Difference between revisions of "Virage2"
Jump to navigation
Jump to search
Line 10: | Line 10: | ||
| 0x00 || 0x14 || SK Hash || common | | 0x00 || 0x14 || SK Hash || common | ||
|- | |- | ||
− | | 0x14 || 0x10 | + | | 0x14 || 0x10 x 4 || ROM Patch || common |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
|- | |- | ||
| 0x54 || 0x20 || EccPublicKey || per-console | | 0x54 || 0x20 || EccPublicKey || per-console |
Revision as of 14:01, 2 May 2018
OTP is stored somewhere inside a console chip (maybe inside the "big" NEC chip) and seems to be called "virage2" inside SDK code. OTP can be dumped together with bootROM using a patched .rec file able to launch a modified .sta save file; when executed, the code writes a new .sta file containing BOOROM+OTP; dump it from iQue console using ique_diag.exe to save it to your PC (ique_diag.exe -> B -> 3 savegameId.sta); inside the dumped .sta file OTP data can be found from 0x20CC to 0x21CB
Offset | Size | Description | Note |
---|---|---|---|
0x00 | 0x14 | SK Hash | common |
0x14 | 0x10 x 4 | ROM Patch | common |
0x54 | 0x20 | EccPublicKey | per-console |
0x74 | 0x04 | bbId | per-console |
0x78 | 0x40 | EccPrivateKey | per-console |
0xB8 | 0x10 | bootAppKey - COMMON KEY | common |
0xC8 | 0x10 | recryptListKey | per-console |
0xD8 | 0x10 | appStateKey | per-console |
0xE8 | 0x10 | selfMsgKey | per-console |
0xF8 | 0x04 | csumAdjust | per-console |
0xFC | 0x04 | jtagEnable | common |