Sponsored Links

Sponsored Links

JaicraB on Cobra USB JIG Protection RTOC Trick for PS3


Sponsored Links
169w ago - Today Spanish PlayStation 3 developer JaicraB has explained the Cobra USB JIG protection RTOC trick implemented for the PS3 against cloning the device.

To quote, roughly translated: Flynn sent me this text explaining this protective carrying the Cobra, I hope it will open the eyes of those interested in reversing the dumps.

EXPLAIN RTOC COBRA TRICK

The JIG Cobra has several protective measures to ensure that your code could not be used correctly even if your code could be dumped.

This trick RTOC in the registry is the first used for this purpose in addition to hinder analysis.
Registration is initially RTOC stored in the battery to keep the RTOC of lv2 and power it back later:

[Register or Login to view code]


At this point we have to explain that the OFFSET DELTA. DELTA OFFSET is a method used in the x86 in its original moments in the creation of computer viruses, to calculate the memory address in which we are in the sea of ​​bytes in RAM.

In the original time a computer virus when I did not know where he was pulled into an executable,
depending on the executable it could be an initial site or another, for it was invented DELTA OFFSET.

DELTA OFFSET can be used in any system, the procedure is:

  • Using the record that indicates the current execution address (or the next depending on the system)
  • Reducing the size of the previous code we use the value obtained from the registry.

Knowing this, and taking for example the x86 processor where the EIP register can not be read directly invented the trick make a call to a "subfunction" which is simply the following line to the call:

[Register or Login to view code]


X86 call instruction saves the top of the stack the address of the next instruction to itself. Thus using pop draw from the top of the stack this value, and stored in eax for example, and having the memory address where we only subtract the above would be missing and we have the exact calculation.

The PowerPC can use this trick using the BL instruction is equivalent (LINK BRANCH), which jumps to a "subfunction" but before you save LR in the record the following address to BL.

[Register or Login to view code]


At this point we see the trick used for the creation of the RTOC of charges at this time. If you look both r0 and RTOC are passed to 0:

[Register or Login to view code]


Subsequently, given the value 0x11DE0 to RTOC:

[Register or Login to view code]


A r0 is given the value 0x920:

[Register or Login to view code]


R0 is subtracted from the value of RTOC:

[Register or Login to view code]


Unlike the PowerPC x86 LR register can be read directly with mflr instruction, we put in RTOC the value obtained by the delta offset:

[Register or Login to view code]


To calculate the delta offset subtract final instructions executed before the delta offset, which were 4, or 16 bytes:

[Register or Login to view code]


Finally we add the value of r0 at the end of the delta offset RTOC, storing the result in the RTOC and this already takes RTOC suitable for this hook:

[Register or Login to view code]


It takes having the RTOC stored in the stack 3 arguments that the hook received:

[Register or Login to view code]


You call the function of the charges where the first argument will check for command 0x8202 (a special command to the usual):

[Register or Login to view code]


After making the necessary steps as charged, the battery recovers the original RTOC, like the arguments the hook received, it executes the original instruction that was overwritten in the syscall entry 379 (in this case) to have our hook, and call the original syscall lv2:

[Register or Login to view code]


Upon returning to retrieve the original LR from the stack and returns to the prompt

[Register or Login to view code]





Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 728 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

PS3 News's Avatar
#288 - PS3 News - 102w ago
Today deank has released multiMAN version 04.06.03 (DEX) for those interested with the changes outlined below, as follows:

Download: [Register or Login to view links]

04.06.03 (DEX)

  • Added support for "Shutdown" and "Restart" when PS3 is connected to a wired LAN connection (no PC required)
  • Added support for activating BDEMU slots 4-9 (#5-#10) without the need of a PC (PS3 will reboot after slot is activated)
  • Changed: "Retrieve BDEMU Game Titles" will only check slots 0-3 (#1-#4). For best results use a PC with mmDM or rcp_bdemu.exe + LAN + ProDG
  • Changed: Game list received by mmDM/rcp_bdemu will show empty slots as inactive
  • Added support for 4.21CFW DEX spoofed to 4.25
4.21 Peek & Poke from doggie721:
[code]
Code multiman cfw 4.21 CEX :

