Posted by Slynk | Posted on 2:04 PM


I will preface this with this will void the warranty for the drive so follow this guide at your own risk.

I had a common issue with my HL-DT-ST BD-RE BH20N drive that came with my alienware... it absolutely refused to work with BD-RE disks. After googling, checking dell support, messing around with the bios, trying different programs, etc... I came across a guide to cross flash the firmware with that of a BH08NS20 drive. Since everything I read said that Dell refuses to take responsibility for this issue despite it being due to *their* firmware, I decided to go ahead and void my warranty for the drive in the hopes it would fix the issue. It worked!


Firmware -- (Download button towards the bottom)

Extract everything into one folder and close all applications.

Run MediaCodeSpeedEdit.exe

Click load and select the firmware file (mine's called OEL02_BH08NS20_100201_EL02-08.exe)

Check the boxes for Read speed increase and RPC2 Auto Reset if you'd like.

Click the drop down box with the ??????????????? and select the ???????????????

A popup will display, say yes.

Click save and save the patched file.


Shutdown your computer, unplug it from the wall for 10 seconds (to make sure no power goes to the drive).

Plug it back in and you're good to go. You should now be able to burn/erase bluray discs. ^^

New Blog

Posted by Slynk | Posted on 8:18 PM


I've decided to start fresh. I figure it's best to keep my hacky posts here and my game development posts on the new blog. There's not much yet but I'm adding a lot when I get free time.

Toshiba's "Support Forum"

Posted by Slynk | Posted on 7:31 PM


"We're sorry, but you have been banned from using this site.
You have been banned for the following reason:

Accusations against Toshiba. Misrepresenting Toshiba business practices. Promoting anti-Toshiba sentiment.

You have 10079 minutes remaining on the ban."

Apparently, posting about how Toshiba has violated GPL for the Toshiba Thrive, stating that I will not buy future Toshiba products, and stating that the lack of communication on their part shows the consumer how little the company values them, has resulted in a 6 day ban for me.

I urge potential buyers of Electronic devices to steer clear of Toshiba products as they clearly care more about their image than taking care of their consumers. It is well past the 30 day mark and we have yet to see the GPL source of the Thrive.

QA Tutorial

Posted by Slynk | Posted in | Posted on 1:48 AM


There are many methods to accomplish qa and I'm too lazy to document them all so I'll tell you one way. Linux.

Step 1) Install OtherOS++, install linux, make sure to enable the ps3 modules when compiling the kernel.

Step 2) Download, and compile the ps3dm utils

Step 3) Download my tokenator

Step 4) Dump your eid by running ./ps3dm_iim /dev/ps3dmproxy get_data 0x0>dump

Step 5) Set your flag by running ./ps3dm_um /dev/ps3dmproxy write_eprom 0x48C0A 0x00

Step 6) Open your dump in a hex editor and type in the first 16 bytes into tokenator

Step 7) Run the script it spits out

PS3 Step 8) Restart your ps3. Go to the Network Settings options and press L1 + L2 + L3 + R1 + R2 + D-Pad Down

Have fun. It doesn't work on rebug yet. There are other flags to set for debug firmwares and rebug is pseudo debug.

PS3 + IDA Tutorial

Posted by Slynk | Posted in | Posted on 9:42 PM


First off, I will not help you obtain a copy of IDA. Go buy it.


Extract the contents into your IDA folder. I don't take credit for these plugins and loaders.

Loading a File

There are two file types I'll teach you to load. SPU and ELF files.

SPU files can only loaded in IDA 32bit mode. When you load IDA choose "Go" and drag the file onto IDA. Make sure elf is highlighted at the top. In processor type, choose "IBM SPU Cell Processor: spu." Click set. Click OK. "Undefined or unknown...blabla" yes. You should be good to go.

Elf files can be loaded in either 32 or 64 bit mode. When you load IDA choose "Go" and drag the file onto IDA. Make sure PlayStation 3 ELF is highlighted at the top. Don't mess with the processor type. Kernel option 1 check "Create function if data xref data-> code32 exists.

Optional: I don't know what these do but I turn them on anyways XD In kernel option 2 choose "Coagulate data segments in the final pass", "Perform 'no-return' analysis", and "Perform full stack pointer analysis."

Click OK. Sometimes you get a better result from running the analyze_self script. (File->IDC File->C:/Program Files/IDA/idc/analyze_self.idc) Hit yes, copy the TOC Address it shows you and click OK. Go to Options->General->Analysis->Processor specific analysis options. Type the TOC address in (I use 0: instead of 0x to be safe. No clue if it makes a difference.) While you're at it click "Create subi instructions. Click OK. Click Reanalyze Program. Click OK. And wait.

You'll know when a script is done because at the bottom left it's say "AU: idle".

IDA Basics

Just a few things. The program is expansive and I'd love to get to know more about it but here's a few things I know. Hex view and IDA view are connected. That means if you find a string in hex view, you can see it in IDA view. This won't show you magically where it's used at but sometimes, that string is xrefed. If under the string you see "# DATA XREF: " you can right click the ":off_XXXX" at the end, and choose XREF To or From. To, will give you a graph of any functions that have a call "to" that offset. From give's a graph of offset's called "from" that offset (mostly only useful for viewing a graph of where all a function leads to.)

