23w ago - Following up on the
PS3UserCheat and
True Blue unnecessary
DRM-infected dongles being hacked alongside
zadow28's
work, today PlayStation 3 developer
oct0xor shared a video of his OpenCobra Payload which aims to render the current Cobra USB dongle from
Max Louarn useless.
Below are the details from his
blog, as follows: "First I am going to say that this is not going to be an article, just a first blog post and some info about my recent project.
Finally I got my hands on cobra
it was quite a lot of time since I touched this last time. There was s good things happened since then eg. I reverse engineered usercheat and true blue, had done a lot ps3 and not ps3 related hacking. There was a bad things eg. BlueDiskCFW, lv0 leak, a lot of devs leave the scene...
Cobra was for me really "the last" thing I have to do.
The last time when I worked on this I didnt had a dongle, and all what I had was a dump by JaiCraB. I reverse engineered it as much as possible, figure out almost all tricks, encrypton and etc. And figuare out that it reads a lot of data from dongle, and I cant do much without dongle itself. Thats why I put this project to the back burner.
Well... I had never buyed anyone dongle, and I never was not going to. All my dongles was donated (thanks again
) but not that time.
it was hard for me to make this decision but a few days ago cobra finally shipped to me...
3 days and now its all over.
Security is good enough, but not without big security risks. But it still the best crypto/obfuscation what I had seen on ps3. Sony have something to learn from this guys, especially now.
Cobra / True Blue almost identical, have the same source code, if you ever hacked 1 thing, 2nd wouldnt be a problem. The main functionality, honestly, not changed since original jb. Thats a shame. Thats why I cracking them like nuts
On the fourth day I taked a decision to make my own "OpenCobra" payload. only clean code without drm and garbage, to be able to port it to any new firmware, and change/add features. It taked 2 days, 3000 lines of asm, and you had seen the result.
Atm it based on 4.1 payload, plans for future is check/add new features from 4.4/5.0. Port to a new firmware (if cobra will not do this for me), and realize all nice innovations from new version of psp emu, such as better emu accuracy, 3D and etc...
In video you had seen Payload Loader. Thats the all code it has:
install_payload("OpenCobra_41.bin", PAYLOAD_OFFSET); // no comments
// install hooks
...
void sc8_0x9001(const char *path, const char *id) {
lv2syscall8(8, 0x9001, (u64)path, (u64)id, 0, 0, 0, 0, 0);
}
void sc8_0x9002(u8 flag1, u8 flag2, u8 flag3, u8 flag4) {
lv2syscall8(8, 0x9002, flag1, flag2, flag3, flag4, 0, 0, 0); // flag1 - eboot.bin encrypted/decrypted, flag2, flag3, flag4 - not real flags, its a tag related patch.
}
const char *path = "/dev_usb000/PSPISO/CRISIS CORE -FINAL FANTASY VII-.iso";
const char *id = "ULUS-10336";
sc8_0x9001(path, id);
sc8_0x9002(0, 0, 0, 0); This tag related patches handled by mngr. So far I want to move it in payload. First I have to check how it handled in 4.4 / 5.0
Not sure yet when it will be released, if it will be, but we will see.
Keys!
LV2:
7174e18ad8c87a31.... 3.0
2005d05b1ac8a331.... 4.0
3902a14001cd4836.... 4.4
fd905abf25cdc236.... 5.0
APP:
3CFE6288B199F90A.... 3.0
5824D034A3CEED3A.... 4.0
8FA23E557693D4FE.... 4.1
If this subject will be interested for people, maybe I will write a full article about True Blue / Cobra analysis and hacking.
btw: Me and ~ some psp mysterious dark figure ~ reverse engineered algo for generating valid psp isos back to jule. But saves and a lot of games dont work without patching. So cobra's patched emu much better there imho."
