D2E2FB2C1AEB8E20F4892D8B9F8B46F
4E3C11F4F47D8B757DFEFEA3899C3359
5C5EFDEBCBABE8413E3A9A803C69356E
B2B2AD5CC4C858455EF5F7B30644B47C
64068CDF809F76025A2DB446E03D7CF6
2F34E702457B02A4CF5D9DD53CA53A7C
A629788C67CA08BFECCA43A957AD16C9
4E1CD875CA107DCE7E0118F0DF6BFEE5
1DDBD991C26E60CD4858AA592C820075
F29F526C917C6FE5403EA7D4A50CEC3B
7384DE886E82D2EB4D4E42B5F2B149A8
1EA7CE7144DC2994CFC44E1F91CBD495
Root Key (Prod)
Key 67C6697351FF4AEC29CDBAABF2FBE346 DVD Key (Devel)
Key AB01B9D8E1622B08AFBAD84DBFC2A55D App Key
IV 216712E6AA1F689F95C5A22324DC6A98 App IV
Key 2B7E151628AED2A6ABF7158809CF4F3C SW Key
IV 00000000000000000000000000000000 SW IV
Key 0E65378199BE4517AB06EC22451A5793 MD5 Blanker

Wii U Key/IV Goodness

. .

Type Key SHA1 Status Description
Key key:0ADC3A209A563EC90CFE09F324821670 sha1:7a21e70751dd0ba38b3a0f4a1e6e7af5aa34a9a3 Valid Wii U Xor
Key key:E5959ADF673CA63143A744080EE67FE4 sha1:5baa45b5e9020adf4c1117bd7f7b04a0385de04e Valid USB Stor ENC
Key key:7B118F321870DAB70AF6F207ED2972BA sha1:09edc0533ddb270df18b644320dad6105cca4faa Valid SSL ENC/DEC
Key key:EBE42A225E8593E448D9C5457381AAF7 sha1:ebeae6d2762d4d3ea160a6d8327fac9a25f8062b Valid Wii Common
Key key:3B8D192A39B759A8DF501FC5DA8EC3E2 sha1:1505970d69ae87fd4a89f02d9a5a20e6d144f017 Valid Wii U SEEPROM
Key key:805E6285CD487DE0FAFFAA65A6985E17 sha1:2ba6f692ddbf0b3cd267e9374fa7dd849e80f8ab Valid Wii U Expresso Ancast
Key key:2EFE8ABCEDBB7BAAE3C0ED92FA29F866 sha1:ce3641b2660253f5a7e789db297be2c1585b3054 Valid vWii Expresso Ancast
IV key:596D5A9AD705F94FE158026FEAA7B887 sha1:c1a8bffb7ca5271677d4242989c6ffe44fd3dc7d Valid Wii U Expresso Ancast / vWii Expresso Ancast
Key key:B5D8AB06ED7F6CFC529F2CE1B4EA32FD sha1:d8b4970a7ed12e1002a0c4bf89bee171740d268b Valid Wii U Starbuck Ancast
IV key:91C9D008312851EF6B228BF14BAD4322 sha1:8377c1b51fd6aeab9d6f48a8e858f53aebfd0be3 Valid Wii U Starbuck Ancast
Key key:D7B00402659BA2ABD2CB0DB27FA2B656 sha1:6a0b87fc98b306ae3366f0e0a88d0b06a2813313 Valid Wii U Common
Key key:30BFC76E7C19AFBB23163330CED7C28D sha1:2b30b703c6676c8124c7347b30c7972ffeae2b39 Valid vWii Common
Key - sha1:56dd59752e6af1e55fc2ee7074abe2d2c9e70a10 Confirmation Needed boot1
IV key:4FCD24A0E4D3AB6FAE8DFD8108581DCF sha1:a1a87792b95d0294c0867c93d46c3068c1c6d322 Valid boot1
Binary - sha1:ee28d0be718055423ee79d89889ebe386e5b0c2d Found boot0
Binary - sha1:3d331b3165f9638c6cd6221702b2f736f7fcf931 Found BootROM

