#21
Person Of The Community
Registered: 01.09.2010
Location: Дедовск
Gender: Male
Posts: 130
__________________
PS2 SCPH-50008 FreeMCboot-1.94+HDD OSD+PSBBN-0.32 PSP 3008 6.61 PROMOD PS3 CECH-3008A 320 GB 4.90 PS4 CUCH-1006 11.02 PS5 CFI-1008 9.00 PSVita PCH-1008(Wi-Fi Only) 3.74 PSX DESR-5100 1.30 PSX DESR-7000 1.31 PSX DESR-7500 2.06 http://www.ps-gamers.ru - my site
#22
PSX Planet Elite Supporter
Registered: 31.08.2008
Location: France
Gender: Male
Posts: 254
My project of hacking the DVD Player Version 3.11 goes on. My research is plotted against the Japanese version of it.

Achieved tasks (done and tested):

Coding of a payload

The payload embeds IRX modules/IOP images and the firmware executable in one standalone ELF. It is responsible for the system initialisation and software startup. In the case of the DVD Player 3.11, it does an IOP reset with a set of modules, loads a few modules one by one and executes the embedded DVD Player firmware with 2 arguments (arg 1 is the launch path, arg 2 is the path of a fake parent program).

Injection of resource files

For the DVD Player to be standalone and usable in any console, separate resource files (that are stored on the console erom) have to be injected in the firmware executable at their correct load address.

Defeat the "mouchard"

What I call the "mouchard" is a protection measure that Sony has implemented since v2.12. It is intended to prevent modifications of the program memory area. I think they made this in order to irritate those who want to hook a debugger and build a DVD unzoning solution (Datel, Blaze, Data Power...). This is a 2-step routine. First, it wipes the EE memory; and if you managed to bypass the first step of the routine, the second step floods the EE with "Break" instructions. When this thing is active and detects any illegal modification of the firmware, it simply crashes the console within 15-20 seconds.

Turn the DVD Player region free

Third-party software like DVD Region X resides in memory while the DVD is playing and pokes the value of your DVD-Video region (mostly in the user memory range, out of the firmware code). The first version of Datel's DVD Region X replaces the region code of the cached VIDEO_TS.IFO with a region code that is allowed to play by your firmware. Then your DVD-Video appears to be a DVD-Video of another region. Data Power's Cheat Code Demon locates the routine that contains the value of the restricted zone, and patches it with the region code of your choice. Then your DVD Player firmware RPC matches the region of your DVD-Video. Kinda silly method, this software pokes preset values (from 1 to 6) but a static 0x09 turns the player region free without the need to select the region from a damn menu. The routine can be found with the long magic 180007B52000228D200002AD02000224, which no longer exists after 2.13E/2.14J.

Those things are crap. My RPC hack is hardcoded in the firmware. Basically, the RPC function always returns the signed 0 reply. It checks the regional coding of your DVD-Video but always returns 0 (0 means validated, <0 means rejected).

Make the DVD Player multistandard

That's a pleasant finding. NTSC firmwares (US, JAP...) aren't meant to play PAL DVDs. When you put in a PAL movie, it says "TV system doesn't match" or something. 3.11J shows the same error message with a PAL DVD, but I've found a way to bypass it. NTSC and PAL DVDs play fine in their respective video modes.

Remaining task:

Prevent access/loading from the erom

For now, I don't know how the %$#@ to do it. Resource files are properly injected in the executable, I must force the firmware to use the embedded data. No I/O operations should be performed with the erom, otherwise the DVD Player will not work on consoles older than SCPH-75xxx and continue to use erom resources. Such an access/loading function might have dependencies on another which acquires parameters from the non-volatile memory...

EDIT: Right, I found a temporary solution. Experimental for now. Resources are loaded from a USB Mass Drive after the firmware execution. It worked in my SCPH-39004 machine, so I assume that it should work in any PlayStation 2 models, fat and slimline. I'll port this hack to firmwares of other regions and publish the files soon...

Last edited by krHACKen; 23.04.2012 at 06:32. Reason: Release announcement
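
An added example, not part of the post above and not the poster's code: it decodes the 16-byte "long magic" quoted in the post and shows how an exact byte-signature search over a memory image behaves, including how a one-byte change makes it miss. Assumptions: the signature is four little-endian MIPS instruction words (the PS2's EE is a little-endian MIPS CPU), and the buffers are constructed for illustration, not taken from any firmware.

```python
import struct

# 16-byte signature quoted in the post above.
MAGIC = bytes.fromhex("180007B52000228D200002AD02000224")

REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()

# Only the I-type opcodes this signature needs (MIPS III encodings).
ITYPE = {0x09: "addiu", 0x23: "lw", 0x2B: "sw", 0x2D: "sdr"}


def decode_word(word):
    """Decode one 32-bit MIPS I-type instruction; unknown opcodes become .word."""
    op, rs, rt = word >> 26, (word >> 21) & 31, (word >> 16) & 31
    imm = word & 0xFFFF
    if imm & 0x8000:            # sign-extend the 16-bit immediate
        imm -= 0x10000
    name = ITYPE.get(op)
    if name is None:
        return f".word 0x{word:08x}"
    if name == "addiu":
        return f"addiu {REGS[rt]}, {REGS[rs]}, {imm}"
    return f"{name} {REGS[rt]}, {imm}({REGS[rs]})"


def disassemble(sig=MAGIC):
    """Assumption: the signature is four little-endian instruction words."""
    return [decode_word(w) for w in struct.unpack("<4I", sig)]


def find_signature(image, sig=MAGIC, align=4):
    """Return every instruction-aligned offset where sig occurs exactly."""
    hits, pos = [], image.find(sig)
    while pos != -1:
        if pos % align == 0:
            hits.append(pos)
        pos = image.find(sig, pos + 1)
    return hits


def constructed_images():
    """Constructed buffers (not real firmware): one match, one changed byte."""
    original = bytes(0x40) + MAGIC + bytes(0x20)
    changed = bytearray(original)
    changed[0x40 + 12] = 0x03   # different immediate in the last word
    return original, bytes(changed)


if __name__ == "__main__":
    print(disassemble())
    old, new = constructed_images()
    print(find_signature(old), find_signature(new))
```
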
#23
PSX Planet Elite Supporter
Registered: 31.08.2008
Location: France
Gender: Male
Posts: 254
The dumping method has changed (see my first post). Now it's easier to dump the files I need. Simply run the PCSX2 dumper "ps2dumper.elf" in your console and upload the dumped BIOS.
My tools were inefficient and I found out how to apply the .diff for decrypting the firmware. So now this thread is a PS2 BIOS dump request thread.