Difference between revisions of "Virage2"
Jump to navigation
Jump to search
Line 1: | Line 1: | ||
− | OTP | + | OTP is stored somewhere inside a console chip (maybe inside the "big" NEC chip) and seems to be called "virage2" inside SDK code. OTP can be dumped together with bootROM using a patched .rec file able to launch a modified .sta save file; when executed, the code writes a new .sta file containing BOOROM+OTP; dump it from iQue console using ique_diag.exe to save it to your PC (ique_diag.exe -> B -> 3 savegameId.sta); inside the dumped .sta file OTP data can be found from 0x20CC to 0x21CB |
{| class="wikitable" | {| class="wikitable" |
Revision as of 14:00, 2 May 2018
OTP is stored somewhere inside a console chip (maybe inside the "big" NEC chip) and seems to be called "virage2" inside SDK code. OTP can be dumped together with bootROM using a patched .rec file able to launch a modified .sta save file; when executed, the code writes a new .sta file containing BOOROM+OTP; dump it from iQue console using ique_diag.exe to save it to your PC (ique_diag.exe -> B -> 3 savegameId.sta); inside the dumped .sta file OTP data can be found from 0x20CC to 0x21CB
Offset | Size | Description | Note |
---|---|---|---|
0x00 | 0x14 | SK Hash | common |
0x14 | 0x10 | ROM Patch | common |
0x24 | 0x10 | ROM Patch | common |
0x34 | 0x10 | ROM Patch | common |
0x44 | 0x10 | ROM Patch | common |
0x54 | 0x20 | EccPublicKey | per-console |
0x74 | 0x04 | bbId | per-console |
0x78 | 0x40 | EccPrivateKey | per-console |
0xB8 | 0x10 | bootAppKey - COMMON KEY | common |
0xC8 | 0x10 | recryptListKey | per-console |
0xD8 | 0x10 | appStateKey | per-console |
0xE8 | 0x10 | selfMsgKey | per-console |
0xF8 | 0x04 | csumAdjust | per-console |
0xFC | 0x04 | jtagEnable | common |