Below are some additional pics from his blog which simply states: Usercheat + Cobra = <3
From
flat_z: Here is some explanations to make things more clearer. If you read my twit about ps2_netemu you can see that I reverse-engineered it. It includes almost all things which are required to make custom disc images of original PS2 discs and run them on the PS3 if everything will works fine. So it can lead us to the process of remastering PS2 discs which includes making of ISO.BIN.ENC (the encrypted version of original image which can be read by the PS3), creation and encryption of .VME files (virtual memory cards), ISO.BIN.EDAT (includes the title ID of disc).
The only thing which is not currently known is the format of decrypted CONFIG file (I can decrypt the file and encrypt it back but it have a complex format). It is optional and can be empty but I'm afraid that some games requires it to run on the PS3. My plan was the creation of PS2 remastering tool and I wanted to share it. Although I even not sure will it work or no but there are many chances that it will.
But something happened before I started to do it. My HDD on the laptop died and I have all information regarding PS3 on it. Although I was able to restore some important files but not all. So I need a time to buy components for a new computer and build it. For the same reason, I have a delay on my real job (I'm working as a free-lancer) so I will going to do my job before I start to do something new for PS3.
P.S. I see many questions about compatibility. You don't need a backward compatible PS3 console to run PS2 games through ps2_netemu because it is software emulator and doesn't require any PS2 hardware components. Also I think that ps2_netemu is more better and stable than ps2_softemu but this statement requires testing.
Finally, from
naehrwert (via twitter.com/naehrwert) comes some related Cobra ODE EID0 information (ECDSA from pastie.org/6169158) , as follows:
/*
* Copyright (c) 2012-2013 by naehrwert
* This file is released under the GPLv2.
*/
#include <stdio.h>
#include "types.h"
#include "sha1.h"
#include "ecdsa.h"
/*! EID0 section entry. */
typedef struct _section
{
u8 data[0x38];
u8 R[0x14];
u8 S[0x14];
u8 pub[0x28];
u8 unk[0x20];
u8 omac[0x10];
u8 padding[0x08];
} section_t;
/*! ECDSA curve. */
typedef struct _curve
{
u8 p[20];
u8 a[20];
u8 b[20];
u8 N[21];
u8 Gx[20];
u8 Gy[20];
} curve_t;
/*! EID0 Section 0 - 1. */
u8 section0_1[0xC0] = {
//Paste a decrypted EID0 section 0 here.
};
/*! EID0 Section 0 - 2. */
u8 section0_2[0xC0] = {
//Paste a different (!) decrypted EID0 section 0 here.
};
/*! One sexy curve. */
u8 curve0[0x79] = {
//SHA1: https://twitter.com/naehrwert/status/286745714434899968
//(9035B33F58DFAEF389FD49187F93C4FC2D2DD268)
};
/*!
* \brief Hexdump, dummy.
*/
void _hexdump(const char *name, u32 offset, u8 *buf, int len, int print_addr)
{
int i, j, align = strlen(name) + 1;
printf("%s ", name);
if(print_addr)
printf("%08X: ", offset);
for(i = 0; i < len; i++)
{
if(i % 16 == 0 && i != 0)
{
printf("\n");
for(j = 0; j < align; j++)
putchar(' ');
if(print_addr)
printf("%08X: ", offset + i);
}
printf("%02X ", buf[i]);
}
printf("\n");
}
/*!
* \brief Dump section info.
* \param name Name.
* \param s Section.
*/
void dump_section(const char *name, section_t *s)
{
printf("Section%s:\n", name);
_hexdump(" DATA ", 0x00, s->data, 0x38, 1);
_hexdump(" ECDSA R ", 0x38, s->R, 0x14, 1);
_hexdump(" ECDSA S ", 0x4C, s->S, 0x14, 1);
_hexdump(" ECDSA PUB", 0x60, s->pub, 0x28, 1);
_hexdump(" UNK ", 0x88, s->unk, 0x20, 1);
_hexdump(" OMAC ", 0xA8, s->omac, 0x10, 1);
_hexdump(" PADDING ", 0xB8, s->padding, 0x08, 1);
printf("\n");
}
/*!
* \brief Verify section.
