126w ago - Today Spanish PlayStation 3 developer JaicraB has explained the Cobra USB JIG protection RTOC trick implemented for the PS3 against cloning the device.
To quote, roughly translated: Flynn sent me this text explaining this protective carrying the Cobra, I hope it will open the eyes of those interested in reversing the dumps.
EXPLAIN RTOC COBRA TRICK
The JIG Cobra has several protective measures to ensure that your code could not be used correctly even if your code could be dumped.
This trick RTOC in the registry is the first used for this purpose in addition to hinder analysis.
Registration is initially RTOC stored in the battery to keep the RTOC of lv2 and power it back later:
# =============== S U B R U T I O N E
cobra_syscall_sm_shutdown_hook: # CODE XREF: j syscall_379
. Arg_20 September, 0x20
. Arg_28 September, 0x28
. Arg_30 September, 0x30
. Arg_38 September, 0x38
. Arg_40 September, 0x40
std% r0, arg_20 (% sp)
std% RTOC, arg_28 (% sp)
At this point we have to explain that the OFFSET DELTA. DELTA OFFSET is a method used in the x86 in its original moments in the creation of computer viruses, to calculate the memory address in which we are in the sea of bytes in RAM.
In the original time a computer virus when I did not know where he was pulled into an executable,
depending on the executable it could be an initial site or another, for it was invented DELTA OFFSET.
DELTA OFFSET can be used in any system, the procedure is:
Using the record that indicates the current execution address (or the next depending on the system)
Reducing the size of the previous code we use the value obtained from the registry.
Knowing this, and taking for example the x86 processor where the EIP register can not be read directly invented the trick make a call to a "subfunction" which is simply the following line to the call:
X86 call instruction saves the top of the stack the address of the next instruction to itself. Thus using pop draw from the top of the stack this value, and stored in eax for example, and having the memory address where we only subtract the above would be missing and we have the exact calculation.
The PowerPC can use this trick using the BL instruction is equivalent (LINK BRANCH), which jumps to a "subfunction" but before you save LR in the record the following address to BL.
At this point we see the trick used for the creation of the RTOC of charges at this time. If you look both r0 and RTOC are passed to 0:
li% r0, 0
RTOC li%, 0
Subsequently, given the value 0x11DE0 to RTOC:
RTOC oris%,% RTOC, 1
RTOC ori%,% RTOC, 0x1DE0
A r0 is given the value 0x920:
oris% r0,% r0, 0
ori% r0,% r0, 0x920
R0 is subtracted from the value of RTOC:
SUBF% r0,% r0,% RTOC
Unlike the PowerPC x86 LR register can be read directly with mflr instruction, we put in RTOC the value obtained by the delta offset:
To calculate the delta offset subtract final instructions executed before the delta offset, which were 4, or 16 bytes:
RTOC addi%,% RTOC,-0x10
Finally we add the value of r0 at the end of the delta offset RTOC, storing the result in the RTOC and this already takes RTOC suitable for this hook:
add% RTOC,% RTOC,% r0
It takes having the RTOC stored in the stack 3 arguments that the hook received:
You call the function of the charges where the first argument will check for command 0x8202 (a special command to the usual):
After making the necessary steps as charged, the battery recovers the original RTOC, like the arguments the hook received, it executes the original instruction that was overwritten in the syscall entry 379 (in this case) to have our hook, and call the original syscall lv2:
Upon returning to retrieve the original LR from the stack and returns to the prompt
ld% r0, arg_20 (% sp)
# End of function cobra_syscall_sm_shutdown_hook
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
multiMAN v4.04.00 (available through the update option in multiMAN) / http://code.google.com/p/multiman/source/list
Fixed something that annoyed some users of 5x4x5, 4×2 and XBDM display modes: After restart (or going to mmOS and back) game modes 5x4x5, 4×2 and XBDM will display the last selected entry (game/video/music/photo) and will *not* reset to dash mode
Added option to "Default Display Mode" setting: [Disable]; If there is no display-mode-lock it will make mM start in the last used display mode
FTP session timeout set to 1 minute
Added context menu when desktop is selected (to Refresh, Create New Folder, Show Desktop, Reset mmOS, Restore Wallpaper)
Added "Permissions" to context menu when single folder is selected (to reset folder access permissions)
Double clicking on .p3t (PS3 theme) will copy/install the file/theme to PS3 XMB themes system folder (/dev_hdd0/theme); user can later install it from XMB
Added support for creating shortcuts to /net_host PC shares
Folders created on the desktop now open properly
Desktop shortcuts to /ps3_home/video, music and photo now have proper icons and open the virtual folder and not the /dev_hdd0/* one
Desktop shortucts to games/executables (EBOOT.BIN/.SELF) can be used to boot external apps or mount games
Game Compatibility / CFW Related (KMEAW/REBUG/ROGERO 3.55CFWs):
Improved compatibility for the so-called "Black-Screen-Games" (BSG) which *until now* required the "BD-Mirror" option and worked ONLY from external usb HDD (otherwise game would lock/loop/error during load).
