Sponsored Links

Sponsored Links

JaicraB on Cobra USB JIG Protection RTOC Trick for PS3


Sponsored Links
186w ago - Today Spanish PlayStation 3 developer JaicraB has explained the Cobra USB JIG protection RTOC trick implemented for the PS3 against cloning the device.

To quote, roughly translated: Flynn sent me this text explaining this protective carrying the Cobra, I hope it will open the eyes of those interested in reversing the dumps.

EXPLAIN RTOC COBRA TRICK

The JIG Cobra has several protective measures to ensure that your code could not be used correctly even if your code could be dumped.

This trick RTOC in the registry is the first used for this purpose in addition to hinder analysis.
Registration is initially RTOC stored in the battery to keep the RTOC of lv2 and power it back later:

[Register or Login to view code]


At this point we have to explain that the OFFSET DELTA. DELTA OFFSET is a method used in the x86 in its original moments in the creation of computer viruses, to calculate the memory address in which we are in the sea of ​​bytes in RAM.

In the original time a computer virus when I did not know where he was pulled into an executable,
depending on the executable it could be an initial site or another, for it was invented DELTA OFFSET.

DELTA OFFSET can be used in any system, the procedure is:

  • Using the record that indicates the current execution address (or the next depending on the system)
  • Reducing the size of the previous code we use the value obtained from the registry.

Knowing this, and taking for example the x86 processor where the EIP register can not be read directly invented the trick make a call to a "subfunction" which is simply the following line to the call:

[Register or Login to view code]


X86 call instruction saves the top of the stack the address of the next instruction to itself. Thus using pop draw from the top of the stack this value, and stored in eax for example, and having the memory address where we only subtract the above would be missing and we have the exact calculation.

The PowerPC can use this trick using the BL instruction is equivalent (LINK BRANCH), which jumps to a "subfunction" but before you save LR in the record the following address to BL.

[Register or Login to view code]


At this point we see the trick used for the creation of the RTOC of charges at this time. If you look both r0 and RTOC are passed to 0:

[Register or Login to view code]


Subsequently, given the value 0x11DE0 to RTOC:

[Register or Login to view code]


A r0 is given the value 0x920:

[Register or Login to view code]


R0 is subtracted from the value of RTOC:

[Register or Login to view code]


Unlike the PowerPC x86 LR register can be read directly with mflr instruction, we put in RTOC the value obtained by the delta offset:

[Register or Login to view code]


To calculate the delta offset subtract final instructions executed before the delta offset, which were 4, or 16 bytes:

[Register or Login to view code]


Finally we add the value of r0 at the end of the delta offset RTOC, storing the result in the RTOC and this already takes RTOC suitable for this hook:

[Register or Login to view code]


It takes having the RTOC stored in the stack 3 arguments that the hook received:

[Register or Login to view code]


You call the function of the charges where the first argument will check for command 0x8202 (a special command to the usual):

[Register or Login to view code]


After making the necessary steps as charged, the battery recovers the original RTOC, like the arguments the hook received, it executes the original instruction that was overwritten in the syscall entry 379 (in this case) to have our hook, and call the original syscall lv2:

[Register or Login to view code]


Upon returning to retrieve the original LR from the stack and returns to the prompt

[Register or Login to view code]





Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew PS3 Downloads. Enjoy!

Comments 1255 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles.
 
#405 - PS3 News - 110w ago
PS3 News's Avatar
Following up on the PS3UserCheat and True Blue unnecessary DRM-infected dongles being hacked alongside zadow28's work, today PlayStation 3 developer oct0xor shared a video of his OpenCobra Payload which aims to render the current Cobra USB dongle from Max Louarn useless.

Below are the details from his [Register or Login to view links], as follows: "First I am going to say that this is not going to be an article, just a first blog post and some info about my recent project.

Finally I got my hands on cobra it was quite a lot of time since I touched this last time. There was s good things happened since then eg. I reverse engineered usercheat and true blue, had done a lot ps3 and not ps3 related hacking. There was a bad things eg. BlueDiskCFW, lv0 leak, a lot of devs leave the scene...

