PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

198w ago - Today Spanish PlayStation 3 developer JaicraB has explained the Cobra USB JIG protection RTOC trick implemented for the PS3 against cloning the device.

To quote, roughly translated: Flynn sent me this text explaining this protective carrying the Cobra, I hope it will open the eyes of those interested in reversing the dumps.

EXPLAIN RTOC COBRA TRICK

The JIG Cobra has several protective measures to ensure that your code could not be used correctly even if your code could be dumped.

This trick RTOC in the registry is the first used for this purpose in addition to hinder analysis.
Registration is initially RTOC stored in the battery to keep the RTOC of lv2 and power it back later:

[Register or Login to view code]


At this point we have to explain that the OFFSET DELTA. DELTA OFFSET is a method used in the x86 in its original moments in the creation of computer viruses, to calculate the memory address in which we are in the sea of ​​bytes in RAM.

In the original time a computer virus when I did not know where he was pulled into an executable,
depending on the executable it could be an initial site or another, for it was invented DELTA OFFSET.

DELTA OFFSET can be used in any system, the procedure is:

  • Using the record that indicates the current execution address (or the next depending on the system)
  • Reducing the size of the previous code we use the value obtained from the registry.

Knowing this, and taking for example the x86 processor where the EIP register can not be read directly invented the trick make a call to a "subfunction" which is simply the following line to the call:

[Register or Login to view code]


X86 call instruction saves the top of the stack the address of the next instruction to itself. Thus using pop draw from the top of the stack this value, and stored in eax for example, and having the memory address where we only subtract the above would be missing and we have the exact calculation.

The PowerPC can use this trick using the BL instruction is equivalent (LINK BRANCH), which jumps to a "subfunction" but before you save LR in the record the following address to BL.

[Register or Login to view code]


At this point we see the trick used for the creation of the RTOC of charges at this time. If you look both r0 and RTOC are passed to 0:

[Register or Login to view code]


Subsequently, given the value 0x11DE0 to RTOC:

[Register or Login to view code]


A r0 is given the value 0x920:

[Register or Login to view code]


R0 is subtracted from the value of RTOC:

[Register or Login to view code]


Unlike the PowerPC x86 LR register can be read directly with mflr instruction, we put in RTOC the value obtained by the delta offset:

[Register or Login to view code]


To calculate the delta offset subtract final instructions executed before the delta offset, which were 4, or 16 bytes:

[Register or Login to view code]


Finally we add the value of r0 at the end of the delta offset RTOC, storing the result in the RTOC and this already takes RTOC suitable for this hook:

[Register or Login to view code]


It takes having the RTOC stored in the stack 3 arguments that the hook received:

[Register or Login to view code]


You call the function of the charges where the first argument will check for command 0x8202 (a special command to the usual):

[Register or Login to view code]


After making the necessary steps as charged, the battery recovers the original RTOC, like the arguments the hook received, it executes the original instruction that was overwritten in the syscall entry 379 (in this case) to have our hook, and call the original syscall lv2:

[Register or Login to view code]


Upon returning to retrieve the original LR from the stack and returns to the prompt

[Register or Login to view code]



JaicraB on Cobra USB JIG Protection RTOC Trick for PS3

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew PS3 Downloads. Enjoy!


  • Sponsored Links




#213 - mushy409 - 149w ago
mushy409's Avatar
Every developer has the right to protect his/her work by using dongle protection (most of them pretty poor at best).

As seen many o' times over on the GSM scene, dongles are being cracked/hacked/exploited for their contents. It's only a matter of time. Look how quickly all the other dongles were phased out - in what, about 12 months (less I think) we were pretty much dongle free (except FSM)

#212 - ps3hen - 149w ago
ps3hen's Avatar
I'm glad someone can see how much 'work' exists in zadow's releases.

From Wololo (via wololo.net/2012/06/16/ps3-zadows-release-a-useless-repost/): PS3 Zadow's release a useless repost?

Yesterday I posted what appeared to me as a massive breakthrough in the PS3 scene, a bunch of files decrypted from the Cobra dongle, one of the DRM encrypted piracy dongles for firmware 3.55. The files had been released by user zadow28, who seems to have a fairly good reputation on some of the scene’s websites.

I have been contacted since then by several veterans of the PS3 scene, who told me these files are, in essence, garbage.

They didn’t explicitly tell me the word “fake”, but rather, it seems the files posted by Zadow are basically useless information, which in addition has been publicly available for a while. None of them told me “where” that information actually can be found, which for now I interpret as “it is so useless that we will not even bother to tell people where they can find the information in the first place”.

