PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

October 22, 2011 // 11:55 pm - Following up on the initial PS3 JailBreak 2 news comes various PS3 CFW JailBreak 2 and JB2 Updater details today including the examination of an EBOOT.BIN from the Driver: San Francisco Blu-ray Disc in comparison to one from an official PS3 Game (BLES00891) Disc with developments on reverse-engineering the PS3 JB2 file dumps and more below.

To begin, whyudie states the following on the PS3 CFW JailBreak 2 and JB2 Updater for PlayStation 3: I just wanted to share this CFW. This CFW is intended more specifically for Jailbreak 2 dongle only. Most likely will not run well without that dongle. Perhaps some developers out there could investigate this CFW, and develop it even better.

If anyone out there want to install this CFW on your PS3. Do it at your own risk!!

JailBreak 2 Dongle Features

  • Can play backup games that require firmware 3.60 + (Direct boot just like the original games)
  • Only burned BD Disc format with some patches will work. For now, there's no info how to make a backup iso to work with this CFW.
  • Can play backup games from the HDD. PS3 games with FW 3.55 or lower (via internal or external hdd)
  • Only works on the PS3 with official/custom firmware 3.55, not the downgrade PS3.

Password: whyudie

And this is PKG files to upgrade dongle Jailbreak 2:

Password: whyudie

What's your source? Have you make a dump from JB2 Dongle?

From my local game store. I live in Indonesia. And I bought the dongle. And get the bonus cd and the CFW files is from that cd. And that CFW must be installed first on PS3, and upgrade the dongle with that pkg files.

Driver: San Francisco EBOOT from Blu-ray Disc courtesy of lindwurm: (Mirrors) (Mirrors)

Driver: San Francisco EBOOT (BLES00891) from original PS3 game disc courtesy of elser1:

Driver: San Francisco EBOOT (Untested, Generated by SiLENTGame)

UPLAY SELF (Untested, Patched by SiLENTGame)

FIFA 12 EBOOT from Blu-ray Disc courtesy of lindwurm:

Sniper Ghost EBOOT from Blu-ray Disc courtesy of lindwurm:

Sakunchai also states the following on examination of the PS3 JB2 dump: I find 1 point not same in original FW in lv2_kernel.self

Also below are some related PlayStation 3 JB2 files from 3muk and ireggae among others and a preliminary PS3 JB2 RE examination, as follows:

Here is the files changed in the FMW including CORE_OS_PACKAGE.pkg, dev_flash_010.tar.aa.2010_11_27_051337 and dev_flash_016.tar.aa.2010_11_27_051337:

PS3 .PKG File from the dongle, unpacked with an .ELF of the EBOOT included: (Mirror)

PS3 JB2 Reverse Engineering

Below is a preliminary synopsis from moogie via Twitter and and

JB2's dongle updater pkg, its EBOOT.BIN is just an FSELF (fake signed), the Driver: SF eboot fix is also an FSELF, FSELF's are mean't for debug consoles, easier to fself your game, then to actually sign it, you can patch retail FW to run FSELF's, either through the fw, or you can modify PL3, or even, resign the EBOOT.BIN, its nothing special, from the looks of it, they don't have any keys, just debug EBOOT.BIN's.

You don't need that dongle either, just resign the EBOOT.BIN or patch the FW to run FSELF's, their MFW could have these patches, or maybe, their dongle deliver's the patches. I do not know for sure, maybe their dongle does something else entirely, but I know its an FSELF, and you can make that run, without their dongle.

Dongle is DRM to make sure you have the dongle, the firmware 'special' functionality will not work without it. Contentdisc's contain fself'ed eboot.bin's.

Those JB2 eboot.bin stuff, actually isn't debug fself's, but readself says it is its their DRM. Can't be decrypted without their stuff. They have their own keys, which they are signing the EBOOT.BIN's with, I think they are debug eboot's resigned with their stuff.

SELF header

[Register or Login to view code]

Control info

[Register or Login to view code]

Section header

[Register or Login to view code]

Encrypted Metadata

[Register or Login to view code]

ELF header

[Register or Login to view code]

FW Info

PS3 System Software

[Register or Login to view code]

Remarks: needs JB2 dongle as DRM

[Register or Login to view code]

Firmware Changes compared to OFW 3.55:


[Register or Login to view code]


[Register or Login to view code]



Just one patch:

[Register or Login to view code]

This is in lv1_map_htab to allow for RW mapping of all RAM. So who knows how many other lv1 patches are done at runtime.


