PS3 Memory Card Adaptor (CECHZM1) Allows Free MC Boot Install

**Megatron-uk** · 11-10-2012,09:11 AM

Never mind.......

**Megatron-uk** · 11-10-2012,09:33 AM

OK, on my particular reader - a Logic 3 device, I sometimes get an error -13, but 90% of the time is an error -90.

So, a little bit of debug output thrown in to the source and its coming from meCardVerifyResponse:

./ps3mca-tool -i
PS3MCA-TOOL v1.3
INFO: PS Memory card authentication (1)
DEBUG: meCardVerifyResponse: -1
INFO: PS Memory card authentication (2)
DEBUG: meCardVerifyResponse: -1
INFO: PS Memory card authentication (3)
DEBUG: meCardVerifyResponse: -1
INFO: PS Memory card authentication (4)
DEBUG: meCardVerifyResponse: -1
INFO: PS Memory card authentication (5)
DEBUG: meCardVerifyResponse: -1
ERROR: PS Memory card NOT authenticated
Error: no PS2 Memory Card detected... (-90)

- this probably means that at some point in card_authentificate one of the calls is returning invalid data:

while (auth_retry_count++ < 5) {

printf("INFO: PS Memory card authentication (%d)\n", auth_retry_count);

meResetCryptoContext();

/* auth reset */
CardAuth_Reset();

/* auth keys change */
CardAuth_Cmd(0xf7, 0x01);

/* auth 0x00 */
CardAuth_Cmd(0xf0, 0x00);

/* auth 0x01 */
CardAuth_Cmd_Read(0xf0, 0x01, CardIV);

/* auth 0x02 */
CardAuth_Cmd_Read(0xf0, 0x02, CardMaterial);

/* get the UniqueKey */
meCardCalcUniqueKey(CardIV, CardMaterial);

/* auth 0x03 */
CardAuth_Cmd(0xf0, 0x03);

/* auth 0x04 */
CardAuth_Cmd_Read(0xf0, 0x04, CardNonce);

/* auth 0x05 */
CardAuth_Cmd(0xf0, 0x05);

/* generate the MechaCon challenge */
meCardGenerateChallenge(CardIV, CardNonce, MechaNonce, MechaChallenge1, MechaChallenge2, MechaChallenge3);

/* auth 0x06 */
CardAuth_Cmd_Write(0xf0, 0x06, MechaChallenge3);

/* auth 0x07 */
CardAuth_Cmd_Write(0xf0, 0x07, MechaChallenge2);

/* auth 0x08 */
CardAuth_Cmd(0xf0, 0x08);

/* auth 0x09 */
CardAuth_Cmd(0xf0, 0x09);

/* auth 0x0a */
CardAuth_Cmd(0xf0, 0x0a);

/* auth 0x0b */
CardAuth_Cmd_Write(0xf0, 0x0b, MechaChallenge1);

/* auth 0x0c */
CardAuth_Cmd(0xf0, 0x0c);

/* auth 0x0d */
CardAuth_Cmd(0xf0, 0x0d);

/* auth 0x0e */
CardAuth_Cmd(0xf0, 0x0e);

/* auth 0x0f */
CardAuth_Cmd_Read(0xf0, 0x0f, CardResponse1);

/* auth 0x10 */
CardAuth_Cmd(0xf0, 0x10);

/* auth 0x11 */
CardAuth_Cmd_Read(0xf0, 0x11, CardResponse2);

/* auth 0x12 */
CardAuth_Cmd(0xf0, 0x12);

/* auth 0x13 */
CardAuth_Cmd_Read(0xf0, 0x13, CardResponse3);

/* auth 0x14 */
CardAuth_Cmd(0xf0, 0x14);

/* validate the card response */
r = meCardVerifyResponse(CardResponse1, CardResponse2, CardResponse3);
if (r == 0)
{
printf("WARN: PS Memory card NOT verified\n");
break;
}
}

if (r < 0)
printf("ERROR: PS Memory card NOT authenticated\n");
return sceMcResFailAuth;

printf("INFO: PS Memory card authenticated OK\n");
return sceMcResSucceed;

**bundat** · 11-10-2012,09:56 AM

o_O
Hey, why "never mind"?
.... It looks like you found (?) the source o_O and added debugging messages...?
Argh, how do you send private messages here... I can't find the link.

