Today Spanish PlayStation 3 developer JaicraB has explained the RTOC trick, a protection implemented in the Cobra USB JIG for the PS3 against cloning of the device.
To quote, roughly translated: Flynn sent me this text explaining this protection that the Cobra carries; I hope it will open the eyes of those interested in reversing the dumps.
EXPLANATION OF THE COBRA RTOC TRICK
The Cobra JIG has several protective measures to ensure that its code could not be used correctly even if it could be dumped.
This trick with the RTOC register is the first one used for this purpose, and it also hinders analysis.
The RTOC register is first saved on the stack, to preserve lv2's RTOC and restore it later:
# =============== S U B R O U T I N E ===============
cobra_syscall_sm_shutdown_hook:        # CODE XREF: j syscall_379
.set arg_20, 0x20
.set arg_28, 0x28
.set arg_30, 0x30
.set arg_38, 0x38
.set arg_40, 0x40
std %r0, arg_20(%sp)
std %RTOC, arg_28(%sp)
At this point we have to explain the DELTA OFFSET. DELTA OFFSET is a method first used on x86, in the early days of computer virus writing, to calculate the memory address at which we are currently located within the sea of bytes in RAM.
Originally a computer virus did not know where it had been injected into an executable;
depending on the executable it could be one initial location or another, and DELTA OFFSET was invented for this.
DELTA OFFSET can be used on any system; the procedure is:
Use the register that indicates the current execution address (or the next one, depending on the system).
Subtract the size of the preceding code from the value obtained from that register.
Knowing this, and taking for example the x86 processor, where the EIP register cannot be read directly, the trick invented was to make a call to a "subfunction" which is simply the line following the call:
The x86 call instruction pushes onto the top of the stack the address of the instruction following itself. So by using pop to take that value off the top of the stack and storing it in eax, for example, we have the memory address where we are; we only need to subtract the size of the code above and we have the exact calculation.
PowerPC can use this trick with the equivalent instruction BL (BRANCH and LINK), which jumps to a "subfunction" but first saves in the LR register the address following the BL.
At this point we see the trick used to build the payload's RTOC. Notice that both r0 and RTOC are set to 0:
li %r0, 0
li %RTOC, 0
Next, RTOC is given the value 0x11DE0:
oris %RTOC, %RTOC, 1
ori %RTOC, %RTOC, 0x1DE0
r0 is given the value 0x920:
oris %r0, %r0, 0
ori %r0, %r0, 0x920
r0 is subtracted from the value of RTOC:
subf %r0, %r0, %RTOC
Unlike x86, on PowerPC the LR register can be read directly, with the mflr instruction; we put in RTOC the value obtained by the delta offset:
To finish calculating the delta offset we subtract the instructions executed before the delta-offset point, which were 4, i.e. 16 bytes:
addi %RTOC, %RTOC, -0x10
Finally we add the value of r0 to the delta offset held in RTOC, storing the result in RTOC, which now holds the RTOC appropriate for this hook:
add %RTOC, %RTOC, %r0
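To make the arithmetic above concrete, here is an added C model of the hook's RTOC computation (example code written for this article, not taken from JaicraB's post or from Cobra's own code). It encodes the PowerPC oris/ori/subf/addi/add semantics the sequence relies on and runs it on constructed LR values; the only page-given constants are 0x11DE0, 0x920 and the -0x10 delta.

```c
#include <stdint.h>
#include <stdio.h>

/* Semantics of the PowerPC instructions the hook uses, on 64-bit GPRs. */
static uint64_t ppc_oris(uint64_t rs, uint16_t uimm) { return rs | ((uint64_t)uimm << 16); }
static uint64_t ppc_ori (uint64_t rs, uint16_t uimm) { return rs | uimm; }
static uint64_t ppc_subf(uint64_t ra, uint64_t rb)   { return rb - ra; }      /* rD = rB - rA */
static uint64_t ppc_addi(uint64_t ra, int16_t simm)  { return ra + (int64_t)simm; }

/* Code-to-TOC distance, built at run time from the two immediates on the page. */
uint64_t cobra_toc_distance(void)
{
    uint64_t rtoc = 0, r0 = 0;           /* li %r0,0 ; li %RTOC,0 */
    rtoc = ppc_oris(rtoc, 1);            /* oris %RTOC,%RTOC,1      -> 0x10000 */
    rtoc = ppc_ori (rtoc, 0x1DE0);       /* ori  %RTOC,%RTOC,0x1DE0 -> 0x11DE0 */
    r0   = ppc_oris(r0, 0);              /* oris %r0,%r0,0 */
    r0   = ppc_ori (r0, 0x920);          /* ori  %r0,%r0,0x920      -> 0x920 */
    return ppc_subf(r0, rtoc);           /* subf %r0,%r0,%RTOC      -> 0x114C0 */
}

/* The delta offset: lr is what mflr reads (the address after the BL), and
   insns_before is how many 4-byte instructions ran before that point. */
uint64_t delta_offset_base(uint64_t lr, unsigned insns_before)
{
    int16_t simm = (int16_t)(-4 * (int)insns_before);   /* -0x10 for the 4 on the page */
    return ppc_addi(lr, simm);                           /* addi %RTOC,%RTOC,-0x10 */
}

/* Full hook computation: RTOC = (LR - 0x10) + (0x11DE0 - 0x920). */
uint64_t cobra_hook_rtoc(uint64_t lr)
{
    return delta_offset_base(lr, 4) + cobra_toc_distance();   /* add %RTOC,%RTOC,%r0 */
}

int main(void)
{
    /* Constructed LR values: the same hook code loaded at two different addresses. */
    uint64_t lr_a = 0x1010, lr_b = 0x80001010;
    printf("toc distance = 0x%llx\n", (unsigned long long)cobra_toc_distance());
    printf("LR=%#llx -> RTOC=%#llx\n", (unsigned long long)lr_a, (unsigned long long)cobra_hook_rtoc(lr_a));
    printf("LR=%#llx -> RTOC=%#llx\n", (unsigned long long)lr_b, (unsigned long long)cobra_hook_rtoc(lr_b));
    /* The TOC address moves with the code, so the payload works wherever it is loaded. */
    return 0;
}
```

Because the result depends only on where the code is executing, a dumped copy placed at a different address still computes a consistent RTOC, which is what makes the trick position-independent and harder to follow in a static listing.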
Having the RTOC, the 3 arguments that the hook received are stored on the stack:
The payload function is called, where the first argument will be checked for command 0x8202 (a special command in addition to the usual ones):
After the payload performs the necessary steps, the original RTOC is recovered from the stack, as are the arguments the hook received; the original instruction that was overwritten at the entry of syscall 379 (in this case) to install our hook is executed, and the original lv2 syscall is called:
On return, the original LR is retrieved from the stack and control returns to the caller.
ld %r0, arg_20(%sp)
# End of function cobra_syscall_sm_shutdown_hook
The waiting is finally over and we are pleased to present the 1.8 release, which fixes issues from the last release.
Increased version number and recompiled 1.7 to avoid a compiler bug which caused the MCU to crash
Fix crash when application finishes
Less strict IRD verification (the previous check caused valid IRD files to appear as invalid)
Added support for IRD file format version 8
Added support for files bigger than 4GB in IRD generated iso
We have also updated the user manual to 1.8 to reflect the MCU version and the change concerning the creation of ISOs. Enjoy!
Thanks a lot... Also an update from the Cobra Team:
Current status is that IRD support for genps3iso is finished and has been sent to webmaster and should be online in the next couple of days. This will go online with the fixed genps3extra for the more than 100 games in video category, and firmware 1.7 which increases stealth for IRD generated iso.
We are now currently handling ps1 disc support, but there is no ETA for the moment for that feature. The disc dumping bug is also being worked on in parallel. It will require an update to the FPGA images as the bug is in the FPGA so it is being handled by other members of the team. I do not have an estimate on when the fix will be available but I know it is currently being worked on.
I just created a whole mod pack... everything you need is inside! With easy to install zip files and an easy guide!!!
Download contains these files: CFW, multiMAN, webMAN, system manager with fan utility, custom game tab with multiMAN, XMBM+ and My Games, flag files for faster USB booting, tools for PC (fan utility, RetroXMB for PS2, PSP and ROM pkg, netsrv for net hosting) and a how-to-install txt file!
Also below is PS3WebTemp 1.0 (aldostools.org/temp/PS3WebTemp.rar) by aldostools, who states:
This is a small semi-transparent web window that stays always on top. It can connect to your PS3 console to monitor the CPU and RSX information. Requires webMAN 1.16 running on a 4.46 COBRA 7.0 compatible CFW. The plugin and instructions are included in the XMB Manager+ (mod).
This is my modified version of the XMB Manager+ originally released by Team XMBM+. It has some new or different features and a different order of the icons. This version XMBM+ (mod) includes the files & instructions to have webMAN 1.07 and XMBM+ running on 4.46 COBRA 7.0.
This is a fork of the official XMBM+ that I originally developed for personal use on 3.55 Kmeaw. Now I have adapted the category_games.xml to work with webMAN + XMB Manager Plus on 4.46 COBRA 7.0.
DeanK for the awesome webftp_server.sprx
COBRA's lead developer for the release of the unofficial Cobra 7.0
user for PRX LOADER
Team XMBM+: andreus (coding), bitsbubba (coding, themes), DeViL303 (coding, POC/WIP) ps3Hen (coding, 4.00 port), aldostools (coding), CloneD (themes), Berion (logos)
dreamcat4 for the suggested .xml method and exofreak for his POC release of launch games through XMB using webMAN.
UPDATE #1 (Nov. 7th - v0.22.005)
Changes in 0.22.005:
Added a new section with quick links to webMAN functions:
Refresh My Games
UPDATE #2 (Nov. 7th - v0.22.006)
Changes in 0.22.006:
Added the PS VITA application utility and Online storage icons to Game Data Manager;
Added "Retail" (webMAN list) to Game Manager > By type > Games.
Also updated category_game.xml: moved XMBM+ icon between "Install Package Files" and "My Games".
UPDATE #3 (Nov. 2013 - v0.0.22.008)
Mod by aldostools
UPDATE #4 (Nov. 24th - v0.22.009)
Added a quick link to monitor PS3 temperature of CPU and RSX and to restart PS3 (requires webMAN 1.18).
Autoboot Control Fan Utility for Cobra 7.00 Tutorial by atreyu187
Install this software; I am sure you can source this part without me: Cobra 4.46 7.00 Rogero Hybrid CFW, multiMAN 4.50.04 & Last Game [Cobra] to start.
Then you need to install XMB Manager+ 0.22.006 (mod) for COBRA 7.0 and here is the supplied install guide for this application slightly modified.
1.) Copy webftp_server.sprx (version 1.11) to the root of /dev_hdd0/. The latest version is always here: deanbg.com/webftp_server.sprx (I ran into troubles with the settings not working for me on this version, so I have uploaded the first build of v1.1 here for you all in case the latest doesn't work for you: http://www.mediafire.com/download/gpj8pwarn0xl8qs/webftp_server.sprx)
P.S. Settings are saved as /dev_hdd0/tmp/wmconfig.bin if you need to "start fresh" in case of errors. Just delete with XMBM+, Comgenie's Filemanager or mM.
2.) Copy the included boot_plugins.txt to the root of /dev_hdd0/
3.) Copy the included category_game.xml to /dev_blind/vsh/resource/explore/xmb/ (Or you can install this one to remove app_home & IPF: http://www.mediafire.com/?i9adczgif9hon0q)
4.) Install the included xmbmanplus_hdd.pkg
5.) Install update XMB Manager+ (mod) for COBRA 7.0 (v 0.22.006): aldostools.org/xmbextras.pkg
6.) Reboot your PS3 after install is all done to start fresh with your new FTP/Webserver working upon boot up
8.) Turn off "Disc Auto Start" under System Settings. Disc Auto Start (http://manuals.playstation.net/document/en/ps3/current/settings/discboot.html) is on Settings > System Settings.
9.) FTP Control Fan Utility v2.00 AUTOBOOT.ISO to /dev_hdd0/PS3ISO. My build has a nice new logo instead of the tired looking "official" logo, which I think suits the system better. Or, if you don't like that, aldos made one as well with the old logo, which can be found here (ps3tools.aldostools.org/faniso.rar).
10.) Install PSNinja v4 and open the app and press X on "Make Files Read Only" this way "Last Game" will stay as Control Fan Utility AUTOBOOT.ISO upon every boot. Or you can do this manually by FTP and going to /dev_hdd0/last_game.txt and right clicking on the file and go to properties. Then choose "Read Only" attribute with FTP client. This can also be done if you FTP txt file to HDD and right click, again go to properties and check "Read-Only" and then press "Apply" and FTP the file back over.
11.) This I am going to borrow from aldos as well as he is the one that helped me get mine setup and running.
1. Turn ON the Disc Auto Start on Settings > System Settings.
2. Go to My Games > webMAN Setup and select the devices to scan, mark all the settings in the 2nd section and at least 5 and three seconds in the 3rd and 4th sections. (I chose 0 for both as I don't use a USB drive; boot times increase dramatically, so the lower the better for your "Auto Boot Times", which DeanK might give us in future updates to his fine app. It has seen more action this month than just about mM's entire existence and we thank him for that. It was two simple plugins that got combined.)
3. Press Save on the browser and restart the PS3.
Every time that you start the PS3, the AUTOBOOT.ISO will be launched. All you have to do is press Triangle to exit.
Note about my AUTOBOOT.ISO file. Once you exit the app in "Payload" mode the LED will turn yellow, letting you know the payload is in effect. If you choose any of the other "Modes" the LED will return to normal. I did this so one would know whether the settings in fact took effect after exit, as it is hard to tell by sound.
Again if you do not like this option aldos made a Control Fan Utility AUTOBOOT.ISO as well that does not have the yellow LED indicator at all but in order for "Mode 2" settings to stay upon exit one must press "Start" button to set that mode to work upon exit.
And that is it folks you can boot your PS3, set your fan speed right away and have fun gaming knowing your precious PS3.5 is nice and cool to go along with all the neat new features Cobra has unleashed upon the CFW world.
From CaptainCPS-X: Try this one (psiso_tool_test_1.rar) and let me know if you still have the hanging problem:
I have created this quick GUI for the command line tool made by CaptainCPS-X that allows us to patch the PS3 ISO images that were not created with genPS3ISO or multiMAN, and make them to work on COBRA 7.0 CFW. Thanks to CaptainCPS-X for this useful tool.
Fan Control Utility (ISO/No GUI) 2.01a by aldostools
This is an unofficial version of Fan Control Utility by Estwald that auto-quits immediately to XMB after setting the fan policy. Hold X for 10 seconds to enable the GUI. The settings will be saved in the internal HDD if the included PKG is installed and dev_hdd0/game/CTRLFAN00/fan_speed.dat exists.
Note: The AUTOBOOT.ISO for COBRA 7 auto-quits. There are 2 PKG files: one has no GUI, the other always shows the GUI.
Credits: Thanks to Estwald for the PS3L1GHT environment and the open source project. Thanks to HABIB for the payloads for 4.46/4.50. This is my first compilation of an application for PS
Fan Control Utility 2.01a- Changelog
Released under GNU General Public License - Read COPYING
Version 2.01a Modified by Aldo Vargas (aka aldostools) / aldostools.org / pstools.aldostools.org
Changelog for 2.01a:
1. Fix: Saved setting now should be loaded properly
2. Added L1/R1 to switch modes and CIRCLE to exit to XMB
3. Hold L2/R2 to start the GUI with the current fan speed values
4. Added text blinking when setting is saved (Saved mode to a new file to keep compatibility with earlier versions)
Changelog for 2.01:
1. Added auto-quit ("nogui") (GUI is displayed holding X for 10 seconds while the program starts)
2. Changed code to always read settings from /dev_hdd0/game/CTRLFAN00/fan_speed.dat (if the file exists)
3. Changed background color to dark blue
4. Converted to ISO
Version 2.00 Modified by HABIB (aka smhabib) at tortuga-cove
1. added 4.46 cex
2. added 4.50 cex
3. added 4.41 dex (not tested now cause no dex here)
4. added dex 4.46 (not tested cause no dex here.dex 4.46=rebug rex 4.46 dex mode)
Official Version 1.7 by Estwald (aka Hermes) at elotrolado