* \param s Section.
* \param c Curve.
* \return Verify result.
*/
int verify_section(section_t *s, curve_t *c)
{
u8 hash[0x14];
u8 _R[21] = {0}, _S[21] = {0};
memcpy(_R + 1, s->R, 20);
memcpy(_S + 1, s->S, 20);
sha1(s->data, 0x38, hash);
ecdsa_set_curve(c->p, c->a, c->b, c->N, c->Gx, c->Gy);
ecdsa_set_pub(s->pub);
return ecdsa_verify(hash, _R, _S);
}
//Maybe you're lucky?!
int main()
{
dump_section("0_1", (section_t *)section0_1);
dump_section("0_2", (section_t *)section0_2);
printf("sig. 1 verified: %s\n", verify_section((section_t *)section0_1, (curve_t *)curve0) ? "yay" : "nay");
printf("sig. 2 verified: %s\n", verify_section((section_t *)section0_2, (curve_t *)curve0) ? "yay" : "nay");
printf("R_1 == R_2: %s\n", memcmp(((section_t *)section0_1)->R, ((section_t *)section0_2)->R, 0x14) ? "nay 
" : "yay ");
getchar();
return 0;
} 
While this is definitely interesting news, odds are it's just a ploy for the
Cobra Team to release a new dongle that will be 'required' for their upcoming
PS3 4.3x CFW unfortunately or the
PS3 ODE in order to further line their pockets with PlayStation 3 sceners' hard-earned cash once again... as always, time will tell for sure.
hi im new as well...
Download: http://www.sendspace.com/file/x6qtvr (725.67 KB)
• bdRESET6
• gameDATA6
• lastGAME6
• stDISC4
All support: 3.55 CEX/DEX, 4.21 CEX/DEX, 4.30 CEX/DEX, 4.31CEX, 4.40CEX. These four tools are also available in mM's WEB column.
Download: http://www.sendspace.com/file/8qkcl5 (109.04 KB)
Contains modified source and PS3 executable "ps2classics.self". It can be used by any PS3 application to convert a regular disc PS2 ISO to ISO.BIN.ENC.
Can be used as easy as:
char* launchargv[8];
memset(launchargv, 0, sizeof(launchargv));
launchargv[0] = (char*)malloc( 2); strcpy(launchargv[0], "e");
launchargv[1] = (char*)malloc( 4); strcpy(launchargv[1], "cex");
launchargv[2] = (char*)malloc(i3); strcpy(launchargv[2], klc_path );
launchargv[3] = (char*)malloc(i1); strcpy(launchargv[3], iso_path1);
launchargv[4] = (char*)malloc(i2); strcpy(launchargv[4], iso_path2);
launchargv[5] = (char*)malloc(12); strcpy(launchargv[5], "ISO.BIN.ENC");
launchargv[6] = (char*)malloc(37); strcpy(launchargv[6], "2P0001-PS2U10000_00-0000111122223333");
launchargv[7] = NULL;
_Exitspawn(ps2classics, (char* const*)launchargv, NULL, NULL, 0, 1001, SYS_PROCESS_PRIMARY_STACK_SIZE_1M);
Where iso_path1 is the source iso, iso_path2 is the destination encrypted iso.bin.enc and klc_path is the path to the klicense.
I just tested it (launching a regular ISO in mM, it spawns the ps2classics.self and creates the encrypted ISO + a folder structure) - everything seems ok. It needs a nice progress bar, improved I/O by using async read/write and you're good to go. It doesn't support 4GB+ files, but properly adds missing info for CD ISO files.
Basically with mM you can dump your PS2 game disc, load it in the RETRO column, it will convert it to ps2classic in a minute or two and you can load it with ps2-classics-placeholder. I'll release a test mM later.
Showtime 04.03.128 by Andreas Oman is now available (for mM and as standalone in the WEB column).
Download: http://www.sendspace.com/file/wwrggi (5.68 MB) / http://www.sendspace.com/file/q7hgg0 (5.74 MB)