ID Dumper

PS2 A console/CDVD/HDD IDs dumper 2016-10-27

Download
Overview Extra info History Discussion
krHACKen

krHACKen

Developer
A little PS2 ELF which was coded for the sole purpose of dumping the machine and iLink IDs, the CDVD keys (DNA$ and SUD), and the $ONY HDD ID. It also reads the entire MECHACON NVRAM...
The dumped data are saved as raw binaries to the USB drive.

To dump your PS2HDD ID, you need three $ONY drivers (dev9.irx, atad.irx and hdd.irx), NOT INCLUDED in this package. The download comes free of $ONY proprietary code.

ID-DUMPER-SCREENSHOT.png

[good old debug printf, needs nothing more but a lame appname]


Optional drivers on S1tpgSFW at pastebin.com

README.TXT said:
Hello.

This little tool dumps some IDs/keys from the consoles, pressed CDVDs and genuine $ONY PS2HDD firmwares.
It may be useful to the gentlemen who want to quickly grab the data for their module hacking needs...
This program can be shared/distributed freely, consider that it's not a "private" tool.
Oh, and the ELF contains no $ONY material.


How to use :
1) Copy the needed modules to the ID_DUMPER folder;
2) Copy the ID_DUMPER folder in the root of your FAT32 formatted USB device;
3) Run RUNME.ELF.


Requirements :
* To dump the MechaCon NVRAM (MC_NVRAM.BIN, 1024 bytes) *
- None

* To dump the Console ID (CONSOLE_ID.BIN, 8 bytes) *
- None

* To dump the iLink ID (ILINK_ID.BIN, 8 bytes) *
- None

* To dump the DNAS ID of the CDVD (DNAS_ID.BIN, 5 bytes) *
- A pressed PS2CD or PS2DVD of an online playable game in your console

* To dump the $ONY Utility Disc ID of the CDVD (SUD_ID.BIN, 4 bytes) *
- A pressed DVD Player/HDD Utility/PSBBN disc in your console

* To dump the PS2HDD ID (HDD_ID.BIN, 128 bytes) *
- A $ONY dev9.irx in the ID_DUMPER folder
- An original (NOT PATCHED) $ONY atad.irx in the ID_DUMPER folder
- A $ONY hdd.irx in the ID_DUMPER folder
- A $ONY PS2HDD + a $ONY network adaptor in your console


Optional things :
- Want your HDD to be turned off after the tool dumped the HDD ID ? Put homebrew iomanx.irx and filexio.irx in the ID_DUMPER folder.
- mc#:/SYS-CONF/usbd.irx and mc#:/SYS-CONF/usbhdfsd.irx (USB drivers)


I couldn't try it in my PSX because my step down transformer is dead :( .
Tested in a SCPH-30004, a DTL-H30102, a SCPH-70011a and a System246 Rack B.

Best regards.

kHn, 2015/12/17
Click to expand...

Cannot dump the HDD ID ? Try this : https://www.psx-place.com/threads/a-console-cdvd-hdd-ids-dumper.11370/#post-214458
 
Last edited:
@krHACKen I never heard of SUD ID and HDD ID. Could You reveal to me more details? What exactly those IDs are, how they are calculating/reading and what they purpose is? And the last question about DNAS: authors of other apps for dumping DNAS disc id said that their app must be launch on non modded console, as modchip could somehow (?) spoof that number. Is the same is in this case?
 
The SUD ID (the CDVD key that is specific to the $ONY Utility Disc DRM), consists of two parts : the start-LBA of the hidden update package (MC installable files, like the DVD Player KELF & KIRX) and the sceCdDecSet parameter to put the MECHACON into the according decryption mode.
$ONY wanted to hide their M@gicGate binaries and forbid the installation from a CD-R/DVD-R backup, anticipating the Freevast h4x0rage hehe.

So the dumped SUD ID is used to make hacked copies of working HDD Utility Discs / PSBBN discs / DVD Player discs. I mean, that can actually install the damn files to the MC.
It's also possible to scan/analyse the disc image and calculate the SUD ID. A few years ago I've coded a SUD Wobble Finder thing which was more or less reliable. Can't find that app in my messy computer... Anyway, almost all the SUD cdvdKeys are known now, but the ones of the DVD Player 3.04 disc :( .

I prefer to relocate the update packages in my hacked discs/compilations, rather than leaving them to their original LBAs. I also used to disable sceCdDecSet and put the raw packages...

Like for the DNA$ disc ID, getting the SUD ID involves sceCdReadKey (n-command 0x0C). With the parameter 0x1096 iirc...


The HDD ID is stamped to the firmware of the official HDD. Used by the DNA$ WithHDD DRM to bind/decrypt files to/from the HDD. If my memory serves me right, the "No Key" variant of DNA$ WithHDD is the one that does not rely to the iLink ID and to the __net partition data (only to the HDD ID).
In other words, the HDD ID is related to the marriage between the bootable stuff that is installed and the hardware.

Hacked HDD images with bootable things (like Python games, POL Viewer...) have the genuine iLink ID and HDD ID hardcoded into their dna$load modules (or into their decrypted ELF, depending on how they were hacked) + the region locks (MG zone + ROMVER) defeated.

