JaicraB on Cobra USB JIG Protection RTOC Trick for PS3

Category: PS3 Hacks & JailBreak By: PS3 News - (jaicrab.blogspot.com)
Tags: jaicrab jaicrab ps3 cobra usb ps3 cobra usb ps3 jig protection cobra usb rtoc trick

97w ago - Today Spanish PlayStation 3 developer JaicraB has explained the Cobra USB JIG protection RTOC trick implemented for the PS3 against cloning the device.

To quote, roughly translated: Flynn sent me this text explaining this protective carrying the Cobra, I hope it will open the eyes of those interested in reversing the dumps.

EXPLAIN RTOC COBRA TRICK

The JIG Cobra has several protective measures to ensure that your code could not be used correctly even if your code could be dumped.

This trick RTOC in the registry is the first used for this purpose in addition to hinder analysis.
Registration is initially RTOC stored in the battery to keep the RTOC of lv2 and power it back later:

# =============== S U B R U T I O N E

cobra_syscall_sm_shutdown_hook: # CODE XREF: j syscall_379

. Arg_20 September, 0x20
. Arg_28 September, 0x28
. Arg_30 September, 0x30
. Arg_38 September, 0x38
. Arg_40 September, 0x40

mflr% r0
std% r0, arg_20 (% sp)
std% RTOC, arg_28 (% sp)

At this point we have to explain that the OFFSET DELTA. DELTA OFFSET is a method used in the x86 in its original moments in the creation of computer viruses, to calculate the memory address in which we are in the sea of bytes in RAM.

In the original time a computer virus when I did not know where he was pulled into an executable,
depending on the executable it could be an initial site or another, for it was invented DELTA OFFSET.

DELTA OFFSET can be used in any system, the procedure is:

Using the record that indicates the current execution address (or the next depending on the system)
Reducing the size of the previous code we use the value obtained from the registry.

Knowing this, and taking for example the x86 processor where the EIP register can not be read directly invented the trick make a call to a "subfunction" which is simply the following line to the call:

call x
x:
pop eax

X86 call instruction saves the top of the stack the address of the next instruction to itself. Thus using pop draw from the top of the stack this value, and stored in eax for example, and having the memory address where we only subtract the above would be missing and we have the exact calculation.

The PowerPC can use this trick using the BL instruction is equivalent (LINK BRANCH), which jumps to a "subfunction" but before you save LR in the record the following address to BL.

_delta_offset bl

_delta_offset:

At this point we see the trick used for the creation of the RTOC of charges at this time. If you look both r0 and RTOC are passed to 0:

li% r0, 0
RTOC li%, 0

Subsequently, given the value 0x11DE0 to RTOC:

RTOC oris%,% RTOC, 1
RTOC ori%,% RTOC, 0x1DE0

A r0 is given the value 0x920:

oris% r0,% r0, 0
ori% r0,% r0, 0x920

R0 is subtracted from the value of RTOC:

SUBF% r0,% r0,% RTOC

Unlike the PowerPC x86 LR register can be read directly with mflr instruction, we put in RTOC the value obtained by the delta offset:

RTOC mflr%

To calculate the delta offset subtract final instructions executed before the delta offset, which were 4, or 16 bytes:

RTOC addi%,% RTOC,-0x10

Finally we add the value of r0 at the end of the delta offset RTOC, storing the result in the RTOC and this already takes RTOC suitable for this hook:

add% RTOC,% RTOC,% r0

It takes having the RTOC stored in the stack 3 arguments that the hook received:

std% r3, arg_30 (% sp)
std% r4, arg_38 (% sp)
std% r5, arg_40 (% sp)

You call the function of the charges where the first argument will check for command 0x8202 (a special command to the usual):

cobra_syscall_sm_shutdown bl

After making the necessary steps as charged, the battery recovers the original RTOC, like the arguments the hook received, it executes the original instruction that was overwritten in the syscall entry 379 (in this case) to have our hook, and call the original syscall lv2:

ld% RTOC, arg_28 (% sp)
ld% r3, arg_30 (% sp)
ld% r4, arg_38 (% sp)
ld% r5, arg_40 (% sp)
mfcr% r12
original_syscall_sm_shutdown bl

