PS-ConsoleId-wiki.txt

// Warning: ConsoleId is stored in big-endian (major at left, minor at right).

// Bitfield structure adapted for little-endian machines (unsure if working on big-endian machines)
typedef struct SceConsoleId {
	uint16_t unknown;      // {0, 0}, maybe magic
	uint16_t company_code; // {0, 1}
	uint16_t product_code;
	uint16_t product_sub_code;
	uint8_t serial_no_major: 2;
	uint8_t factory_code: 6;
	uint8_t serial_no_middle;
	uint16_t serial_no_minor;
	uint32_t random_stamp;
} SceConsoleId;

// Bitfield structure adapted for little-endian machines (unsure if working on big-endian machines)
typedef struct SceConsoleIdPspDiag {
	uint16_t unknown;      // {0, 0}, maybe magic
	uint16_t company_code; // {0, 1}
	uint16_t product_code;
	uint16_t product_sub_code;
	uint8_t ps_flags_major: 2;
	uint8_t factory_code: 6;
	uint8_t serial_no_major: 2;
	uint8_t ps_flags_minor: 6;
	uint16_t serial_no_minor;
	uint32_t random_stamp;
} SceConsoleIdPspDiag;

// Structure for systems that do not support bitfield structures. second_half has to be parsed manually with bit-shifts.
typedef struct SceConsoleIdSimplified {
	uint16_t unknown; // {0, 0}, maybe magic
	uint16_t company_code; // {0, 1}
	uint16_t product_code;
	uint16_t product_sub_code;
	uint8_t second_half[8];
} SceConsoleIdSimplified;

typedef struct ScePsCode {
	uint16_t company_code; // {0, 1}
	uint16_t product_code;
	uint16_t product_sub_code;
	uint16_t factory_code;
} ScePsCode;

// "Magics" for easier memory dumps analysis, considering that Company Code is always 1
uint8_t consoleid_magic[4] = {0, 0, 0, 1};
uint8_t pscode_magic[4] = {0, 1};

/* Product Code in PsCode spoofing on Consumer PS Vita results
 * 0x100 -- IsTest, no red message, no expiration date
 * 0x101 -- IsTool, battery backup has failed red message, activated 32000+ days
 * 0x102 -- IsDEX, expiration red message, expired date
 * 0x103 -- Health warning on boot
 * 0x104 -- Health warning on boot
 * 0x105 -- Epilepsy warning on boot
 * 0x106 -- Health warning on boot
 * 0x107 -- Epilepsy warning on boot
 * 0x108 -- Health warning on boot
 * 0x109 -- Epilepsy warning on boot
 * 0x10A -- Health warning on boot // checked on PCH-2006
 * 0x10B -- ??
 * 0x10C -- Epilepsy warning on boot // checked on PCH-1008 and PCH-1108
 * 0x10D -- ??
 * 0x10E+ -- error message in japanese (error C1-13819-2) certainly related to the Registry Manager
*/

/* Product Code (wrongly called Target Id)

Quick determination:
00  0X = PSP
00  8X = PS3
01  0X = PS Vita
01  8X = PS4

XX  X0 = Test
XX  X1 = Tool
XX  X2 = DEX
XX  X3 or higher = CEX (specific to console selling region)


PSP Product Code
0x00 // Test - Prototype / Test unit - Kicho & Dencho Program default value
0x01 // Tool - DevKit / Development Tool - Development Tool DEM-1000, DTP-T1000
0x02 // DEX - TestKit / Testing Kit - Testing Tool DTP-H1500
0x03 // CEX - Japan
0x04 // CEX - North America
0x05 // CEX - Europe/East/Africa
0x06 // CEX - Korea
0x07 // CEX - Great Britain/United Kingdom
0x08 // CEX - Mexico/Latin America
0x09 // CEX - Australia/New Zeland
0x0A // CEX - Hong Kong/Singapore
0x0B // CEX - Taiwan
0x0C // CEX - Russia
0x0D // CEX - China
0x0E // AVTOOL - AV Testing Tool DTP-L1500