I can't remember how the DNA$ modules get the HDD ID. My dumper does not need them, as it simply loads the ATAD driver, waits for AtaSecIdentify to complete, scans the IOP RAM and dumps the blob of data hehe.


Berion said:
And the last question about DNAS: authors of other apps for dumping DNAS disc id said that their app must be launch on non modded console, as modchip could somehow (?) spoof that number. Is the same is in this case?
Click to expand...
Yes, same case with my dumper. There's so "software workaround" to that. Modchips interfere with sceCdReadKey to "validate" the inserted disc, the returned key will not correspond to sceCdReadKey with the parameter 0x4B (DNA$ ID) or with the parameter 0x1096 (SUD ID).
Other than to serve some kind of data preservation purpose, getting the DNA$ ID of a disc is moot point nowadays. The DNA$ DNS are no longer registered, so injecting the IDs to the CDVD drivers is a tad useless...
What the hacked POL Viewer does is :
1) Connect to the US/JP DNA$ server IP;
2) Send a universal DNA$ software ID;
3) Ignore the returned status code:victorious:.
So whatever the DNA$-NET returns (OK/Title out-of-service/bad ID/console modified/hardware banned/no connection...), PlayOnline does not give a poo.

Also, to dump the HDD ID, you must disable the ATAD-Patch feature of your modchip, otherwise it may srcew up the AtaSecIdentify function of the driver and the ID could not be read from the firmware, leaving nothing but the drive manufacturer infos to the outbuf.

Off-topic : I don't own a modified console, but I saw RAM dumps with some loaded ATAD drivers that were modchip-patched... It's quite ugly compared to the neat ATADpatcher pattern. No wonder why the HDDOSD/PSBBN installers go crazy with those things lol.
 
UniqueUserName said:
@krHACKen

I added your new tool to our Resources section, you can find it at:
http://www.psx-place.com/resources/id-dumper.455/

Also, added ALL the information from the description into the Download Notification section, so they both match, and can be viewed in full with the "click to expand" feature. ;) :)

Here is that link:
http://www.psx-place.com/threads/id-dumper.11371/

Once again, wonderful tool!
Click to expand...


@krHACKen i then i added the resource Tabs and download button ontop of every page in this thread :) ..

Thanks for the releases :)
 
Paulkuria said:
Am new here.. What is the main purpose for this id dumper.. Is it the same as a modchip??
Click to expand...
No. This has nothing to do with anything like that... The explanation is in the first post.
It dumps important PS2 information.

If you are looking to mod your PS2 without a modchip, then you would need FMCB (FreeMCboot) for the softmod solution. ;) :)
 
@krHACKen Thanks for Your time and full explanation.
If You have more PS2 stuff related which was released only on Assmbler, I'll be happy to see also here.
 
I seem to have missed this. Thank you for sharing your knowledge about the various IDs.

The normal ATAD modules have a set of DRM-related functions, which include the SCE IDENTIFY function. There's one for READ ID and WRITE ID, so perhaps the DNAS library uses those functions.
Within the ATAD modules from ROM, we can see the official names of these functions.

In 2016, the homebrew DEV9 and ATAD modules have not been updated. But now they're on the level of the modules from SDK release v3.02, so I think it should be possible to use this piece of software with the late PS2SDK modules.
Our DEV9 module no longer has a dependency on POWEROFF.IRX. However, the developer must unmount the disk before allowing the power to be shut off.
 
Was trying to use this and it seems that everything works EXCEPT the HDD ID dumping. Copied dev9.irx , atad.irx, and hdd.irx from a copy of The Sims 2 but every time I run the dumper it just says "failed" for the HDD ID.
 
Okay. Then @krHACKen, do you reboot the IOP? If you do, do you use EELOADCNF?

Long ago, it was a popular way for homebrew developers to reboot the IOP, for one reason or another. However, this approach is not really correct - it depends on board-specific files and the module list may differ between ROM versions. In the case of the SCPH-70000, EELOADCNF contains an IOPBTCONF file that lists to NCDVDMAN, instead of the usual CDVDMAN module. This variant of CDVDMAN has some system functions like sceCdRI() replaced with stubs that only return 0 - hence making it impossible to get the i.Link ID. EELOADCNF is normally used by LoadExecPS2.

This matters because hdd.irx attempts to unlock the HDD with it, but failing to get the i.Link ID will prevent the HDD from becoming accessible.
 
I believe that I did while(!SifIopReset("rom0:UDNL ", 0)){};...
Also this program doesn't use a specific command to acquire the HDD ID, it just scans the IOP RAM lol.
FAILED means that the HDD modules were succesfully loaded, but the actual scan has failed. Possible causes could be :
- HDD is not genuine (clearly not the case here).
- ATAD.IRX was patched to allow non-$ONY HDD (not the case).
- A modchip is installed, and it's patching ATAD.IRX on the fly.
- Perhaps ATAD.IRX is not compatible with my program due to the lame way it's designed.

Just in case, I reuploaded the set of $ONY modules. It's on S1tpgSFW at pastebin.com
 
Downloaded from the Pastebin, still getting Failed for dumping the HDD ID. I have no modchip in my system, it's just a plain old SCPH-50001/N.
 
You must log in or register to reply here.

Similar threads

Back
Top