-----

EDIT:
Welp, I think it's because I'm too new.
... *adds Skype to profile*

Anyway, I was walking along a local store and found THIS!
Since it was dirt cheap (not even $5), I just bought it even though I have that other one coming in the mail.

Here's a pic (taken using my crappy webcam):
i49. tinypic. com/244tb84. png
...argh, I can't even post pictures

... just remove the spaces

I'll update this post later with REAL pictures (when I find my real camera), and usbview details and all that.

**bundat** · 11-10-2012,11:45 AM

Okay, more info:

Unfortunately, the retailer who I bought this from is one who rebrands all their products
(I've opened up their 3G USB sticks and MiFi gadgets, all are Huawei branded under the casing, but have no clues on the outside).
The only clue about the unit is the model number: PS3-0023

USBView is surprisingly ALMOST identical to Sony's (based on the one posted by CoreCore)

Code:

Device Descriptor:
bcdUSB:             0x0110
bDeviceClass:         0xFF
bDeviceSubClass:      0x00
bDeviceProtocol:      0xFF
bMaxPacketSize0:      0x40 (64)
idVendor:           0x054C (Sony Corporation)
idProduct:          0x02EA
bcdDevice:          0x0100
iManufacturer:        0x00
iProduct:             0x00
iSerialNumber:        0x00
bNumConfigurations:   0x01

ConnectionStatus: DeviceConnected
Current Config Value: 0x01
Device Bus Speed:     Full
Device Address:       0x03
Open Pipes:              3

Endpoint Descriptor:
bEndpointAddress:     0x81  IN
Transfer Type:        Bulk
wMaxPacketSize:     0x0040 (64)
bInterval:            0x00

Endpoint Descriptor:
bEndpointAddress:     0x02  OUT
Transfer Type:        Bulk
wMaxPacketSize:     0x0040 (64)
bInterval:            0x00

Endpoint Descriptor:
bEndpointAddress:     0x83  IN
Transfer Type:   Interrupt
wMaxPacketSize:     0x0001 (1)
bInterval:            0x64

Configuration Descriptor:
wTotalLength:       0x0027
bNumInterfaces:       0x01
bConfigurationValue:  0x01
iConfiguration:       0x00
bmAttributes:         0x80 (Bus Powered )
MaxPower:             0x64 (200 Ma)

Interface Descriptor:
bInterfaceNumber:     0x00
bAlternateSetting:    0x00
bNumEndpoints:        0x03
bInterfaceClass:      0xFF
bInterfaceSubClass:   0x00
bInterfaceProtocol:   0xFF
iInterface:           0x00

Endpoint Descriptor:
bEndpointAddress:     0x81  IN
Transfer Type:        Bulk
wMaxPacketSize:     0x0040 (64)
bInterval:            0x00

Endpoint Descriptor:
bEndpointAddress:     0x02  OUT
Transfer Type:        Bulk
wMaxPacketSize:     0x0040 (64)
bInterval:            0x00

Endpoint Descriptor:
bEndpointAddress:     0x83  IN
Transfer Type:   Interrupt
wMaxPacketSize:     0x0001 (1)
bInterval:            0x64

Side-by-side comparison pic:
i45. tinypic. com/2lxat20. png
(argh, take out the spaces... again)

The USBView details are surprisingly (or rather, unsurprisingly)... useless.
It was almost identical save for one, "Device Address", which I doubt is relevant to authentication.

Even plain --mc-info calls or --mc-image (pure reads), return -90 no memory card detected errors most of the time
(and sometimes -13 no memory card detected errors).

Just for the heck of it, I pulled out the memory card, and ALSO got a no memory card detected error..... -11.
And I got the error BLAZINGLY fast, almost instantly.
Unlike the -90 and -13 errors, which actually lag for 2-3 seconds, meaning SOME data is getting through... somewhere somehow.

