PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

169w ago - As a follow-up on our previous article with the spirit of Operation: Mongoose in mind, we are continuing to examine both the Cobra and True Blue PS3 DRM-infected dongles and TB EBOOT files, and welcome any help with this project from other PlayStation 3 developers in the scene!

First let me tell you the following explanation is not a theory or any rumors, it's actually how the USB dongles work to allow different things.

We heard many rumors / theories about the process of the Cobra / True Blue but I didn't see anyone give any big answer about that (I'm not saying I would give you the big answer but the explanation how it works and how to make this possible)

Cobra / True Blue Part 1

Both dongle use syscall / payload (after a big investigation, both dongle also follow the work of graf_chokolo and the functionality of the dongle can be ported into a CFW (not a good idea from some devs I guess)

Cobra / True Blue use a lv1_wrapper (syscall implementation) that can allow to use subroutine function into kernel mode call. Following the dump of the Cobra / True Blue, every subroutine are indicated inside the dump (probably the reason of some clone like JB-King)

What all this mean ?

About the TB Eboot, i come back on what i said recently, the TB Eboot come from original Eboot (don't make any sense that they access to the dev server when have not Eboot on it) the PSN dev don't exist this way... but for related beta development games and testing beta multiplayer mode, interface beta test PSN for games etc... but nothing related to a Eboot.

TB use original Eboot and make their own sign (you can easily generate a new NPDRM sign with a Self/elf)

How can boot the games, the NPDRM Sign made in TB can't be run into a user mode, you would have a error of boot and every program that you resign etc... will not boot into a usermode... that's why we need to use a syscall that can let use into a kernel mode to execute a program that not recognized and authorized by the system. The dongle validates the actual eboot by syscall / subroutine.

For example, I want to have a execute something into the CoreOS but I'm not allowed because I can only execute this on a kernel mode, fine, I use my actual user mode to turn into a kernel mode by using a syscall.

A Syscall can allow you to execute, create, read, load, etc... The limitation of a dongle = the PS3 system, a dongle it's only here to prevent a error that by using redirection and syscall, the dongle give a correct answer that PS3 system execute.

If you check correctly the dump you can see 0x80 -> correspond to the C library, also when you call into kernel mode, the kernel fix the table permission that allow to give big access. You can recognized r1 stack register -> 0xA0 (debugger mode) -> R2 stack status...

Ok you probably gonna ask, what is that ? lol

It's actually a schema / plan from the dongle, the dongle is here to give a strong access to the system that you can execute what you want.

For example the PS2 Emu of Cobra = PS2 self (is not executed into a user mode but kernel mode / debugger mode that) reason why it can be execute under a PS3 Slim retail without following an error system.

How this can help ?

This mean many things, that you don't need any keys to execute under a kernel / debugger mode because anyway the syscall will give you a whole access to the cell execution.

I want to give a simply explanation that everybody can understand, the TB EBoot = Original Eboot from Original game, we not interested by the sce header, etc... we only want the elf header program represent and related to the game execution (like a exe, you patch the exe to be run without cd) here almost the same, we patch the elf with a fake sign can be run into a specific mode without asking anything.

What is weird, graf gave many oriented possibility and no one try to exploit them but only in a business way. Anyway like I said, the dongle is in relation with the PS3 system/Dev_Flash/Core_OS

I'm also working on it and try to do my best to release something strong and free... but my knowledge is limited and I can't do that alone.

Why I explain all that, it's because I want to see also some good dev can work on it with me, actually I want to thanks graf for all this awesome stuff, cfwprophet and all the PS3 scene that support us, I say also thanks to the people who insult me and said I'm a fake... more you said that and more I don't care and offer good stuff

Somebody said he want to be fame, no at all... I don't really care, my family and my gf give me already that by supporting me, it's enough

Anyway I would like this project to encourage PS3 homebrew developers to help out if they can, and also for the work that cfwprophet, me and others are doing on it will be updated here periodically.

