
October 13, 2009 // 6:46 am - Developers at DemonHades have located and mapped the JTag Port on a PS3 Blu-ray drive board today.

To quote, roughly translated: I found the JTag port for the Blu-ray Reader on the PlayStation 3. Last night after finishing the research meeting I went looking for information about BD integrated reader.

In and looking at the information that I found on the back of the plate reader I saw that there is no connector terminals, these terminals belong to a connector which connects 'something' via terminals and through the Internet I found the points used in a JTag, including the TDO, TDI, TMS etc.

Originally developed for printed circuit boards, it is currently used for test of submodules of integrated circuits, and is also useful as a mechanism for debugging embedded applications, as it provides a backdoor to within the system.

When used as a debugging tool, an in-circuit emulator that uses JTag as the transport mechanism allows the programmer to access the debugging module that is integrated into the CPU. The debug module enables the programmer to correct their errors and code logic of their systems.

There are consumer products that have a JTag port integrated, so that the connections are often available on the PCB as part of the prototype phase of the product. These connections can provide a simple way to reverse-engineer.

As you can see we have a door strike to try to get the firmware, decrypted data, and all that is able to control the Blu-ray reader.

The data from this integrated JTag will CXD5063GG-1. CXD5063GG-1 = ASIC / CPU - Video Decryption Device Sony Computer Entertainment Inc., CXD5063GG-1, 2005 SCEI, 120,748 0608HAL.

JTag Port on PS3 Blu-ray Drive Board Located and Mapped



#50 - xhugox - October 29, 2009 // 4:42 pm
I like the idea of attacking a part which has been announced to be blocked by Sony already.
Because if we are able to bypass this block, the signals we put in are most likely not checked by any software.

Why should they double check?

#49 - DemonHades - October 29, 2009 // 2:18 pm
Hi guys, I found new information on the MCU CXD5063-GG-1. Tonight I found new information that shows details for better study, with special mention of the AD5620 (it is like an MX25).

OUT (Pin 1): Analog Output. In normal filtering, this is the output of an internal operational amplifier and is capable of swinging essentially to any voltage between the power supply rails (that is, between V+ and V–). This output is designed to drive a nominal load of 5k and 50pF. For lowest signal distortion it should be loaded as lightly as possible. The output can drive lower resistances than 5k, but distortion may increase, and the output current will limit at approximately 10mA. Capacitances higher than 50pF should be isolated by a series resistor of 500Ω to preserve AC stability. In the Mute state (F code 0000 or RST = 0), the output operates as in normal filtering but the gain from the IN pin becomes zero and the output noise is reduced. In the shutdown state (EN = 1 or EN open circuited), most of the circuitry in the CXD5063GG-1 shuts off and the OUT pin assumes a high impedance state.

The AD5620/AD5640/AD5660 on-chip precision output amplifier allows rail-to-rail output swing to be achieved. For remote sensing applications, the output amplifier's inverting input is available to the user. The AD5620/AD5640/AD5660 use a versatile 3-wire serial interface that operates at clock rates up to 30 MHz and is compatible with standard SPI®, QSPI™, MICROWIRE™, and DSP interface standards.

4.4.2 Group B inspection. Group B inspection shall be conducted in accordance with the conditions specified for subgroup testing in tables VIb (JAN, JANTX, and JANTXV) of MIL-PRF-19500 and paragraphs herein. Electrical measurements (end-points) shall be in accordance with table I, group A, subgroup 2 herein.

Note 13: Machine Model ESD test is covered by specification EIAJ IC-121-1981. A 200 pF cap is charged to the specific voltage, then discharged directly into the IC with no external series resistor (resistance of discharge path must be under 50Ω).

AVX Paignton is the Divisional Headquarters for the Tantalum division which has manufacturing locations in Paignton in the UK, Biddeford in Maine, USA, Juarez in Mexico, Lanskroun in the Czech Republic and El Salvador. The Division takes its name from the raw material used to make its main products, Tantalum Capacitors.

Greetings and regards

#48 - hosmy - October 25, 2009 // 12:04 am
Quote - Originally Posted by cfwprophet:
Yop, it was already dumped, and at the same time the PS3 devs recognized that the BD FW is also present in the PS3 FW. The guy who dumped the Spansion stated that the encryption of the BD-FW will also be SHA256bit and he stopped his work.

No offence meant, but sometimes it will be better to not let your enemy know that you're behind his backplate.

Xbox hackers got the dvdkeys thru power cable, this tells me we need to try while drive is running and not using a programmer. Has anyone connected bdrom to pc via IDE?

Just my 0.02$

#47 - PS4 News - October 22, 2009 // 12:30 am
Quote - Originally Posted by semitope:
It would be a nice little community project because a lot of us useless folks want to help in some way.

Ya, we're drifting from the JTag topic for this thread... but to answer: If you know someone who wishes to start up a project like this and can code then we could support it sure, however the PS3 Devs on IRC are not interested in such a project so it would require other people to do it.

#46 - semitope - October 21, 2009 // 2:08 pm
That's all well and good, but where is the important information of just how quickly the keys could be guessed (with a well coded app) on each machine, and what machine specs got him to that 2 mill keys/sec? Also, is it really going to go sequentially like that? So that at the end of those 50-3970923kaokfhsaieuyr0098347-2 years is when the key would be found, or could someone get lucky and end up with the key in even 1 month?

It would be a nice little community project because a lot of us useless folks want to help in some way.

#45 - PS4 News - October 21, 2009 // 5:20 am
Quote - Originally Posted by jabberosx:
Actually I too remember that. And not only that but Made Man suggesting that one of the dev's was writing the code and requesting the community to help. whatever happened of that idea.

The PS3 KeyVault Project was shelved by the Project Leaders... as I replied in an old post (HERE) they basically found more direct paths to what they were trying to accomplish at the time.

In one of CJPC's PS3 Dev articles (HERE) he posted the corrected estimate of how long it would take to bruteforce the Retail PS3 Decryption Key, and due to an initial gross miscalculation by one of the Lead Devs it ended up being longer than anyone here will be on earth.

Precisely, he also wrote a brute forcer for the same kind of key for XBox 360 and got it up to 2 million keys/second, and worked out it would *only* take 5395141535403007094485264.577495 years to guess it.

Even if we got 1 million people working on it full time, you could only divide that number by 1,000,000 so still a HUGE number indeed.
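The estimate quoted in the post above can be reproduced, and semitope's "could someone get lucky" question answered, with exact arithmetic. This is an added example, not code from the thread or from the PS3 Devs; the 128-bit key size and the 365-day year are assumptions inferred from the quoted figure, and the function names are made up for illustration.

```python
from fractions import Fraction
from math import ceil

# Assumption: a 365-day year, which is what reproduces the figure quoted in the thread.
SECONDS_PER_YEAR = 365 * 24 * 3600


def years_to_exhaust(key_bits, keys_per_sec, workers=1):
    """Worst case: years to try every key, keyspace split evenly across workers."""
    return Fraction(2 ** key_bits, keys_per_sec * workers * SECONDS_PER_YEAR)


def expected_years(key_bits, keys_per_sec, workers=1):
    """Average case for a uniformly random key: half of the keyspace is searched."""
    return years_to_exhaust(key_bits, keys_per_sec, workers) / 2


def success_probability(key_bits, keys_per_sec, years, workers=1):
    """Chance of having hit the key after `years` of searching.

    For a uniformly random key this is simply the fraction of the keyspace
    covered, so sequential and random search orders give the same odds.
    """
    covered = Fraction(years) / years_to_exhaust(key_bits, keys_per_sec, workers)
    return min(Fraction(1), covered)


def workers_needed(key_bits, keys_per_sec, years, probability):
    """Machines required to reach `probability` of success within `years`."""
    per_worker = keys_per_sec * SECONDS_PER_YEAR * Fraction(years)
    return ceil(Fraction(probability) * 2 ** key_bits / per_worker)


if __name__ == "__main__":
    bits, rate = 128, 2_000_000  # assumed key size; rate quoted in the thread
    print("one machine, full sweep : %.6e years" % float(years_to_exhaust(bits, rate)))
    print("one machine, on average : %.6e years" % float(expected_years(bits, rate)))
    print("1M machines, full sweep : %.6e years"
          % float(years_to_exhaust(bits, rate, 10 ** 6)))
    print("1M machines, one month  : p = %.3e"
          % float(success_probability(bits, rate, Fraction(1, 12), 10 ** 6)))
    print("machines for p=0.5 in 1y: %.3e"
          % workers_needed(bits, rate, 1, Fraction(1, 2)))
```

Because the odds scale linearly with the fraction of the keyspace covered, "getting lucky" in a month is exactly as unlikely as the covered fraction is small, regardless of search order.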

#44 - cfwprophet - October 21, 2009 // 3:36 am
I'm sure pplz would do it but the only way this could work would be over a cluster system like [email protected] or [email protected] or to use a PS3 Cluster with 200-300 consoles to hack the PS3 encryption by the PS3 itself.

I mean to hack the BD Drive/FW is useless. Even if CJPC and the xboxhacker community will be wrong about the JTAG port of the BD drive (which I doubt) and the DemonHades devs can dump the BD FW, they would need to crack the 256bit encryption and also to change the BD FW in the PS3's FW itself.

Let me say it in the words of Bushing: So much fail...

#43 - jabberosx - October 20, 2009 // 8:51 pm
Actually I too remember that. And not only that but Made Man suggesting that one of the dev's was writing the code and requesting the community to help. whatever happened of that idea. I am pretty sure more than enough people will offer their excess computing power for this good of the community. I know I will.

#42 - semitope - October 20, 2009 // 7:29 pm
I liked my idea better. Ski masks and BB guns (or was it shotguns?)

I really hate the idea of buying something with so much encryption. At which point is the hardware mine? Anyway, good job with the info so far.

I am not sure I got an answer about using distributed computing to hack these encrypted files. Asked long long ago. Is it not at all possible?

#41 - SCE - October 19, 2009 // 5:36 pm
Quote - Originally Posted by CJPC:
Well - the post really isn't too clear - but the thing w/ JTAG lines, it requires multiple lines. If even just the right one is blown it will never work, sadly. Some clever people have gotten around this with other embedded devices by rewriting FW to allow output over a UART - but the catch was that the FW wasn't encrypted!

We can all hope that it does work, but in all of our tests - the JTAG was blown.

One must force Sony to release the code of BD FW in the court

Convince the adjudicator