65w ago - Today /GriFFin reports that OxweB has apparently leaked the True Blue PS3 disc BCA codes (although curiously a source wasn't specified), however, they are now conveniently deemed useless as the DRM-infected USB dongle itself.
To quote: When the True Blue dongle first launched last year, it was originally using 'special' blu-ray discs to play games, instead of just DRMencoded eboots on the HDD.
But even after all the Paradox releases, there was a few games that only were available still on 'special' blu-ray discs. Over the course of last year, various groups try to figure out how to copy these discs, as they were sadly pirate stores that wish to sell them to their customers. Finally have much research the BD-Rom marks called 'BCA Codes' were figured out so they could by copied on normal blu-ray burner.
And now an person by the name 'OxweB' has leaked them onto the 'net, as basically they are useless now, but still it is part of sad scene PS3 history!
These are BCA codes off the TB discs (the barcode on the inner part of the disc).
You to can read them off the disc yourself with a scanner or magnifying glass, they are in binary format (skinny line = 0, Fat line = 1). Binary to HEX and there you go, a code almost ready to be stamped on to a BD-R.
*Note - It's not that simple for regular retail games as there is still the PIC Zone to contend with.
**Note - I realize these aren't overly useful but it's information which is all worth it in the long run.
Finally, in related news from GoD]oF[WaR (via nextgenupdate.com/forums/playstation-3-exploits-hacks/583397-bca.html#post4685403) to quote:
I have done more research on BCA codes, they seem to be the new protection put on games, meaning with these values they can be cracked, and possibly pirated to even non-jailbroken systems.
For those unaware, BCA is the new protection utilized in newer games and with a future editor you can have the BCA codes to use with the a loader which can patch games to run without the needed keys.
There will be a patch released for each game, which is basically 64 bytes of BCA data in the form of a separate text file, that will come with the ISO file (this obviously only applies to scene releases)
IF you have access to a retail copy of the game, then you can obtain the BCA code yourself to patch the game.
Changelog, roughly translated:
New IOS 38 base. dev/mload with powerful features and EHCI driver based in interruptions and more stable
Support for DVD USB Devices: It can run only DVD backups from .iso (original don't work because DVD drivers don't support the Wii format). Remember you must insert a DVD to work at start the program.
Support for BCA datas. You can add it from .ISO offset 0x100 (64 bytes). If this area is filled with zeroes it use one BCA by default (NSMB compatible).
New ioctl 0xda function supported in dip_plugin and new option added for
DVD mode to read the BCA Datas from the original DVD
Support to load games from DVD with alternative DOL (press '2' without
USB device or press the DVD icon from the upper-right corner in the selection game screen)
Support for SD and USB FAT/FAT32: Now you can use cheats codes and loads alternative .dol from the USB 2.0 device (FAT partition is required)
Added alternative dol loader (now support for 5+ dols) for games as Red Steel and othrers (see readme.txt) , New error 002 patch and videomode autodetection patch (for PAL2NTSC, NTSC2PAL and NTSC2PAL60 (use F. PAL60 for this))
Added direct access for Dol Alternative selection
You can load differents ehcmodule.elf from sd:/apps/uloader/
Parental control added: by default the password is 00000 (the last 0 is the 'ENTER', so you can program as new password as XXXX0 ). You can change it from special menu pressing HOME. You can exits from the password box pressing B. Parental control list the last 8 games launched with date/time, enables the password box and fix a new password. Now 00000 disables the Parental Control
Support for covers (less than 200KB 160x224). You can download from internet or adquire covers from the curren tfolder in the SD automatically
Added one option to delete PNG icons/covers
Some bugs fixed (bug with no modchip game instal, for examplel)
Support for multiples WBFS partitions (max 4).
Possiblity to use the alternative cIOS 223 (only to launch games)
Added one option to rename games
Added one option to record the cheats selected from txt files
New usb code and more!
The above thread gives information on BCA codes for the Wii, which could also apply to PS3 games in the same way. Meaning these BCA codes could lead to easily pirating games on all consoles who utilize the BCA algorithm.