PS: Probably go have more explanation and more stuff about it in the next week. Oh yes about the Debug PKG that is available on PSN Dev (it's not related to the TB Eboot)

You can make a Debug PKG yourself by only extracting the ELF, make a Self without NPDRM, leave him Eboot.self and make a PKG without NPDRM, this represent exactly what is a debug PKG (it's a standard Self inside a PKG without NPDRM)


Project: Cobra and True Blue PS3 Dongles, TB EBOOTs Examined

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew PS3 Downloads. Enjoy!


  • Sponsored Links




#792 - technodon - 150w ago
technodon's Avatar
i never tested my dongle updater before release, anyone else tried it? cause puss in boots seems to be the only one game that works it just happened to be the one that i tried? maybe i should start playing the lottery? lol. maybe it has some significance in reverse engineering the dongle though?

#791 - elser1 - 150w ago
elser1's Avatar
i'm a little confused (nothing new there) so does this mean with the pkg i can use a tb dongle once then instal pkg and no longer need dongle?

that would be great if so and if someone would lend/hire me a dongle for a day.. LOL

#790 - Xyth - 150w ago
Xyth's Avatar
Wololo's thoughts are ridiculously nonsense. Who cares if TB team will change encryption scheme. They still want us to believe if someone hacks TB, there will be no more new games. This is the same logic if we share PS3 exploits they can patch it. Who cares if Sony of TB patch their exploits. Of caurse they'll patch it, it is their job to protect their property. But if you call yourself a scene developer you can always comeup wit a new solution. This is what makes a scene The Scene.

These "It will lead to piracy" and "They can patch it" execuses are just a cover for their fear of Sony.

#789 - technodon - 150w ago
technodon's Avatar
following up on shad__'s excellent work on the modified true blue eboot, i repacked it as a installable pkg and also modified the text so it now reads remove the dongle and press x to return to the xmb. download link here: http://www.putlocker.com/file/6B780406C00FD776

#788 - PS4 News - 150w ago
PS4 News's Avatar
Below is an update from wololo (via wololo.net/2012/06/06/ps3-more-dongles-info-decrypted-by-oct0xor/) dubbed PS3 - More dongles info decrypted by oct0xor (covered a few posts above), as follows:

PS3 hacker oct0xor, who was already behind the base work that led to initial reverse engineering of the True Blue dongle, just twitted that he can decrypt True Blue’s stage2, as well as critical information from other clone dongles.

I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC.

You really can call me “DongleBreaker” now Thanks to flat_z who was with me all along.

As I said earlier, the people behind True Blue are not amateurs in the hacking scene and could definitely leverage that type of information. Hackers like oct0xor are not fighting against “we don’t know about it until it’s too late” Sony, but against people who regularly check all scene websites, and take action.

I have no doubt that the next True Blue firmwares will change their encryption scheme, and if not, another “magical” dongle will pop up in the months to come, from another random company (the same people who made true blue, of course), with a completely different security system.

That is, unless PS3 hackers completely reverse engineer the system behind the True Blue dongle, in a way that Sony can finally understand how True Blue are able to patch 3.6+ games so easily, and hoping that future games will be protected against the True Blue patches. That would calm down piracy on the PS3, and people who don’t get it will claim that this could kill the PS3 scene.

#787 - jabberosx - 151w ago
jabberosx's Avatar
This is good news. But at the same time ANOTHER frikking dongle is down right shameful. I mean whats the frikking point. arrgghhhhhh I know make more money by pirating from pirates. knowing still doesn't help.

#786 - RobertoSlip - 151w ago
RobertoSlip's Avatar
should be transparent, this would greatly facilitate..

#785 - userix - 151w ago
userix's Avatar
Can I flash back to kmeaw 3.55 after flashing tb cfw 3.55 or is it a one way street ordeal?

#784 - PS4 News - 151w ago
PS4 News's Avatar
Today PlayStation 3 developer Naehrwert has blogged (nwert.wordpress.com/2012/06/02/reversing-tb-part-1-the-vm/) on reversing the TB (True Blue JB2 PS3 Dongle) Part 1: The VM with details below, to quote:

Thanks to oct0xor (twitter.com/#!/oct0xor) we could get our hands on the decrypted TB payload (stage 2). Of course the first thing to do is to fire it up in IDA, our favourite tool of the trade. The entry code of the payload looks like this:

[Register or Login to view code]


In the first loop it will relocate itself using 0x1337C0DE as an identifier for the upper 32 bits and rewrite that to the actual base. The disassembly above was already loaded using 0x1337C0DE00000000 as base. While scrolling through the data section at the end of the payload one quickly figures out that the RTOC is 0x1337C0DE00017E40.