Cobra was for me really "the last" thing I have to do.

The last time when I worked on this I didnt had a dongle, and all what I had was a dump by JaiCraB. I reverse engineered it as much as possible, figure out almost all tricks, encrypton and etc. And figuare out that it reads a lot of data from dongle, and I cant do much without dongle itself. Thats why I put this project to the back burner.

Well... I had never buyed anyone dongle, and I never was not going to. All my dongles was donated (thanks again ) but not that time.

it was hard for me to make this decision but a few days ago cobra finally shipped to me...

3 days and now its all over.

Security is good enough, but not without big security risks. But it still the best crypto/obfuscation what I had seen on ps3. Sony have something to learn from this guys, especially now.

Cobra / True Blue almost identical, have the same source code, if you ever hacked 1 thing, 2nd wouldnt be a problem. The main functionality, honestly, not changed since original jb. Thats a shame. Thats why I cracking them like nuts





On the fourth day I taked a decision to make my own "OpenCobra" payload. only clean code without drm and garbage, to be able to port it to any new firmware, and change/add features. It taked 2 days, 3000 lines of asm, and you had seen the result.

Atm it based on 4.1 payload, plans for future is check/add new features from 4.4/5.0. Port to a new firmware (if cobra will not do this for me), and realize all nice innovations from new version of psp emu, such as better emu accuracy, 3D and etc...

In video you had seen Payload Loader. Thats the all code it has:

[Register or Login to view code]

This tag related patches handled by mngr. So far I want to move it in payload. First I have to check how it handled in 4.4 / 5.0

Not sure yet when it will be released, if it will be, but we will see.

Keys!

[Register or Login to view code]

If this subject will be interested for people, maybe I will write a full article about True Blue / Cobra analysis and hacking.

btw: Me and ~ some psp mysterious dark figure ~ reverse engineered algo for generating valid psp isos back to jule. But saves and a lot of games dont work without patching. So cobra's patched emu much better there imho."

Below are some additional pics from his blog which simply states: Usercheat + Cobra = data, 0x38, 1);
_hexdump(" ECDSA R ", 0x38, s->R, 0x14, 1);
_hexdump(" ECDSA S ", 0x4C, s->S, 0x14, 1);
_hexdump(" ECDSA PUB", 0x60, s->pub, 0x28, 1);
_hexdump(" UNK ", 0x88, s->unk, 0x20, 1);
_hexdump(" OMAC ", 0xA8, s->omac, 0x10, 1);
_hexdump(" PADDING ", 0xB8, s->padding, 0x08, 1);
printf("\n");
}

/*!
* \brief Verify section.
* \param s Section.
* \param c Curve.
* \return Verify result.
*/
int verify_section(section_t *s, curve_t *c)
{
u8 hash[0x14];
u8 _R[21] = {0}, _S[21] = {0};

memcpy(_R + 1, s->R, 20);
memcpy(_S + 1, s->S, 20);

sha1(s->data, 0x38, hash);
ecdsa_set_curve(c->p, c->a, c->b, c->N, c->Gx, c->Gy);
ecdsa_set_pub(s->pub);
return ecdsa_verify(hash, _R, _S);
}

//Maybe you're lucky?!
int main()
{
dump_section("0_1", (section_t *)section0_1);
dump_section("0_2", (section_t *)section0_2);
printf("sig. 1 verified: %s\n", verify_section((section_t *)section0_1, (curve_t *)curve0) ? "yay" : "nay");
printf("sig. 2 verified: %s\n", verify_section((section_t *)section0_2, (curve_t *)curve0) ? "yay" : "nay");
printf("R_1 == R_2: %s\n", memcmp(((section_t *)section0_1)->R, ((section_t *)section0_2)->R, 0x14) ? "nay " : "yay ");
getchar();
return 0;
}[/code] While this is definitely interesting news, odds are it's just a ploy for the Cobra Team to release a new dongle that will be 'required' for their upcoming PS3 4.3x CFW unfortunately or the PS3 ODE in order to further line their pockets with PlayStation 3 sceners' hard-earned cash once again... as always, time will tell for sure.