PS3 Product Code
0x80 // Test - AVTest / DECHS (TEST)
0x81 // Tool - SD System Debugger / DECR Reference Tool / DECR (TOOL)
0x82 // DEX - Debug / DECH (DEX) - DECH-XXXX - DEH-FH1500J-A from mid April 2008
0x83 // CEX - Consumer or Shop Kiosk - Japan (J1)
0x84 // CEX - Consumer or Shop Kiosk - USA (UC2)
0x85 // CEX - Consumer or Shop Kiosk - Europe (CEL)
0x86 // CEX - Consumer or Shop Kiosk - Korea (KR2)
0x87 // CEX - Consumer or Shop Kiosk - United Kingdom (CEK)
0x88 // CEX - Consumer or Shop Kiosk - Mexico (MX2)
0x89 // CEX - Consumer or Shop Kiosk - Australia/New Zealand (AU3)
0x8A // CEX - Consumer or Shop Kiosk - South Asia (E12)
0x8B // CEX - Consumer or Shop Kiosk - Taiwan (TW1)
0x8C // CEX - Consumer or Shop Kiosk - Russia (RU3)
0x8D // CEX - Consumer or Shop Kiosk - China (never released) (CN9)
0x8E // CEX - Consumer or Shop Kiosk - Hong Kong (HK5)
0x8F // CEX - Consumer or Shop Kiosk - Brazil (BR2)
0xA0 // ARC - Arcade

PS Vita Product Code
0x100 // Test - Prototype / Test unit
0x101 // Tool - DevKit / Development Tool Kit - PDEL / DEM
0x102 // DEX - TestKit / Testing Kit - PTEL
0x103 // CEX - Consumer - J1 - Japan
0x104 // CEX - Consumer - UC2 - North America
0x105 // CEX - Consumer - CEL - Europe/East/Africa // PCH-xx04
0x106 // CEX - Consumer - KR2 - South Korea
0x107 // CEX - Consumer - CEK - Great Britain/United Kingdom // PCH-xx03, VTE-1016
0x108 // CEX - Consumer - MX2 - Mexico/Latin America
0x109 // CEX - Consumer - AU3 - Australia/New Zealand
0x10A // CEX - Consumer - E12 - Hong Kong/Macao/Singapore/Malaysia
0x10B // CEX - Consumer - TW1 - Taiwan
0x10C // CEX - Consumer - RU3 - Russia
0x10D // CEX - Consumer - CN9 - China - added in 2015

PS Vita Region Code for PCH-XXxx (CEX):
See https://playstationdev.wiki/psvitadevwiki/index.php?title=SKU_Models#Region_Code.

PS4 Product Code
0x180 // Test - Prototype / Test / Diag unit
0x181 // Tool - DevKit / Development Tool Kit
0x182 // DEX - TestKit / Testing Kit
0x183 // CEX - Consumer JAPAN
0x184 // CEX - Consumer USA - CUH-xx15
0x185 // CEX - Consumer EUROPE
0x186 // CEX - Consumer KOREA
0x187 // CEX - Consumer UK - CUH-xx16
0x188 // CEX - Consumer MEXICO
0x189 // CEX - Consumer AUSTRALIA - CUH-xx02
0x18A // CEX - Consumer SOUTH ASIA
0x18B // CEX - Consumer TAIWAN
0x18C // CEX - Consumer RUSSIA
0x18D // CEX - Consumer CHINA
0x18E // CEX - Consumer HK
0x18F // CEX - Consumer BRAZIL
0x190 // CEX - Consumer ?region?
0x191 // CEX - Consumer ?region?
0x1A0 // ARCADE - Kratos
*/

/* Product Sub Code (Model revision)

PSP Product Sub Code
0x01 // Motherboard TA-079 / TA-081 (PSP-10XX 01g) min FW 1.00, Motherboard TMU-002 (DTP-L1500 / DTP-H1500)
0x02 // Motherboard TA-082 / TA-086 (PSP-10XX 01g) min FW 1.00
0x03 // Motherboard TA-085 / TA-088 (PSP-20XX 02g) min FW: 3.60 (TA-085v1), 3.95(TA-088v1 or v2) 4.01 (TA-088v3)
0x04 // Motherboard TA-090 / TA-092 (PSP-30XX 03g) min FW: 4.20, 4.21, 5.03
0x05 // Motherboard TA-091 (PSP-N10XX 05g) min FW 5.70
0x06 // Motherboard TA-093 (PSP-30XX 04g) min FW: 5.70, 6.20 (TA-093v2)
0x07 // Motherboard TA-094 (PSP-N10XX 05g), only exists as prototype
0x08 // Motherboard TA-095 (PSP-30XX 07g and 09g) min: FW 5.70, 6.30, 6.39 (TA-095v2 07g and 09g), ?6.60 (09g)?, sold notably in Hong-Kong/Singapore
0x09 // Motherboard TA-096 / TA-097 (PSP-E10XX 11g) min FW: 6.50 (TA-096), 6.60 (TA-097)