Switch Key/IV Goodness

Type Key SHA1/SHA256 Status Description
AES-CTR key:F4ECA1685C1E4DF77F19DB7B44A985CA sha1:8c98ff409724784ddf3e3d39b60b25b7087ff537 Valid stage1_key_00
AES-128-ECB key:C2CAAFF089B9AED55694876055271C7D sha1:4a98d62ff6ec0a042b7592219200e37dd9603479 Valid package1_key_00
AES-128-ECB key:54E1B8E999C2FD16CD07B66109ACAAA6 sha1:8cec47b1b3974eed32c03b11a9de0133d9e0f00b Valid master_key_01
AES-128-ECB key:4F6B10D33072AF2F250562BFF06B6DA3 sha1:add1d37e4a5c540aeeef4050a2ab98e8b0dc1d04 Valid master_key_02
AES-CTR key:A35A19CB14404B2F4460D343D178638D sha1:4d64731f7afa031c7eeae3eb2f462d55ff8ff5ae Valid package2_key_00
Kernel - sha1:124befb2895bba4db1726485daf6684b33ef5f51 Valid 1.00 Encrypted Kernel
System Modules - sha1:96bf598bd162d5d8c87f2b25741f758f47730c88 Valid 1.00 Encrypted System Modules
Modulus
B36554FB0AB01E85A7F6CF918EBA9699
0D8B91692AEE01204F345C2C4F4E37C7
F10BD4CDA17F93F13359CEB1E9DD26E6
F3BB7787467AD64E474AD141B7794A38
066ECF618FCDC1400BFA26DCC0345183
D93B11543B9627329A95BE1E681150A0
6B10A8838BF5FCBC90847A5A5C4352E6
C826E9FE06A08B530FAF1EC41C0BCF50
1AA4F35CFBF097E4DE320A9FE35AAAB7
447F5C3360B90F222D332AE969793142
8FE43A138BE726BD08876CA6F273F68E
A7F2FEFB6C28660DBDD7EB42A878E6B8
6BAEC7A9E2406E892082258E3C6A60D7
F3568EEC8D518A633C0478230E900CB4
E7863B4F8E130947320E04B84D5BB046
71B05CF4AD634FC5E2AC1EC43396097B
sha1:f847ed0465c0dfdcd2c28b3e1a6da0c0f01fbbc5 Valid Public Debug
Modulus
8D13A7776AE5DCC03B25D058E4206959
554BAB7040082807A8A7FD0F312E11FE
47A0F99DDF80DB865A2789CD976C85C5
6C397F41F2FF2420C395A6F79D4A4574
8B5D288AC699356885A56432809FD348
39A21D246769DF75AC12B5BDC32990BE
37E4A0809ABE36BF1F2CAB2BADF59732
9A429D098B08F06347A3E91B36D82D8A
D7E1541195E44588698A2B35CED0A50B
D55DACDBAF114DCAB81EE7019EF446A3
8A946D76BD8AC83BD231580C79A826E9
D1799CCBD42B6A4FC6CCCF90A7B99847
FDFA4C6C6F81873BCAB850F63E395D4D
973F0F353953FBFACDABA87A629A3FF2
0927963F079A91F716BFC63A825A4BCF
4950958C55807E39B148051E21C7244F
sha1:a809e09f8bd790446b86f28b84a6d0f36481a245 Valid Public Retail

Regarding Jokes

  • Sorry, but it's difficult to distinguish Contributors with Spam Users, especially when you aren't logged in and when you log in to your account with different IP Addresses (and especially with this current Spam situation). It won't happen for a second time. Roxanne 21th December 2015 (18:12 GMT+1)
    • It's ok, i should've logged, but i keep formatting my pc, so i always forget :) In the end it was my fault. Thanks for the feedback though Zecoxao
      • OK and to answer your question regarding the newest DEX Firmwares, I'm on CEX but I'm still on this Firmware. Is this Good or Bad? :) (Roxanne 22th December 2015 (22:56 GMT+1)

ebootrom wikify

https://yadi.sk/d/z2Vr1NE_DZ6eHQ