JaicraB on Cobra USB JIG Protection RTOC Trick for PS3

Category: PS3 Hacks & JailBreak By: PS3 News - (jaicrab.blogspot.com)
Tags: jaicrab jaicrab ps3 cobra usb ps3 cobra usb ps3 jig protection cobra usb rtoc trick

98w ago - Today Spanish PlayStation 3 developer JaicraB has explained the Cobra USB JIG protection RTOC trick implemented for the PS3 against cloning the device.

To quote, roughly translated: Flynn sent me this text explaining this protective carrying the Cobra, I hope it will open the eyes of those interested in reversing the dumps.

EXPLAIN RTOC COBRA TRICK

The JIG Cobra has several protective measures to ensure that your code could not be used correctly even if your code could be dumped.

This trick RTOC in the registry is the first used for this purpose in addition to hinder analysis.
Registration is initially RTOC stored in the battery to keep the RTOC of lv2 and power it back later:

# =============== S U B R U T I O N E

cobra_syscall_sm_shutdown_hook: # CODE XREF: j syscall_379

. Arg_20 September, 0x20
. Arg_28 September, 0x28
. Arg_30 September, 0x30
. Arg_38 September, 0x38
. Arg_40 September, 0x40

mflr% r0
std% r0, arg_20 (% sp)
std% RTOC, arg_28 (% sp)

At this point we have to explain that the OFFSET DELTA. DELTA OFFSET is a method used in the x86 in its original moments in the creation of computer viruses, to calculate the memory address in which we are in the sea of bytes in RAM.

In the original time a computer virus when I did not know where he was pulled into an executable,
depending on the executable it could be an initial site or another, for it was invented DELTA OFFSET.

DELTA OFFSET can be used in any system, the procedure is:

Using the record that indicates the current execution address (or the next depending on the system)
Reducing the size of the previous code we use the value obtained from the registry.

Knowing this, and taking for example the x86 processor where the EIP register can not be read directly invented the trick make a call to a "subfunction" which is simply the following line to the call:

call x
x:
pop eax

X86 call instruction saves the top of the stack the address of the next instruction to itself. Thus using pop draw from the top of the stack this value, and stored in eax for example, and having the memory address where we only subtract the above would be missing and we have the exact calculation.

The PowerPC can use this trick using the BL instruction is equivalent (LINK BRANCH), which jumps to a "subfunction" but before you save LR in the record the following address to BL.

_delta_offset bl

_delta_offset:

At this point we see the trick used for the creation of the RTOC of charges at this time. If you look both r0 and RTOC are passed to 0:

li% r0, 0
RTOC li%, 0

Subsequently, given the value 0x11DE0 to RTOC:

RTOC oris%,% RTOC, 1
RTOC ori%,% RTOC, 0x1DE0

A r0 is given the value 0x920:

oris% r0,% r0, 0
ori% r0,% r0, 0x920

R0 is subtracted from the value of RTOC:

SUBF% r0,% r0,% RTOC

Unlike the PowerPC x86 LR register can be read directly with mflr instruction, we put in RTOC the value obtained by the delta offset:

RTOC mflr%

To calculate the delta offset subtract final instructions executed before the delta offset, which were 4, or 16 bytes:

RTOC addi%,% RTOC,-0x10

Finally we add the value of r0 at the end of the delta offset RTOC, storing the result in the RTOC and this already takes RTOC suitable for this hook:

add% RTOC,% RTOC,% r0

It takes having the RTOC stored in the stack 3 arguments that the hook received:

std% r3, arg_30 (% sp)
std% r4, arg_38 (% sp)
std% r5, arg_40 (% sp)

You call the function of the charges where the first argument will check for command 0x8202 (a special command to the usual):

cobra_syscall_sm_shutdown bl

After making the necessary steps as charged, the battery recovers the original RTOC, like the arguments the hook received, it executes the original instruction that was overwritten in the syscall entry 379 (in this case) to have our hook, and call the original syscall lv2:

ld% RTOC, arg_28 (% sp)
ld% r3, arg_30 (% sp)
ld% r4, arg_38 (% sp)
ld% r5, arg_40 (% sp)
mfcr% r12
original_syscall_sm_shutdown bl

Upon returning to retrieve the original LR from the stack and returns to the prompt

ld% r0, arg_20 (% sp)
mtlr% r0
blr

# End of function cobra_syscall_sm_shutdown_hook

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

547 Comments - Go to Forum Thread »

#517 - Starchild2k - 8w ago

yes it does!!! I used the PS2U10000 base folder and all I did was rename PS2U10000 folder to a 9 character name (MANHUNT01

#516 - Hernaner28 - 8w ago

Does this allow us to play any PS2 game on our PS3?