==================================================================================================================
LV2: Original 3.55 syscall36 code parts loaded at 0x2E8670 and 0x2D1060 and modified for 4.21CEX CFW as follows:
==================================================================================================================

002E8670 25 73 25 30 31 36 6C 78 25 30 31 36 6C 78 25 30 %s%016lx%016lx%0
002E8680 31 36 6C 78 25 30 31 36 6C 78 25 30 31 36 6C 78 16lx%016lx%016lx
002E8690 25 64 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 %d..............

002E86A0 F8 21 FF 61 7C 08 02 A6 FB 81 00 80 FB A1 00 88 !*a|..?vA.Ava.E
002E86B0 FB E1 00 98 FB 41 00 70 FB 61 00 78 F8 01 00 B0 vn.OvA.pva.x..-
002E86C0 7C 9C 23 78 7C 7D 1B 78 3B E0 00 01 7B FF F8 06 |U#x|}.x;?..{*.
002E86D0 67 E4 00 2E 60 84 87 14 38 A0 00 07 4B D6 60 2D go..`AC.8a..Ka`-
002E86E0 28 23 00 00 40 82 00 4C 67 FF 00 2D 63 FF 11 1C (#..@A.Lg*.-c*..
002E86F0 E8 7F 00 00 28 23 00 00 41 82 00 14 E8 7F 00 08 o..(#..AA..o..
002E8700 38 9D 00 09 4B D6 5F B1 EB BF 00 00 7F A3 EB 78 8Y..Ka_-u..aux
002E8710 4B FD 9E 70 2F 64 65 76 5F 62 64 76 64 00 2F 61 K?p/dev_bdvd./a
002E8720 70 70 5F 68 6F 6D 65 00 00 00 00 00 00 00 00 00 pp_home.........
002E8730 7F A3 EB 78 3B E0 00 01 7B FF F8 06 67 E4 00 2E aux;?..{*.go..
002E8740 60 84 87 1E 38 A0 00 02 4B D6 5F C1 28 23 00 00 `AC.8a..Ka_+(#..
002E8750 40 82 00 28 67 FF 00 2D 63 FF 11 1C E8 7F 00 00 @A.(g*.-c*..o..
002E8760 28 23 00 00 41 82 00 14 E8 7F 00 08 38 9D 00 09 (#..AA..o..8Y..
002E8770 4B D6 5F 45 EB BF 00 00 7F A3 EB 78 4B FD 9E 04 Ka_Eu..auxK?.

002D1060 25 64 25 73 25 30 31 36 6C 78 25 30 31 36 6C 6C %d%s%016lx%016ll
002D1070 78 25 30 31 36 6C 6C 78 25 73 25 73 25 30 38 78 x%016llx%s%s%08x
002D1080 25 64 25 31 64 25 31 64 25 31 64 41 41 41 0A 00 %d%1d%1d%1dAAA..

002D1090 F8 21 FF 31 7C 08 02 A6 F8 01 00 E0 FB E1 00 C8 !*1|..?..?vn.L
002D10A0 38 81 00 70 4B EE 08 E5 3B E0 00 01 7B FF F8 06 8A.pK?.o;?..{*.
002D10B0 67 FF 00 2D 63 FF 11 1C E8 7F 00 00 2C 23 00 00 g*.-c*..o..,#..
002D10C0 41 82 00 0C 38 80 00 27 4B D9 32 4D 38 80 00 27 AA..8A.'K-2M8A.'
002D10D0 38 60 08 00 4B D9 2E 05 F8 7F 00 00 E8 81 00 70 8`..K-....oA.p
002D10E0 4B D7 D5 D5 E8 61 00 70 38 80 00 27 4B D9 32 29 K+--oa.p8A.'K-2)
002D10F0 E8 7F 00 00 4B D7 D5 E9 E8 9F 00 00 7C 64 1A 14 o..K+-uo?..|d..
002D1100 F8 7F 00 08 38 60 00 00 EB E1 00 C8 E8 01 00 E0 ..8`..un.Lo..?
002D1110 38 21 00 D0 7C 08 03 A6 4E 80 00 20 80 00 00 00 8!.|..?NA. A...
002D1120 00 59 18 00 80 00 00 00 00 59 18 09 00 00 00 00 .Y..A....Y......
002D1130 80 00 00 00 00 2D 10 90