Upon returning to retrieve the original LR from the stack and returns to the prompt

ld% r0, arg_20 (% sp)
mtlr% r0
blr

# End of function cobra_syscall_sm_shutdown_hook

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

544 Comments - Go to Forum Thread »

#119 - HeyManHRU - 70w ago

Today MultiMAN Cobra Manager (mmCM) version 04.00.00 has been released, and those interested in updating multiMAN without the DRM-infected dongle can now do so as is it not required for non-Cobra multiMAN functionality on the PlayStation 3 console.

Download: multiMAN Cobra Manager (mmCM) v04.00.00 Update (20120112) / http://www.multiupload.com/1J8KF87O38 (184.72 MB) / http://www.multiupload.com/D66AZVM91F (Mirror - 184.72 MB)

Previously multiMAN developer deank stated to the PlayStation 3 scene that he was not in bed with Cobra (aka Max Louarn), however, some PS3 developers such as https://twitter.com/#!/CrashSerious/status/156446073739673600 appear to think otherwise, to quote via Twitter:

"Huge thanks to deank for leaving the scene and selling out to Cobra [/satire]"

Below is the multiMAN Cobra Manager (mmCM) v04.00.00 Full (20120113) changelog, as follows:

13 - 01 - 2012

• Added support for jpg/png covers for BD/DVD ISO files in "Coverflow" mode
• Added PIC1.PNG/SND0.AT3 (background image and music) support to lastGAME and "PSP Launcher" for PSP ISO files
• Improved performance when extracting CSO to ISO and when creating ISO files from folders
• SIXAXIS gyroscope affects screensaver mode (wave/tilt the controller to navigate the starfield)
• Improved "Coverflow" display mode
• Added preparations for experimental support for multi-disc PSX games in CUE+BIN or ISO format for up to 4 discs. ("Required Cobra USB/FW update will be announced when PSX multidisc support is available")
• mmCM 04.00.00 will work without CobraUSB dongle connected (click http://pastie.org/pastes/3174908/text?key=yijeuj1ob9ynfa5tarnvfw for more information). New mmCM users will have to install mmCM 04.00.00 FULL version..

Changelog for non-Cobra users updating from multiMAN 02.09.02 to multiMAN/mmCM 04.00.00:

• Added function "Create ISO from folder"
• Support for *.0/.31, *.001/.032, *.66600/.66631 split file formats
• Join split files in file manager (select and copy the first file to get the rest joined)
• New display mode "XBDM" - XBOX Dash Clone
• Added option "Detect Game Title in ISO Images" to allow using ISO filenames and *not* scan for game names in local database
• Improved scanning for retro roms/iso and covers (populating the Retro column)
• New THEME format (.thm). One theme - one file. Easy installation within multiMAN/mmCM without going to XMB to install theme pkg files.
• mmTM - Easy to use PC application to create thm files from folders (separate download).
• multiMAN/mmCM will try to read disc volume labels and display in VIDEO column (BD/DVD entry) and in other display modes.
• Added indication (rotating refresh icon next to the column icon) when multiMAN/mmCM is loading/extracting title thumbnails (XMMB mode)
• Added pop-up notifications when new versions of multiMAN/mmCM and Showtime are available for download
• Added pop-up notification when running low on disc space (less than 1GB on internal HDD)
• Added pop-up notification when multiMAN/mmCM successfully connects to nethost folders during startup (/net_host# in File Manager)
• Added support for downloading themes in a background thread (pop-up messages will notify user when download starts and completes)
• Added support for copying big (4+GB) files in File Manager to USB drives. multiMAN/mmCM will split source file when copying to USB.
• Changed option "Link Video Library to Showtime" - it will only create links for XMB Video files, but will not start Showtime
• Added shortcut (virtual folder) "XMB Video Files" when browsing HDD/USB drives in VIDEO column
• Added "Showtime Font Preference" option to select 10 different fonts for SHOWTIME media player (GUI and Subtitles)
• Added support to extract PSP CSO (compressed ISO) files in XMMB/XBDM display modes and File Manager (extracted image is saved in /dev_hdd0/PSPISO)
• Added shortcut to ISO folder when browsing external USB devices (PSP connected with memory stick /ISO folder, containing CSO and ISO files)
• Added music playback fade-out when leaving multiMAN/mmCM
• Added download progress indication in XMMB/XBDM modes - Web column. An entry will show current download filename and percentage of completion.
• Added TextViewer in File Manager (supported files colored in light blue). Supports viewing of ANSI/UTF plain text files.
• TextViewer controls: L1/R1 - PageUp/PageDown, L2/R2 - zoom out/in (50%-250%), R3 - change font, UP/DOWN/LEFT/RIGHT - scroll/pan, L1/R1+SELECT - skip to start/end of file
• Added support for browsing Video, Games, Favorites and Retro (ROMS/PS1/PS2/PSP) in "Coverflow" display mode. Change content mode with UP/DOWN.
• Improved performance when extracting CSO to ISO and when creating ISO files from folders
• SIXAXIS gyroscope affects screensaver mode (wave/tilt the controller to navigate the starfield)
• Improved "Coverflow" display mode

