23w ago - Following up on the
PS3UserCheat and
True Blue unnecessary
DRM-infected dongles being hacked alongside
zadow28's
work, today PlayStation 3 developer
oct0xor shared a video of his OpenCobra Payload which aims to render the current Cobra USB dongle from
Max Louarn useless.
Below are the details from his
blog, as follows: "First I am going to say that this is not going to be an article, just a first blog post and some info about my recent project.
Finally I got my hands on cobra
it was quite a lot of time since I touched this last time. There was s good things happened since then eg. I reverse engineered usercheat and true blue, had done a lot ps3 and not ps3 related hacking. There was a bad things eg. BlueDiskCFW, lv0 leak, a lot of devs leave the scene...
Cobra was for me really "the last" thing I have to do.
The last time when I worked on this I didnt had a dongle, and all what I had was a dump by JaiCraB. I reverse engineered it as much as possible, figure out almost all tricks, encrypton and etc. And figuare out that it reads a lot of data from dongle, and I cant do much without dongle itself. Thats why I put this project to the back burner.
Well... I had never buyed anyone dongle, and I never was not going to. All my dongles was donated (thanks again
) but not that time.
it was hard for me to make this decision but a few days ago cobra finally shipped to me...
3 days and now its all over.
Security is good enough, but not without big security risks. But it still the best crypto/obfuscation what I had seen on ps3. Sony have something to learn from this guys, especially now.
Cobra / True Blue almost identical, have the same source code, if you ever hacked 1 thing, 2nd wouldnt be a problem. The main functionality, honestly, not changed since original jb. Thats a shame. Thats why I cracking them like nuts
On the fourth day I taked a decision to make my own "OpenCobra" payload. only clean code without drm and garbage, to be able to port it to any new firmware, and change/add features. It taked 2 days, 3000 lines of asm, and you had seen the result.
Atm it based on 4.1 payload, plans for future is check/add new features from 4.4/5.0. Port to a new firmware (if cobra will not do this for me), and realize all nice innovations from new version of psp emu, such as better emu accuracy, 3D and etc...
In video you had seen Payload Loader. Thats the all code it has:
install_payload("OpenCobra_41.bin", PAYLOAD_OFFSET); // no comments
// install hooks
...
void sc8_0x9001(const char *path, const char *id) {
lv2syscall8(8, 0x9001, (u64)path, (u64)id, 0, 0, 0, 0, 0);
}
void sc8_0x9002(u8 flag1, u8 flag2, u8 flag3, u8 flag4) {
lv2syscall8(8, 0x9002, flag1, flag2, flag3, flag4, 0, 0, 0); // flag1 - eboot.bin encrypted/decrypted, flag2, flag3, flag4 - not real flags, its a tag related patch.
}
const char *path = "/dev_usb000/PSPISO/CRISIS CORE -FINAL FANTASY VII-.iso";
const char *id = "ULUS-10336";
sc8_0x9001(path, id);
sc8_0x9002(0, 0, 0, 0); This tag related patches handled by mngr. So far I want to move it in payload. First I have to check how it handled in 4.4 / 5.0
Not sure yet when it will be released, if it will be, but we will see.
Keys!
LV2:
7174e18ad8c87a31.... 3.0
2005d05b1ac8a331.... 4.0
3902a14001cd4836.... 4.4
fd905abf25cdc236.... 5.0
APP:
3CFE6288B199F90A.... 3.0
5824D034A3CEED3A.... 4.0
8FA23E557693D4FE.... 4.1
If this subject will be interested for people, maybe I will write a full article about True Blue / Cobra analysis and hacking.
btw: Me and ~ some psp mysterious dark figure ~ reverse engineered algo for generating valid psp isos back to jule. But saves and a lot of games dont work without patching. So cobra's patched emu much better there imho."
Below are some additional pics from his blog which simply states: Usercheat + Cobra = <3
From
flat_z: Here is some explanations to make things more clearer. If you read my twit about ps2_netemu you can see that I reverse-engineered it. It includes almost all things which are required to make custom disc images of original PS2 discs and run them on the PS3 if everything will works fine. So it can lead us to the process of remastering PS2 discs which includes making of ISO.BIN.ENC (the encrypted version of original image which can be read by the PS3), creation and encryption of .VME files (virtual memory cards), ISO.BIN.EDAT (includes the title ID of disc).
The only thing which is not currently known is the format of decrypted CONFIG file (I can decrypt the file and encrypt it back but it have a complex format). It is optional and can be empty but I'm afraid that some games requires it to run on the PS3. My plan was the creation of PS2 remastering tool and I wanted to share it. Although I even not sure will it work or no but there are many chances that it will.
But something happened before I started to do it. My HDD on the laptop died and I have all information regarding PS3 on it. Although I was able to restore some important files but not all. So I need a time to buy components for a new computer and build it. For the same reason, I have a delay on my real job (I'm working as a free-lancer) so I will going to do my job before I start to do something new for PS3.
