PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

202w ago - Today Spanish PlayStation 3 developer JaicraB has explained the Cobra USB JIG protection RTOC trick implemented for the PS3 against cloning the device.

To quote, roughly translated: Flynn sent me this text explaining this protective carrying the Cobra, I hope it will open the eyes of those interested in reversing the dumps.

EXPLAIN RTOC COBRA TRICK

The JIG Cobra has several protective measures to ensure that your code could not be used correctly even if your code could be dumped.

This trick RTOC in the registry is the first used for this purpose in addition to hinder analysis.
Registration is initially RTOC stored in the battery to keep the RTOC of lv2 and power it back later:

[Register or Login to view code]


At this point we have to explain that the OFFSET DELTA. DELTA OFFSET is a method used in the x86 in its original moments in the creation of computer viruses, to calculate the memory address in which we are in the sea of ​​bytes in RAM.

In the original time a computer virus when I did not know where he was pulled into an executable,
depending on the executable it could be an initial site or another, for it was invented DELTA OFFSET.

DELTA OFFSET can be used in any system, the procedure is:

  • Using the record that indicates the current execution address (or the next depending on the system)
  • Reducing the size of the previous code we use the value obtained from the registry.

Knowing this, and taking for example the x86 processor where the EIP register can not be read directly invented the trick make a call to a "subfunction" which is simply the following line to the call:

[Register or Login to view code]


X86 call instruction saves the top of the stack the address of the next instruction to itself. Thus using pop draw from the top of the stack this value, and stored in eax for example, and having the memory address where we only subtract the above would be missing and we have the exact calculation.

The PowerPC can use this trick using the BL instruction is equivalent (LINK BRANCH), which jumps to a "subfunction" but before you save LR in the record the following address to BL.

[Register or Login to view code]


At this point we see the trick used for the creation of the RTOC of charges at this time. If you look both r0 and RTOC are passed to 0:

[Register or Login to view code]


Subsequently, given the value 0x11DE0 to RTOC:

[Register or Login to view code]


A r0 is given the value 0x920:

[Register or Login to view code]


R0 is subtracted from the value of RTOC:

[Register or Login to view code]


Unlike the PowerPC x86 LR register can be read directly with mflr instruction, we put in RTOC the value obtained by the delta offset:

[Register or Login to view code]


To calculate the delta offset subtract final instructions executed before the delta offset, which were 4, or 16 bytes:

[Register or Login to view code]


Finally we add the value of r0 at the end of the delta offset RTOC, storing the result in the RTOC and this already takes RTOC suitable for this hook:

[Register or Login to view code]


It takes having the RTOC stored in the stack 3 arguments that the hook received:

[Register or Login to view code]


You call the function of the charges where the first argument will check for command 0x8202 (a special command to the usual):

[Register or Login to view code]


After making the necessary steps as charged, the battery recovers the original RTOC, like the arguments the hook received, it executes the original instruction that was overwritten in the syscall entry 379 (in this case) to have our hook, and call the original syscall lv2:

[Register or Login to view code]


Upon returning to retrieve the original LR from the stack and returns to the prompt

[Register or Login to view code]



JaicraB on Cobra USB JIG Protection RTOC Trick for PS3

Follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 CFW forums for the latest PlayStation 3 scene and PS4 Hacks & JailBreak updates with PlayStation 4 homebrew PS4 Downloads.




#415 - BerserkLeon - 127w ago
BerserkLeon's Avatar
What ps3news posted seems to makes sense. I also find it funny that cobra ODE is being developed right after this xk3y for 360 comes out... isn't that amazing? Perhaps they're made by the same people.

Scene should be free. if you need a dongle to load this onto its not all that much better than the original cobra. Also find it amusing that he says the TB dongle and the cobra dongle are very similar, but he didn't notice this until after he 'swallowed his pride' and bought a dongle. Why didn't you notice that when you were diving through the dumps?

I initially thought PS3News was just being paranoid, but something does stink.

#414 - PS4 News - 127w ago
PS4 News's Avatar
Today deank updated to multiMAN v04.16.04 and aldostools also updated to PS3 Tools Collection v2.0.54, which now includes the mmRAS PS3-to-PC Server application that allows users to control a connected PC via multiMAN.