In IDA view, you can search for either an immediate value, a string, or a byte sequence. I've never "not" checked "find all occurrences." Don't know why you wouldn't want to. It'll return a list of occurrences in its own window.

If you're lucky, the file you scanned will have some of the functions named (something other than sub_, nullsub_, or start). These are known functions that are defined in the ps3 sdk.

When exiting, always make sure, unless you WANT to re analyze the whole file again, to choose one of the Pack database options and Collect garbage.

NPDRM Basic Info

Posted by Slynk | Posted in | Posted on 2:23 AM


I'd like to begin this post with a few comments.

  1. Only a little bit of this is my own findings, a lot of this info was found from other sources.
  2. NPDRM discussion does not have to be a topic of piracy, it can be used in conjunction with signing/encrypting homebrew if it is fully documented one day.
  3. This is mostly to bring together the bits of info scattered across the interwebs.

NP 3 is a free licensed app. It has no license check. No edata/riff. Just install and use. This can be trial software as well.

NP 2 is a locally licensed app. First time activation must take place online. After which you'll have an edata/riff for that app and somehow this is connected to your act.dat.

NP1 is a network licensed app. It requires network authentication every time it is launched.

The offset for determining the NPDRM type of a self is at the NPDRM Header offset + 0x1C.

NPDRM Security

NPDRM as well as edata use AES, ECDSA, and CMAC for authenticity. These keys, with the exception of the CMAC key, are out there in the ether and can be found without much effort for someone who knows what they're doing. The specifics of the algorithm are still being researched but a few people have already figured it out; but of course they won't share their info.

AES and ECDSA are handle by appldr like always. CMAC is handle by one of vsh's modules. (Don't know which one, just adding it for completeness.)

Another form of security used in NPDRM is called a k_license. This is a 16 byte key that the developer makes that functions as sort of a "project key". It's used in all npdrm encrypted files within the project to prevent one of the files from being replaced by another project's file. It is also referred to as an SCE NPDRM Key. 

NPDRM Header

The current known structure of the NPDRM Header:

typedef struct 
    byte[4] block_type;  // this is 3(NPDRM) 
    byte[4] block_size;  // this is 0x90(sizeof(Self_NPDRM)) 
    byte[4] unknown1;    // So far always 0 
    byte[4] unknown2;    // So far always 0 
    byte[4] magic;       // 0x4E504400(NPD) 
    byte[4] unknown3;    // So far always 1 
    byte[4] license;     // 1 Network License, 2 Local License, 3 Free 
    byte[4] type;        // 1 Executable, 21 Update for Disc Based Game 
    byte[0x30] titleid; 
    byte[0x10] hash_unknown; 
    byte[0x10] hash1; 
    byte[0x10] hash2; 
    byte[0x10] padding; 
} Self_NPDRM

I hear there's plenty of more info in the official sdk for anyone who legally owns it as well. Anyway, I'll post more if anything else comes to light. ^^

Things Every Newb Should Know

Posted by Slynk | Posted in | Posted on 4:36 PM


I'll keep this article simple for its target audience, the newbs. (That's not to be confused with noob.)

Learn about AES Encryption:

AES is an encryption that uses a key and an initialization "vector" to encrypt the file. The key can be 16 bytes (numbers, for simplicity), 24 bytes, or 32 bytes long. These numbers are the same as when you see AES-128, AES-192, and AES-256 respectively. The initialization vector is, at least in PS3 encryption, always 16 bytes.

AES can be used in a variety of "modes." Such as the PS3 uses AES in both CTR mode and CBC mode. Think of these as just... a different set of instructions for reading and writing the encrypted data.

Brute forcing AES is just out of the question. Think about this. If you had a 1 digit password, with a possibility ranging from 0-9, there would be 10 possibilities aka 10^1. If you had a 2 digit password, there would be 100 possibilities aka 10^2. 3 digits would be 1000.

Now with AES, each digit ranges from 0-255. Even if you used a 16 byte key, that would be 256^16 possible keys which is 3.4028236692093846346337460743177e+38. That's just for the key. If you don't know the initialization vector, because you need that too, there are (256^16)(256^16) possible combinations to cycle through. It's unrealistic with current hardware, even with a distributed attack.

Learn about Hashing:

Hashing's a pretty easy concept to understand. It's like a book summary. You get the gist of what's in the book but you couldn't replicate the entire book from that summary. It's the same with hashing. You generate a summary of the file, or part of the file, then store it to be checked later. Now the problem with this is if you know the algorithm used to calculate the hash, you might be able to tweak a file to loosly match it. Or anyone could easily just hash the file themselves and replace your hash. To avoid that, HMAC uses a key to encrypt the hash. If the person doesn't have the key, they can't replicate a similar file structure nor can they make their own hash.

Learn about ECDSA:

I'll be honest, I'm still learning about this. But from what I understand, this is for authenticity. You have 2 keys, the public key (the one you give to people to verify that the file that get is from you) and the private key (the key you use to sign the file.) Due to one of the parameters for generating the key not being random like it should be, the people could calculate private keys for the ps3 to sign their own files. This has since been fixed for most keys.