P.S. I see many questions about compatibility. You don't need a backward compatible PS3 console to run PS2 games through ps2_netemu because it is software emulator and doesn't require any PS2 hardware components. Also I think that ps2_netemu is more better and stable than ps2_softemu but this statement requires testing.
Finally, from
naehrwert (via twitter.com/naehrwert) comes some related Cobra ODE EID0 information (ECDSA from pastie.org/6169158) , as follows:
/*
* Copyright (c) 2012-2013 by naehrwert
* This file is released under the GPLv2.
*/
#include <stdio.h>
#include "types.h"
#include "sha1.h"
#include "ecdsa.h"
/*! EID0 section entry. */
typedef struct _section
{
u8 data[0x38];
u8 R[0x14];
u8 S[0x14];
u8 pub[0x28];
u8 unk[0x20];
u8 omac[0x10];
u8 padding[0x08];
} section_t;
/*! ECDSA curve. */
typedef struct _curve
{
u8 p[20];
u8 a[20];
u8 b[20];
u8 N[21];
u8 Gx[20];
u8 Gy[20];
} curve_t;
/*! EID0 Section 0 - 1. */
u8 section0_1[0xC0] = {
//Paste a decrypted EID0 section 0 here.
};
/*! EID0 Section 0 - 2. */
u8 section0_2[0xC0] = {
//Paste a different (!) decrypted EID0 section 0 here.
};
/*! One sexy curve. */
u8 curve0[0x79] = {
//SHA1: https://twitter.com/naehrwert/status/286745714434899968
//(9035B33F58DFAEF389FD49187F93C4FC2D2DD268)
};
/*!
* \brief Hexdump, dummy.
*/
void _hexdump(const char *name, u32 offset, u8 *buf, int len, int print_addr)
{
int i, j, align = strlen(name) + 1;
printf("%s ", name);
if(print_addr)
printf("%08X: ", offset);
for(i = 0; i < len; i++)
{
if(i % 16 == 0 && i != 0)
{
printf("\n");
for(j = 0; j < align; j++)
putchar(' ');
if(print_addr)
printf("%08X: ", offset + i);
}
printf("%02X ", buf[i]);
}
printf("\n");
}
/*!
* \brief Dump section info.
* \param name Name.
* \param s Section.
*/
void dump_section(const char *name, section_t *s)
{
printf("Section%s:\n", name);
_hexdump(" DATA ", 0x00, s->data, 0x38, 1);
_hexdump(" ECDSA R ", 0x38, s->R, 0x14, 1);
_hexdump(" ECDSA S ", 0x4C, s->S, 0x14, 1);
_hexdump(" ECDSA PUB", 0x60, s->pub, 0x28, 1);
_hexdump(" UNK ", 0x88, s->unk, 0x20, 1);
_hexdump(" OMAC ", 0xA8, s->omac, 0x10, 1);
_hexdump(" PADDING ", 0xB8, s->padding, 0x08, 1);
printf("\n");
}
/*!
* \brief Verify section.
* \param s Section.
* \param c Curve.
* \return Verify result.
*/
int verify_section(section_t *s, curve_t *c)
{
u8 hash[0x14];
u8 _R[21] = {0}, _S[21] = {0};
memcpy(_R + 1, s->R, 20);
memcpy(_S + 1, s->S, 20);
sha1(s->data, 0x38, hash);
ecdsa_set_curve(c->p, c->a, c->b, c->N, c->Gx, c->Gy);
ecdsa_set_pub(s->pub);
return ecdsa_verify(hash, _R, _S);
}
//Maybe you're lucky?!
int main()
{
dump_section("0_1", (section_t *)section0_1);
dump_section("0_2", (section_t *)section0_2);
printf("sig. 1 verified: %s\n", verify_section((section_t *)section0_1, (curve_t *)curve0) ? "yay" : "nay");
printf("sig. 2 verified: %s\n", verify_section((section_t *)section0_2, (curve_t *)curve0) ? "yay" : "nay");
printf("R_1 == R_2: %s\n", memcmp(((section_t *)section0_1)->R, ((section_t *)section0_2)->R, 0x14) ? "nay 
" : "yay ");
getchar();
return 0;
} 
While this is definitely interesting news, odds are it's just a ploy for the
Cobra Team to release a new dongle that will be 'required' for their upcoming
PS3 4.3x CFW unfortunately or the
PS3 ODE in order to further line their pockets with PlayStation 3 sceners' hard-earned cash once again... as always, time will tell for sure.
cool game look forward for this game...
ff10, ff10-2, ff12, resident evil outbreak, resident evil outbreak file2, resident evil dead aim and residen evil gun survivor 2!
but first i need to find the isos first LOL
Can I copy my JAP Ps2 imports to play on my US PS3?