Download: multiMAN v04.16.04 Update CEX (20121218) (2.57 MB) / multiMAN v04.16.04 Update CEX (20121218) (Mirror) / multiMAN v04.16.04 Update CEX (20121218) (Mirror #2) / installPKG.pkg (486.47 KB) / PS3 Tools Collection 2.0.54

multiMAN 04.16.04 is available online now:

  • Improved speed when copying games/files from/to USB HDDs
  • Improved speed when copying games from PS3 Game Discs
  • Improved speed when copying/browsing folders via FTP (LIST/MLSD)
  • Added support for up to 99 pkg files in the [* Install Package Files] queue
  • [* Install Package Files] function will scan /dev_hdd0/PKGTMP and will MOVE the queued pkg files from this folder (saving HDD space by not copying to temp location)
  • mmOS will now honor the "Verify USB Games" setting when starting games from icons/shortcuts/game-folder
  • Scanning for active USB storage devices is now performed in the background and will speed up loading games on 4.xxCFW
  • Verifying games in now performed in the background (when possible) to avoid delays when loading games

The last one means that mM will scan your USB game folders in the background. It if manages to scan a game at least once you'll never be bothered with 'Verifying data...' again Along with the background scanning of usb devices it is now "Press [X] and game is loaded..."

I hope you like that... Let me know if you have any issues.

From aldostools: I just updated the mmRAS Server 01.01.02 with new features:

  • It now allows to configure a white list of allowed IP that can connect to your computer. (F6)
  • The server port can be configured from the popup menu on the system tray. (F2)
  • Minor optimizations in the code.
  • Added support up to 8 concurrent clients (clients can be multiMAN or mmRAS client for PC)

I also updated Bruteforce Save Data to version 1.3.3 with some suggestions from haru3173

#413 - smokyyuwe - 127w ago
smokyyuwe's Avatar
It's about time. I'd really like to be able to play some backups of old PS2 games I have.

#412 - phuqt - 127w ago
phuqt's Avatar
Can we play games from nas now because it was a new feature in mm a few updates back only for cobra though, now that we have the payload we should be able to get this in a cfw

#411 - elser1 - 127w ago
elser1's Avatar
good news. i really dislike these people and their dongle rip offs.

#410 - seeman - 127w ago
seeman's Avatar
i hope rogero gets influenced by this to create a new cfw!!! with 431 keys... old packmanager... and the new cobra psp function...

i think sooner or later we will see this on our ps3...

#409 - StanSmith - 127w ago
StanSmith's Avatar
I'm just hoping I can still use this dongle for something in the future instead of holding the door open with it. I'm wondering if I can flash it with Cobras firmware or can I flash it to use as a FSM dongle?

This OpenCobra payload sounds great, lets hope it can work with Rebug or other CFW firmwares.

#408 - PS4 News - 127w ago
PS4 News's Avatar
Agreed, and sadly it's amazing how many people don't catch on to this recurring pattern through the years either

Max Louarn and Paul Owen have Gary Wayne Bowser (aka GaryOPA) plug a product on his Divineo / Xecuter funded domains, cash in on it for several months from unsuspecting PS3 scene users, then it fades to black after an alias (ie NoDRM, etc) mysteriously cracks it and releases patches and so on to make it work without needing to buy their 'disposable' product any longer... ironically just in time for their next endeavor to get underway, rinse and repeat all over (they forget to wash, dirty gits )

Its amazing they have been able to get away with this con job so long, but I guess when they buy up scene devs in the process (ie deank, who to this day denies it only fooling himself LOL ) it ensures they have a constant influx of users to keep their customer base stocked and ready to plug new 'disposable' products again to. Welcome to the PlayStation 3 scene!

#407 - dsavage - 127w ago
dsavage's Avatar
who gives a crap about ode ? lol wtf.

this is not worthless... long as rogero or rebug can make a cfw with cobra built-in this will be pretty damn cool.

looking foward to it.

#406 - kalberto - 127w ago
kalberto's Avatar
useless to crack it now, because cobra will be releasing ODE and TB was RIP.