-----

Well, that was a whole lot of.... nothing.

Welp, I guess there really is no way of progressing here without the source. :/

Anyone?

If anyone has a copy from Github... please hit me up on Skype.

**Megatron-uk** · 11-10-2012,12:23 PM

A little more info, and something I've found is that if I remove and insert the memory card after plugging the card reader in I can get it to get past the card_authentificate call.

This is the trace I get now - I've added a whole load of printf statements to see where the call is getting to - as you can see it gets to:

(mcio.c)

Card_ReadPageData(int32_t page, uint8_t *pagebuf, uint8_t *eccbuf)

and then terminates with a segfault on this line:

(mcio.c)

memset((void *)&iodata->mc_data, 0, 9);

./ps3mca-tool -i
PS3MCA-TOOL v1.3
DEBUG: Card_Probe
DEBUG: Card_Probe - Calling Card_Changed
DEBUG: Card_Probe - Calling CardAuth_Reset
INFO: CardAuth_Cmd (0xf3 / 0x0)- OK
DEBUG: Card_Probe - Calling Card_Authentificate
INFO: PS Memory card authentication (1)
INFO: CardAuth_Cmd (0xf3 / 0x0)- OK
INFO: CardAuth_Cmd (0xf7 / 0x1)- OK
INFO: CardAuth_Cmd (0xf0 / 0x0)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x1) - OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x2) - OK
INFO: CardAuth_Cmd (0xf0 / 0x3)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x4) - OK
INFO: CardAuth_Cmd (0xf0 / 0x5)- OK
INFO: CardAuth_Cmd_Write (0xf0 / 0x6) - OK
INFO: CardAuth_Cmd_Write (0xf0 / 0x7) - OK
INFO: CardAuth_Cmd (0xf0 / 0x8)- OK
INFO: CardAuth_Cmd (0xf0 / 0x9)- OK
INFO: CardAuth_Cmd (0xf0 / 0xa)- OK
INFO: CardAuth_Cmd_Write (0xf0 / 0xb) - OK
INFO: CardAuth_Cmd (0xf0 / 0xc)- OK
INFO: CardAuth_Cmd (0xf0 / 0xd)- OK
INFO: CardAuth_Cmd (0xf0 / 0xe)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0xf) - OK
INFO: CardAuth_Cmd (0xf0 / 0x10)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x11) - OK
INFO: CardAuth_Cmd (0xf0 / 0x12)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x13) - OK
INFO: CardAuth_Cmd (0xf0 / 0x14)- OK
DEBUG: meCardVerifyResponse Decryption response 1: 0
DEBUG: meCardVerifyResponse Decryption response 2: 0
INFO: meCardVerifyResponse - Verification OK
DEBUG: meCardVerifyResponse: 0
INFO: PS Memory card verified on attempt 1
INFO: PS Memory card authenticated OK
DEBUG: Card_Probe - Calling Card_Validate
DEBUG: Card_Probe - Calling Card_SetTerminationCode
DEBUG: Card_Probe - Calling Card_SetDeviceInfo
DEBUG: Card_SetDeviceInfo
DEBUG: Card_SetDeviceInfo - Calling Card_SetDeviceSpecs
DEBUG: Card_SetDeviceInfo - Calling Card_ReadPage
DEBUG: Card_ReadPage
DEBUG: Card_ReadPage - Calling Card_ReadPageData
DEBUG: Card_ReadPageData
DEBUG: Card_ReadPageData - Read attempt 1
Segmentation fault

**bundat** · 11-10-2012,12:28 PM

Welp... without source-access, guess I'll just "backseat" debug here...

1) What is the value of (rather, what are the values in) CardResponse1 after auth 0x0f?
The values before would also be nice, just to see how it changes.

2) What is the value of (rather, what are the values in) CardResponse2 after auth 0x11?
The values before would also be nice, just to see how it changes.

3) same for CardResponse3, auth 0x13: before & after

Can I see the code of meCardVerifyResponse?
When does it return 0 and not -1?