[Register or Login to view code]

"standard pkg patches"



Dongle is DRM to make sure you have the dongle, the firmware 'special' functionality will not work without it. Contentdisc's contain fself'ed eboot.bin's


  • It does not play 3.6x+/3.7x+ original content (it does not have the keys for it).
  • It can only play such content which is re-encrypted/resigned with their donglekeys.
  • Such content will be limited to those already decryptable and debug eboot.bin's.
  • Content for 3.55 and lower still work (after all, its just a MFW 3.55)
  • Needs the MFW (and cannot work on OFW's, that is why there is 'no power/eject trick')
  • If you are using special firmwares now, they will not be compatible with this one. e.g.
  • Incompatible with: OtherOS++, Cobra, pre 3.50 etc.

Hardware Dongle

Below are some pictures of the PS3 JailBreak 2 (JB2) aka True Blue dongole disassembled using an Actel ProASIC3 A3P250 - FPGA, a 24.000 MHz Crystal and a AMS1117 2.851049 Low Dropout Linear Regulator.


Actel ProASIC3 A3P250 - FPGA

[Register or Login to view code]

File: VQ100.png (below)
128-bit AES
1,024 bits of user flash memory
Datasheets and usermanuals:

Pinout A3P250 VQ100

[Register or Login to view code]

24.000 MHz Crystal

CLK for Actel

AMS1117 2.851049 - Low Dropout Linear Regulator

Datasheet: /

File: AMS1117 - SOT-223.png (below)

A 47 (unreferenced 5pin IC) - 5-pin SOT5 A 47 pinout

[Register or Login to view code]

Winbond 25X16AVS1G (SPI Flash 16Mbit) - 8-pin TSSOP Winbond 25X16A SOIC-8 pinout

[Register or Login to view code]

datasheet: W25X16A.pdf
[Register or Login to view code]

Sony PlayStation 3 hacker Mathieulh has also made some comments via IRC today on how the PS3 JailBreak 2 works with a follow-up HERE for those interested.

From PatrickBatman on the PS3 JB2 device, to quote:

It seems the ps3jb2 loads masterdiscs with fself, with the algo provided and the right keyyou can decrypt said masterdiscs images right on pc and grab the fself files.

[Register or Login to view code]

That's the algo for masterdiscs, ps3gen.dll has the static keys for masterdiscs. You can also get it from sv_iso the sdk tool that generates masterdisc images.

Then you take the decrypted fself and resign it for 3.55 with makeself then swap eboot. I think it should be somewhere in the in the 3.60 SDK but I'm not finding it, but that's where the master disc stuff is.

Finally, upon examination several users including DanyL, TheLostDeathKnight and bubbleboy have stated that the JB2 doesn't use a new PlayStation 3 exploit nor contain PS3 3.6+ keys, and that the dongle is only used as identification for activating the patch.

For those curious, patching the appldr keys has been done but not made public back with the PS3 3.56 keys so it isn't unfamiliar to most PlayStation 3 developers but unfortunately it is patchable by Sony. A brief outline of the process involved is below, as follows:

Obtain PS3 Debug EBOOT file from Sony's Developer Network via Debug console by one of the following methods:

  • Boot up your PS3 to the XMB, make sure in debug settings that NP environment is set to “sp-int” or “prod-qa”, sign into PSN (with sp-int or prod-qa credentials, you can use the quick sign-up), and launch the game. If your in luck, it will say an update is available – download it!
  • To get the URL you have a few options. You could either sniff out the connection with something like Wireshark - that takes a bit more setup. Other times the URL is actually passed right to dtccons - so make sure you have the debugging windows open. Or, you could use any number of the PS3 Proxy applications to grab the link.
  • Those who know their PS3 Game's Title ID and are seeking PS3 Game Update Packages can now use this simple guide to grab them while they last.

  • Patch Retail PS3 Firmware to run a Debug EBOOT file
  • Dump and burn the PS3 3.60+ games to BD-DVD with the included Debug EBOOT file
  • Add the DRM to the PS3 MFW / CFW that JB2 uses and validate it via the dongle

The above process will likely continue to work until Sony locks down the PS3 Debug EBOOT files.