PS3 Product Sub Code
0x01 // Motherboard TMU-520 (DECR-1000(A/J), DEH-Z1010), Motherboard COK-001 (DECHSA00A/J, CECHAxx), all DEH/CBEH consoles until CECHAxx, Motherboard TMU-510 (old DEH)
0x02 // Motherboard COK-001 - CECHBxx
0x03 // Motherboard COK-002 - CECHCxx
0x04 // Motherboard COK-002 or COK-002W (CECHExx), Motherboard COK-002 (GECR-1100)
0x05 // Motherboard SEM-001 - CECHGxx
0x06 // Motherboard DIA-001 - CECHHxx
0x07 // Motherboard DIA-002 - CECHJxx, CECHKxx
0x08 // Motherboard VER-001 - CECHLxx, CECHMxx, CECHPxx, CECHQxx, GECR-1500, Motherboard VERTIGO-02 in DEH-FH1500J-A from mid April 2008
0x09 // Motherboard DYN-001 - CECH-20xx, Motherboard DEB-001 (DECR-1400)
0x0A // Motherboard SUR-001 - CECH-21xx
0x0B // Motherboard JTP-001 or JSD-001 - CECH-25xx
0x0C // Motherboard KTE-001 - CECH-30xx
0x0D // ?Motherboard MPX-001 or MSX-001 or NPX-001 - CECH-40xxB/C v1?
0x0E // ?Motherboard MPX-001 or MSX-001 or NPX-001 - CECH-40xxA v1?
0x0F // ?Motherboard PPX-001 - CECH-40xxB/C v2?
0x10 // ?Motherboard PPX-001 - CECH-40xxA v2?
0x11 // ?Motherboard PQX-001 - CECH-42xxB/C?
0x12 // ?Motherboard PQX-001 - CECH-42xxA?
0x13 // ?Motherboard RTX-001 - CECH-43xxB/C?
0x14 // ?Motherboard RTX-001 - CECH-43xxA?
???? // Motherboard REX-001 (2014 week 30) - CECH-43xx?A/B/C?
0x8F // Unknown DEX Motherboard - Forces arcade HDD keyset.
0x90 // Unknown DEX Motherboard - Forces arcade HDD keyset.