EDIT: LOL at segfault o_O
Anyway, it seems all it is doing during the segfault is clearing 9 elements in the array mcdata of the struct iodata (of type "struct usbio_data")...

But the segfault makes no sense, since CardAuth_Cmd_Read() and CardAuth_Cmd_Write() do the same, with an even larger target size (14).
Unless the iodata pointer or the mcdata pointer (IF it is a pointer, no idea what "struct usbio_data" looks like) were reassigned?

**bundat** · 11-10-2012,12:41 PM

Just some random tests... (I really wish I had the source...)
I tried to "hammer" the MCA, by doing

＠echo off
:LBL
ps3mca-tool --mc-info
if ERRORLEVEL 1 goto LBL

Funny thing, it NEVER goes into -13, ALWAYS -90.
I mean literally NEVER. Not even once in a thousand reps.

But I managed a -12 (sceMcResFailDetect), by Ctrl+C at a certain point.
I halted the loop at the message: "PS3MCA-TOOL v1.3"
BUT before the message: "Error: no PS2....blabla"

It seems that the MCA is stateful...
(like each state is an authentication step or something similar)
And that it was still in the previous state it halted at?
But the tool expects the MCA to be in a certain state (starting point) everytime.

ADDENDUM:

I also managed the instant -11s nonstop, also by Ctrl+C at a certain point.
It seems either the MCA got stuck in an "unsyncable state"...?
Or I just managed to "soft-disconnect" it lol.

**bundat** · 11-10-2012,12:58 PM

About the error codes (which is where we found the starting point for investigation):
For my MCA unit:

Upon first connect (plugging in the USB, or plugging in a memcard).
It is ALWAYS -13.

All subsequent tries are -90.

I think -13 is the real error, and the subsequent -90s are just a "state desync" (i.e. ps3mca-tool assumes the starting state, but the previous segfault left the MCA in an unknown state, that leads to -90 if treated as a starting state)

So I think investigating -13 (sceMcResFailDetect2) is more relevant...? Not really sure about other devices though.

Is the part that throws -13 (sceMcResFailDetect2) on a later stage than -90?
Makes sense, since the MCA is in a post-authentication state already, but the PS3MCA-TOOL thinks it is just at the starting point, pre-authentication).
Meaning it gets farther the first time around.

--------------------

EDIT: Oh wait, you already said this here:

A little more info, and something I've found is that if I remove and insert the memory card after plugging the card reader in I can get it to get past the card_authentificate call.

Never mind then.

Well... the "state desync" isn't the relevant bug anyway. The initial -13 (which caused it via segfault) should be the one.

Could you post Card_ReadPageData()?
Although I don't really think looking at single functions will let me help, but I found it really helpful in understanding it (or at least, just to keep up) when WaveZero was doing it. :/

**Megatron-uk** · 11-10-2012,02:15 PM

I was playing with the usbio_buf size - by default it was 1024 bytes, I dropped it down to 64 and it seemed to improve the frequency at which the device was detected and the error codes changed from -11 and -13 to -90.

Anyway, the call trace from GDB showed a call to usbd_bulk_write with a buf_size of 138, which is clearly greater than the size I was setting. Increased to 256 bytes and I now get further:

Code:

