Editing ReDRM / Piracy dongles
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
[[Category:Software]][[Category:Hardware]] | |||
=Description= | =Description= | ||
Dongle is DRM to make sure you have the dongle, the firmware 'special' functionality will not work without it. | |||
Contentdisc's contain fself'ed eboot.bin's. <br /> | |||
Hardwarewise, there are many simularities with [[PS3Cobra_Payload_Reverse_Engineering#Hardware_Dongle|PS3Cobra]] | |||
== | == Debunking == | ||
* '''If the content works with the dongle, that means the original content also works (without the dongle) | * '''If the content works with the dongle, that means the original content if resigned for 3.55 also works (without the dongle)!''' | ||
* | * No PSN (OFW and [[KaKaRoTo Kind of ´Jailbreak´]] do) | ||
* | * Cannot use special features for PS Vita (OFW and [[KaKaRoTo Kind of ´Jailbreak´]] can) | ||
* | |||
* It can only play such content which is re-encrypted/resigned with | * It does not play 3.6x+/3.7x+/4.x+ original content (it does not have the keys for it). | ||
** Such content | * It can only play such content which is re-encrypted/resigned with their donglekey. | ||
*** | ** Such content will be limited to those already decryptable and debug eboot.bin's. | ||
** | *** At this moment, only a few titles in the wild released: | ||
* Content for | **** all by PARADOX (patches)/PARADiSO (full pirated releases) and lighttake that sells full prepatched pirated BD-discs, which makes it seem they are into the money/DRM scam or otherwise profiting from releasing for it. | ||
* Needs the MFW (and cannot work on OFW's, that is why there is no | **** Because the resellers profit from selling discs, those titles will not be released by PARADOX (patches)/PARADiSO (full pirated releases) | ||
**** You can hear daily 'more games today' and still see nothing released for 5+ days in a row | |||
** no public tools exist for 'converting' to TB format (re-encryption/resigning) - making you completely dependant of releasegroups like PARADOX/PARADiSO. | |||
* Content for 3.55 and lower still work (after all, its just a MFW 3.55) - with some exceptions (in some cases it will even brick the dongle when running those homebrew) | |||
* Needs the MFW (and cannot work on OFW's, that is why there is 'no power/eject trick') | |||
* Cannot be used for downgraded consoles (which rely on lv1 syscon hashcheck patches) | * Cannot be used for downgraded consoles (which rely on lv1 syscon hashcheck patches) | ||
* If you are using special | * If you are using special firmwares now, they will not be compatible with this one. e.g. Incompatible with: | ||
** OtherOS++ | ** OtherOS++ | ||
** Proper MFW's | ** Proper MFW's | ||
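Review bot: The Debunking bullet about PARADOX/PARADiSO and lighttake states a motive ("which makes it seem they are into the money/DRM scam") rather than an observation; reword it to what can be verified (who released which titles, and in what form) and attribute it to a source. The bullet claiming some 3.55 homebrew "will even brick the dongle" names no title or report, so it needs the same treatment. In the same hunk, fix "simularities" to "similarities", "dependant of releasegroups" to "dependent on release groups", and "its just a MFW 3.55" to "it's just an MFW 3.55".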
Line 256: | Line 261: | ||
CLK for Actel <br /> | CLK for Actel <br /> | ||
==== AMS1117 2.851049 - Low Dropout Linear Regulator ==== | ==== AMS1117 2.851049 - Low Dropout Linear Regulator ==== | ||
Datasheet: | Datasheet: http://www.sltdigital.com/product/product_pdf/AMS1117.pdf / http://home1.cyber-labo.co.jp/board/goods/pdf/AMS1117.pdf <br /> | ||
[[:File:AMS1117 - SOT-223.png]] | [[:File:AMS1117 - SOT-223.png]] | ||
Line 284: | Line 287: | ||
|- | |- | ||
|} | |} | ||
==== Winbond 25X16AVSIG (SPI Flash 16Mbit) ==== | ==== Winbond 25X16AVSIG (SPI Flash 16Mbit) ==== | ||
Line 328: | Line 298: | ||
I - Temperature Range: Industrial (-40'C ~ 85'C) | I - Temperature Range: Industrial (-40'C ~ 85'C) | ||
G - Environment: Green Package (Lead-free, RoHS Compliant, Halogen-free (TBBA), Antimony-Oxie-free)</pre> | G - Environment: Green Package (Lead-free, RoHS Compliant, Halogen-free (TBBA), Antimony-Oxie-free)</pre> | ||
datasheet: [http://www. | datasheet: [http://www.multiupload.com/P2833U5SOW W25X16A.pdf (1.3 MB)] <br /> | ||
Note: can use [http://blog.hodgepig.org/busninja/ Bus Ninja] or [http://flashrom.org/Bus_Pirate Bus Pirate] and [http://flashrom.org/Flashrom FlashROM] - <abbr title="In-System Programming (ISP)">ISP</abbr> is possible, so long as no other devices on the SPI bus are trying to access the device (in that case, you might want to cut Vcc to the FPGA or the regulator for it). | Note: can use [http://blog.hodgepig.org/busninja/ Bus Ninja] or [http://flashrom.org/Bus_Pirate Bus Pirate] and [http://flashrom.org/Flashrom FlashROM] - <abbr title="In-System Programming (ISP)">ISP</abbr> is possible, so long as no other devices on the SPI bus are trying to access the device (in that case, you might want to cut Vcc to the FPGA or the regulator for it). | ||
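Review bot: The Winbond datasheet line in this hunk points at a file-upload link (multiupload.com) where the AMS1117 entry earlier on the page links straight to the PDF; a direct datasheet URL would be more durable and lets readers check the pinout and voltage figures against the source. While editing this block, "Antimony-Oxie-free" should read "Antimony-Oxide-free" and the temperature range is clearer as -40°C ~ 85°C.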
Line 352: | Line 322: | ||
|- | |- | ||
|} | |} | ||
====Test Points==== | |||
<div style="float:right">[[File:Psjb2-Trueblue-TESTPOINTS.jpg|200px|thumb|left|PSJB2/TrueBlue - Testpoints to Winbond SPI flash]]<br /></div> | |||
<pre>W - Winbond | |||
There are test points on the dongle that provice full pin access to the Winbond chip, be careful soldering to them since it is easy to pull off a test point.<br> | |||
<br> | |||
==== | == Dongle 2.0 == | ||
Supposed to be massproduced instead of manually soldered like the 1.0 dongle. Not seen in the wild yet. | |||
datasheet: [ | |||
===== Pinout STM32 F103C8T6 LQFP48 ===== | == Dongle Clones == | ||
<div style="float:right">[[File:STM32 F103C8T6 - LQFP48.png|200px|thumb|left|STMicroelectronics STM32 F103C8T6 - LQFP48 package]]</div> | |||
<div style="height:250px; overflow:auto"> | * JB-King is a "copy-cat" clone by dongle makers in China. (some have claimed by the makers of PS3Go) | ||
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | |||
|- bgcolor="#cccccc" | <table width="100%" align="left"><tr> | ||
! Pin !! Function !! Notes | <td align="left">[[File:Jb-king-front.jpg|200px|thumb|left|JB-King clone dongle front]]<br />[[File:JB-King BACK.jpg|200px|thumb|left|JB-King clone dongle - BACK]]</td> | ||
|- | <td align="left">[[File:JB-King_Dongle_Abkarino_DVD4Arab_01.png|200px|thumb|left|tb-king clone dongle overview]]</td> | ||
| 1 || VBAT || | <td align="left">[[File:JB-King_Dongle_Abkarino_DVD4Arab_02.png|200px|thumb|left|tb-king clone dongle board]]</td></tr></table> | ||
|- | |||
| 2 || PC13-TAMPER-RTC || | Its poetic, piracy and theft of the "intellectual property" of pirates and thieves. | ||
|- | |||
=== Components === | |||
==== Winbond 25X16AVSIG (SPI Flash 16Mbit) ==== | |||
<div style="float:right">[[File:W25X16A - SOIC-8.png|200px|thumb|left|8-pin TSSOP<br />Winbond 25X16A<br />SOIC-8 pinout]] | |||
<br /></div> | |||
<pre>W - Winbond | |||
25X - SPI Flash with 4KB sectors/64Kbyte blocks, dual output | |||
16A - 16Mbit / 2M-byte | |||
V - Supply Voltage 2.7 to 3.6V | |||
S - Package Type : 8pin SOIC 150-mil | |||
I - Temperature Range: Industrial (-40'C ~ 85'C) | |||
G - Environment: Green Package (Lead-free, RoHS Compliant, Halogen-free (TBBA), Antimony-Oxie-free)</pre> | |||
datasheet: [http://www.multiupload.com/P2833U5SOW W25X16A.pdf (1.3 MB)] <br /> | |||
Note: can use [http://blog.hodgepig.org/busninja/ Bus Ninja] or [http://flashrom.org/Bus_Pirate Bus Pirate] and [http://flashrom.org/Flashrom FlashROM] - <abbr title="In-System Programming (ISP)">ISP</abbr> is possible, so long as no other devices on the SPI bus are trying to access the device (in that case, you might want to cut Vcc to the FPGA or the regulator for it). | |||
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | |||
|- bgcolor="#cccccc" | |||
! Pin !! Usage !! I/O !! Remarks | |||
|- | |||
| 1 || /CS || I || Chip Select (high=deselect, low=select) | |||
|- | |||
| 2 || DO || O || Data output | |||
|- | |||
| 3 || /WP || I || Write Protect (active low) | |||
|- | |||
| 4 || GND || || Ground | |||
|- | |||
| 5 || DIO || I/O || Serial data input/output | |||
|- | |||
| 6 || CLK || I || Serial Clock | |||
|- | |||
| 7 || /HOLD || I || Hold (high=normal/resume, low=hold/pause) | |||
|- | |||
| 8 || VCC || || Vcc (min 2.7-max 3.6V @ Fr0 75MHz / min 3.0-max 3.6V @ Fastread Fr1 100MHz) | |||
|- | |||
|} | |||
====Test Points==== | |||
<br> | |||
<div style="float:right">[[File:Psjb2-Trueblue-TESTPOINTS.jpg|200px|thumb|left|PSJB2/TrueBlue - Testpoints to Winbond SPI flash]]</div> | |||
<br> | |||
==== STM32 F103C8T6 : U2 ==== | |||
U2 <br /> | |||
datasheet: [http://www.multiupload.com/WPXWYMX3UU stm32_f103c8t6.pdf (1.38 MB)] | |||
===== Pinout STM32 F103C8T6 LQFP48 ===== | |||
<div style="float:right">[[File:STM32 F103C8T6 - LQFP48.png|200px|thumb|left|STMicroelectronics STM32 F103C8T6 - LQFP48 package]]</div> | |||
<div style="height:250px; overflow:auto"> | |||
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | |||
|- bgcolor="#cccccc" | |||
! Pin !! Function !! Notes | |||
|- | |||
| 1 || VBAT || | |||
|- | |||
| 2 || PC13-TAMPER-RTC || | |||
|- | |||
| 3 || PC14-OSC32_IN || | | 3 || PC14-OSC32_IN || | ||
|- | |- | ||
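Review bot: In the Test Points section of this hunk, "<pre>W - Winbond" opens a preformatted block and no closing </pre> is visible before the sentence about the test points, so that sentence and the following <br> tags would render as preformatted text; drop the stray <pre> line or close it. The same sentence has "provice" for "provide". The hunk also carries the Winbond 25X16AVSIG part-number breakdown and pin table a second time under Dongle Clones, identical to the block earlier on the page; if the clone uses the same part, a link to the existing section avoids two copies drifting apart.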
Line 702: | Line 727: | ||
= Downloads = | = Downloads = | ||
== First release (1.0/2.1) == | == First release (1.0/2.1) == | ||
* MFW: [ | * MFW: [http://www.multiupload.com/O7SP26A83E Jailbreak2.CFW.rar (172.34 MB)]<!--//http://www.filesonic.nl/file/2688912531/Jailbreak2.CFW.zip (password: whyudie)//--> | ||
** Alternative FW compatible with the PSJB2/TrueBlue dongle DRM lock-in : [http://rebug.me REBUG 3.55.2 TB EDITION | ** Alternative FW compatible with the PSJB2/TrueBlue dongle DRM lock-in : [http://rebug.me REBUG 3.55.2 TB EDITION] | ||
* Dongle Updater v2.1: [ | * Dongle Updater v2.1: [http://www.multiupload.com/9YPQX47G7F JB2.Dongle.Updater.rar (2.1 MB)]<!--//http://www.filesonic.nl/file/2689038911/JB2.Dongle.Updater.zip (password: whyudie)//--> | ||
== Update 2.2 == | == Update 2.2 == | ||
* Dongle Updater v2.2: | * Dongle Updater v2.2: [http://www.multiupload.com/QU4XVYD4CF TrueBlueUpdate2_2.zip (544.2 KB)] | ||
== FW Info (1.0/2.1) == | == FW Info (1.0/2.1) == | ||
Line 772: | Line 796: | ||
Data length: 172890112 | Data length: 172890112 | ||
File hash : 93A7A95BFCFC263DCB4A18477062FDCC72BE47A0</pre> | File hash : 93A7A95BFCFC263DCB4A18477062FDCC72BE47A0</pre> | ||
=Content discs= | =Content discs= | ||
Line 849: | Line 868: | ||
== Paradox TB == | == Paradox TB == | ||
Note: Releases seen in the wild are full BD content prepatched for TrueBlue. We are only interested in documenting/reversing, so please don't post full links (only stripped). | Note: Releases seen in the wild are full BD content prepatched for TrueBlue. We are only interested in documenting/reversing, so please don't post full links (only stripped). | ||
* [ | * [http://www.multiupload.com/9A4DXVTXX9 portal_2_BLUS30732_TB.rar (78.04 MB)] | ||
=== EBOOT.BIN details === | === EBOOT.BIN details === | ||
Line 857: | Line 876: | ||
== FW Changes (1.0/2.1) == | == FW Changes (1.0/2.1) == | ||
Compared to OFW 3.55: | Compared to OFW 3.55: | ||
[ | [http://www.multiupload.com/LAIIB6IMX0 ofw-vs-jb2.rar (4.18 MB)] | ||
====EULA.xml==== | ====EULA.xml==== | ||
<pre> <str id="msg_updater_10">This update will install PS3 system software version 3.55, modified to support homebrew software and the disc dongle.</str> </pre> | <pre> <str id="msg_updater_10">This update will install PS3 system software version 3.55, modified to support homebrew software and the disc dongle.</str> </pre> | ||
Line 885: | Line 904: | ||
only 1 function change, and a section added <br /> | only 1 function change, and a section added <br /> | ||
sub_28fe30 is replaced <small>1)</small><br /> | sub_28fe30 is replaced <small>1)</small><br /> | ||
the new section is loaded at 0x80000000007f0000 (which is where those payloads are being loaded) [ | the new section is loaded at 0x80000000007f0000 (which is where those payloads are being loaded) [http://www.multiupload.com/CI5XRM3FOP lv2_kernel.bin (6.41 KB)] | ||
<small>note 1) : * ''the 28fe30 function is replaced with OFW code during exploit execution (which is why it is OFW, when there is no dongle). That 28fe30 function mounts dev_flash, so they are in control before even dev_flash loads. When lv2 loads dev_flash, the exploit is triggered which, among the things it does, is replace the function with the proper one to mount dev_flash, then branchs to it and boot continues.''</small> | <small>note 1) : * ''the 28fe30 function is replaced with OFW code during exploit execution (which is why it is OFW, when there is no dongle). That 28fe30 function mounts dev_flash, so they are in control before even dev_flash loads. When lv2 loads dev_flash, the exploit is triggered which, among the things it does, is replace the function with the proper one to mount dev_flash, then branchs to it and boot continues.''</small> | ||
Line 920: | Line 939: | ||
== 2.1 == | == 2.1 == | ||
Dongle is released with 1.0, this PKG is used to update the dongle to 2.1 | Dongle is released with 1.0, this PKG is used to update the dongle to 2.1 | ||
SHA1: 4066FFEFD723FAF08EB84A62F4AA38180C40129C // MD5: 0200689D58FCA0FC51F7B738C33A5DC9 // CRC32: 4D72836 // CRC16: 8A62 | SHA1: 4066FFEFD723FAF08EB84A62F4AA38180C40129C // MD5: 0200689D58FCA0FC51F7B738C33A5DC9 // CRC32: 4D72836 // CRC16: 8A62 | ||
Unpkg/unself'ed: [http://www.multiupload.com/XC00DAHUXP dongle-updater.pkg.out.rar (2.03 MB)] <br /> | |||
Plaintext visible in the unself'ed eboot.bin : http://pastebin.com/EFQczE2r (interesting note: it used /dev_hdd0/vsh/tmp.bin as temp for the payload)<br /> | Plaintext visible in the unself'ed eboot.bin : http://pastebin.com/EFQczE2r (interesting note: it used /dev_hdd0/vsh/tmp.bin as temp for the payload)<br /> | ||
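Review bot: The checksum line for the 2.1 updater gives "CRC32: 4D72836", which is seven hex digits where a CRC32 has eight; a leading zero was most likely dropped, so write the value zero-padded to eight digits to match what hashing tools print. The added "Unpkg/unself'ed" line also gives no hash for the unpacked archive, so readers cannot confirm it corresponds to the PKG whose SHA1/MD5 are listed above it; add one in the same format.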
Line 935: | Line 953: | ||
002084E0 001FFFF0 EB 3B 01 F7 6F A9 CF 3C B6 EB 89 82 7D E6 7D 3B ë;.÷o©Ï<¶ë‰‚}æ}; | 002084E0 001FFFF0 EB 3B 01 F7 6F A9 CF 3C B6 EB 89 82 7D E6 7D 3B ë;.÷o©Ï<¶ë‰‚}æ}; | ||
[ | [http://www.multiupload.com/PFC3IZZNNN TB_dongle_payload.bin (2 MB)] | ||
SHA1: 43402D6FE2ECE43EBE91531EFA07C366D46DD121 // MD5: BA5AFAB174BF6003D41AC8951301B822 // CRC32: 248284D2 // CRC16: 8C78 | SHA1: 43402D6FE2ECE43EBE91531EFA07C366D46DD121 // MD5: BA5AFAB174BF6003D41AC8951301B822 // CRC32: 248284D2 // CRC16: 8C78 | ||
Line 1,418: | Line 1,436: | ||
00000010 03 6b 2d 2c 45 d7 25 ff aa 34 b1 a8 8b 5d a7 b3 | 00000010 03 6b 2d 2c 45 d7 25 ff aa 34 b1 a8 8b 5d a7 b3 | ||
... | ... | ||
== 2.2 == | == 2.2 == | ||
True Blue Dongle Update v2.2 - Initial worldwide release | True Blue Dongle Update v2.2 - Initial worldwide release | ||
SHA1: 504D53CD6EDFA3382510CCB40CE49F802073FBD4 // MD5: A09CBCD5B3AEC31B07D974BEB4AC21FE // CRC32: 82F977CC // CRC16: 92D4 | |||
[ | Unpkg/unself'ed: [http://www.multiupload.com/NUILFATYL1 TrueBlueUpdate-2.2.pkg.out.rar (1018.2 KB)] <br /> | ||
=== Payload (2.2) === | === Payload (2.2) === | ||
Line 1,433: | Line 1,452: | ||
0007B588 00072EF0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | 0007B588 00072EF0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | ||
[ | [http://www.multiupload.com/KARELUPQRS payload2-2.bin (459.75 KB)] | ||
SHA1: 69953C9CF60E67E798A22C1016ABCB44A1D42CDF // MD5: F0826BA059B352BC6100647DB7EFDE5F // CRC32: 4B3C2132 // CRC16: 8181 | SHA1: 69953C9CF60E67E798A22C1016ABCB44A1D42CDF // MD5: F0826BA059B352BC6100647DB7EFDE5F // CRC32: 4B3C2132 // CRC16: 8181 | ||
Line 2,229: | Line 2,248: | ||
== 2.3 == | == 2.3 == | ||
True Blue Dongle Update v2.3 - [ | True Blue Dongle Update v2.3 - [http://www.multiupload.com/S5S9X4UON0 TrueBlueUpdate-2.3.zip (546.29 KB)] | ||
* Fixed games requiring "BD Mirror" | * Fixed games requiring "BD Mirror" | ||
* True Blue firmware version is now displayed on the XMB "System Information" screen | * True Blue firmware version is now displayed on the XMB "System Information" screen | ||
Line 2,236: | Line 2,255: | ||
<!--// The 'True Blue' team again comes thru with more support, this time with another update (v2.3), which was developed after the team was contacted by 'Paradox' in regard to problems with some of the latest games like 'Modern Warfare 3', and up-coming releases and patches, after some brain-storming and figuring out the compatibility problems the 'True Blue' team has now released the v2.3 update which will be required for all 'future' PS3 games released. //--> | <!--// The 'True Blue' team again comes thru with more support, this time with another update (v2.3), which was developed after the team was contacted by 'Paradox' in regard to problems with some of the latest games like 'Modern Warfare 3', and up-coming releases and patches, after some brain-storming and figuring out the compatibility problems the 'True Blue' team has now released the v2.3 update which will be required for all 'future' PS3 games released. //--> | ||
Unpkg/unself'ed: [http://www.multiupload.com/FHT635SH7W TrueBlueUpdate-2.3.pkg.out.rar (1022.45 KB)] <br /> | |||
=== Payload (2.3) === | === Payload (2.3) === | ||
Line 2,245: | Line 2,265: | ||
0007BD88 000736F0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | 0007BD88 000736F0 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | ||
[ | [http://www.multiupload.com/F0OVXTV2UV payload_2.3.bin (461.75 KB)] | ||
SHA1: DD8C3302F5F2394B2A0D907DE972AFB8E94DB0B5 // MD5: 7E4C3C6D7BA24375D3BE83074D882E0A // CRC32: 7D748CE8 // CRC16: 4A3B | SHA1: DD8C3302F5F2394B2A0D907DE972AFB8E94DB0B5 // MD5: 7E4C3C6D7BA24375D3BE83074D882E0A // CRC32: 7D748CE8 // CRC16: 4A3B | ||
Line 2,274: | Line 2,294: | ||
== 2.4 == | == 2.4 == | ||
[ | [http://www.multiupload.com/8D38XV8KFK TrueBlueUpdate-2.4.zip (704.48 KB)] | ||
Unpkg/unself'ed: [http://www.multiupload.com/5TA80L7I8V UP0001-TRUEBLUE4_00-0000000000000000.rar (1.31 MB)] | |||
=== Payload (2.4) === | === Payload (2.4) === | ||
located in unself'ed eboot.bin @ offset: | located in unself'ed eboot.bin @ offset: | ||
Line 2,283: | Line 2,306: | ||
000A3620 0009AEFF 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | 000A3620 0009AEFF 99 0A 4C 65 2A CE DE D6 0D C8 D2 73 FC B3 85 E2 ™.Le*ÎÞÖ.ÈÒsü³…â | ||
[ | [http://www.multiupload.com/0F9906NKSO payload_2.4.bin (619.75 KB)] | ||
SHA1: C062057BFBE4A0DF6C6C6E1B33C7561BC859C23F // MD5: 69FC4CE04DD4255A0BEEF4C2168F0AB0 // CRC32: 1C9EE18 // CRC16: 85DE | SHA1: C062057BFBE4A0DF6C6C6E1B33C7561BC859C23F // MD5: 69FC4CE04DD4255A0BEEF4C2168F0AB0 // CRC32: 1C9EE18 // CRC16: 85DE | ||
IDA DB: [ | IDA DB: [http://www.multiupload.com/2GBP8AY2NF EBOOT_SHT_fixed.i64 (3.01 MB)] | ||