PS Vita Product Sub Code
0x02 // Prototype CEX - never seen on any device yet except in the OS. Maybe CEM-3000E3.
0x03 // Prototype DevKit (Tool DVT1) - Motherboard IRT-001 (0-835-167-02) (Prototype DevKit DVT1 internal System Debugger DEM-3000G)
0x04 // Prototype DevKit - never seen on any device yet except in the OS. Special DevKit forever activated.
0x05 // Prototype DevKit (Tool DVT2) - Motherboard IRT-001 (0-835-167-04) (Prototype DevKit DVT2 internal System Debugger DEM-3000H)
0x07 // Prototype CEX - never seen on any device yet except in the OS.
0x09 // Prototype DevKit - Motherboard IRT-002 (Tool NEW EVT1 DEM-3000K). Maybe also DEM-3000JEC.
0x0A // Prototype DEX - CEM-3000NE2 with min FW 0.990.
0x0B // Prototype DevKit - Motherboard IRT-002 (0-851-973-06) (Tool NEW DVT1 DEM-3000L) - Prototype DEX - Motherboard IRS-002 (CEM-3000ND1) with min FW 0.996
0x0C // Prototype - never seen on any device yet except in the OS.
0x0D // Prototype DevKit - Motherboard IRT-002 (0-851-973-07) (Tool NEW DVT2 DEM-3000P) - factory FW 0.996
0x0E // Prototype - never seen.
0x0F // Prototype CEX - Motherboard IRS-002 (0-845-846-U10) (CEM-3000NP1) - Prototype DevKit - Motherboard IRT-002 (0-851-973-10) (Prototype DevKit DEM-3000JEC) - Prototype TestKit - Motherboard IRS-002 (1-883-949-11) (TEFV-1000PV1).
0x10 // FAT - Motherboard IRS-002 (1-883-949-11) (PCH-10XX / PCH-11XX / TestKit PTEL-10XX) or Motherboard IRT-002 (1-884-714-11) (DevKit PDEL-10XX) - factory FW 1.00 or 1.03
0x11 // FAT - Motherboard IRS-1001 (?1-886-596-11?) (PCH-11XX) factory FW 1.81, min FW 1.80, 2012-09
0x12 // FAT - Motherboard IRS-1001 (1-886-596-11) (PCH-10XX) factory FW 1.81, min FW 1.80, 2012-09
0x14 // SLIM - Motherboard USS-1001 (1-887-458-11) (PCH-20XX / TestKit PTEL-20XX) - factory FW 2.50, 2013-06
0x18 // SLIM - Motherboard USS-1002 (1-894-783-11) (PCH-20XX / TestKit PTEL-20XX) - factory FW 3.50 or 3.65, 2015-05
0x201 // PS TV - Motherboard DOL-1001 (1-888-648-21) (VTE-10XX) - factory FW 2.60 (?or 2.50?) white units 2013-10, factory FW 3.20 black units year 2014
0x202 // PS TV - Motherboard DOL-1002 (1-???-???-??) (VTE-10XX) - factory FW 3.30 black units year 2015
0x408 // PS TV DevKit (Tool) - never seen on any device yet except in the OS.
0x602 // PS TV Prototype TestKit (Dolce DVT WLAN DEX) - Motherboard DOL-1001 (0-DOL-001-U3A) (CEM-3000P01 / THV-1000 D1) - factory FW 2.50, white color

PS4 Product Sub Code
// SA%c-%c%02x%s%s
// HAC-%c%02x%s
// NV%c-%c%02x%s%s
// ALPHA-%c%02x
// (GKO)
// -BEP
// -BAP
// -BEO
// -BAO
// -BEOT
?0x01? // Motherboard SYRUP-11 - SRP-11 (0-000-000-11) 2012 week ?31? -  Prototype DevKit
// Motherboard SYRUP-12?
// Motherboard CAVERN-G01?
// Motherboard CAVERN-T01?
// Motherboard CAVERN-T02?
// Motherboard CAVERN-T03?
// Motherboard CAVERN-T04?
// Motherboard CAVERN-T05?
// Motherboard CAVERN-T06?
// Motherboard CAVERN-K01?
// Motherboard CAVERN-K02?
// Motherboard CAVERN-K03?
0x05 // Motherboard CAVERN-K04 - CVN-K04 (0-000-000-11) 2012 week 50 - Prototype DevKit DEHT-AW01AK-K5?
// Motherboard CAVERN-K05?
// Motherboard CAVERN-K06?
// Motherboard CAVERN-K11?
// Motherboard CAVERN-K12 - CVN-K12 (0-000-000-15) - Prototype DevKit DUH-D1000xA?
// Motherboard CAVERN-R01?
// Motherboard CAVERN-001 - CVN-001 (1-889-207-12) - DevKit DUH-D1000xA?
// Motherboard SAA-T01?
// Motherboard SAA-T02?
// Motherboard SAA-K01?
// Motherboard SAA-K02?
// Motherboard SAA-K23 (0-000-000-13) - Prototype Consumer CUH-10xx?
// Motherboard SAA-R01?
// Motherboard SAB-K02 (0-000-000-05) - Prototype Consumer CUH-11xx?
0x10 // Fat chassis A - Motherboard SAA-001 - Consumer CUH-10xx - TestKit DUH-T1000AA
0x11 // Fat chassis B - Motherboard SAB-001 - Consumer CUH-11xx - TestKit DUH-T1100AA
0x12 // Fat chassis C - Motherboard SAC-001 - Consumer CUH-12xx - TestKit DUH-T1200AA
0x13 // Slim chassis D - Motherboard SAD-001 / SAD-002 / SAD-003 - Consumer CUH-20xx - TestKit DUH-T20xx
0x14 // Slim chassis E - Motherboard SAE-001 / SAE-002 / SAE-003 / SAE-004 - Consumer CUH-21xx
?0x15? // Slim chassis F - Motherboard SAF-003 / SAF-004 / SAF-006 - Consumer CUH-22xx
// Motherboard T-HAK-NFS-11 (0-361-897-01) - Prototype Pro DevKit DUT-DBW00JK-S0?
0x210 // Pro DevKit chassis - Motherboard HAC-001 (1-981-411-11) - Pro DevKit DUH-D7000JA with Communication Processor BDT-010 (1-981-412-11)
0x211 // Pro chassis A - Motherboard NVA-001 - Consumer CUH-70xx (seen on units shipped with FW 3.70-4.70) - Pro TestKit DUH-T70xx
0x212 // Pro chassis B - Motherboard NVB-003 / NVB-004 - Consumer CUH-71xx
0x213 // Pro chassis C - Motherboard NVG-001 / NVG-002 - NVG-003 - Consumer CUH-72xx
*/