(gdb) run -i
Starting program: /opt/home/megatron/Desktop/ps3mca/PS3MCA/src/ps3mca-tool -i
PS3MCA-TOOL v1.3
DEBUG: mcio_mcDetect
DEBUG: Card_Probe
DEBUG: Card_Probe - Calling Card_Changed
DEBUG: Card_Probe - Calling CardAuth_Reset
INFO: CardAuth_Cmd (0xf3 / 0x0)- OK
DEBUG: Card_Probe - Calling Card_Authentificate
INFO: PS Memory card authentication (1)
INFO: CardAuth_Cmd (0xf3 / 0x0)- OK
INFO: CardAuth_Cmd (0xf7 / 0x1)- OK
INFO: CardAuth_Cmd (0xf0 / 0x0)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x1) - OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x2) - OK
INFO: CardAuth_Cmd (0xf0 / 0x3)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x4) - OK
INFO: CardAuth_Cmd (0xf0 / 0x5)- OK
INFO: CardAuth_Cmd_Write (0xf0 / 0x6) - OK
INFO: CardAuth_Cmd_Write (0xf0 / 0x7) - OK
INFO: CardAuth_Cmd (0xf0 / 0x8)- OK
INFO: CardAuth_Cmd (0xf0 / 0x9)- OK
INFO: CardAuth_Cmd (0xf0 / 0xa)- OK
INFO: CardAuth_Cmd_Write (0xf0 / 0xb) - OK
INFO: CardAuth_Cmd (0xf0 / 0xc)- OK
INFO: CardAuth_Cmd (0xf0 / 0xd)- OK
INFO: CardAuth_Cmd (0xf0 / 0xe)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0xf) - OK
INFO: CardAuth_Cmd (0xf0 / 0x10)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x11) - OK
INFO: CardAuth_Cmd (0xf0 / 0x12)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x13) - OK
INFO: CardAuth_Cmd (0xf0 / 0x14)- OK
DEBUG: meCardVerifyResponse Decryption response 1: 0
DEBUG: meCardVerifyResponse Decryption response 2: 0
INFO: meCardVerifyResponse - Cypher Verification OK
DEBUG: meCardVerifyResponse: 0
INFO: PS Memory card verified on attempt 1
INFO: PS Memory card authenticated OK
DEBUG: Card_Probe - Calling Card_Validate
DEBUG: Card_Probe - Calling Card_SetTerminationCode
DEBUG: Card_Probe - Calling Card_SetDeviceInfo
DEBUG: Card_SetDeviceInfo
DEBUG: Card_SetDeviceInfo - Calling Card_SetDeviceSpecs
DEBUG: Card_SetDeviceInfo - Calling Card_ReadPage
DEBUG: Card_ReadPage
DEBUG: Card_ReadPage - Calling Card_ReadPageData
DEBUG: Card_ReadPageData
DEBUG: Card_ReadPageData - Read attempt 1
DEBUG: Card_ReadPageData - Read attempt 2
DEBUG: Card_ReadPageData - Read attempt 3
DEBUG: Card_ReadPageData - Read attempt 4
DEBUG: Card_ReadPageData - Read attempt 5
DEBUG: Card_ReadPageData OK (retries exceeded)
DEBUG: Card_ReadPage - Calling Card_ReadPageData
DEBUG: Card_ReadPageData
DEBUG: Card_ReadPageData - Read attempt 1
DEBUG: Card_ReadPageData - Read attempt 2
DEBUG: Card_ReadPageData - Read attempt 3
DEBUG: Card_ReadPageData - Read attempt 4
DEBUG: Card_ReadPageData - Read attempt 5
DEBUG: Card_ReadPageData OK (retries exceeded)
DEBUG: Card_ReadPage - Calling Card_ReadPageData
DEBUG: Card_ReadPageData
DEBUG: Card_ReadPageData - Read attempt 1
DEBUG: Card_ReadPageData - Read attempt 2
DEBUG: Card_ReadPageData - Read attempt 3
DEBUG: Card_ReadPageData - Read attempt 4
DEBUG: Card_ReadPageData - Read attempt 5
DEBUG: Card_ReadPageData OK (retries exceeded)
DEBUG: Card_ReadPage - Calling Card_ReadPageData
DEBUG: Card_ReadPageData
DEBUG: Card_ReadPageData - Read attempt 1
DEBUG: Card_ReadPageData - Read attempt 2
DEBUG: Card_ReadPageData - Read attempt 3
DEBUG: Card_ReadPageData - Read attempt 4
DEBUG: Card_ReadPageData - Read attempt 5
DEBUG: Card_ReadPageData OK (retries exceeded)