Lv2Syscall2(7, 0x80000000002E86D0ULL, 0x67E4002E60848714ULL ); // 2E86D0 oris r4, r31, 0x2E // 67 E4 00 2E 60 84 87 14 // (/dev_bdvd) // 2E86D4 ori r4, r4, 0x8714
Lv2Syscall2(7, 0x80000000002E86DCULL, 0x4BD6602D28230000ULL ); // 2E86DC bl strncmp_sub_4E708 // 4B D6 60 2D 28 23 00 00
Lv2Syscall2(7, 0x80000000002E86E8ULL, 0x67FF002D63FF111CULL ); // 2E86E8 oris r31, r31, 0x2D // 67 FF 00 2D 63 FF 11 1C // 2E86EC ori r31, r31, 0x111C
Lv2Syscall2(7, 0x80000000002E8704ULL, 0x4BD65FB1EBBF0000ULL ); // 2E8704 bl strcpy_sub_4E6B4 // 4B D6 5F B1 EB BF 00 00
Lv2Syscall2(7, 0x80000000002E8710ULL, 0x4BFD9E702F646576ULL ); // 2E8710 b loc_2C2580 // 4B FD 9E 70 2F 64 65 76 // hook_return
Lv2Syscall2(7, 0x80000000002E873CULL, 0x67E4002E6084871EULL ); // 2E873C oris r4, r31, 0x2E // 67 E4 00 2E 60 84 87 1E // (/app_home) // 2E8740 ori r4, r4, 0x871E
Lv2Syscall2(7, 0x80000000002E8748ULL, 0x4BD65FC128230000ULL ); // 2E8748 bl strncmp_sub_4E708 // 4B D6 5F C1 28 23 00 00
Lv2Syscall2(7, 0x80000000002E8754ULL, 0x67FF002D63FF111CULL ); // 2E8754 oris r31, r31, 0x2D // 67 FF 00 2D 63 FF 11 1C // 2E8758 ori r31, r31, 0x111C
Lv2Syscall2(7, 0x80000000002E8770ULL, 0x4BD65F45EBBF0000ULL ); // 2E8770 bl strcpy_sub_4E6B4 // 4B D6 5F 45 EB BF 00 00
Lv2Syscall2(7, 0x80000000002E877CULL, 0x4BFD9E047461636BULL ); // 2E877C b loc_2C2580 // 4B FD 9E 04 74 61 63 6B // hook_return

Lv2Syscall2(7, 0x80000000002D10A4ULL, 0x4BEE08E53BE00001ULL ); // 2D10A4 bl pathdup_from_user_1B1988 // 4B EE 08 E5 3B E0 00 01
Lv2Syscall2(7, 0x80000000002D10B0ULL, 0x67FF002D63FF111CULL ); // 2D10B0 oris r31, r31, 0x2D // 67 FF 00 2D 63 FF 11 1C // 2D10B4 ori r31, r31, 0x111C
Lv2Syscall2(7, 0x80000000002D10C8ULL, 0x4BD9324D38800027ULL ); // 2D10C8 bl free_sub_64314 // 4B D9 32 4D 38 80 00 27
Lv2Syscall2(7, 0x80000000002D10D4ULL, 0x4BD92E05F87F0000ULL ); // 2D10D4 bl alloc_sub_63ED8 // 4B D9 2E 05 F8 7F 00 00
Lv2Syscall2(7, 0x80000000002D10E0ULL, 0x4BD7D5D5E8610070ULL ); // 2D10E0 bl strcpy_sub_4E6B4 // 4B D7 D5 D5 E8 61 00 70

