Reverse Engineering 6.20 IPL

bbtgp32465
Posts: 23
Joined: Fri Sep 18, 2009 3:33 pm

Post by bbtgp32465 »

Yesterday I updated psardumper with the table keys for 6.20 and decrypted/dumped all of the user modules, resources and IPLs etc.

Next I need to reverse the IPL to get the kernel keys. My problem is that the code doesn't make sense after I run it through prxtool,
e.g.
prxtool -b -w -r 0x40EFFF0 %RTS% > %RTT%

I know that the phat's IPL (part 1) is loaded to address 0x040F0000 on boot because of silverspings handy tech doc. What I don't know is why on all the dumps that I have done on 5.00, 6.10, and 6.20 there are always 16 bytes of what looks to be garbage in the first part of the IPL, and I can't help but think that I have the wrong address because all of the jal instructions point to addresses that don't exist or are in the middle of functions.

What I want to know is:
1) What is the address for slims? Is it the same as the phat (0x040F0000)?
2) Has the IPL format changed recently in a way that would cause psardumper to output garbage data?
3) Why is part 3 of the IPL always 0?

I'm at a loss on what to do next, any help or links would be appreciated.
Draan
Posts: 48
Joined: Sat Oct 17, 2009 3:39 am

Post by Draan »

I don't know many things about the IPL, but...
Why does part 3 have 0 bytes? I think it's just not used. On 5.00 and probably lower, part 3 has 0 bytes too.

About the garbage data - I think I saw a post on MaxConsole about XORing some data, but I think this was about the nand updater prxes.
bbtgp32465
Posts: 23
Joined: Fri Sep 18, 2009 3:33 pm

Post by bbtgp32465 »

Thanks anyway. I found out what those 16 bytes are here: http://forums.ps2dev.org/viewtopic.php?t=3573. That helped a lot.