I do not have the tools, the knowledge, or the time to confirm if Zadow28 is a fraud, but I can say I am seeing a pattern I’ve seen in the past on the psp and the vita scene: unknown guy gets semi famous by posting lots of garbage that looks like the real deal, famous devs call him out for a faker, random people start some conspiracy theories about old devs trying to get all the credits, other random people tell the old devs that they should collaborate with the new guy instead of bashing him, old devs have a hard time explaining that it is impossible to collaborate with a dude who has the IQ of a banana. (I’ve been through that so I know how people like kakaroto feel.

So, if I’m to choose a side, I’ll go and trust the old dudes. If they say it’s useless, I guess they’re right.

From defyboy: Thanks but these were mostly available already. With the exception of your IDA DB of course.

ps3devwiki.com/files/Cobra/
ps3devwiki.com/files/reDRM/
ps3devwiki.com/wiki/ReDRM_/_Piracy_dongles

Why do I constantly find things newsed as a release when it's just copies of the stuff the developers made available on the wiki long ago. This isn't a gift for developers, it's another cry for attention. The developers either already have this stuff, or know exactly where to get it.

I made a mirror on the wiki for anyone who wants his files: ps3devwiki.com/files/zadow28/

From euss: At least I won't be needed to give zadow unself/ungpkg with sources and precompiles like his last readself2/3/4/5 fail (so much better to use scetool anyhow)... (which btw are all on wiki, /files and gitorious too)

I do not know who incepted this thread with nonbased remarks about Atmel AVR/Micochips PIC, but they should look closer to the content and what is needed for such target. There is nothing AVR/PIC related inside the filesets, just plain unself/ungpkg'ed files which where ran through IDA and exported i64/db files. It also does not make any sense to even /want/ it as a dongle, because if you have the PPU/SPU changes, it would make alot more sense to distribute it as patches (MFW Builder TCL) or live patcher: payload (payloader3) then a stupid dongle.

From CrashSerious: First, I've had some concerning health issues and haven't touched this for several months. Also, priorities were re-alligned in the process and haven't had a chance to pick it back up. So I have nothing to report... on to the main reason for posting.

I had a big long email started (about halfway done) detailing every file in there and just gave up due to the number of things that were junk.

Mostly, it looks like files we already have, unselfed eboot.bins (congratulations on using unself or scetool), a corrupt ida database, some meaningless/worthless logs and who knows what else.

I did look at the corrupt idb to make sure it actually "looked like"an idb. It actually did at a glaqnce--- so at least it's not like the last time and he was trying to pass off a linux binary as lv0 decrypted or some crap like that... oh wait... he did do that, didn't he defyboy .

Probably a better use of my time if I stopped dissecting the gift any ways. Zadow’s files are still available here if you want to give them a look, but it’s probably not the breakthrough I initially thought it was.

Finally, from flat_z: I am very sad looking at all news sites about ps3... when they keep posting any "shocking" news about such noobs as zadow28 and exposing him as the greatest hacker in the world

#211 - Ezio - 149w ago
Ezio's Avatar
Hmm, cobra dongle payload hasn't been completely reversed by zadow, because he simply doesn't have the skills for doing that stuff, what he released is something anyone can do on their own, so it's of zero utility to get payload hacked.

#210 - niwakun - 149w ago
niwakun's Avatar
yeah, with the improvements he done on MM I think he deserves to work on something that he can get something. He release stuff for free for over a year already, but I do hope that dean wont get mad on us who uses the dongle-less cobra.

#209 - SwordOfWar - 149w ago
SwordOfWar's Avatar
I already have a Cobra, but if this leads us to a hybrid CFW with both features then it will surely be nice to be dongle free again.

#208 - elser1 - 149w ago
elser1's Avatar
i didn't know dean from multiman was behind the cobra dongle and selling it. i dont think its bad at all in his case. he deserves something he gave us multiman for hmm sake.. lol

i won't be using a Z pirate version of cobra out of respect to him but i don't really need cobra anyways. this guy is ding good stuff decrypting the dongles. thanks for the news

#207 - racer0018 - 149w ago
racer0018's Avatar
The perfect Cfw would have them all built into it. But this a start. Good job.

#206 - smokyyuwe - 149w ago
smokyyuwe's Avatar
That's funny. I came on to see if I could find a way to make multiman play ps2 games without the dongle (I have a b/c ps3, so getting the dongle just for backed up ps2 games seems.. a little pointless).

#205 - NTA - 149w ago
NTA's Avatar
I wonder how deank feels about this lol

Quote Originally Posted by BiMode View Post
Does multiman 4.03 support playing ps1/ps2 iso format for regular CFW?


I highly doubt it.

#204 - Transient - 149w ago
Transient's Avatar
What's with that guy's tweets? Is he drunk?