Anyone have doco for cellFsArcadeHddSerialNumber?

[zetsurin]

I'm reversing a game for one of my Namco PS3-based units (I hate the idea that if my HDD dies I'm kind of SOL), and I need to know the input/s and output of this function, but I cannot seem to find any. Does any kind soul have any information they are able to share about this function?

Thanks!

 

[M4j0r]

Lv1 reads the HDD serial number and saves it to a struct which contains the HDD serial, HDD model and BD drive model. After dev_flash2 is mounted, the hdd serial gets written to XRegistry.sys (/setting/system/hddSerial). Lv2 and applications then use the info from XRegistry.sys. My guess is that cellFsArcadeHddSerialNumber just returns this serial, which could be verified by comparing the result to the one saved in XRegistry.sys. On NOR models this should also match the ext_nor_flash device serial.

If this vsh export only exists on Arcade units and you don't have access to a Arcade unit, but to a DECR-1000, you can simulate the Arcade environment (https://www.psdevwiki.com/ps3/Talk:Namco_System_357#Boot_DECR-1000_in_Arcade_Mode + replacing lv2/vsh).

If you just want to preserve the game, you can decrypt the hdd using the static seeds (https://www.psdevwiki.com/ps3/Seeds#Arcade.2FSYSDBG_Seeds) and then patch these poor hdd/dongle checks (lol).

 

[zetsurin]

Thanks M4j0r for that info, very useful! Basically I have a System 357 with Tekken 6 on it, and indeed I am wanting to work out all the security for preservation purposes. I've basically found a check where it is comparing the return value from that function against the contents of a 64-byte file called PS3GAME.DAT. Have been puzzled how it ends up with 64 bytes when Hdd Serials are usually maybe 20 chars max.

Looking at the contents of PS3GAME.DAT there's no ASCII characters so I am suspecting it might be hashing the serial number, and Sha256 would potentially explain the 64-bytes, but that's just a hunch. I'll step through the code a bit more. I'm pretty new to PS3 dev as well as PowerPC asm so I'm possibly overlooking something at first glance. Like you say, I may as well just patch it out. It's just gotten me a little curious, however. I look forward to having a peek at how it interacts with the dongle next.