After further research, I am under the suspicion that these BCA codes are in fact a lead to playing pirated games (3.60+ games burned to BD/Launched via USB or external HDD - played on 3.55 WITHOUT CFW) possibly on current firmwares with a real developer at hand.
Basically these BCA codes could lead to playing these burned ISO images on 3.55 (No CFW; without 3.60+ keys) and possibly current firmwares.
The BCA codes that True Blue "leaked" are actually the codes to games that have been tested and work on 3.55 OFW. With the use of a new true blue dongle (JB2/Jailbreak2), games played off the BD without 3.60+ keys.
The games that have been tested are the ones listed below;
Driver san Fransisco
God of war Origin
Sniper ghost warrior
Games that are in process of being tested;
Batman Arkham City
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
i have a true blue will do my best to get a dump for you to proceed where we were stuck for a long time but no it seems like we are going uphill again thanks shadoxi for starting this elf dumper , amazing work cheers triple thumbs up
Then we know the section headers start at 0x17EC228
Last section STRTAB:
ELF64 Section Headers:
Idx Name Type Flags Address Offset Size ES Align LK
029 0001 STRTAB --- 00000000 017EC0F7 0000012C 0000 00000001 000
So elf ends at 0x17EC0F7 + 0x12C. We add padding to 0x17EC228, and insert clean elf64 section headerd dump from original eboot.bin, right? Or does this dump ELF+section headers+some extra stuff we can cut off?
Anybody care to post a dumped elf (raw, with this tool) so i can look at it?
Following up on the previous update, today I am releasing my True Blue USB dongle PS3 ELF dumper which works with any PlayStation 3 Firmware greater than 3.56 to dump the encrypted TB EBOOT / ELF files once they are loaded.
Original 355 -> ok
True Blue CFW v2 -> ok
There are some bugs (size of dump ...) but it works. It's ELF dumper from memory and it work with True Blue cfw v2 and any 3.55 firmware because it doesn't use lv2 peek/poke.
Warning: It will not brick your ps3. But I am not responsible for any damage.
Enable dev_blind with multiman
copy libsysutil_np_trophy.sprx from /dev_blind/sys/external/external to dev_hdd0/ and rename it "orignal_libsysutil_np_trophy.sprx"
copy my modified "libsysutil_np_trophy.sprx" to /dev_blind/sys/external/
load a True blue game from multiman
run your game
wait few minutes (if you get black screen after 3 minutes reboot ps3)
go to ftp
in dev_hdd0/ there are your decrypted DUMPEDBOOT.bin
copy and rename it with another name.
Howto uninstall patch - Two ways:
You could uninstall this patch by replacing modified libsysutil_np_trophy.sprx by orginal libsysutil_np_trophy.sprx
Or update in recovery mode
Thanks to: Ps3dev
1 - Install TB ELF Dumper first as stated in its readme file.
2 - Start Multiman, it will make a dump of multiman eboots, so you must delete it first by browsing to dev_hdd0 then delete all DUMPEDEBOOT.BIN files you found there.
3 - Back to multiman game selection then select any TB game then launch it.
4 - Start the game from XMB then wait for some times until game start.
5 - Exit game now then start multiman again then browse to dev_hdd0 and now you must found a decrypted game dump.
From PlayStation 3 developer deank (via pastebin.com/avcM5iuU) comes a revision as follows:
write_message("Dumping ELF from RAM...\n");
uint64_t ptr= 0x00010000ULL; //ELF offset in RAM;
uint64_t sizeelf = 35*1024*1024; //Need a way to get size of ELF
for(uint8_t i=0; i
the thing here is that they didn't tell anything about the dongle itself, maybe they already pawned the dongle's security chip (ATMEL that is) and they didn't tell it publicly so once TB released something new (security or algo or something), DUPLEX, N0DRM or whatever can do the same to piss off the TB makers again and again.
As always, if TB makers decided to do it all over again with new hardware to support their new security system, a lot of existing TB users will be pissed off for sure.