Sponsored Links

Sponsored Links

JaicraB on Cobra USB JIG Protection RTOC Trick for PS3


Sponsored Links
164w ago - Today Spanish PlayStation 3 developer JaicraB has explained the Cobra USB JIG protection RTOC trick implemented for the PS3 against cloning the device.

To quote, roughly translated: Flynn sent me this text explaining this protective carrying the Cobra, I hope it will open the eyes of those interested in reversing the dumps.

EXPLAIN RTOC COBRA TRICK

The JIG Cobra has several protective measures to ensure that your code could not be used correctly even if your code could be dumped.

This trick RTOC in the registry is the first used for this purpose in addition to hinder analysis.
Registration is initially RTOC stored in the battery to keep the RTOC of lv2 and power it back later:


At this point we have to explain that the OFFSET DELTA. DELTA OFFSET is a method used in the x86 in its original moments in the creation of computer viruses, to calculate the memory address in which we are in the sea of ​​bytes in RAM.

In the original time a computer virus when I did not know where he was pulled into an executable,
depending on the executable it could be an initial site or another, for it was invented DELTA OFFSET.

DELTA OFFSET can be used in any system, the procedure is:

  • Using the record that indicates the current execution address (or the next depending on the system)
  • Reducing the size of the previous code we use the value obtained from the registry.

Knowing this, and taking for example the x86 processor where the EIP register can not be read directly invented the trick make a call to a "subfunction" which is simply the following line to the call:


X86 call instruction saves the top of the stack the address of the next instruction to itself. Thus using pop draw from the top of the stack this value, and stored in eax for example, and having the memory address where we only subtract the above would be missing and we have the exact calculation.

The PowerPC can use this trick using the BL instruction is equivalent (LINK BRANCH), which jumps to a "subfunction" but before you save LR in the record the following address to BL.


At this point we see the trick used for the creation of the RTOC of charges at this time. If you look both r0 and RTOC are passed to 0:


Subsequently, given the value 0x11DE0 to RTOC:


A r0 is given the value 0x920:


R0 is subtracted from the value of RTOC:


Unlike the PowerPC x86 LR register can be read directly with mflr instruction, we put in RTOC the value obtained by the delta offset:


To calculate the delta offset subtract final instructions executed before the delta offset, which were 4, or 16 bytes:


Finally we add the value of r0 at the end of the delta offset RTOC, storing the result in the RTOC and this already takes RTOC suitable for this hook:


It takes having the RTOC stored in the stack 3 arguments that the hook received:


You call the function of the charges where the first argument will check for command 0x8202 (a special command to the usual):


After making the necessary steps as charged, the battery recovers the original RTOC, like the arguments the hook received, it executes the original instruction that was overwritten in the syscall entry 379 (in this case) to have our hook, and call the original syscall lv2:


Upon returning to retrieve the original LR from the stack and returns to the prompt





Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 704 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

Ron36's Avatar
#264 - Ron36 - 100w ago
While everyone is awaiting further details on PlayStation 3 Custom Firmware 4.21 from the Red Power Team, today multiMAN was updated to version 04.06.00 followed by v04.06.01 adding PS3 4.21 CFW support among the changes outlined below.

Download: [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Mirror #2) / [Register or Login to view links] / [Register or Login to view links] (Mirror)

What's new in multiMAN 04.06.00:

  • multiMAN celebrates 2 years. CONGRATULATIONS!
  • Added support for 4.21CFW (CEX) (syscall 6-10 required):
  • "Standard" BD-Emulator option (sc36) (Hermes not supported yet)
  • Direct Disc Access (LV1&LV2 patched for Storage Manager access)
  • Raw access to optical media (PS1 backups & Showtime access to BD/DVD/CDs)
  • BD-Movie Region Changer
  • BD-Mirror for INT/EXT games

! Not fully tested with Red Power's 4.21CFW (Hermes payload used and syscall 1021 required)

What's new in multiMAN 04.06.01:

  • Added support for 4.21CFW (DEX) (syscalls 6-7 required):
  • "Standard" BD-Emulator option (sc36)
  • BD-Mirror for external / USB games

Finally, below are some related comments on the multiMAN v04.06.00 update as follows:

From Lightyear: multiMAN has supported 4.21 for a LONG time. now it's just CEX 4.21 support... it's really not that different. and deank releasing mm that supports 4.21 does NOT mean a completely 3rd party scene group is working on a new 4.21 CFW! they are not even working with dean... they have their own backup manager, according to their posts. *facepalm*

FWIW, multiman automatically worked on 4.21... dean didn't change anything to make that happen. someone just tested it out and realized it worked. just like PSX support. that was just a native thing that someone just "discovered" was working one day.

From deank: I see no mentions of DEX in the "What's new"/change log, quite the contrary. And - no - the mM update server is not hacked.

I just woke up and read some posts about some chinese shtty dongle for 4.21... Just to make it clear - the mM update has nothing to do with it and doesn't need a dongle if used with 4.21cfw. It is a pure speculation I guess, because there are a lot of people around who won't allow another dongle to surface anyway. I don't believe that their dongle (which I doubt it exists at all) will see the light of any day!

Why do you ask me about their stuff? I don't know any of them nor do I know what they're going to do. Someone leaked a file from their 'promo system' (the eboot.bin they use to launch that old multiMAN version), I took a look at it, I saw what patches they use for 4.21 and implemented some of them in mM and added syscall36. As simple as that - that way nothing is hidden in 'their system/manager' and is available in the regular public mM version. I know for sure that their firmware uses hermes because I saw how the payload and stuff is loaded in that leaked eboot.bin, hence I mentioned it in mM's changelog.

I already posted what I think few pages back. In addition to that - I think it will be a huge mistake if they decide to sell dongles.

I added some additional checks to make mM recognize when it is running on peek/poke-enabled 4.21CFW. Then it adds syscall36 just like it does on 3.55, which means that games should work without patching.

When asked why update MM to a hypothetical 4.21 his reply was quite arrogantly: Because I can, no other reason.

Also from deank when asked why 4.21 CFW support was listed if not fully tested yet: Ah, just don't tell me what and where I should put.

Finally a few weeks later he partially comes clean, revealing what used to be open source code and making the following statement for those interested.

More PlayStation 3 News...

smokyyuwe's Avatar
#263 - smokyyuwe - 101w ago
The latest version for MM is 5.0 if you are using CEX. The latest version for DEX is 5.0.7, I think.

A lot of people are using DEX because it allows you to play games without patching but you lose a lot of homebrew apps.

mgkmgk's Avatar
#262 - mgkmgk - 101w ago
I havent updated my MM for a while - the latest version I can find is mmCM v04.03.02 BASE (20120606)

I see a few pages back multiMAN 04.05.07 DEX Base (20120910)... is this one ONLY for DEX consoles or can I install on my 3.55 CFW.

I been a few pages back but everything seems to be DEX - is this what everyone is using now?

Thanks

Hamilton Zeus's Avatar
#261 - Hamilton Zeus - 101w ago
I have to see it to believe it!

Tepoo's Avatar
#260 - Tepoo - 101w ago
the switch for games seems to be bugged. when i select "get bdemu titles" he loads around 1 minute, then he auto select the game in the first slot and shows that all other slots are empty"

i have a Samsung G2 portable with 640gb, 10slots created through open bd manager and 4 games in the first slots.

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News