Finding where the region code is stored

steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

I have a theory about the movie region. Maybe the unique hardware ID that is stored in DATA2.BIN (see the exploit thread on the Wipeout Downloads) actually tells it the region.

On Windows Mobile devices, the unique hardware ID tells you information such as the manufacturer and model. Maybe Sony do the same.

The following Java code can be compiled and run on your desktop PC to find the hardware ID.

Code:

package data2reader;

import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.File;
import java.io.OutputStream;
import net.scee.drm.mypsp.download.hash.SHA1CipherStream;

public class Data2Reader
{

    private static final char HEX[] =
    {
        '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
        'A', 'B', 'C', 'D', 'E', 'F'
    };

    public static void main (String[] args)
    {
        boolean bWrite=false;
        File data2File=new File(args[0]);
        if(args.length==2) {
            bWrite=true;
        }
        long fileLength = data2File.length();
        // Each identity record is 276 bytes (4 + 20 + 4 + 208 + 20 + 20)
        if(fileLength % 276L != 0L)
        {
            System.out.println("Error: File length not multiple of 276");
            System.exit(1);
        }
        else
        {
            try
            {
                // readFully() fills each buffer completely; a plain read() may return fewer bytes
                DataInputStream dis = new DataInputStream(new FileInputStream(data2File));
                int nIdent = (int) (fileLength / 276L);
                for(int i = 0; (long)i < nIdent; i++)
                {
                    byte[] version     = new byte[4];
                    byte[] hardwareId  = new byte[20];
                    byte[] timeStamp   = new byte[4];
                    byte[] nickName    = new byte[208];
                    byte[] fingerprint = new byte[20];
                    byte[] key         = new byte[20];
                    dis.readFully(version);
                    dis.readFully(hardwareId);
                    dis.readFully(timeStamp);
                    dis.readFully(nickName);
                    dis.readFully(fingerprint);
                    dis.readFully(key);
                    // The record's trailing 20 bytes are used as the cipher key for the other fields
                    SHA1CipherStream cipher = new SHA1CipherStream(key);
                    cipher.xor(version);
                    cipher.xor(hardwareId);
                    cipher.xor(timeStamp);
                    cipher.xor(nickName);
                    cipher.xor(fingerprint);
                    System.out.println("Found identity: "+convertToString(nickName));
                    System.out.println("HardwareID: "+dump(hardwareId));
                    System.out.println("Version: "+dump(version));
                    System.out.println("TimeStamp: "+dump(timeStamp));
                    System.out.println();
                    if(bWrite==true) {
                        // Now output the file if required
                        // (reopened for every identity, so it ends up holding the last one)
                        OutputStream out = new FileOutputStream(args[1]);
                        out.write(version);
                        out.write(hardwareId);
                        out.write(timeStamp);
                        out.write(nickName);
                        out.write(fingerprint);
                        out.close();
                    }
                }
                dis.close();
            }
            catch (Exception e)
            {
                System.out.println("Error: "+e);
            }
        }
    }

    // Decode the NUL-terminated nickname field as UTF-8
    public static final String convertToString(byte[] input)
    {
        try
        {
            int n=0;
            while (input[n]!=0) n++;
            return new String(input, 0, n, "UTF8");
        }
        catch(Exception e)
        {
            return null;
        }
    }

    // Render a byte array as upper-case hex
    public static final String dump(byte a[])
    {
        StringBuffer buf = new StringBuffer();
        for(int i = 0; i < a.length; i++)
        {
            buf.append(HEX[a[i] >> 4 & 0xf]);
            buf.append(HEX[a[i] & 0xf]);
        }
        return buf.toString();
    }

}
As you can see it's a modification of the code presented by piercer in the PSP Download Agent thread. It requires the jar file libraries provided in the following download from Sony:

https://www.yourpsp.com/download/static ... ppletS.jar

Pass in the DATA2.BIN that is created when a profile is loaded or created in Wipeout Pure for the first parameter.

If we can get a few people from different regions to do this we may be able to spot a pattern. My only concern is, is there any risk in posting hardware IDs here? Do any of the mods care to comment on this?

Steddy
steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

Come on guys... somebody help me out with this.

Since I have had no response from the devs I will post the details for my two PSPs:

1.5 JAP PSP (upgraded from 1.0):
Found identity: PSPsteddy
HardwareID: 64262ABAFD618B8611C13DED5D49B2CF96B22BE7
Version: 01000000
TimeStamp: 12AA7C0A

1.0 JAP PSP:
Found identity: PSP114
HardwareID: 610AC0F19FC1A95B4657484B964A2A3E24BDD88B
Version: 01000000
TimeStamp: CDD5C60A

They do look pretty random, but the first digit is the same. Could the 6 be the device region identifier? Remember it doesn't have to be 2, it's how it's converted that matters. Also note the version is the same across both. I wonder if that's related to the original firmware version.

Steddy

PS if you can get this compiled and you have an FTP you'd like me to drop it on, then just say.
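
A quick check of how much weight a shared first digit can carry, using the two HardwareID values posted above (an added example, not part of the original post). It assumes that an ID with no embedded structure would look like independent, uniformly random hex digits, as a 20-byte hash output would; the class and method names are made up for this illustration.

```java
import java.math.BigInteger;

public class HardwareIdCompare {
    // The two HardwareID values as posted in the thread.
    static final String ID_A = "64262ABAFD618B8611C13DED5D49B2CF96B22BE7";
    static final String ID_B = "610AC0F19FC1A95B4657484B964A2A3E24BDD88B";

    /** Number of hex-digit positions at which both IDs carry the same digit. */
    static int matchingDigits(String a, String b) {
        int n = 0;
        for (int i = 0; i < a.length(); i++) {
            if (a.charAt(i) == b.charAt(i)) n++;
        }
        return n;
    }

    /** Number of differing bits between the two IDs (Hamming distance). */
    static int differingBits(String a, String b) {
        return new BigInteger(a, 16).xor(new BigInteger(b, 16)).bitCount();
    }

    /** P(at least k of n positions match) if each matches with probability p. */
    static double chanceOfAtLeast(int k, int n, double p) {
        double total = 0.0;
        for (int i = k; i <= n; i++) {
            double coeff = 1.0; // binomial coefficient C(n, i), built multiplicatively
            for (int j = 1; j <= i; j++) coeff *= (double) (n - i + j) / j;
            total += coeff * Math.pow(p, i) * Math.pow(1 - p, n - i);
        }
        return total;
    }

    public static void main(String[] args) {
        int digits = ID_A.length();
        int same = matchingDigits(ID_A, ID_B);
        System.out.println("Matching hex digits: " + same + " of " + digits);
        System.out.println("Expected by chance:  " + digits / 16.0);
        System.out.println("P(>= " + same + " matches by chance): "
                + chanceOfAtLeast(same, digits, 1.0 / 16));
        System.out.println("Differing bits: " + differingBits(ID_A, ID_B) + " of "
                + digits * 4 + " (random data averages " + digits * 2 + ")");
        for (int i = 0; i < digits; i++) {
            if (ID_A.charAt(i) == ID_B.charAt(i)) {
                System.out.println("  digit " + (i + 1) + ": " + ID_A.charAt(i));
            }
        }
    }
}
```

A genuinely fixed field would keep matching at the same position across many more samples, including ones from other regions.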
zigzag
Posts: 129
Joined: Wed Jan 26, 2005 2:11 pm

Post by zigzag »

Why do you think the region code is in the hardware id as a digit? It can easily be some sort of decodable set of numbers, likely much like a serial number.
steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

Because on a lot of systems I have worked on, it is.

All Windows CE devices that support a hardware ID use it to encode information such as the Device manufacturer and model number. If it isn't in the hardware ID which we know to be unique, where is it?

Only people trying this code out and posting the results will tell us if this is the case.

Steddy
Squall333
Posts: 91
Joined: Thu Apr 28, 2005 5:32 am

Post by Squall333 »

How do we do this? Do we need Wipeout or a 1.0 PSP? Not many instructions to go by.
steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

You need to compile the source above to a JAR file with the Sun Java compiler, then run the JAR with the DATA2.BIN created by Wipeout Pure (/PSP/SAVES/PPCD00001DLS001 on the memory card) as the first parameter.

The compiled JAR file referenced above from yourpsp.com will need to be present UNDERNEATH the directory where you place the data2reader.class file for compilation.

Steddy