More PlayStation 3 News...

#404 - StanSmith - 111w ago
StanSmith's Avatar
I've downgraded back to MultiMan 4.13 and its so much smoother and faster. All 4.14-16 bring is slower, jumpier and buggier gui. All the problems I've been having recently have been due to the updates. DeanK can you revert the GUI back to how it was prior 4.14 as thats when the bugs started and it started to suck. I only have it on 8.4 and it is so much faster and smoother on 4.13. Go have a try yourself and see how slow and laggy its become.

#403 - PS6 - 111w ago
PS6's Avatar
thanks a lot, this is for 3.55?

#402 - PS3 News - 111w ago
PS3 News's Avatar
Today deank has updated multiMAN to version 04.16.03 which includes improved GUI / loading speeds among the changes below.

Download: [Register or Login to view links] (2.56 MB) / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Mirror #2) / [Register or Login to view links] (Mirror #3) / [Register or Login to view links] (Mirror #4) / [Register or Login to view links] (Mirror #5) / [Register or Login to view links] by winch03200

Changelog: Here is the minor 04.16.03 update which will change your mM experience forever:

  • Improved overall speed of all functions and GUI
  • Data Test/Verify functions now take fraction of the time compared to previous versions
  • Improved 'Verifying data' of USB games by a factor of 50
  • Improved scan before copying a game/folder
  • Improved loading folders in mmOS
  • Improved just a bit deleting games/folders
  • Greatly improved loading content when browsing PS3 HDD/USB drives in game modes
  • Loading Retro ROM/Video/Photo and ISO folders while browsing PS3 HDD/USB is now about 15 times faster
  • Added "Friendly" name option in "Settings"/"Network Servers" for /net_host parties
  • Fixed over-scrolling when browsing through large number of entries
  • Increased max number of entries in game modes by 50% to 3072 (from 2048)
  • The first time you load this version it will take 2-3 seconds longer, but next mM starts will show the GUI in a split second.

The update for CEX/DEX/STEALTH is now available online.

p.s. A big "thanks" goes to all of you who supported multiMAN the last couple of months and before. Thank you!

Also this afternoon I added some more improvements:

  • Improved speed when copying games/files from/to USB HDDs
  • Improved speed when copying games from PS3 Game Discs
  • Improved speed when copying/browsing folders via FTP (LIST/MLSD)

#401 - StanSmith - 111w ago
StanSmith's Avatar
I think to play other formats and to play via LAN you need the dongle.

#400 - miandad - 111w ago
miandad's Avatar
guys any one know how to play games throw LAN with multiman?

#399 - tonyqc - 111w ago
tonyqc's Avatar
Below is multiMAN version 04.16.02 UPD CEX (20121216) with the changes from deank as follows:

Download: [Register or Login to view links] (2.57 MB) / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Mirror #2) / [Register or Login to view links] (Mirror #3) / [Register or Login to view links] (Mirror #4) / [Register or Login to view links] by HAIDER

There is a 04.16.02 version available online (cex/dex/stealth).

  • A show-off version so you can find out what speeds is multiMAN capable of

p.s. You will notice a great performance boost which affects nearly all mM functions (including copy/delete/verify/scanning for games/GUI/loading of images/coverart, faster remote-access, etc).

#398 - miandad - 111w ago
miandad's Avatar
thx but using mm_ras sharing folder any idea?

#397 - richdotward - 111w ago
richdotward's Avatar
Mm does support this but only if you have a dongle and on their 3.55 cfw. Shame.

Rich

Sent from my GT-I9000 using Tapatalk 2.

#396 - Muhammad54 - 111w ago
Muhammad54's Avatar
No. Multiman could launch it. But your CFW needs to see those games in certain locations.

 

Sponsored Links

Sponsored Links







Advertising - Affiliates - Contact Us - PS3 Downloads - PS3 Forums - Privacy Statement - Site Rules - Top - © 2015 PlayStation 3 News

Sponsored Links