Download: http://www.mediafire.com/?3xcz5om17zacnya / http://www.mediafire.com/?116a12awyjndo09 / http://www.mediafire.com/?jq0quoy1q3w8oh6 (3.1 Expert with PS2 CDVD plugin) / http://ps3tools.aldostools.org/ps2classics_GUI.rar / http://gitorious.ps3dev.net/ps2classic / http://www.mirrorcreator.com/files/KCPWIXEI/ps2ctool_v1.zip_links by CrUmp / http://www.mirrorcreator.com/files/0MHERO80/ps2classic-bccb879.zip_links by u$er / https://dl.dropbox.com/u/31400110/PS2SOUNDS/Templates.zip by DEREKTROTTER
Now it doesn't need root key to vmc stuff and now vmc decryption and encryption is working great, added ISO9660 checks and LIMG check and creation. Thanks to flatz, aldo and many others.
Usage:
iso:
ps2classic d [cex/dex] [klicensee] [encrypted image] [out data] [out meta]
ps2classic e [cex/dex] [klicensee] [iso] [out data] [real out name] [CID]
ps2classic vd [cex/dex] [vme file] [out vmc]
ps2classic ve [cex/dex] [vmc file] [out vme]
PS2Classic Final Changelog:
• ISO9660 Check
• LIMG Support (Check / Creation)
• VMC Decryption / Encryption fixed with the help of flatz by making new py script to rehash stuff so i can port it and now without. the need to use a root key to encrypt or decrypt your vmc's, thanks to aldo too by helping me in the process.
• Now you see the progress being maded by decryption or encryption, so is more easy to wait.
Deciphering virtual memory card
If you don't want to use this cmd version is better to wait to the new version of Aldo Gui tool because it will have this added and some better gui improvements. Thanks to flatz, aldo and many others helping in the process.
Here also included something for those who want to modify or ripearlas isos more easily and are functional in the PS3. The process is very easy and simple using Expert 1.3 since the 2.0 version tends to have flaws with these images ISO9660 corrupting and ends.
Ripping or modification of any PS2 game
1. Crack the ps2classic ISO.BIN.ENC with great command line or GUI aldo.
2. Expert Runs 1.03 and continues to work the following order:
• Extract LBA
• Extract files (It will extract every file from the game in a folder with the iso name)
Now you can make your changes to the game(But obviusly you cannot just delete stuff because the LBA has an order you need to make some dummy file and rename it to the file you want to delete for example), you can mod everything too if the game have some modding tools for sure like gta sa, vc, etc.
• Rebuild files (Now it will make a ISO with the game folder extracted previusly modified)
• Rebuild LBA
3. Just encrypt that Game ISO modified with new tools like this new ps2classic command line tool or with new Aldo gui Ps2classic tool with new changes (Because this tools will now remake the LIMG section too). Now use the new ISO.BIN.ENC on the PS3 and check your changes.
Greetings
From CrUmp comes a PS2 ISO Renaming Tool called PS3CTool v1 (linked above) for PS2Classic v 1.0 with details below, as follows:
I only test with my mac. if you install python 2.7 on windows this should work too. i don't know if it's ok to put key file in this, so I didn't include it. put your ps2.key file in the same location, and include this folder in your $PATH like:
PATH=$PATH:/path_to_this_folder.
export PATH
The best way to play your PS2 games on your PS3 console is to convert them into PS2 Classic Games. With Multiman and PS2Classic container, you can have unlimited PS2ISOs loaded into your PS3. With [gameID] Game Title naming convention, Multiman will download the game cover if avaliable.
This tool finds gameID from within PS2ISO, and compare with online database to rename the ISO file names
This script works with ps2classic command line tool to make it more convenience to convert mass ISOs.
usage:
ps2ctool.py {option} isofile
ps2ctool.py isofile
ps2ctool.py netrename isofile
ps2ctool.py ALL ps2classic
ps2ctool.py isofile:
to rename an ISO file, adding [XXXX-00000] to the filename.
To rename ISO file with sonyindex.com database entry, in '[DISCID] FILENAME' format
ALL: in a folder to process every ISO under that folder, including subfolders. It will move ISO files to current folder, and re-name iso filenames against the database entries.
Finally, from u$er comes some proper PS2Classic Tool binaries (linked above) who states the following:
Hey there, i've compiled a set of PS2Classic binaries for you based on the latest changes. if you don't like using cmd-line apps, you can replace the one in PS2Classic GUI with this one.
ps2classic (bccb879)
GPLv3
gitorious.ps3dev.net/ps2classic
written by user
algo by flatz
both linux and windows binaries shouldn't have any dependencies. cywin-1.dll is NOT needed which should speed up the file operations
NOTE: please remember to release source code if you distribute binaries. if you made any changes to the source code you have to provide the modified source code ofc.
More PlayStation 3 News...
Will test with my Fatal Frame 2 backup and update...
Well, Fatal Frame 2 works as well. This is exciting! I might test a couple more games from my PS2 library, but this is pretty cool so far. Definitely will extend the life of my phat, although the emulation doesn't seem perfect - does anyone know how to brighten up the screen a bit?