Difference between revisions of "Virage2"
Jump to navigation
Jump to search
Jhynjhiruu (talk | contribs) |
|
(No difference)
| |
Revision as of 14:02, 2 May 2018
OTP is stored somewhere inside a console chip (maybe inside the "big" NEC chip) and seems to be called "virage2" inside SDK code. OTP can be dumped together with bootROM using a patched .rec file able to launch a modified .sta save file; when executed, the code writes a new .sta file containing BOOROM+OTP; dump it from iQue console using ique_diag.exe to save it to your PC (ique_diag.exe -> B -> 3 savegameId.sta); inside the dumped .sta file OTP data can be found from 0x20CC to 0x21CB
| Offset | Size | Description | Note |
|---|---|---|---|
| 0x00 | 0x14 | SK Hash | common |
| 0x14 | 0x10 x 4 | ROM Patch | common |
| 0x54 | 0x20 | EccPublicKey | per-console |
| 0x74 | 0x04 | bbId | per-console |
| 0x78 | 0x40 | EccPrivateKey | per-console |
| 0xB8 | 0x10 | bootAppKey - COMMON KEY | common |
| 0xC8 | 0x10 | recryptListKey | per-console |
| 0xD8 | 0x10 | appStateKey | per-console |
| 0xE8 | 0x10 | selfMsgKey | per-console |
| 0xF8 | 0x04 | csumAdjust | per-console |
| 0xFC | 0x04 | jtagEnable | common |