PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

166w ago - Following up on the previous True Blue (TB) PS3 JailBreak 2 (JB2) DRM-infected dongle news comes a WIP update from Shadoxi on dumping and decrypting the TB and Cobra payloads below, as follows:

Download: TB / Cobra Payloads (2.84 MB) / TB / Cobra Payloads (2.84 MB - Mirror) / TB / Cobra Payloads (2.84 MB - Mirror) / PS3 True Blue MFW (172.19 MB)

I have figured out where the payload is located of the TB and Cobra dongles. You can find it at offset @360000 in lv2_kernel and 7f0000 in PS3 memory. According to the PS3 Developer Wiki (ps3devwiki.com/index.php/ReDRM_/_Piracy_dongles) the LV2 dump payload at 0x7f0000 has also been decrypted @ LV2 dump 0x7f0000 (pastebin.com/3VG76HQs)

Drag and drop payload in IDA and load it in Binary file mode, Processor type PPC.Press "C" to convert in ASM code.

First of all you need to edit the header of lv2_kernel.self (from CFW TrueBlue) at offset 0x1D, replace 36 1A 00 by 4C FC F0. And decrypt it with unself tool from fail0verflow. Open lv2_kernel.elf with IDA Pro (in binary file mode), go to offset 360000 and press "C" to convert to asm code.

TrueBlue use some HVCALL:

  • lv1_insert_htab_entry
  • lv1_undocumented_function_114
  • lv1_undocumented_function_115
  • lv1_allocate_device_dma_region
  • lv1_map_device_dma_region
  • lv1_net_start_tx_dma
  • lv1_net_control
  • lv1_panic (shutdown ps3 when TB is unplugged)

This payload do some HVCALL:

  • lv1_insert_htab_entry (map lv1)
  • lv1_allocate_device_dma_region (?)
  • lv1_map_device_dma_region (?)
  • lv1_net_start_tx_dma (?)
  • lv1_net_control (?)
  • lv1_panic (shutdown ps3 when TrueBlue dongle is unplugged)
  • lv1_undocumented_function_114 (map lv1)
  • lv1_undocumented_function_115 (unmap lv1)

We needed to dump lv2 and lv1 memory when the dongle is plugged in, so I created a modified TB CFW with peek and poke syscall. It works fine !

Finally, from the MFW_TrueBLue.zip ReadMe file: Warning this mfw can brick your dongle !!!

  • First install PS3PEEKTEST.pkg
  • Install MFW TrueBlue firmware in recovery mode
  • Start ps3peektest

If Peek Result is equal to 10 and true blue light is green -> work.


True Blue (TB) and Cobra PS3 JB2 DRM Dongle Payloads WIP

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew PS3 Downloads. Enjoy!


  • Sponsored Links




#792 - technodon - 150w ago
technodon's Avatar
i never tested my dongle updater before release, anyone else tried it? cause puss in boots seems to be the only one game that works it just happened to be the one that i tried? maybe i should start playing the lottery? lol. maybe it has some significance in reverse engineering the dongle though?

#791 - elser1 - 150w ago
elser1's Avatar
i'm a little confused (nothing new there) so does this mean with the pkg i can use a tb dongle once then instal pkg and no longer need dongle?

that would be great if so and if someone would lend/hire me a dongle for a day.. LOL

#790 - Xyth - 150w ago
Xyth's Avatar
Wololo's thoughts are ridiculously nonsense. Who cares if TB team will change encryption scheme. They still want us to believe if someone hacks TB, there will be no more new games. This is the same logic if we share PS3 exploits they can patch it. Who cares if Sony of TB patch their exploits. Of caurse they'll patch it, it is their job to protect their property. But if you call yourself a scene developer you can always comeup wit a new solution. This is what makes a scene The Scene.

These "It will lead to piracy" and "They can patch it" execuses are just a cover for their fear of Sony.

#789 - technodon - 150w ago
technodon's Avatar
following up on shad__'s excellent work on the modified true blue eboot, i repacked it as a installable pkg and also modified the text so it now reads remove the dongle and press x to return to the xmb. download link here: http://www.putlocker.com/file/6B780406C00FD776

#788 - PS4 News - 151w ago
PS4 News's Avatar
Below is an update from wololo (via wololo.net/2012/06/06/ps3-more-dongles-info-decrypted-by-oct0xor/) dubbed PS3 - More dongles info decrypted by oct0xor (covered a few posts above), as follows:

PS3 hacker oct0xor, who was already behind the base work that led to initial reverse engineering of the True Blue dongle, just twitted that he can decrypt True Blue’s stage2, as well as critical information from other clone dongles.

I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC.

You really can call me “DongleBreaker” now Thanks to flat_z who was with me all along.

As I said earlier, the people behind True Blue are not amateurs in the hacking scene and could definitely leverage that type of information. Hackers like oct0xor are not fighting against “we don’t know about it until it’s too late” Sony, but against people who regularly check all scene websites, and take action.

I have no doubt that the next True Blue firmwares will change their encryption scheme, and if not, another “magical” dongle will pop up in the months to come, from another random company (the same people who made true blue, of course), with a completely different security system.

That is, unless PS3 hackers completely reverse engineer the system behind the True Blue dongle, in a way that Sony can finally understand how True Blue are able to patch 3.6+ games so easily, and hoping that future games will be protected against the True Blue patches. That would calm down piracy on the PS3, and people who don’t get it will claim that this could kill the PS3 scene.

