Project: Cobra and True Blue PS3 Dongles, TB EBOOTs Examined


156w ago - As a follow-up on our previous article with the spirit of Operation: Mongoose in mind, we are continuing to examine both the Cobra and True Blue PS3 DRM-infected dongles and TB EBOOT files, and welcome any help with this project from other PlayStation 3 developers in the scene!

First, let me tell you that the following explanation is not a theory or a rumor; it is actually how the USB dongles work to allow different things.

We heard many rumors / theories about how the Cobra / True Blue work, but I didn't see anyone give any big answer about that. (I'm not saying I will give you the big answer, but an explanation of how it works and how to make this possible.)

Cobra / True Blue Part 1

Both dongles use a syscall / payload. After a big investigation, both dongles also follow the work of graf_chokolo, and the functionality of the dongle can be ported into a CFW (not a good idea according to some devs, I guess).

Cobra / True Blue use an lv1_wrapper (a syscall implementation) that allows subroutine functions to be called in kernel mode. In the dump of the Cobra / True Blue, every subroutine is indicated (probably the reason for some clones like JB-King).

What does all this mean?

About the TB Eboot, I come back to what I said recently: the TB Eboot comes from the original Eboot (it doesn't make any sense that they access the dev server when there is no Eboot on it). The PSN dev doesn't exist this way... it is for beta development games, testing beta multiplayer modes, PSN interface beta tests for games, etc... but nothing related to an Eboot.

TB use the original Eboot and make their own signature (you can easily generate a new NPDRM signature with a Self/elf).

How can the games boot? The NPDRM signature made by TB can't be run in user mode: you would get a boot error, and every program that you re-sign etc... will not boot in user mode. That's why we need to use a syscall that lets us, in kernel mode, execute a program that is not recognized and authorized by the system. The dongle validates the actual Eboot by syscall / subroutine.

For example, I want to execute something in the CoreOS but I'm not allowed, because I can only execute this in kernel mode. Fine: I switch from my current user mode into kernel mode by using a syscall.

A syscall can allow you to execute, create, read, load, etc... The limitation of a dongle = the PS3 system. A dongle is only here to prevent an error: by using redirection and syscalls, the dongle gives a correct answer that the PS3 system executes.

If you check the dump correctly you can see 0x80 -> corresponds to the C library. Also, when you call into kernel mode, the kernel fixes the permission table, which gives big access. You can recognize r1 stack register -> 0xA0 (debugger mode) -> R2 stack status...

OK, you're probably going to ask, what is that? lol

It's actually a schema / plan from the dongle. The dongle is here to give strong access to the system so that you can execute what you want.

For example, the PS2 Emu of Cobra = PS2 self (it is not executed in user mode but in kernel mode / debugger mode), which is the reason why it can be executed on a retail PS3 Slim without a system error.

How can this help?

This means many things: you don't need any keys to execute under kernel / debugger mode, because the syscall will give you full access to Cell execution anyway.

I want to give a simple explanation that everybody can understand: the TB Eboot = the original Eboot from the original game. We are not interested in the SCE header, etc... we only want the ELF program that represents and relates to the game execution (like an exe: you patch the exe so it runs without the CD). Here it is almost the same: we patch the ELF with a fake signature so it can be run in a specific mode without asking anything.

What is weird is that graf gave many possible directions and no one tried to exploit them, except in a business way. Anyway, like I said, the dongle is related to the PS3 system/Dev_Flash/Core_OS.

I'm also working on it and trying to do my best to release something strong and free... but my knowledge is limited and I can't do that alone.

Why do I explain all that? It's because I also want to see some good devs work on it with me. Actually, I want to thank graf for all this awesome stuff, cfwprophet and all the PS3 scene that supports us. I also say thanks to the people who insult me and said I'm a fake... the more you say that, the less I care and the more good stuff I offer.

Somebody said "he wants to be famous"; not at all... I don't really care, my family and my gf already give me that by supporting me, it's enough.

Anyway, I would like this project to encourage PS3 homebrew developers to help out if they can, and the work that cfwprophet, others and I are doing on it will be updated here periodically.

PS: There will probably be more explanation and more stuff about it in the next week. Oh yes, about the Debug PKG that is available on PSN Dev: it's not related to the TB Eboot.

You can make a Debug PKG yourself just by extracting the ELF, making a Self without NPDRM, leaving it as Eboot.self and making a PKG without NPDRM; this is exactly what a debug PKG is (it's a standard Self inside a PKG without NPDRM).





860 Comments
 
#790 - Xyth - 137w ago
Wololo's thoughts are ridiculously nonsense. Who cares if TB team will change encryption scheme. They still want us to believe if someone hacks TB, there will be no more new games. This is the same logic if we share PS3 exploits they can patch it. Who cares if Sony or TB patch their exploits. Of course they'll patch it, it is their job to protect their property. But if you call yourself a scene developer you can always come up with a new solution. This is what makes a scene The Scene.

These "It will lead to piracy" and "They can patch it" excuses are just a cover for their fear of Sony.

#789 - technodon - 137w ago
Following up on shad__'s excellent work on the modified True Blue eboot, I repacked it as an installable pkg and also modified the text so it now reads "remove the dongle and press x to return to the xmb". Download link here: [Register or Login to view links]

#788 - PS3 News - 138w ago
Below is an update from wololo (via wololo.net/2012/06/06/ps3-more-dongles-info-decrypted-by-oct0xor/) dubbed PS3 - More dongles info decrypted by oct0xor (covered a few posts above), as follows:

PS3 hacker oct0xor, who was already behind the base work that led to initial reverse engineering of the True Blue dongle, just tweeted that he can decrypt True Blue’s stage2, as well as critical information from other clone dongles.

I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC.

You really can call me “DongleBreaker” now Thanks to flat_z who was with me all along.

As I said earlier, the people behind True Blue are not amateurs in the hacking scene and could definitely leverage that type of information. Hackers like oct0xor are not fighting against “we don’t know about it until it’s too late” Sony, but against people who regularly check all scene websites, and take action.

I have no doubt that the next True Blue firmwares will change their encryption scheme, and if not, another “magical” dongle will pop up in the months to come, from another random company (the same people who made true blue, of course), with a completely different security system.

That is, unless PS3 hackers completely reverse engineer the system behind the True Blue dongle, in a way that Sony can finally understand how True Blue are able to patch 3.6+ games so easily, and hoping that future games will be protected against the True Blue patches. That would calm down piracy on the PS3, and people who don’t get it will claim that this could kill the PS3 scene.

#787 - jabberosx - 138w ago
This is good news. But at the same time ANOTHER frikking dongle is downright shameful. I mean what's the frikking point. arrgghhhhhh I know make more money by pirating from pirates. knowing still doesn't help.

#786 - RobertoSlip - 138w ago
should be transparent, this would greatly facilitate..

#785 - userix - 138w ago
Can I flash back to kmeaw 3.55 after flashing tb cfw 3.55 or is it a one way street ordeal?

#784 - PS3 News - 138w ago
Today PlayStation 3 developer Naehrwert has blogged (nwert.wordpress.com/2012/06/02/reversing-tb-part-1-the-vm/) on reversing the TB (True Blue JB2 PS3 Dongle) Part 1: The VM with details below, to quote:

Thanks to oct0xor (twitter.com/#!/oct0xor) we could get our hands on the decrypted TB payload (stage 2). Of course the first thing to do is to fire it up in IDA, our favourite tool of the trade. The entry code of the payload looks like this:

[Register or Login to view code]


In the first loop it will relocate itself using 0x1337C0DE as an identifier for the upper 32 bits and rewrite that to the actual base. The disassembly above was already loaded using 0x1337C0DE00000000 as base. While scrolling through the data section at the end of the payload one quickly figures out that the RTOC is 0x1337C0DE00017E40.

As I was analyzing the code I found a sub that was basically just a really big switch with random looking case values. Once I reversed the sub at 0x1337C0DE00002578 and some of the following ones and analyzed their usage in the switch sub, I knew that I was looking at a fricking virtual machine.

[Register or Login to view code]


Paranoid TB developers even used XOR-tables to obfuscate the VM instructions and data. The virtual machine is mostly stack based but the instructions let you work using registers too. The next thing to do is to reverse all the instructions and write a disassembler and emulator. Here (pastie.org/4015202) is some code to unscramble the embedded vm binary for further investigation. I’m going to write more about this topic in the future.

[Register or Login to view code]


From shad__ on IRC for TB DRM dongle users: [Register or Login to view links]

[shad__] if it can help, you can play tb eboot without tb plugged in. Just patch sys_sm_shutdown call in TB update pkg and unplug TB dongle then press x to exit. It will exit without reset lv1 and lv2.
[shad__] POC: [Register or Login to view links]
[shad__] Now you can share your dongle with your friends

Also this weekend Team E3DIY claim that they have also managed to run all PlayStation 3 games on 3.55 PS3 CFW (similar to TB/JB2) but they will likely peddle another dongle to do it unfortunately instead of a free PS3 scene solution.

Finally from oct0xor (via twitter.com/#!/oct0xor):

ps3usercheat skip r4=%x,r5=%x main_EBOOT.BIN main_vsh.self

I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC. pic.twitter.com/b2awqYLv

You really can call me "DongleBreaker" now Thanks to flat_z who was with me all along.
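
The self-relocation step quoted from Naehrwert above (0x1337C0DE in the upper 32 bits acting as a placeholder that is rewritten to the real base), reproduced as an offline analysis helper. This is an added example, not code from the blog post or from the payload; the 8-byte alignment, the sample image and the load base are assumptions constructed for illustration.

```python
import struct

PLACEHOLDER_HI = 0x1337C0DE   # upper-32-bit marker quoted in the post
MASK64 = (1 << 64) - 1


def image_offset(addr: int) -> int:
    """Map a placeholder-based address (as seen in IDA) to a payload offset."""
    if addr >> 32 != PLACEHOLDER_HI:
        raise ValueError(f"{addr:#x} does not carry the placeholder")
    return addr & 0xFFFFFFFF


def relocate(image: bytes, base: int, step: int = 8):
    """Rewrite every placeholder pointer to base + offset.

    Assumption: pointers are big-endian 64-bit words on `step`-byte
    boundaries (normal for 64-bit PowerPC data). Returns the patched
    image and the offsets that were changed, so each hit can be reviewed:
    a marker match inside code bytes would be a false positive.
    """
    out = bytearray(image)
    fixups = []
    for off in range(0, len(out) - 7, step):
        (word,) = struct.unpack_from(">Q", out, off)
        if word >> 32 == PLACEHOLDER_HI:
            new = (base + image_offset(word)) & MASK64
            struct.pack_into(">Q", out, off, new)
            fixups.append(off)
    return bytes(out), fixups


# Constructed sample: four 64-bit words, two of them placeholder pointers
# built from the RTOC and sub addresses quoted in the post.
SAMPLE = struct.pack(
    ">4Q",
    0x7C0802A6F821FF91,   # instruction-like bytes, not a pointer
    0x1337C0DE00017E40,   # RTOC value from the post
    0x0000000000000010,   # plain constant
    0x1337C0DE00002578,   # sub address from the post
)
EXAMPLE_BASE = 0x8000000000700000  # hypothetical load address

if __name__ == "__main__":
    patched, fixups = relocate(SAMPLE, EXAMPLE_BASE)
    for off in fixups:
        (ptr,) = struct.unpack_from(">Q", patched, off)
        print(f"fixup at {off:#04x}: -> {ptr:#018x}")
```

Loading the image in a disassembler at 0x1337C0DE00000000, as the post does, makes the same pointers resolve without patching; `image_offset` gives the matching file offset for any such address.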


#783 - PS3 News - 139w ago
Below is an update on the True Blue PS3 JB2 Dongle new security packaging, as follows:

30 - 5 – 2012

New packaging for True Blue incorporating security measures and an updated picture identification reference for clones

Due to the recent emergence of clones we are introducing a new packaging system and a security sticker on the dongle itself to help ensure customers receive original True Blue dongles.

Firstly, a new blister pack with a label over the blister will be introduced, as shown below. This provides several measures for the user to identify if the True Blue device received is likely to be original.

Note the unique security patterns in silver which are difficult to counterfeit, due to the colour variations on the background colours, materials used and complexity of the pattern itself. If the label appears to be stretched or appears to have been used before, then careful attention should be paid to the security sticker on the dongle itself.

The security sticker adhered to the dongle itself (shown below), partially covering the cap will provide the user with an indication of whether or not the dongle has been tampered with before delivery. Therefore, if the portion of the sticker covering the dongle cap has been broken, then it is possible that the dongle may have been tampered with. If this is the case, please use the TrueBlue 2.7 firmware as a means to check the authenticity of the dongle.

If the word clone appears in the PS3 XMB where the TrueBlue 2.7 version number is stated, then you should contact your reseller for assistance. Security stickers are designed with a number of security considerations in mind and are very difficult to reproduce exactly. This will aid retailers and end users in determining whether the product received is an original.

Some original True Blue dongles are in the supply chain yet to be sold, which do not have the new packaging. If you receive a True Blue dongle without the new packaging, then simply use the True Blue 2.7 firmware to identify whether or not it is an original. Details can be found on the information page and inside the 2.7 firmware download package on the downloads page.

Finally, we are updating the picture references for users to identify whether their PCB is an original True Blue or a CLONE. We have released several revisions of the True Blue PCB’s which are shown below. The recent CLONE posing as True Blue in a similar casing is also shown below and referenced as CLONE. If you have received one of these clones instead of the original True Blue you ordered, then you should contact the retailer who you purchased it from for a refund.


#782 - PS3 News - 140w ago
Today True Blue PS3 JB2 v2.7 Firmware has been released for those with the dongle, with details below as follows:

Download: [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Mirror #2) / [Register or Login to view links] (Mirror #3)

24 - 5 – 2012

True Blue dongle firmware v2.7 has been released.

Changes include:

  • True Blue dongle authenticity status displayed on PS3 XMB system information screen
  • Fixed yet another important game compatibility issue affecting recent 4.xx games

The authenticity status display can be used to determine if your True Blue dongle is either authentic or a clone.

For further details, see the information page.

How do I know if I have a TB clone?

Q: How can I verify that my True Blue is authentic and not a clone?

A: Install True Blue dongle firmware v2.7 or later.

Then in the PS3 XMB, navigate to Settings -> System Settings -> System Information. Next to the "System Software" version will be information relating to your True Blue dongle. If your dongle is authentic then it will display something like "True Blue v2.7" (this will vary depending on the version of the dongle firmware you have installed).

If your dongle is a clone then it will display "True Blue CLONE" as shown in the following image:

True Blue Payload v2.7

Download: True Blue Payload v2.7

Payload (2.7)

located in unself'ed eboot.bin @ offset:

[Register or Login to view code]


TB_payload_27.bin (382 KB): [Register or Login to view links]

[Register or Login to view code]


#781 - PS3 News - 140w ago
Today True Blue has issued another warning about a TB PS3 dongle clone, as follows:

21 - 5 - 2012

A new clone has appeared (item.taobao.com/item.htm?id=13491601183) using a very similar external housing to that of True Blue. However, after removing the clone PCB from its exterior casing it becomes evident that there are a number of major differences:

  • Actel used is A3P125 instead of larger A3P250 used on True Blue.
  • Clone uses a cheap MCU and cheap dip type crystal in addition to cheaper Actel instead of full Actel integration in the original True Blue design
  • Clone has a tact switch which the original does not require, and switch can only be accessed by pulling PCB out of the case
  • Actel logic on clone is based on partial guess work of the original and will not function correctly in future updates
  • PCB circuit design is highly congested, with numerous visual differences evident, such as programming pads for the MCU and additional resistors/caps

Please refer to the pictures shown below, to compare the original and clone.

A new software update will be made publicly available in the next few days which will allow users to differentiate original from clone by performing a firmware update.

 
