Virage2
Jump to navigation
Jump to search
OTP is stored somewhere inside a console chip (maybe inside the "big" NEC chip) and seems to be called "virage2" inside SDK code. OTP can be dumped together with bootROM using a patched .rec file able to launch a modified .sta save file; when executed, the code writes a new .sta file containing BOOROM+OTP; dump it from iQue console using ique_diag.exe to save it to your PC (ique_diag.exe -> B -> 3 savegameId.sta); inside the dumped .sta file OTP data can be found from 0x20CC to 0x21CB
Offset | Size | Description | Note |
---|---|---|---|
0x00 | 0x14 | SK Hash | common |
0x14 | 0x10 x 4 | ROM Patch | common |
0x54 | 0x20 | EccPublicKey | per-console |
0x74 | 0x04 | bbId | per-console |
0x78 | 0x40 | EccPrivateKey | per-console |
0xB8 | 0x10 | bootAppKey - COMMON KEY | common |
0xC8 | 0x10 | recryptListKey | per-console |
0xD8 | 0x10 | appStateKey | per-console |
0xE8 | 0x10 | selfMsgKey | per-console |
0xF8 | 0x04 | csumAdjust | per-console |
0xFC | 0x04 | jtagEnable | common |