22w ago - Following up on the
PS3UserCheat and
True Blue unnecessary
DRM-infected dongles being hacked alongside
zadow28's
work, today PlayStation 3 developer
oct0xor shared a video of his OpenCobra Payload which aims to render the current Cobra USB dongle from
Max Louarn useless.
Below are the details from his
blog, as follows: "First I am going to say that this is not going to be an article, just a first blog post and some info about my recent project.
Finally I got my hands on cobra
it was quite a lot of time since I touched this last time. There was s good things happened since then eg. I reverse engineered usercheat and true blue, had done a lot ps3 and not ps3 related hacking. There was a bad things eg. BlueDiskCFW, lv0 leak, a lot of devs leave the scene...
Cobra was for me really "the last" thing I have to do.
The last time when I worked on this I didnt had a dongle, and all what I had was a dump by JaiCraB. I reverse engineered it as much as possible, figure out almost all tricks, encrypton and etc. And figuare out that it reads a lot of data from dongle, and I cant do much without dongle itself. Thats why I put this project to the back burner.
Well... I had never buyed anyone dongle, and I never was not going to. All my dongles was donated (thanks again
) but not that time.
it was hard for me to make this decision but a few days ago cobra finally shipped to me...
3 days and now its all over.
Security is good enough, but not without big security risks. But it still the best crypto/obfuscation what I had seen on ps3. Sony have something to learn from this guys, especially now.
Cobra / True Blue almost identical, have the same source code, if you ever hacked 1 thing, 2nd wouldnt be a problem. The main functionality, honestly, not changed since original jb. Thats a shame. Thats why I cracking them like nuts
On the fourth day I taked a decision to make my own "OpenCobra" payload. only clean code without drm and garbage, to be able to port it to any new firmware, and change/add features. It taked 2 days, 3000 lines of asm, and you had seen the result.
Atm it based on 4.1 payload, plans for future is check/add new features from 4.4/5.0. Port to a new firmware (if cobra will not do this for me), and realize all nice innovations from new version of psp emu, such as better emu accuracy, 3D and etc...
In video you had seen Payload Loader. Thats the all code it has:
install_payload("OpenCobra_41.bin", PAYLOAD_OFFSET); // no comments
// install hooks
...
void sc8_0x9001(const char *path, const char *id) {
lv2syscall8(8, 0x9001, (u64)path, (u64)id, 0, 0, 0, 0, 0);
}
void sc8_0x9002(u8 flag1, u8 flag2, u8 flag3, u8 flag4) {
lv2syscall8(8, 0x9002, flag1, flag2, flag3, flag4, 0, 0, 0); // flag1 - eboot.bin encrypted/decrypted, flag2, flag3, flag4 - not real flags, its a tag related patch.
}
const char *path = "/dev_usb000/PSPISO/CRISIS CORE -FINAL FANTASY VII-.iso";
const char *id = "ULUS-10336";
sc8_0x9001(path, id);
sc8_0x9002(0, 0, 0, 0); This tag related patches handled by mngr. So far I want to move it in payload. First I have to check how it handled in 4.4 / 5.0
Not sure yet when it will be released, if it will be, but we will see.
Keys!
LV2:
7174e18ad8c87a31.... 3.0
2005d05b1ac8a331.... 4.0
3902a14001cd4836.... 4.4
fd905abf25cdc236.... 5.0
APP:
3CFE6288B199F90A.... 3.0
5824D034A3CEED3A.... 4.0
8FA23E557693D4FE.... 4.1
If this subject will be interested for people, maybe I will write a full article about True Blue / Cobra analysis and hacking.
btw: Me and ~ some psp mysterious dark figure ~ reverse engineered algo for generating valid psp isos back to jule. But saves and a lot of games dont work without patching. So cobra's patched emu much better there imho."
Below are some additional pics from his blog which simply states: Usercheat + Cobra = <3
From
flat_z: Here is some explanations to make things more clearer. If you read my twit about ps2_netemu you can see that I reverse-engineered it. It includes almost all things which are required to make custom disc images of original PS2 discs and run them on the PS3 if everything will works fine. So it can lead us to the process of remastering PS2 discs which includes making of ISO.BIN.ENC (the encrypted version of original image which can be read by the PS3), creation and encryption of .VME files (virtual memory cards), ISO.BIN.EDAT (includes the title ID of disc).