PS3 JB2 Keys

The encryption keys for PS3 Debug Discs utilized by the PS3 JB2 method can be found below.

Download: PS3 Keys / GIT

[Register or Login to view code]

PS3 CFW JailBreak 2 and JB2 Updater RE for PlayStation 3 Details

PS3 CFW JailBreak 2 and JB2 Updater RE for PlayStation 3 Details

PS3 CFW JailBreak 2 and JB2 Updater RE for PlayStation 3 Details

Follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 CFW forums for the latest PlayStation 3 scene and PS4 Hacks & JailBreak updates with PlayStation 4 homebrew PS4 Downloads.

#792 - technodon - June 12, 2012 // 7:10 pm
technodon's Avatar
i never tested my dongle updater before release, anyone else tried it? cause puss in boots seems to be the only one game that works it just happened to be the one that i tried? maybe i should start playing the lottery? lol. maybe it has some significance in reverse engineering the dongle though?

#791 - elser1 - June 12, 2012 // 10:41 am
elser1's Avatar
i'm a little confused (nothing new there) so does this mean with the pkg i can use a tb dongle once then instal pkg and no longer need dongle?

that would be great if so and if someone would lend/hire me a dongle for a day.. LOL

#790 - Xyth - June 12, 2012 // 9:29 am
Xyth's Avatar
Wololo's thoughts are ridiculously nonsense. Who cares if TB team will change encryption scheme. They still want us to believe if someone hacks TB, there will be no more new games. This is the same logic if we share PS3 exploits they can patch it. Who cares if Sony of TB patch their exploits. Of caurse they'll patch it, it is their job to protect their property. But if you call yourself a scene developer you can always comeup wit a new solution. This is what makes a scene The Scene.

These "It will lead to piracy" and "They can patch it" execuses are just a cover for their fear of Sony.

#789 - technodon - June 12, 2012 // 9:00 am
technodon's Avatar
following up on shad__'s excellent work on the modified true blue eboot, i repacked it as a installable pkg and also modified the text so it now reads remove the dongle and press x to return to the xmb. download link here:

#788 - PS4 News - June 7, 2012 // 11:40 am
PS4 News's Avatar
Below is an update from wololo (via dubbed PS3 - More dongles info decrypted by oct0xor (covered a few posts above), as follows:

PS3 hacker oct0xor, who was already behind the base work that led to initial reverse engineering of the True Blue dongle, just twitted that he can decrypt True Blue’s stage2, as well as critical information from other clone dongles.

I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC.

You really can call me “DongleBreaker” now Thanks to flat_z who was with me all along.

As I said earlier, the people behind True Blue are not amateurs in the hacking scene and could definitely leverage that type of information. Hackers like oct0xor are not fighting against “we don’t know about it until it’s too late” Sony, but against people who regularly check all scene websites, and take action.

I have no doubt that the next True Blue firmwares will change their encryption scheme, and if not, another “magical” dongle will pop up in the months to come, from another random company (the same people who made true blue, of course), with a completely different security system.

That is, unless PS3 hackers completely reverse engineer the system behind the True Blue dongle, in a way that Sony can finally understand how True Blue are able to patch 3.6+ games so easily, and hoping that future games will be protected against the True Blue patches. That would calm down piracy on the PS3, and people who don’t get it will claim that this could kill the PS3 scene.

#787 - jabberosx - June 4, 2012 // 5:30 pm
jabberosx's Avatar
This is good news. But at the same time ANOTHER frikking dongle is down right shameful. I mean whats the frikking point. arrgghhhhhh I know make more money by pirating from pirates. knowing still doesn't help.

#786 - RobertoSlip - June 3, 2012 // 4:24 pm
RobertoSlip's Avatar
should be transparent, this would greatly facilitate..

#785 - userix - June 3, 2012 // 3:51 pm
userix's Avatar
Can I flash back to kmeaw 3.55 after flashing tb cfw 3.55 or is it a one way street ordeal?