Now users of the listed firmwares can use the "BD-Mirror" option for game backups stored in the INTERNAL HDD. It may improve the compatibility of over 100 games (some older titles, some newer), for example AC1 / Colin Dirt 1 / Prince Of Persia / CoD / MW / Tomb Raider, incl. titles which had sound issues.
A partial list of some games that may gain from the new option can be found here:
http://pastie.org/pastes/4115732/text (by GotIt4Free / tortuga-cove.com)
It is now possible to set "BD-Mirror" option for games in Internal HDD and it enables the new functionality. The option works both with PS3 Game Disc in the tray and in discless mode from /app_home.
The option is available in the "Game Settings" menu for each game in the list
Some of the games that have been tested by Tortuga-Cove member GotIt4Free which are now working on Internal HDD are:
AC/DC LIVE: Rock Band
Apache: Air Assault
Assassin's Creed: Brotherhood
Blazing Angels 2: Secret Missions of WWII
Blitz: The League II
Brunswick Pro Bowling
Cabela's Dangerous Adventures
Call of Duty 4: Modern Warfare
Call of Duty: World at War
Cloudy with a Chance of Meatballs
Colin McRae: DiRT
Colin McRae: DiRT 2
Condemned 2: Bloodshot
Dragon Age: Origins
Eat Lead: Return Of Matt Hazard
Enemy Territory: QUAKE Wars
Everybody's Golf: World Tour
F.E.A.R. 2: Project Origin
FAMILY GAME NIGHT 3
Fit in Six
Golden Axe: Beast Rider
Green Day: Rock Band
Hot Shots Golf: Out of Bounds
Iron Man 2
James Bond 007 Quantum of Solace
Man vs Wild
Medal of Honor Airborne
Modern Warfare 2
NBA Ballers: Choosen One
Pinball Hall of Fame: The Williams Collection
Prince of Persia
Prince of Persia: The Forgotten Sands
Prison Break: The Conspiracy
Rapala Fishing Frenzy
Rock Band Song Pack 2
Rock Band Track Pack: Classic Rock
Rock Band Track Pack Volume 2
Rorona No Atelier Arland No Renkinjutsushi
Saints Row 2
SEGA Mega Drive Ultimate Collection
SEGA Superstars Tennis
Shaun White Skateboarding
Shaun White Snowboarding
Sonic & SEGA All-Stars Racing
Sonics Ultimate Genesis Collection
The Godfather The Don's Edition
The Lord of The Rings: Conquest
The Tomb Raider Trilogy
Tom Clancy's Rainbow Six Vegas
Tom Clancy's Rainbow Six Vegas 2
Tom Clancy's SplinterCell Double Agent\
Tomb Raider: Underworld
Williams Pinball Classics
Winter Sports: The Great Tournament 2010
Winter Sports: Go for Gold 2011
World Series of Poker 2008
WWE SmackDown vs. RAW 2011
Zumba Fitness Join The Party
Most of the games listed above used to only work from Ext. HDD and with problems, but with this new release, they should work fine from Internal HDD now and without errors.
Finally for Rebug CFW support deank has made available a quick update: Start multiMAN by holding L2+R2 and then go to the UPDATE menu and re-download the update.
Every developer has the right to protect his/her work by using dongle protection (most of them pretty poor at best).