DEBUG: Card_ReadPage - Calling Card_ReadPageData
DEBUG: Card_ReadPageData
DEBUG: Card_ReadPageData - Read attempt 1
DEBUG: Card_ReadPageData - Read attempt 2
DEBUG: Card_ReadPageData - Read attempt 3
DEBUG: Card_ReadPageData - Read attempt 4
DEBUG: Card_ReadPageData - Read attempt 5
DEBUG: Card_ReadPageData OK (retries exceeded)
OKDEBUG: Card_Probe OK
DEBUG: mcio_mcDetect exit 1
DEBUG: mcio_mcDetect
DEBUG: Card_Probe
DEBUG: Card_Probe - Calling Card_Changed
DEBUG: Card_Probe - Calling CardAuth_Reset
ERROR: CardAuth_Cmd (0xf3 / 0x0)- failed
ERROR: CardAuth_Cmd (0xf3 / 0x0)- failed
INFO: CardAuth_Cmd (0xf3 / 0x0)- OK
DEBUG: Card_Probe - Calling Card_Authentificate
INFO: PS Memory card authentication (1)
INFO: CardAuth_Cmd (0xf3 / 0x0)- OK
INFO: CardAuth_Cmd (0xf7 / 0x1)- OK
INFO: CardAuth_Cmd (0xf0 / 0x0)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x1) - OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x2) - OK
INFO: CardAuth_Cmd (0xf0 / 0x3)- OK
INFO: CardAuth_Cmd_Read (0xf0 / 0x4) - OK
INFO: CardAuth_Cmd (0xf0 / 0x5)- OK
INFO: CardAuth_Cmd_Write (0xf0 / 0x6) - OK
INFO: CardAuth_Cmd_Write (0xf0 / 0x7) - OK
INFO: CardAuth_Cmd (0xf0 / 0x8)- OK
INFO: CardAuth_Cmd (0xf0 / 0x9)- OK
INFO: CardAuth_Cmd (0xf0 / 0xa)- OK
INFO: CardAuth_Cmd_Write (0xf0 / 0xb) - OK
ERROR: CardAuth_Cmd (0xf0 / 0xc)- failed
ERROR: CardAuth_Cmd (0xf0 / 0xd)- failed
ERROR: CardAuth_Cmd (0xf0 / 0xe)- failed
ERROR: CardAuth_Cmd_Read (0xf0 / 0xf) - failed
ERROR: CardAuth_Cmd (0xf0 / 0x10)- failed
ERROR: CardAuth_Cmd_Read (0xf0 / 0x11) - failed
ERROR: CardAuth_Cmd (0xf0 / 0x12)- failed
ERROR: CardAuth_Cmd_Read (0xf0 / 0x13) - failed
ERROR: CardAuth_Cmd (0xf0 / 0x14)- failed
DEBUG: meCardVerifyResponse Decryption response 1: 101
DEBUG: meCardVerifyResponse Decryption response 2: -101
ERROR: meCardVerifyResponse - Cypher verification failed
DEBUG: meCardVerifyResponse: -1
ERROR: PS Memory card NOT authenticated
DEBUG: mcio_mcDetect exit 2
Error: can't get MC infos... (-90)

Program exited with code 01.
(gdb)

Sorry, it's hit and miss when I try to paste any code - I get 'you cannot post URL' messages from the forum.

So, it looks like the first authentication pass of the memory card is successful (so it knows that a card is there), but then the second time it is called in order to do the actual info reading you can see that several card_authcmd() calls fail and the cypher verification stage breaks.

**WaveZero** · 11-10-2012,08:27 PM

Sorry guys, I been way too busy to even check back. I have all the source files. Here: https://dl.dropbox.com/u/58587566/ji...ol-12a198f.zip

As you read my previous post I pretty much came to the same conclusion but however I stopped debugging and never really found the real cause of it. Been way too busy with my studies...

Edit:
Added a more stable link:
http://www.mediafire.com/?czzi9i143c17rra

User Tag List

Thread: PS3 Memory Card Adaptor (CECHZM1) Allows Free MC Boot Install

Tweet

LinkBack

Thread Tools

Display


	Would you like to get all the new info from PSX-Scene in your email each day? Subscribe to our Daily Digest! Want to learn more about the team keeping you up to date with the latest scene news? Read about them now! Check out our Developer bios, too!