The only thing which is not currently known is the format of decrypted CONFIG file (I can decrypt the file and encrypt it back but it have a complex format). It is optional and can be empty but I'm afraid that some games requires it to run on the PS3. My plan was the creation of PS2 remastering tool and I wanted to share it. Although I even not sure will it work or no but there are many chances that it will.
But something happened before I started to do it. My HDD on the laptop died and I have all information regarding PS3 on it. Although I was able to restore some important files but not all. So I need a time to buy components for a new computer and build it. For the same reason, I have a delay on my real job (I'm working as a free-lancer) so I will going to do my job before I start to do something new for PS3.
P.S. I see many questions about compatibility. You don't need a backward compatible PS3 console to run PS2 games through ps2_netemu because it is software emulator and doesn't require any PS2 hardware components. Also I think that ps2_netemu is more better and stable than ps2_softemu but this statement requires testing.
Finally, from
naehrwert (via twitter.com/naehrwert) comes some related Cobra ODE EID0 information (ECDSA from pastie.org/6169158) , as follows:
/*
* Copyright (c) 2012-2013 by naehrwert
* This file is released under the GPLv2.
*/
#include <stdio.h>
#include "types.h"
#include "sha1.h"
#include "ecdsa.h"
/*! EID0 section entry. */
typedef struct _section
{
u8 data[0x38];
u8 R[0x14];
u8 S[0x14];
u8 pub[0x28];
u8 unk[0x20];
u8 omac[0x10];
u8 padding[0x08];
} section_t;
/*! ECDSA curve. */
typedef struct _curve
{
u8 p[20];
u8 a[20];
u8 b[20];
u8 N[21];
u8 Gx[20];
u8 Gy[20];
} curve_t;
/*! EID0 Section 0 - 1. */
u8 section0_1[0xC0] = {
//Paste a decrypted EID0 section 0 here.
};
/*! EID0 Section 0 - 2. */
u8 section0_2[0xC0] = {
//Paste a different (!) decrypted EID0 section 0 here.
};
/*! One sexy curve. */
u8 curve0[0x79] = {
//SHA1: https://twitter.com/naehrwert/status/286745714434899968
//(9035B33F58DFAEF389FD49187F93C4FC2D2DD268)
};
/*!
* \brief Hexdump, dummy.
*/
void _hexdump(const char *name, u32 offset, u8 *buf, int len, int print_addr)
{
int i, j, align = strlen(name) + 1;
printf("%s ", name);
if(print_addr)
printf("%08X: ", offset);
for(i = 0; i < len; i++)
{
if(i % 16 == 0 && i != 0)
{
printf("\n");
for(j = 0; j < align; j++)
putchar(' ');
if(print_addr)
printf("%08X: ", offset + i);
}
printf("%02X ", buf[i]);
}
printf("\n");
}
/*!
* \brief Dump section info.
* \param name Name.
* \param s Section.
*/
void dump_section(const char *name, section_t *s)
{
printf("Section%s:\n", name);
_hexdump(" DATA ", 0x00, s->data, 0x38, 1);
_hexdump(" ECDSA R ", 0x38, s->R, 0x14, 1);
_hexdump(" ECDSA S ", 0x4C, s->S, 0x14, 1);
_hexdump(" ECDSA PUB", 0x60, s->pub, 0x28, 1);
_hexdump(" UNK ", 0x88, s->unk, 0x20, 1);
_hexdump(" OMAC ", 0xA8, s->omac, 0x10, 1);
_hexdump(" PADDING ", 0xB8, s->padding, 0x08, 1);
printf("\n");
}
/*!
* \brief Verify section.
* \param s Section.
* \param c Curve.
* \return Verify result.
*/
int verify_section(section_t *s, curve_t *c)
{
u8 hash[0x14];
u8 _R[21] = {0}, _S[21] = {0};
memcpy(_R + 1, s->R, 20);
memcpy(_S + 1, s->S, 20);
sha1(s->data, 0x38, hash);
ecdsa_set_curve(c->p, c->a, c->b, c->N, c->Gx, c->Gy);
ecdsa_set_pub(s->pub);
return ecdsa_verify(hash, _R, _S);
}
//Maybe you're lucky?!
int main()
{
dump_section("0_1", (section_t *)section0_1);
dump_section("0_2", (section_t *)section0_2);
printf("sig. 1 verified: %s\n", verify_section((section_t *)section0_1, (curve_t *)curve0) ? "yay" : "nay");
printf("sig. 2 verified: %s\n", verify_section((section_t *)section0_2, (curve_t *)curve0) ? "yay" : "nay");
printf("R_1 == R_2: %s\n", memcmp(((section_t *)section0_1)->R, ((section_t *)section0_2)->R, 0x14) ? "nay 
" : "yay ");
getchar();
return 0;
} 
While this is definitely interesting news, odds are it's just a ploy for the
Cobra Team to release a new dongle that will be 'required' for their upcoming
PS3 4.3x CFW unfortunately or the
PS3 ODE in order to further line their pockets with PlayStation 3 sceners' hard-earned cash once again... as always, time will tell for sure.