Lv2Syscall2(7, 0x80000000002D10ECULL, 0x4BD93229E87F0000ULL ); // 2D10EC bl free_sub_64314 // 4B D9 32 29 E8 7F 00 00
Lv2Syscall2(7, 0x80000000002D10F4ULL, 0x4BD7D5E9E89F0000ULL ); // 2D10F4 bl strlen_sub_4E6DC // 4B D7 D5 E9 E8 9F 00 00
Lv2Syscall2(7, 0x80000000002D1130ULL, 0x80000000002D1090ULL ); // 2D1130 .long syscall_lv2_syscall_36 // 80 00 00 00 00 2D 10 90 // sc36 vector

Lv2Syscall2(7, 0x80000000002C2558ULL, 0x480261487C0802A6ULL ); // 2C2558 b sub_2E86A0 // hook open
Lv2Syscall2(7, 0x800000000035BDC8ULL, 0x80000000002D1130ULL ); // enable syscall36

2E8714 aDev_bdvd: .string "/dev_bdvd"
2E871E aApp_home: .string "/app_home"

2D111C free/alloc address pointer -> (set by functions)
2D1130 syscall36 address pointer -> 0x80000000002D1090

==================================================================================================================

LV2: Additional patches for PARAM.SFO and access permissions

Lv2Syscall2(7, 0x8000000000057020ULL, 0x63FF003D60000000ULL ); // fix 8001003D error
Lv2Syscall2(7, 0x80000000000570E4ULL, 0x3FE080013BE00000ULL ); // fix 8001003E error

Lv2Syscall2(7, 0x8000000000057090ULL, 0x419E00D860000000ULL );
Lv2Syscall2(7, 0x8000000000057098ULL, 0x2F84000448000098ULL );

Lv2Syscall2(7, 0x800000000005AA54ULL, 0x2F83000060000000ULL );
Lv2Syscall2(7, 0x800000000005AA68ULL, 0x2F83000060000000ULL );

==================================================================================================================

LV1: Remove LV2 memory protection (syscall8/9=lv1 peek/poke) HV_START_OFFSET_421 = 0x370A28

Lv2Syscall2(9, HV_START_OFFSET_421 + 0, 0x0000000000000001ULL);
Lv2Syscall2(9, HV_START_OFFSET_421 + 8, 0xe0d251b556c59f05ULL);
Lv2Syscall2(9, HV_START_OFFSET_421 + 16, 0xc232fcad552c80d7ULL);
Lv2Syscall2(9, HV_START_OFFSET_421 + 24, 0x65140cd200000000ULL);

==================================================================================================================

LV1: Storage Manger Access Rights (enable)

Lv2Syscall2(9, 0x16f758, 0x7f83e37860000000ULL);
Lv2Syscall2(9, 0x16f77c, 0x7f85e37838600001ULL);
Lv2Syscall2(9, 0x16f7f4, 0x7f84e3783be00001ULL);
Lv2Syscall2(9, 0x16f7fc, 0x9be1007038600000ULL);

LV2: Enable SM syscalls from GameOS

Lv2Syscall2(7, 0x80000000002E7920ULL, (uint64_t) 0x40 8000000000001788 -> 800000000000171C syscall8 peeklv1
800000000035BCF0 -> 8000000000001790 -> 800000000000173C syscall9 pokelv1
800000000035BCF8 -> 8000000000001798 -> 800000000000175C syscall10 hvfunc=%r10