As I was analyzing the code I found a sub that was basically just a really big switch with random looking case values. Once I reversed the sub at 0x1337C0DE00002578 and some of the following ones and analyzed their usage in the switch sub, I knew that I was looking at a fricking virtual machine.

[Register or Login to view code]


Paranoid TB developers even used XOR-tables to obfuscate the VM instructions and data. The virtual machine is mostly stack based but the instructions let you work using registers too. The next thing to do is to reverse all the instructions and write a disassembler and emulator. Here (pastie.org/4015202) is some code to unscramble the embeded vm binary for further investigation. I’m going to write more about this topic in the future.

[Register or Login to view code]


From shad__ on IRC for TB DRM dongle users: EBOOT.BIN

[shad__] if it can help, you can play tb eboot without tb plugged in. Just, patch sys_sm_shutdown call in TB update pkg and unplugg Tb dongle then press x to exit.It will exit without reset lv1 and lv2.
[shad__] POC: http://www.mediafire.com/?z42clbkhjju1khy
[shad__] Now you can share your dongle with your friends
[shad__] was ~chatzilla@55.219.73.86.rev.sfr.net * New Now Know How

Also this weekend Team E3DIY claim that they have also managed to run all PlayStation 3 games on 3.55 PS3 CFW (similar to TB/JB2) but they will likely peddle another dongle to do it unfortunately instead of a free PS3 scene solution.

Finally from oct0xor (via twitter.com/#!/oct0xor):

ps3usercheat skip r4=%x,r5=%x main_EBOOT.BIN main_vsh.self

I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC. pic.twitter.com/b2awqYLv

You really can call me "DongleBreaker" now Thanks to flat_z who was with me all along.


#783 - PS4 News - 151w ago
PS4 News's Avatar
Below is an update on the True Blue PS3 JB2 Dongle new security packaging, as follows:

30 - 5 – 2012

New packaging for True Blue incorporating security measures and an updated picture identification reference for clones

Due to the recent emergence of clones we are introducing a new packaging system and a security sticker on the dongle itself to help ensure customers receive original True Blue dongles.

Firstly, a new blister pack with a label over the blister will be introduced, as shown below. This provides several measures for the user to identify if the True Blue device received is likely to be original.

Note the unique security patterns in silver which are difficult to counterfeit, due to the colour variations on the background colours, materials used and complexity of the pattern itself. If the label appears to be stretched or appears to have been used before, then careful attention should be paid to the security sticker on the dongle itself.

s3nint3!
The security sticker adhered to the dongle itself (shown below), partially covering the cap will provide the user with an indication of whether or not the dongle has been tampered with before delivery. Therefore, if the portion of the sticker covering the dongle cap has been broken, then it is possible that the dongle may have been tampered with. If this is the case, please use the TrueBlue 2.7 firmware as a means to check the authenticity of the dongle.

If the word clone appears in the PS3 XMB where the TrueBlue 2.7 version number is stated, then you should contact your reseller for assistance. Security stickers are designed with a number of security considerations in mind and are very difficult to reproduce exactly. This will aid retailers and end users in determining whether the product received is an original.

s3nint3!
Some original True Blue dongles are in the supply chain yet to be sold, which do not have the new packaging. If you receive a True Blue dongle without the new packaging, then simply use the True Blue 2.7 firmware to identify whether or not it is an original. Details can be found on the information page and inside the 2.7 firmware download package on the downloads page.

Finally, we are updating the picture references for users to identify whether their PCB is an original True Blue or a CLONE. We have released several revisions of the True Blue PCB’s which are shown below. The recent CLONE posing as True Blue in a similar casing is also shown below and referenced as CLONE. If you have received one of these clones instead of the original True Blue you ordered, then you should contact the retailer who you purchased it from for a refund.