anonymousps4 / ds4blog


copyFlash issue #2

Open ds42fresh opened 10 months ago

ds42fresh commented 10 months ago

Firstly, I must commend you on an exceptional blog. By following the steps provided, one can successfully obtain their own keys.

Upon implementing the automation script, I noticed a discrepancy. The read_len value was set to 0x7F00, contrary to the 0x7D00 mentioned in the blog. This inconsistency led to a failure in the MAC verification process when attempting to extract the keys using the jedi script.

To rectify this issue, I adjusted the read_len value to 0x7D00, and thereafter, the process functioned smoothly.

Below are the modified code snippets:

    # Nine Thumb-2 copy stubs. Each one does: mov.w r0, #src_lo; movt r0, #src_hi;
    # mov.w r1, #0x8200; movt r1, #0x2003 (dst = 0x20038200); mov.w r4, #count;
    # then loops ldr.w r3, [r0], #4 / str.w r3, [r1], #4 / subs r4, #1 / bne.
    copyFlash = [bytes([0x4f, 0xf0, 0x00, 0x00, 0xc0, 0xf2, 0x00, 0x00,
                    0x4f, 0xf4, 0x02, 0x41, 0xc2, 0xf2, 0x03, 0x01,
                    0x4f, 0xf4, 0xfa, 0x44, 0x50, 0xf8, 0x04, 0x3b,
                    0x41, 0xf8, 0x04, 0x3b, 0x01, 0x3c, 0xf9, 0xd1]),
                bytes([0x4f, 0xf4, 0xfa, 0x40, 0xc0, 0xf2, 0x00, 0x00,
                    0x4f, 0xf4, 0x02, 0x41, 0xc2, 0xf2, 0x03, 0x01,
                    0x4f, 0xf4, 0xfa, 0x44, 0x50, 0xf8, 0x04, 0x3b,
                    0x41, 0xf8, 0x04, 0x3b, 0x01, 0x3c, 0xf9, 0xd1]),
                bytes([0x4f, 0xf4, 0x7a, 0x40, 0xc0, 0xf2, 0x00, 0x00,
                    0x4f, 0xf4, 0x02, 0x41, 0xc2, 0xf2, 0x03, 0x01,
                    0x4f, 0xf4, 0xfa, 0x44, 0x50, 0xf8, 0x04, 0x3b,
                    0x41, 0xf8, 0x04, 0x3b, 0x01, 0x3c, 0xf9, 0xd1]),
                bytes([0x4f, 0xf4, 0xee, 0x40, 0xc0, 0xf2, 0x01, 0x00,
                    0x4f, 0xf4, 0x02, 0x41, 0xc2, 0xf2, 0x03, 0x01,
                    0x4f, 0xf4, 0xfa, 0x44, 0x50, 0xf8, 0x04, 0x3b,
                    0x41, 0xf8, 0x04, 0x3b, 0x01, 0x3c, 0xf9, 0xd1]),
                bytes([0x4f, 0xf4, 0x74, 0x40, 0xc0, 0xf2, 0x01, 0x00,
                    0x4f, 0xf4, 0x02, 0x41, 0xc2, 0xf2, 0x03, 0x01,
                    0x4f, 0xf4, 0xfa, 0x44, 0x50, 0xf8, 0x04, 0x3b,
                    0x41, 0xf8, 0x04, 0x3b, 0x01, 0x3c, 0xf9, 0xd1]),
                bytes([0x4f, 0xf4, 0xe2, 0x40, 0xc0, 0xf2, 0x02, 0x00,
                    0x4f, 0xf4, 0x02, 0x41, 0xc2, 0xf2, 0x03, 0x01,
                    0x4f, 0xf4, 0xfa, 0x44, 0x50, 0xf8, 0x04, 0x3b,
                    0x41, 0xf8, 0x04, 0x3b, 0x01, 0x3c, 0xf9, 0xd1]),
                bytes([0x4f, 0xf4, 0x6e, 0x40, 0xc0, 0xf2, 0x02, 0x00,
                    0x4f, 0xf4, 0x02, 0x41, 0xc2, 0xf2, 0x03, 0x01,
                    0x4f, 0xf4, 0xfa, 0x44, 0x50, 0xf8, 0x04, 0x3b,
                    0x41, 0xf8, 0x04, 0x3b, 0x01, 0x3c, 0xf9, 0xd1]),
                bytes([0x4f, 0xf4, 0xd6, 0x40, 0xc0, 0xf2, 0x03, 0x00,
                    0x4f, 0xf4, 0x02, 0x41, 0xc2, 0xf2, 0x03, 0x01,
                    0x4f, 0xf4, 0xfa, 0x44, 0x50, 0xf8, 0x04, 0x3b,
                    0x41, 0xf8, 0x04, 0x3b, 0x01, 0x3c, 0xf9, 0xd1]),
                bytes([0x4f, 0xf4, 0x68, 0x40, 0xc0, 0xf2, 0x03, 0x00,
                    0x4f, 0xf4, 0x02, 0x41, 0xc2, 0xf2, 0x03, 0x01,
                    0x4f, 0xf4, 0xc0, 0x54, 0x50, 0xf8, 0x04, 0x3b,
                    0x41, 0xf8, 0x04, 0x3b, 0x01, 0x3c, 0xf9, 0xd1])]

Furthermore, on line 304, the read_len should be updated to 0x7D00 as follows:

        read_len = 0x7D00

These alterations should ensure a successful key extraction process.
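
A way to catch this kind of stub/read_len disagreement up front, as an added example that is not part of the issue or the ds4blog repository: decode the mov.w/movt immediates in the copyFlash stubs and confirm each stub's flash offset is a whole multiple of read_len. The three embedded stubs are the first, second and last ones from the comment above.

```python
# Added example, not code from the issue or the ds4blog repository: decode the
# Thumb-2 mov.w / movt immediates in each copyFlash stub and check that the
# stubs' flash offsets line up with read_len, so a stub/read_len disagreement
# like the one reported above is caught before the dump is attempted.
import struct

READ_LEN = 0x7D00  # value the comment above settles on

# First, second and last copyFlash stubs, copied from the comment above.
STUBS = [
    bytes.fromhex("4ff00000c0f20000 4ff40241c2f20301 4ff4fa4450f8043b 41f8043b013cf9d1"),
    bytes.fromhex("4ff4fa40c0f20000 4ff40241c2f20301 4ff4fa4450f8043b 41f8043b013cf9d1"),
    bytes.fromhex("4ff46840c0f20300 4ff40241c2f20301 4ff4c05450f8043b 41f8043b013cf9d1"),
]

def thumb_expand_imm(imm12):
    """ThumbExpandImm from the ARMv7-M reference manual (modified immediates)."""
    if imm12 >> 10 == 0:                       # replicated-byte forms
        b = imm12 & 0xFF
        return (b, b * 0x00010001, b * 0x01000100, b * 0x01010101)[(imm12 >> 8) & 3]
    unrot, rot = 0x80 | (imm12 & 0x7F), imm12 >> 7   # rotated 8-bit constant
    return ((unrot >> rot) | (unrot << (32 - rot))) & 0xFFFFFFFF

def decode_mov_immediates(stub):
    """Return {rd: value} for the mov.w (T2) / movt (T1) pairs that set up
    r0 (flash source), r1 (RAM destination) and r4 (loop count) in a stub."""
    regs = {}
    for off in range(0, len(stub), 4):
        hw1, hw2 = struct.unpack_from("<HH", stub, off)
        i, imm3, rd, imm8 = (hw1 >> 10) & 1, (hw2 >> 12) & 7, (hw2 >> 8) & 0xF, hw2 & 0xFF
        if hw1 & 0xFBEF == 0xF04F:             # mov(s).w rd, #const
            regs[rd] = thumb_expand_imm((i << 11) | (imm3 << 8) | imm8)
        elif hw1 & 0xFBF0 == 0xF2C0:           # movt rd, #imm16 (top half)
            imm16 = ((hw1 & 0xF) << 12) | (i << 11) | (imm3 << 8) | imm8
            regs[rd] = (regs.get(rd, 0) & 0xFFFF) | (imm16 << 16)
    return regs                                # ldr/str/subs/bne are skipped

def check_stubs(stubs, read_len=READ_LEN):
    """Map each stub to (chunk index, src, dst, words copied). Raises when a
    stub's flash offset is not a whole multiple of read_len, which is what
    happens with the script's 0x7F00 against these 0x7D00-stride stubs."""
    chunks = []
    for stub in stubs:
        regs = decode_mov_immediates(stub)
        src, dst, words = regs[0], regs[1], regs[4]
        if src % read_len:
            raise ValueError(f"stub source 0x{src:X} is not a multiple of 0x{read_len:X}")
        chunks.append((src // read_len, src, dst, words))
    return chunks
```

Running `check_stubs(STUBS)` gives chunk indices 0, 1 and 8 with destination 0x20038200 throughout; `check_stubs(STUBS, 0x7F00)` raises on the second stub, which is the mismatch the comment describes.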

SK83RJOSH commented 5 months ago

I just want to chime in and say that this enabled me to dump a JDM-001 board correctly. For whatever reason it was failing pretty catastrophically without this fix.