#784 - PS4 News - June 2, 2012 // 4:15 pm
PS4 News's Avatar
Today PlayStation 3 developer Naehrwert has blogged ( on reversing the TB (True Blue JB2 PS3 Dongle) Part 1: The VM with details below, to quote:

Thanks to oct0xor (!/oct0xor) we could get our hands on the decrypted TB payload (stage 2). Of course the first thing to do is to fire it up in IDA, our favourite tool of the trade. The entry code of the payload looks like this:

[Register or Login to view code]

In the first loop it will relocate itself using 0x1337C0DE as an identifier for the upper 32 bits and rewrite that to the actual base. The disassembly above was already loaded using 0x1337C0DE00000000 as base. While scrolling through the data section at the end of the payload one quickly figures out that the RTOC is 0x1337C0DE00017E40.

As I was analyzing the code I found a sub that was basically just a really big switch with random looking case values. Once I reversed the sub at 0x1337C0DE00002578 and some of the following ones and analyzed their usage in the switch sub, I knew that I was looking at a fricking virtual machine.

[Register or Login to view code]

Paranoid TB developers even used XOR-tables to obfuscate the VM instructions and data. The virtual machine is mostly stack based but the instructions let you work using registers too. The next thing to do is to reverse all the instructions and write a disassembler and emulator. Here ( is some code to unscramble the embeded vm binary for further investigation. I’m going to write more about this topic in the future.

[Register or Login to view code]

From shad__ on IRC for TB DRM dongle users: EBOOT.BIN

[shad__] if it can help, you can play tb eboot without tb plugged in. Just, patch sys_sm_shutdown call in TB update pkg and unplugg Tb dongle then press x to exit.It will exit without reset lv1 and lv2.
[shad__] POC:
[shad__] Now you can share your dongle with your friends
[shad__] was [email protected] * New Now Know How

Also this weekend Team E3DIY claim that they have also managed to run all PlayStation 3 games on 3.55 PS3 CFW (similar to TB/JB2) but they will likely peddle another dongle to do it unfortunately instead of a free PS3 scene solution.

Finally from oct0xor (via!/oct0xor):

ps3usercheat skip r4=%x,r5=%x main_EBOOT.BIN main_vsh.self

I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC.

You really can call me "DongleBreaker" now Thanks to flat_z who was with me all along.

#783 - PS4 News - May 30, 2012 // 9:05 am
PS4 News's Avatar
Below is an update on the True Blue PS3 JB2 Dongle new security packaging, as follows:

30 - 5 – 2012

New packaging for True Blue incorporating security measures and an updated picture identification reference for clones

Due to the recent emergence of clones we are introducing a new packaging system and a security sticker on the dongle itself to help ensure customers receive original True Blue dongles.

Firstly, a new blister pack with a label over the blister will be introduced, as shown below. This provides several measures for the user to identify if the True Blue device received is likely to be original.

Note the unique security patterns in silver which are difficult to counterfeit, due to the colour variations on the background colours, materials used and complexity of the pattern itself. If the label appears to be stretched or appears to have been used before, then careful attention should be paid to the security sticker on the dongle itself.

The security sticker adhered to the dongle itself (shown below), partially covering the cap will provide the user with an indication of whether or not the dongle has been tampered with before delivery. Therefore, if the portion of the sticker covering the dongle cap has been broken, then it is possible that the dongle may have been tampered with. If this is the case, please use the TrueBlue 2.7 firmware as a means to check the authenticity of the dongle.

If the word clone appears in the PS3 XMB where the TrueBlue 2.7 version number is stated, then you should contact your reseller for assistance. Security stickers are designed with a number of security considerations in mind and are very difficult to reproduce exactly. This will aid retailers and end users in determining whether the product received is an original.

Some original True Blue dongles are in the supply chain yet to be sold, which do not have the new packaging. If you receive a True Blue dongle without the new packaging, then simply use the True Blue 2.7 firmware to identify whether or not it is an original. Details can be found on the information page and inside the 2.7 firmware download package on the downloads page.

Finally, we are updating the picture references for users to identify whether their PCB is an original True Blue or a CLONE. We have released several revisions of the True Blue PCB’s which are shown below. The recent CLONE posing as True Blue in a similar casing is also shown below and referenced as CLONE. If you have received one of these clones instead of the original True Blue you ordered, then you should contact the retailer who you purchased it from for a refund.