As seen many o' times over on the GSM scene, dongles are being cracked/hacked/exploited for their contents. It's only a matter of time. Look how quickly all the other dongles were phased out - in what, about 12 months (less I think) we were pretty much dongle free (except FSM)
I'm glad someone can see how much 'work' exists in zadow's releases.
From Wololo (via wololo.net/2012/06/16/ps3-zadows-release-a-useless-repost/): PS3 Zadow's release a useless repost?
Yesterday I posted what appeared to me as a massive breakthrough in the PS3 scene, a bunch of files decrypted from the Cobra dongle, one of the DRM encrypted piracy dongles for firmware 3.55. The files had been released by user zadow28, who seems to have a fairly good reputation on some of the scene’s websites.
I have been contacted since then by several veterans of the PS3 scene, who told me these files are, in essence, garbage.
They didn’t explicitly tell me the word “fake”, but rather, it seems the files posted by Zadow are basically useless information, which in addition has been publicly available for a while. None of them told me “where” that information actually can be found, which for now I interpret as “it is so useless that we will not even bother to tell people where they can find the information in the first place”.
I do not have the tools, the knowledge, or the time to confirm if Zadow28 is a fraud, but I can say I am seeing a pattern I’ve seen in the past on the psp and the vita scene: unknown guy gets semi famous by posting lots of garbage that looks like the real deal, famous devs call him out for a faker, random people start some conspiracy theories about old devs trying to get all the credits, other random people tell the old devs that they should collaborate with the new guy instead of bashing him, old devs have a hard time explaining that it is impossible to collaborate with a dude who has the IQ of a banana. (I’ve been through that so I know how people like kakaroto feel.
So, if I’m to choose a side, I’ll go and trust the old dudes. If they say it’s useless, I guess they’re right.
From defyboy: Thanks but these were mostly available already. With the exception of your IDA DB of course.
Why do I constantly find things newsed as a release when it's just copies of the stuff the developers made available on the wiki long ago. This isn't a gift for developers, it's another cry for attention. The developers either already have this stuff, or know exactly where to get it.
I made a mirror on the wiki for anyone who wants his files: ps3devwiki.com/files/zadow28/
From euss: At least I won't be needed to give zadow unself/ungpkg with sources and precompiles like his last readself2/3/4/5 fail (so much better to use scetool anyhow)... (which btw are all on wiki, /files and gitorious too)
I do not know who incepted this thread with nonbased remarks about Atmel AVR/Micochips PIC, but they should look closer to the content and what is needed for such target. There is nothing AVR/PIC related inside the filesets, just plain unself/ungpkg'ed files which where ran through IDA and exported i64/db files. It also does not make any sense to even /want/ it as a dongle, because if you have the PPU/SPU changes, it would make alot more sense to distribute it as patches (MFW Builder TCL) or live patcher: payload (payloader3) then a stupid dongle.
From CrashSerious: First, I've had some concerning health issues and haven't touched this for several months. Also, priorities were re-alligned in the process and haven't had a chance to pick it back up. So I have nothing to report... on to the main reason for posting.
I had a big long email started (about halfway done) detailing every file in there and just gave up due to the number of things that were junk.
Mostly, it looks like files we already have, unselfed eboot.bins (congratulations on using unself or scetool), a corrupt ida database, some meaningless/worthless logs and who knows what else.
I did look at the corrupt idb to make sure it actually "looked like"an idb. It actually did at a glaqnce--- so at least it's not like the last time and he was trying to pass off a linux binary as lv0 decrypted or some crap like that... oh wait... he did do that, didn't he defyboy .
Probably a better use of my time if I stopped dissecting the gift any ways. Zadow’s files are still available here if you want to give them a look, but it’s probably not the breakthrough I initially thought it was.
Finally, from flat_z: I am very sad looking at all news sites about ps3... when they keep posting any "shocking" news about such noobs as zadow28 and exposing him as the greatest hacker in the world
Hmm, cobra dongle payload hasn't been completely reversed by zadow, because he simply doesn't have the skills for doing that stuff, what he released is something anyone can do on their own, so it's of zero utility to get payload hacked.
yeah, with the improvements he done on MM I think he deserves to work on something that he can get something. He release stuff for free for over a year already, but I do hope that dean wont get mad on us who uses the dongle-less cobra.