#515 - moja - 8w ago

What game files did you use as a base to roll your package? This might help others who are having issues.

#514 - Starchild2k - 8w ago

This works perfectly I already got Manhunt 2 and Scarface working on 4.30.2 REBUG with the 4.40 Spoofer!

#513 - PS3 News - 8w ago

Today PlayStation 3 developer deank has released multiMAN v04.30.00 which now includes support for loading PS2 Classics among the changes outlined below.

Download: LANG_CZ.TXT by [B by sinsizer

MultiMAN v04.30.00 Changelog:

• Added support for various 4.40CFWs
• Added support for loading PS2 Classics (from /dev_hdd0/PS2ISO) (thanks flatz & ing.pereira)

multiMAN ver 04.30.00 BASE (20130324) Includes:

• multiMAN ver 04.30.00 BASE CEX (20130324).pkg
• multiMAN ver 04.30.00 BASE DEX (20130324).pkg
• multiMAN ver 04.30.00 BASE STEALTH (20130324).zip
• Showtime 04.03.100 [CEX].pkg
• Showtime 04.03.100 [DEX].pkg

Also available online and in the WEB column for those who want to test PS2 Classics. What I added to mM is just a simple function to link the iso.bin.enc files to the placeholder app. Whatever it requires is not changed. I don't have any ps2 classics to test anything. mM already has a PS1+PS2 database of almost 4000 covers (already available in the FULL version and online), hence few lines to link the encrypted isos to the placeholders. The haters are barking at the wrong tree.

You need http://www.mediafire.com/?zi9iscna23w4prn (PS2_Classics_Placeholder_R2.rar by CaptainCPS-X) installed and your ps2 classics in /dev_hdd0/PS2ISO as subfolders. It is also available for download in mM's WEB column.

If you don't have memory-cards, mM will create them for you under SAVEDATA subfolder in the game folder.

Use the following structure format:

/dev_hdd0/PS2ISO/Test Game (simple naming format - no cover download)
/dev_hdd0/PS2ISO/Test Game/ISO.BIN.ENC
/dev_hdd0/PS2ISO/Test Game/COVER.JPG (not mandatory, but if present will have higher priority than downloaded covers)
/dev_hdd0/PS2ISO/Test Game/SAVEDATA/SCEVMC0.VME (mM will create it if missing)
/dev_hdd0/PS2ISO/Test Game/SAVEDATA/SCEVMC1.VME (mM will create it if missing)

or even better, the recommended format:

/dev_hdd0/PS2ISO/[SCUS-97194] NFL GameDay 2003 (mM will use the gameID and will download the cover if available)
/dev_hdd0/PS2ISO/[SCUS-97194] NFL GameDay 2003/ISO.BIN.ENC
/dev_hdd0/PS2ISO/[SCUS-97194] NFL GameDay 2003/COVER.JPG (not mandatory, but if present will have higher priority than downloaded cover)
/dev_hdd0/PS2ISO/[SCUS-97194] NFL GameDay 2003/SAVEDATA/SCEVMC0.VME (mM will create it if missing)
/dev_hdd0/PS2ISO/[SCUS-97194] NFL GameDay 2003/SAVEDATA/SCEVMC1.VME (mM will create it if missing)

Basically you only need the ISO.BIN.ENC and nothing else:

/dev_hdd0/PS2ISO/MyPS2Classic/ISO.BIN.ENC

and mM will show "MyPS2Classic" disc icon in the RETRO column. If you name your folder with the game-id, mM will download the cover. If you put "COVER.JPG" next to the iso, mM will use it instead. That's it.

More PlayStation 3 News...