More PlayStation 3 News...

#118 - DeVil3o3 - 71w ago

Originally Posted by cfwprophet

Shame on the coder for patched games. I'm not a skilled programmer but i know that this is just a offset thing to add. And i doubt that he is really working on that, just adding new code but it seems that dean himself is not really interested in. I think that he only implemented the usage of the psp/ps1 emulator and doesn't try to improve the hole thing.

Also we get no information on that kind meaning why this or that don't work. Looks like he still try to put a mass of things into the app without thinking on other things.

Hi cfwprophet, I see your back around. this is multiman for Cobra, this means it is not just deans work so he can't be held 100% responsible for it.

I think honestly dean is doing a great job with multiman and its just sour grapes. Are we talking about same application/coder?

I think his app is one of the best with the best features, and has some of the best after support around. I do not see loads of threads about any serious errors it has caused so i'm not sure why there is negativity on here towards dean.

Maybe he doesn't know these things, maybe he does know and doesn't want to share, I certainly won't be dissing him because of info he may or may not know or info he chooses to keep to himself for whatever reason he might choose. That is his right.

P.S. Have you seen all the improvments he has made to ps1 emulator hack since it came out? And you think he doesnt try to improve things, if that were true we would still be using multiman0001!!

anyway I'm sure if you know about some solution -offset thing to add- that will make these patched ISOs work i'm sure dean will implement it if you can explain a little more, What is this patch to these ISOs that make them different than normal ISOs, I haven't heard about them, maybe dean hasn't either?

#117 - HeyManHRU - 71w ago

Well they still need to get PSP .ISO files fully working, other than that there are really no flaws.

#116 - Bartholomy - 71w ago

The 3 most requested functions, released. Cool

#115 - PS3 News - 71w ago

Below is multiMAN Cobra Manager (mmCM) v03.01.03 Full for those with the dongle alongside the changes in this revision, as follows:

Download: http://www.multiupload.com/GTV3FZAPHY (183.86 MB)

09 - 01 - 2012

• Added download progress indication in XMMB/XBDM modes - Web column. An entry will show current download filename and percentage of completion.
• Added TextViewer in File Manager (supported files colored in light blue). Supports viewing of ANSI/UTF plain text files.
• TextViewer controls: L1/R1 - PageUp/PageDown, L2/R2 - zoom out/in (50%-250%), R3 - change font, UP/DOWN/LEFT/RIGHT - scroll/pan, L1/R1+SELECT - skip to start/end of file
• Added support for browsing Video, Games, Favorites and Retro (ROMS/PS1/PS2/PSP) in "Coverflow" display mode. Change content mode with UP/DOWN.