#787 - jabberosx - 151w ago
jabberosx's Avatar
This is good news. But at the same time ANOTHER frikking dongle is down right shameful. I mean whats the frikking point. arrgghhhhhh I know make more money by pirating from pirates. knowing still doesn't help.

#786 - RobertoSlip - 151w ago
RobertoSlip's Avatar
should be transparent, this would greatly facilitate..

#785 - userix - 151w ago
userix's Avatar
Can I flash back to kmeaw 3.55 after flashing tb cfw 3.55 or is it a one way street ordeal?

#784 - PS4 News - 151w ago
PS4 News's Avatar
Today PlayStation 3 developer Naehrwert has blogged (nwert.wordpress.com/2012/06/02/reversing-tb-part-1-the-vm/) on reversing the TB (True Blue JB2 PS3 Dongle) Part 1: The VM with details below, to quote:

Thanks to oct0xor (twitter.com/#!/oct0xor) we could get our hands on the decrypted TB payload (stage 2). Of course the first thing to do is to fire it up in IDA, our favourite tool of the trade. The entry code of the payload looks like this:

[Register or Login to view code]


In the first loop it will relocate itself using 0x1337C0DE as an identifier for the upper 32 bits and rewrite that to the actual base. The disassembly above was already loaded using 0x1337C0DE00000000 as base. While scrolling through the data section at the end of the payload one quickly figures out that the RTOC is 0x1337C0DE00017E40.

As I was analyzing the code I found a sub that was basically just a really big switch with random looking case values. Once I reversed the sub at 0x1337C0DE00002578 and some of the following ones and analyzed their usage in the switch sub, I knew that I was looking at a fricking virtual machine.

[Register or Login to view code]


Paranoid TB developers even used XOR-tables to obfuscate the VM instructions and data. The virtual machine is mostly stack based but the instructions let you work using registers too. The next thing to do is to reverse all the instructions and write a disassembler and emulator. Here (pastie.org/4015202) is some code to unscramble the embeded vm binary for further investigation. I’m going to write more about this topic in the future.

[Register or Login to view code]


From shad__ on IRC for TB DRM dongle users: EBOOT.BIN

[shad__] if it can help, you can play tb eboot without tb plugged in. Just, patch sys_sm_shutdown call in TB update pkg and unplugg Tb dongle then press x to exit.It will exit without reset lv1 and lv2.
[shad__] POC: http://www.mediafire.com/?z42clbkhjju1khy
[shad__] Now you can share your dongle with your friends
[shad__] was ~chatzilla@55.219.73.86.rev.sfr.net * New Now Know How

Also this weekend Team E3DIY claim that they have also managed to run all PlayStation 3 games on 3.55 PS3 CFW (similar to TB/JB2) but they will likely peddle another dongle to do it unfortunately instead of a free PS3 scene solution.

Finally from oct0xor (via twitter.com/#!/oct0xor):

ps3usercheat skip r4=%x,r5=%x main_EBOOT.BIN main_vsh.self

I can decrypt TrueBlue Stage 2, Cobra EBOOT.BIN, ps3usercheat cheatlist.dat and lv2 stage 1 and 2, right on PC. pic.twitter.com/b2awqYLv

You really can call me "DongleBreaker" now Thanks to flat_z who was with me all along.


#783 - PS4 News - 152w ago
PS4 News's Avatar
Below is an update on the True Blue PS3 JB2 Dongle new security packaging, as follows:

30 - 5 – 2012

New packaging for True Blue incorporating security measures and an updated picture identification reference for clones

Due to the recent emergence of clones we are introducing a new packaging system and a security sticker on the dongle itself to help ensure customers receive original True Blue dongles.

Firstly, a new blister pack with a label over the blister will be introduced, as shown below. This provides several measures for the user to identify if the True Blue device received is likely to be original.

Note the unique security patterns in silver which are difficult to counterfeit, due to the colour variations on the background colours, materials used and complexity of the pattern itself. If the label appears to be stretched or appears to have been used before, then careful attention should be paid to the security sticker on the dongle itself.


The security sticker adhered to the dongle itself (shown below), partially covering the cap will provide the user with an indication of whether or not the dongle has been tampered with before delivery. Therefore, if the portion of the sticker covering the dongle cap has been broken, then it is possible that the dongle may have been tampered with. If this is the case, please use the TrueBlue 2.7 firmware as a means to check the authenticity of the dongle.

If the word clone appears in the PS3 XMB where the TrueBlue 2.7 version number is stated, then you should contact your reseller for assistance. Security stickers are designed with a number of security considerations in mind and are very difficult to reproduce exactly. This will aid retailers and end users in determining whether the product received is an original.


Some original True Blue dongles are in the supply chain yet to be sold, which do not have the new packaging. If you receive a True Blue dongle without the new packaging, then simply use the True Blue 2.7 firmware to identify whether or not it is an original. Details can be found on the information page and inside the 2.7 firmware download package on the downloads page.

Finally, we are updating the picture references for users to identify whether their PCB is an original True Blue or a CLONE. We have released several revisions of the True Blue PCB’s which are shown below. The recent CLONE posing as True Blue in a similar casing is also shown below and referenced as CLONE. If you have received one of these clones instead of the original True Blue you ordered, then you should contact the retailer who you purchased it from for a refund.