Editing ReDRM / Piracy dongles
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 11: | Line 11: | ||
* It can only play such content which is re-encrypted/resigned with the key supported by the dongle. | * It can only play such content which is re-encrypted/resigned with the key supported by the dongle. | ||
** Such content was limited to already decryptable and debug eboot.bin's. | ** Such content was limited to already decryptable and debug eboot.bin's. | ||
*** Titles in the wild were | *** Titles in the wild were all released by PARADOX (patches) & PARADiSO (full pirated releases). There was also lighttake, which sold full pre-patched pirated Blu-ray discs. It seems possible that they were involved in the TrueBlue production/distribution. Profiting from or otherwise receiving money for re-applying DRM could likely be considered a scam. | ||
*** No public tools exist for 'converting' to TB format (re-encrypting/resigning) - making TB dongle users completely dependent on warez release groups like PARADOX/PARADiSO | *** No public tools exist for 'converting' to TB format (re-encrypting/resigning) - making TB dongle users completely dependent on warez release groups like PARADOX/PARADiSO. | ||
* Content for Firmware v3.55 and lower still works (after all, its just a MFW 3.55) - with some exceptions (in some cases it will even brick the dongle when running certain pieces of homebrew). | * Content for Firmware v3.55 and lower still works (after all, its just a MFW 3.55) - with some exceptions (in some cases it will even brick the dongle when running certain pieces of homebrew). | ||
* Needs the MFW (and cannot work on OFW's, that is why there is no 'power/eject trick') | * Needs the MFW (and cannot work on OFW's, that is why there is no 'power/eject trick') | ||
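Review bot: The restored text for the "Titles in the wild were" bullet mixes a factual statement with two unsourced ones: that lighttake "seems possible" to have been involved in TrueBlue production/distribution, and that receiving money for re-applying DRM "could likely be considered a scam". Keep the release-group attribution as its own bullet and either cite a source for the involvement claim or move both opinion sentences to the talk page.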
Line 257: | Line 257: | ||
==== AMS1117 2.851049 - Low Dropout Linear Regulator ==== | ==== AMS1117 2.851049 - Low Dropout Linear Regulator ==== | ||
Datasheet: | Datasheet: | ||
* | * http://www.ps3devwiki.com/files/reDRM/TrueBlue/Datasheets/AMS1117-.pdf | ||
* | * http://www.ps3devwiki.com/files/reDRM/TrueBlue/Datasheets/AMS1117.pdf<!--// http://www.sltdigital.com/product/product_pdf/AMS1117.pdf / http://home1.cyber-labo.co.jp/board/goods/pdf/AMS1117.pdf //--> <br /> | ||
[[:File:AMS1117 - SOT-223.png]] | [[:File:AMS1117 - SOT-223.png]] | ||
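Review bot: The first restored datasheet bullet points at "AMS1117-.pdf", a file name ending in a bare hyphen, next to a second bullet for "AMS1117.pdf"; this looks like a truncated part suffix or a duplicate. Confirm that both files exist and differ, otherwise keep one. The HTML comment on the second bullet also carries two third-party mirror URLs that readers never see; list them visibly if they are useful, or drop them.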
Line 328: | Line 328: | ||
I - Temperature Range: Industrial (-40'C ~ 85'C) | I - Temperature Range: Industrial (-40'C ~ 85'C) | ||
G - Environment: Green Package (Lead-free, RoHS Compliant, Halogen-free (TBBA), Antimony-Oxie-free)</pre> | G - Environment: Green Package (Lead-free, RoHS Compliant, Halogen-free (TBBA), Antimony-Oxie-free)</pre> | ||
datasheet: [http://www.winbond.com/NR/rdonlyres/C6366616-2CB7-49F8-A1F9-3BC363DF9480/0/W25X16A.pdf W25X16A.pdf (1.3 MB)] / | datasheet: [http://www.winbond.com/NR/rdonlyres/C6366616-2CB7-49F8-A1F9-3BC363DF9480/0/W25X16A.pdf W25X16A.pdf (1.3 MB)] / http://www.ps3devwiki.com/files/reDRM/Datasheets/W25X16A.pdf <br /> | ||
Note: can use [http://blog.hodgepig.org/busninja/ Bus Ninja] or [http://flashrom.org/Bus_Pirate Bus Pirate] and [http://flashrom.org/Flashrom FlashROM] - <abbr title="In-System Programming (ISP)">ISP</abbr> is possible, so long as no other devices on the SPI bus are trying to access the device (in that case, you might want to cut Vcc to the FPGA or the regulator for it). | Note: can use [http://blog.hodgepig.org/busninja/ Bus Ninja] or [http://flashrom.org/Bus_Pirate Bus Pirate] and [http://flashrom.org/Flashrom FlashROM] - <abbr title="In-System Programming (ISP)">ISP</abbr> is possible, so long as no other devices on the SPI bus are trying to access the device (in that case, you might want to cut Vcc to the FPGA or the regulator for it). | ||
Line 360: | Line 360: | ||
==== STM32 F103C8T6 : U2 ==== | ==== STM32 F103C8T6 : U2 ==== | ||
U2 <br /> | U2 <br /> | ||
datasheet: [ | datasheet: [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Datasheets/stm32_f103c8t6.pdf stm32_f103c8t6.pdf (1.38 MB)] | ||
===== Pinout STM32 F103C8T6 LQFP48 ===== | ===== Pinout STM32 F103C8T6 LQFP48 ===== | ||
<div style="float:right">[[File:STM32 F103C8T6 - LQFP48.png|200px|thumb|left|STMicroelectronics STM32 F103C8T6 - LQFP48 package]]</div> | <div style="float:right">[[File:STM32 F103C8T6 - LQFP48.png|200px|thumb|left|STMicroelectronics STM32 F103C8T6 - LQFP48 package]]</div> | ||
Line 702: | Line 702: | ||
= Downloads = | = Downloads = | ||
== First release (1.0/2.1) == | == First release (1.0/2.1) == | ||
* MFW: [ | * MFW: [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Firmware/Jailbreak2.CFW.rar Jailbreak2.CFW.rar (172.34 MB)]<!--//http://www.filesonic.nl/file/2688912531/Jailbreak2.CFW.zip (password: whyudie)//--> | ||
** Alternative FW compatible with the PSJB2/TrueBlue dongle DRM lock-in : [http://rebug.me REBUG 3.55.2 TB EDITION] / [ | ** Alternative FW compatible with the PSJB2/TrueBlue dongle DRM lock-in : [http://rebug.me REBUG 3.55.2 TB EDITION] / [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Firmware/3.55.2_TBE_Links.rar 3.55.2_TBE_Links.rar] | ||
* Dongle Updater v2.1: [ | * Dongle Updater v2.1: [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.1/dongle-updater.pkg dongle-updater.pkg (2.1 MB)]<!--//http://www.filesonic.nl/file/2689038911/JB2.Dongle.Updater.zip (password: whyudie)//--> | ||
== Update 2.2 == | == Update 2.2 == | ||
* Dongle Updater v2.2: | * Dongle Updater v2.2: http://www.ps3devwiki.com/files/TrueBlue/Updates/TrueBlueUpdate-2.2/ | ||
== FW Info (1.0/2.1) == | == FW Info (1.0/2.1) == | ||
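Review bot: The "Dongle Updater v2.2" link uses the path /files/TrueBlue/Updates/TrueBlueUpdate-2.2/, while every other link restored by this edit sits under /files/reDRM/TrueBlue/; check which path is correct before publishing. The MFW and updater entries are plain-http downloads listed without any digest, unlike the payload entries further down that give SHA1 and MD5, so add a SHA1 beside each archive to let readers verify what they fetched. The two HTML comments keep file-host URLs and an archive password in the page source and should be removed or made visible.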
Line 776: | Line 776: | ||
http://www.ps3hax.net/2012/03/finally-jb-king-cracks-v2-5-update/ | http://www.ps3hax.net/2012/03/finally-jb-king-cracks-v2-5-update/ | ||
http://www.ps3devwiki.com/files/reDRM/JBKing/Updates/JBKing%202.5/ | |||
=Content discs= | =Content discs= | ||
Line 849: | Line 849: | ||
== Paradox TB == | == Paradox TB == | ||
Note: Releases seen in the wild are full BD content prepatched for TrueBlue. We are only interested in documenting/reversing, so please don't post full links (only stripped). | Note: Releases seen in the wild are full BD content prepatched for TrueBlue. We are only interested in documenting/reversing, so please don't post full links (only stripped). | ||
* [ | * [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Patches/portal_2_BLUS30732_TB.rar portal_2_BLUS30732_TB.rar (78.04 MB)] | ||
=== EBOOT.BIN details === | === EBOOT.BIN details === | ||
Line 857: | Line 857: | ||
== FW Changes (1.0/2.1) == | == FW Changes (1.0/2.1) == | ||
Compared to OFW 3.55: | Compared to OFW 3.55: | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Firmware/analysis/ofw-vs-jb2.rar ofw-vs-jb2.rar (4.18 MB)] | ||
====EULA.xml==== | ====EULA.xml==== | ||
<pre> <str id="msg_updater_10">This update will install PS3 system software version 3.55, modified to support homebrew software and the disc dongle.</str> </pre> | <pre> <str id="msg_updater_10">This update will install PS3 system software version 3.55, modified to support homebrew software and the disc dongle.</str> </pre> | ||
Line 885: | Line 885: | ||
only 1 function change, and a section added <br /> | only 1 function change, and a section added <br /> | ||
sub_28fe30 is replaced <small>1)</small><br /> | sub_28fe30 is replaced <small>1)</small><br /> | ||
the new section is loaded at 0x80000000007f0000 (which is where those payloads are being loaded) [ | the new section is loaded at 0x80000000007f0000 (which is where those payloads are being loaded) [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Firmware/analysis/lv2_kernel.bin lv2_kernel.bin (6.41 KB)] | ||
<small>note 1) : * ''the 28fe30 function is replaced with OFW code during exploit execution (which is why it is OFW, when there is no dongle). That 28fe30 function mounts dev_flash, so they are in control before even dev_flash loads. When lv2 loads dev_flash, the exploit is triggered which, among the things it does, is replace the function with the proper one to mount dev_flash, then branchs to it and boot continues.''</small> | <small>note 1) : * ''the 28fe30 function is replaced with OFW code during exploit execution (which is why it is OFW, when there is no dongle). That 28fe30 function mounts dev_flash, so they are in control before even dev_flash loads. When lv2 loads dev_flash, the exploit is triggered which, among the things it does, is replace the function with the proper one to mount dev_flash, then branchs to it and boot continues.''</small> | ||
Line 920: | Line 920: | ||
== 2.1 == | == 2.1 == | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.1/dongle-updater.pkg TrueBlueUpdate-2.1/dongle-updater.pkg] | ||
Dongle is released with 1.0, this PKG is used to update the dongle to 2.1 | Dongle is released with 1.0, this PKG is used to update the dongle to 2.1 | ||
Line 935: | Line 935: | ||
002084E0 001FFFF0 EB 3B 01 F7 6F A9 CF 3C B6 EB 89 82 7D E6 7D 3B ë;.÷o©Ï<¶ë‰‚}æ}; | 002084E0 001FFFF0 EB 3B 01 F7 6F A9 CF 3C B6 EB 89 82 7D E6 7D 3B ë;.÷o©Ï<¶ë‰‚}æ}; | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.1/TB_dongle_payload.bin TrueBlueUpdate-2.1/TB_dongle_payload.bin (2 MB)] | ||
SHA1: 43402D6FE2ECE43EBE91531EFA07C366D46DD121 // MD5: BA5AFAB174BF6003D41AC8951301B822 // CRC32: 248284D2 // CRC16: 8C78 | SHA1: 43402D6FE2ECE43EBE91531EFA07C366D46DD121 // MD5: BA5AFAB174BF6003D41AC8951301B822 // CRC32: 248284D2 // CRC16: 8C78 | ||
Line 1,422: | Line 1,422: | ||
True Blue Dongle Update v2.2 - Initial worldwide release | True Blue Dongle Update v2.2 - Initial worldwide release | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.2/TrueBlueUpdate-2.2.pkg TrueBlueUpdate-2.2/TrueBlueUpdate-2.2.pkg] | ||
SHA1: 504D53CD6EDFA3382510CCB40CE49F802073FBD4 // MD5: A09CBCD5B3AEC31B07D974BEB4AC21FE // CRC32: 82F977CC // CRC16: 92D4 | SHA1: 504D53CD6EDFA3382510CCB40CE49F802073FBD4 // MD5: A09CBCD5B3AEC31B07D974BEB4AC21FE // CRC32: 82F977CC // CRC16: 92D4 | ||
Line 1,433: | Line 1,433: | ||
0007B588 00072EF0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | 0007B588 00072EF0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.2/TB_payload_2.2.bin payload2-2.bin (459.75 KB)] | ||
SHA1: 69953C9CF60E67E798A22C1016ABCB44A1D42CDF // MD5: F0826BA059B352BC6100647DB7EFDE5F // CRC32: 4B3C2132 // CRC16: 8181 | SHA1: 69953C9CF60E67E798A22C1016ABCB44A1D42CDF // MD5: F0826BA059B352BC6100647DB7EFDE5F // CRC32: 4B3C2132 // CRC16: 8181 | ||
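Review bot: The restored link label "payload2-2.bin" does not match its target file name "TB_payload_2.2.bin". Use the real file name as the label, as the 2.3 and 2.4 entries do, so the SHA1/MD5 line below can be tied unambiguously to the file it describes.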
Line 2,229: | Line 2,229: | ||
== 2.3 == | == 2.3 == | ||
True Blue Dongle Update v2.3 - [ | True Blue Dongle Update v2.3 - [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.3/TrueBlueUpdate-2.3.pkg /TrueBlueUpdate-2.3/TrueBlueUpdate-2.3.pkg] | ||
* Fixed games requiring "BD Mirror" | * Fixed games requiring "BD Mirror" | ||
* True Blue firmware version is now displayed on the XMB "System Information" screen | * True Blue firmware version is now displayed on the XMB "System Information" screen | ||
Line 2,245: | Line 2,245: | ||
0007BD88 000736F0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | 0007BD88 000736F0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.3/payload_2.3.bin payload_2.3.bin (461.75 KB)] | ||
SHA1: DD8C3302F5F2394B2A0D907DE972AFB8E94DB0B5 // MD5: 7E4C3C6D7BA24375D3BE83074D882E0A // CRC32: 7D748CE8 // CRC16: 4A3B | SHA1: DD8C3302F5F2394B2A0D907DE972AFB8E94DB0B5 // MD5: 7E4C3C6D7BA24375D3BE83074D882E0A // CRC32: 7D748CE8 // CRC16: 4A3B | ||
Line 2,274: | Line 2,274: | ||
== 2.4 == | == 2.4 == | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.4/TrueBlueUpdate-2.4.pkg TrueBlueUpdate-2.4/TrueBlueUpdate-2.4.pkg] | ||
=== Payload (2.4) === | === Payload (2.4) === | ||
located in unself'ed eboot.bin @ offset: | located in unself'ed eboot.bin @ offset: | ||
Line 2,283: | Line 2,283: | ||
000A3620 0009AEFF 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | 000A3620 0009AEFF 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.4/payload_2.4.bin payload_2.4.bin (619.75 KB)] | ||
SHA1: C062057BFBE4A0DF6C6C6E1B33C7561BC859C23F // MD5: 69FC4CE04DD4255A0BEEF4C2168F0AB0 // CRC32: 1C9EE18 // CRC16: 85DE | SHA1: C062057BFBE4A0DF6C6C6E1B33C7561BC859C23F // MD5: 69FC4CE04DD4255A0BEEF4C2168F0AB0 // CRC32: 1C9EE18 // CRC16: 85DE | ||
IDA DB: [ | IDA DB: [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.4/EBOOT_SHT_fixed.i64 EBOOT_SHT_fixed.i64 (3.01 MB)] | ||
== 2.5 == | == 2.5 == | ||
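Review bot: The digest line for payload_2.4.bin gives "CRC32: 1C9EE18", seven hex digits where every other CRC32 on the page has eight. The value is the same in both columns, so this edit did not introduce it, but it is worth recomputing against the file and writing the full 32-bit value while the section is being touched.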
Line 2,292: | Line 2,292: | ||
start: 8600, end: 63e00, size: 5b800 | start: 8600, end: 63e00, size: 5b800 | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.5/EBOOT,BIN.elf TrueBlueUpdate-2.5/EBOOT,BIN.elf] | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.5/update_data_2.5.bin TrueBlueUpdate-2.5/update_data_2.5.bin] | ||
== 2.61 == | == 2.61 == | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.61/TrueBlueUpdate-2.61.pkg TrueBlueUpdate-2.61.pkg] | ||
=== Payload (2.61) === | === Payload (2.61) === | ||
located in unself'ed eboot.bin @ offset: | located in unself'ed eboot.bin @ offset: | ||
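Review bot: The first 2.5 link uses "EBOOT,BIN.elf" with a comma in both the URL and the label; verify the file name on the server, since a typo for a dot would leave the link dead. The two 2.5 files are also the only payload downloads in this edit without a SHA1/MD5 line, so add digests in the same format as the 2.4 and 2.61 entries.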
Line 2,306: | Line 2,306: | ||
00066F58 0005E7F0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | 00066F58 0005E7F0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.61/payload_2.61.bin payload_2.61.bin (378 KB)] | ||
SHA1: 7CEA46601B717912D6A434CA2C164E0A9B890825 // MD5: 1114BC3061581FC592A3797B340FD545 // CRC32: B66F50FD // CRC16: B685 | SHA1: 7CEA46601B717912D6A434CA2C164E0A9B890825 // MD5: 1114BC3061581FC592A3797B340FD545 // CRC32: B66F50FD // CRC16: B685 | ||
IDA DB: [ | IDA DB: [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.61/TrueBlueUpdate-2.61.idc TrueBlueUpdate-2.61.idc (203 KB)] | ||
== 2.62 == | == 2.62 == | ||
Line 2,320: | Line 2,320: | ||
0005E7F0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | 0005E7F0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.62/payload_2.62.bin payload_2.62.bin (378 KB)] | ||
SHA1: C5D37456FD5E59CFB648C82BBBE3FD95875E7C49 // MD5: 870C58F2CEC6BDB0ACF43EDD459ECD1C // CRC32: 35B2B2CA // CRC16: E3DE | SHA1: C5D37456FD5E59CFB648C82BBBE3FD95875E7C49 // MD5: 870C58F2CEC6BDB0ACF43EDD459ECD1C // CRC32: 35B2B2CA // CRC16: E3DE | ||
Line 2,332: | Line 2,332: | ||
00067fc8 0005F7F0 D9 5A C0 45 E8 78 E6 C6 16 0A 98 10 1B CA 52 3B ÙZÀEèxæÆ..˜..ÊR; | 00067fc8 0005F7F0 D9 5A C0 45 E8 78 E6 C6 16 0A 98 10 1B CA 52 3B ÙZÀEèxæÆ..˜..ÊR; | ||
[ | [http://www.ps3devwiki.com/files/reDRM/TrueBlue/Updates/TrueBlueUpdate-2.7/TB_payload_27.bin TB_payload_27.bin (382 KB)] | ||
SHA1: 107A4E37471D58E79B6F8A884FF09DD3A5F83DD0 // MD5: 495970F92139F966BF78E43509BB7C38 // CRC32: FBA0FCEB // CRC16: AD81 | SHA1: 107A4E37471D58E79B6F8A884FF09DD3A5F83DD0 // MD5: 495970F92139F966BF78E43509BB7C38 // CRC32: FBA0FCEB // CRC16: AD81 | ||
{{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> | {{Reverse engineering}}<noinclude>[[Category:Main]]</noinclude> |