0000170C E8 63 00 00 4E 80 00 20 F8 83 00 00 4E 80 00 20 oc..NA. A..NA.
0000171C 7C 08 02 A6 F8 01 00 10 39 60 00 B6 44 00 00 22 |..?...9`.D.."
0000172C 7C 83 23 78 E8 01 00 10 7C 08 03 A6 4E 80 00 20 |A#xo...|..?NA.
0000173C 7C 08 02 A6 F8 01 00 10 39 60 00 B7 44 00 00 22 |..?...9`.D.."
0000174C 38 60 00 00 E8 01 00 10 7C 08 03 A6 4E 80 00 20 8`..o...|..?NA.
0000175C 7C 08 02 A6 F8 01 00 10 7D 4B 53 78 44 00 00 22 |..?...}KSxD.."
0000176C E8 01 00 10 7C 08 03 A6 4E 80 00 20 80 00 00 00 o...|..?NA. A...
0000177C 00 00 17 0C 80 00 00 00 00 00 17 14 80 00 00 00 ....A.......A...
0000178C 00 00 17 1C 80 00 00 00 00 00 17 3C 80 00 00 00 ....A......

niwakun's Avatar
#287 - niwakun - 104w ago
Ok i'm not really sure about the temperatures showing on Multiman, I got CECHA.

70-75 C For CPU
57 C for GPU

Yeah, It's like that, whether I played a game or not, Idling will drop the CPU temp to 70 C but GPU is not even changing it's value.

Tested playing Tales of Xillia, Hatusune Miku 2nd, Naruto Generations, watched animes over showtime and whatsnot. Summing up of 5 hours session.

TheZander's Avatar
#286 - TheZander - 104w ago
I recently converted m PS3 to dex I have Rogero v2 installed also the latest multiman with DEX.

I thought I fixed RE 6 but when I try to mount it. DEX GM gives me guff and says that the EBOOT needs to be signed wtih 3.6 keys or lower. At which point I am stuck because I already overwrote the stock eboot with the one inside that update pkg.

Any help would be helpful. I have also messed around with ps3gen but that just gives me errors.

Actually I just set to "ignore decrypt errors" and it seemed to mount. Then I go to reset my PS3 trough ProDG and the PS3 never makes a full reset. It just goes off and eventually ProDG times out.

I installed 4.11 dex since then. Now I can get to show up in XMB but when I select it tells me 8001003E Insert Disk. I have already made a package thing and unpackaged it and repackage it and installed it. Am I missing a step in the Game Mounter process?

PS3 News's Avatar
#285 - PS3 News - 104w ago
Today mmCM v04.06.02 BasePlus (20121002) is released (CEX only) with the changes outlined below, as follows:

Download: [Register or Login to view links] (69.28 MB)

02 - 10 - 2012

mmCM ver 04.06.02 BasePlus Changelog:

  • Added option in "Settings" - "Show Temperature Data" in Clock area (Disable/Enable/Auto (thanks to Mysis and 3141card_)

Full Changelog: pastie.org/4898298

[Register or Login to view code]


PS3 News's Avatar
#284 - PS3 News - 104w ago
Today MultiMAN v04.06.02 was released with the addition of a Software CPU / GPU Temperature Sensor for those interested by deank with some mods by 3141card, Mysis and haz367 (via ps3devwiki.com/wiki/Thermal) below. multiMAN 04.06.02 now supports Farenheit (in addition to Celsius), simply use L2+R2 on startup of multiMAN to enter in Debug Mode, and update again.

Download: [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] by 3141card / [Register or Login to view links] / [Register or Login to view links] by haz367

multiMAN 04.06.02 Changelog:

  • Added option in "Settings" - "Show Temperature Data" in Clock area (Disable/Enable/Auto) (thanks to Mysis and 3141card_)





From condorstrike: syscall:

sys_game_get_temperature int sys_game_get_temperature(0/1,uint32_t *temperature)
HV System Manager access - ServiceID 13 (TEMPERATURE)

This syscall is always being used by the PS3, so if it overheats it then just sends a syscall 379 and the PS3 will shut off.

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Advertising - Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News