Difference between revisions of "Virage2"
| Line 10: | Line 10: | ||
| 0x00 || 0x14 || SK Hash || common | | 0x00 || 0x14 || SK Hash || common | ||
|- | |- | ||
| − | | 0x14 || 0x10 | + | | 0x14 || 0x10 x 4 || ROM Patch || common |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
|- | |- | ||
| 0x54 || 0x20 || EccPublicKey || per-console | | 0x54 || 0x20 || EccPublicKey || per-console | ||
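Review bot: the new size on the 0x14 row, `0x10 x 4`, is the only size in the table that is not a single hex value. Consider writing it as 0x40 and moving "4 entries of 0x10" into the Note column, so a reader can check 0x14 + 0x40 = 0x54 against the EccPublicKey row directly. The six removed lines show no content here, so it is not visible what the merged row replaces; an edit summary naming the rows that were folded into "ROM Patch" would help.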
Revision as of 13:01, 2 May 2018
OTP is stored somewhere inside a console chip (maybe inside the "big" NEC chip) and seems to be called "virage2" inside SDK code.

OTP can be dumped together with the bootROM using a patched .rec file able to launch a modified .sta save file. When executed, the code writes a new .sta file containing bootROM+OTP. Copy that file from the iQue console to your PC with ique_diag.exe (ique_diag.exe -> B -> 3 savegameId.sta). Inside the dumped .sta file, the OTP data can be found from 0x20CC to 0x21CB.
| Offset | Size | Description | Note |
|---|---|---|---|
| 0x00 | 0x14 | SK Hash | common |
| 0x14 | 0x10 x 4 | ROM Patch | common |
| 0x54 | 0x20 | EccPublicKey | per-console |
| 0x74 | 0x04 | bbId | per-console |
| 0x78 | 0x40 | EccPrivateKey | per-console |
| 0xB8 | 0x10 | bootAppKey - COMMON KEY | common |
| 0xC8 | 0x10 | recryptListKey | per-console |
| 0xD8 | 0x10 | appStateKey | per-console |
| 0xE8 | 0x10 | selfMsgKey | per-console |
| 0xF8 | 0x04 | csumAdjust | per-console |
| 0xFC | 0x04 | jtagEnable | common |
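
The layout above, as an added example that is not part of the original wiki page: a Python sketch that checks the table rows are contiguous over 0x20CC to 0x21CB, splits a dumped .sta into the named fields, and prints a summary with key material hidden so a dump can be discussed without leaking console secrets. The function names, the redaction policy and the sample bytes are assumptions made for this example.

```python
# Layout from the table on this page: (offset, size, name, note)
OTP_FIELDS = [
    (0x00, 0x14, "SK Hash", "common"),
    (0x14, 0x40, "ROM Patch", "common"),            # 0x10 x 4 entries
    (0x54, 0x20, "EccPublicKey", "per-console"),
    (0x74, 0x04, "bbId", "per-console"),
    (0x78, 0x40, "EccPrivateKey", "per-console"),
    (0xB8, 0x10, "bootAppKey", "common"),
    (0xC8, 0x10, "recryptListKey", "per-console"),
    (0xD8, 0x10, "appStateKey", "per-console"),
    (0xE8, 0x10, "selfMsgKey", "per-console"),
    (0xF8, 0x04, "csumAdjust", "per-console"),
    (0xFC, 0x04, "jtagEnable", "common"),
]
OTP_START, OTP_END = 0x20CC, 0x21CB      # inclusive range inside the dumped .sta
OTP_SIZE = OTP_END - OTP_START + 1       # 0x100 bytes

def check_layout():
    """Confirm the table rows are contiguous and fill the OTP region exactly."""
    pos = 0
    for off, size, name, _ in OTP_FIELDS:
        if off != pos:
            raise ValueError(f"{name}: expected offset {pos:#x}, table says {off:#x}")
        pos += size
    return pos == OTP_SIZE

def parse_otp(sta: bytes) -> dict:
    """Slice the OTP region out of a dumped .sta image and split it into fields."""
    if len(sta) <= OTP_END:
        raise ValueError("file too short to contain the OTP region")
    otp = sta[OTP_START:OTP_END + 1]
    return {name: otp[off:off + size] for off, size, name, _ in OTP_FIELDS}

def redacted_summary(fields: dict) -> dict:
    """Assumed policy: hide per-console values and anything named *Key."""
    notes = {name: note for _, _, name, note in OTP_FIELDS}
    out = {}
    for name, value in fields.items():
        if notes[name] == "per-console" or name.endswith("Key"):
            out[name] = f"<redacted, {len(value)} bytes>"
        else:
            out[name] = value.hex()
    return out

if __name__ == "__main__":
    # Constructed sample, not a real dump: zero padding, then bytes 0x00..0xFF as OTP.
    sample = bytes(OTP_START) + bytes(range(256)) + bytes(16)
    assert check_layout()
    for name, text in redacted_summary(parse_otp(sample)).items():
        print(f"{name:15} {text}")
```
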