No.
do you have a ps3??
Yes 
Download: http://www.sendspace.com/file/jjl7sz (104.59 MB) / http://www.mediafire.com/download.php?te2qr187bcb59jg (Mirror) / http://www.sendspace.com/file/7yvm3k (2.57 MB) / http://www.mediafire.com/download.php?a9hoasn3f3vzf75 (Mirror) / http://www.sendspace.com/file/i4idgq (39.17 MB)
More Mirrors (via mateogodlike.com/2013/05/ps3-multiman-044000-upd-base-cex-dex.html):
• http://www.sendspace.com/file/nfrten (2.57 MB)
• http://www.sendspace.com/file/quendw (37.17 MB)
• http://www.sendspace.com/file/akq53q (32.44 MB)
• http://www.sendspace.com/file/8x5f7t (34.98 MB)
To quote: Dean has come through and updated multiMAN to version 4.40.00. This quick update makes it compatible with REBUG's released 4.41 LITE CFW As well as any future 4.41 CFW's that are eventually released.
Changelog:
• Added support for 4.41 CFW
• All specific features (like BD Movie region Change, BD-Mirror, DYNAREC, PS1 BIN+ISO backups, PS2 Classics, discless, etc) work.
multiMAN ver 04.40.00 BASE (20130502).zip (104.59 MB) Includes:
• multiMAN ver 04.40.00 BASE CEX (20130502).pkg (37 MB)
• multiMAN ver 04.40.00 BASE DEX (20130502).pkg (32 MB)
• multiMAN ver 04.40.00 BASE STEALTH (20130502).zip (35 MB)
Note: If you ran multiMAN on 4.41 before this update, you will need to re-enable the BD-ROM emulator (bottom option in settings) and restart multiMAN for it to work.
Note 2: lastGAME, gameDATA and stDISC won't work. bdRESET should still work. The function in mM for ext.game data works. If you have gameDATA installed you can switch back to HDD mode.
Update: Dean has compiled a new mM compatible version of Showtime. Showtime 04.03.211 [CEX] for multiMAN: Replace it (via FTP or mmOS) in /dev_hdd0/game/BLES80608/USRDIR/sys/:
Download: http://www.sendspace.com/file/q15z38 (5.89 MB) / http://www.sendspace.com/file/phuhrb (5.93 MB) / http://www.sendspace.com/file/jjo6kf (5.99 MB)
Update 2: multiMAN ver 04.40.00 BASE CEX (20130503).pkg is also now available above with the following additions:
• Updated Showtime for mM to 04.03.211
• Updated PS1 Emulator (ps1_emu.self) to 4.41 (it will be used on 4.40 and 4.41 CFWs)
• Updated PS1_NET Emulator (ps1_netemu.self) to 4.41 (it will be used on 4.40 and 4.41 CFWs)
Now mM will use ps1_emu/ps1_netemu from 4.41OFW (patched of course) when launching PS1 ISO/BIN+CUE backups if your PS3 is running 4.40CFW/4.41CFW. I didn't change the mM version, but if you wish better PS1 backups compatibility and newer Showtime - update to this BASE version.
You can install this version either from scratch or update any installed mM version.
Finally, mMTools has also been updated for PS3 4.41 CFW with details below, as follows:
And here are the remaining tools:
Download: http://www.sendspace.com/file/hwwr3s (722.63 KB)
Included:
• lastGAME6.pkg (requires mM 04.40.00 if used for PS1 backups)
• gameDATA6.pkg
• bdRESET6.pkg
• stDISC4.pkg
All tools should now support 4.41 CFW. Older firmwares 3.55 / 4.21 / 4.30 / 4.31 / 4.40 (CEX / DEX) are supported, too.
The server issue is that there is no more a server. You should have no problems playing retro roms with any mM version.
More PlayStation 3 News...