/* Factory code

It is a code representing the factory location. By extension, it also represents if the console has been or is being refurbished/diagnosed, as it is done in a special servicing center.

Some people called console_id[8] chassis_check and used the formula: factory_code = chassis_check >> 2;

0: invalid, static dummy value in PSP Kicho & Dencho Program, static dummy value on Reference Tool PS3s when serial flash is corrupted, one CECH-21xx
1: Japan manufacture -> many PS3 DevKit and TestKit, some PS3 CECHCxx, PS Vita DEM, PDEL, some CEM (CEM-3000NE2)
2: China manufacture 1 -> PSP-10XX 01g
3: China manufacture 2 -> PSP-20XX 02g, PSP-30XX 03g, some PSP-30XX 04g, PSP-30XX 07g and 09g, PSP-N10XX 05g, PS Vita PCH, PS Vita PTEL, all PS TV, many Consumer PS4, all PS4 PRO
4: China manufacture 3 -> some PSP-30XX 04g, PSP-E10XX 11g, many Consumer PS3 between CECHAxx and CECH-43xx, many PS4 DevKit and TestKit, many Consumer PS4
5: ?China? -> many Consumer PS3 between CECHGxx and CECH-43xx
6: Manaus Industrial Pole (PIM) in Brazil since 2013 -> many PS3 Super Slim Brazil with Product Sub Code 0xF, 0x11, 0x13
35: Japan Diagnosis Center 1 -> detected by OS as Diag/QA on PSP
36: Japan Diagnosis Center 2 -> detected by OS as Diag on PS Vita CEX JP and PS4 Test
61: Servicing Center 2 -> ?Consumer PS Vita?, refurbished PS3, PS3 DECR-1000A
62: Servicing Center 1 (having Kicho & Dencho Program) -> refurbished PSP PSP-10XX 01g
?63: Servicing Center 0? (value never seen but should exist)
*/

/* Ps Flags

On PSP, Ps Flags are 8 bitflags, stored in PSID in the upper bits of serial_no only when PSP has Diag Factory Code (35: Japan Diagnosis Center 1). They are a sort of QA flags. For reference, on PS3 and PS Vita, QA flags are stored in Syscon NVS. Kicho & Dencho Program default PSID has all Ps Flags set.

There is no evidence of usage of these Ps Flags area in PSID on PS3, PS Vita and PS4 even when the console is Diag. When PSP PSID has Diag Factory Code, there can be only 262,144 serial numbers by chassis and region, instead of 67,108,864 because 8 bits of serial_no are taken by Ps Flags.
*/

/* ConsoleId Bruteforce

With all the knowledge acquired on this page, bruteforcing a ConsoleId requires never more than 8 bytes of tries and usually 7 bytes.

The worst-case size for bruteforce, if one is given enough information about the console (chassis and region), is near of 58 bits (7 bytes and 2 bits) which represents the serial_no and the random_stamp. However, serial_no is incremental and clustered by (Product Code, Product Sub Code) couple (?by Factory Code too?). Moreover, statistics about its maximum value, estimated by the number of consoles sold, can reduce serial_no to 22 bits (about 4 millions of CECH-3001/CECH-3015). So ConsoleId most-optimized worst-case bruteforce is 54 bits (6 bytes and 6 bits) by assuming that the 4 highest bits of serial_no are zeroes and by bruteforcing from low serial_no to high serial_no.
*/