PS3Cobra Payload Reverse Engineering

From PS3 Developer wiki
Revision as of 12:08, 31 December 2011 by Euss (talk | contribs) (→‎Dongle 1.0)
Jump to navigation Jump to search

Description

Dongle is DRM to make sure you have the dongle, the firmware 'special' functionality will not work without it.
Hardwarewise, there are many simularities with PSJB2/TrueBlue


The Ps3Cobra implements syscall 8 and moves syscall 0 into the payload. It does some heavy patching on Lv2 code

Lv2 Patches of Cobra Payload 1.2

offset psgroove cobra 1.2 cobra 2.0 comment
9134 7d 80 00 26 mfcr r12 N/A 48 4f 77 ec b 0x8000000000500920
17cbc e8 63 00 00 ld r3,0(r3) 3c 60 80 01 lis r3,-32767 3c 60 80 01 lis r3,-32767 remove syscall 6 (peek)
17cc0 60 00 00 00 nop 60 63 00 03 ori r3,r3,3 60 63 00 03 ori r3,r3,3 remove syscall 6 (peek)
17cc8 f8 83 00 00 std r4,0(r3) 3c 60 80 01 lis r3,-32767 3c 60 80 01 lis r3,-32767 remove syscall 7 (poke)
17ccc 60 00 00 00 nop 60 63 00 03 ori r3,r3,3 60 63 00 03 ori r3,r3,3 remove syscall 8 (poke)
490e0 2f 83 00 00 cmpwi cr7,r3,0 e8 82 0f 08 ld r4,3848(r2) e8 82 0f 08 ld r4,3848(r2)
490e4 7c 64 1b 78 mr r4,r3 e8 7c 00 20 ld r3,32(r28) e8 7c 00 20 ld r3,32(r28)
490e8 40 de 00 20 bne- cr7,0x8000000000049108 f8 64 00 00 std r3,0(r4) f8 64 00 00 std r3,0(r4)
4ed18 38 84 ff fa addi r4,r4,-6 38 80 00 00 li r4,0 38 80 00 00 li r4,0
4ed1c 7c 08 02 a6 mflr r0 90 83 00 00 stw r4,0(r3) 90 83 00 00 stw r4,0(r3)
4ed20 f8 21 ff 91 stdu r1,-112(r1) 4e 80 00 20 blr 4e 80 00 20 blr
4f0a8 bl sub_50B44 48 4b 11 a9 bl 0x8000000000500250 48 4b 11 a9 bl 0x8000000000500250
4fc2c beq cr7, loc_4FC4C 60 00 00 00 nop 60 00 00 00 nop
505D0 li %r3, 1 b sub_5008E0 48 4b 04 28 b 0x80000000005009f8
50B48 patched unpatched ?
572B8 extsw %r3, %r31 li %r3, 0
5741C bl sub_288568 nop
1C00EC stdu %sp, var_150(%sp) b sub_5003A8
1C26EC stdu %sp, var_D0(%sp) b sub_500448
1CF8A8 stdu %sp, var_B0(%sp) b sub_5004C8
25EC18 bl sub_12934 bl sub_500960
271AF0 stdu %sp, var_B0(%sp) b loc_500808 b loc_500818 (syscall864) Again, wrong here, loc_500808 is a bad jump.
this is 1.2!
273F80 stdu %sp, var_B0(%sp) b sub_500878 b sub_500990 (syscall867)you have a critical mistake, sub_500878 IS WRONG, :), if you jump here you crash your lv2
YOUR CRITICAL MISTAKE WAS ONLY PUT 1.2, NOW YOU FIX IT, THANKS
didn't meant to be rude, sry :)
29245C stdu %sp, var_100(%sp) b sub_5005A8
292598 ld %r11, stru_3403A0 b sub_5006D8
293A18 ld %r9, stru_3403A0 b sub_500540
296550 stdu %sp, var_D0(%sp) b sub_500640 (syscall606)
296928 stdu %sp, var_D0(%sp) b sub_500770 (syscall619)
29BD48 b sub_11850 b sub_500358
2AAFC8 b sub_50B48 b sub_5002F0
2AB3FC unpatched b sub_5002A0 (PS2 EMU?)
3ba890 0x01000000 patch table entry 1
offset cobra 1.2 cobra 2.0 comment
3ba890 0x10000000 0x10000000 patch table entry 1
490e0 ld r4, stru_33F628 patch table entry 2
490e4 ld r3, 0x20(r28) patch table entry 3
490e8 std r3, 0(r4) patch table entry 4
4ed18 li r4, 0 patch table entry 5
4ed1c stw r4, 0(r3) patch table entry 6
4ed20 blr patch table entry 7
572b8 li r3, 0 patch table entry 8
5741c nop patch table entry 9
4fc2c nop patch table entry a
50b3c li r3, 1 patch table entry b
50b40 blr patch table entry c

Cobra 1.2

 8000000000017cbc:     3c 60 80 01     lis     r3,-32767
 8000000000017cc0:     60 63 00 03     ori     r3,r3,3
 8000000000017cc8:     3c 60 80 01     lis     r3,-32767
 8000000000017ccc:     60 63 00 03     ori     r3,r3,3
 80000000000490e0:     e8 82 0f 08     ld      r4,3848(r2)
 80000000000490e4:     e8 7c 00 20     ld      r3,32(r28)
 80000000000490e8:     f8 64 00 00     std     r3,0(r4)
 800000000004ed18:     38 80 00 00     li      r4,0
 800000000004ed1c:     90 83 00 00     stw     r4,0(r3)
 800000000004ed20:     4e 80 00 20     blr
 800000000004f0a8:     48 4b 11 a9     bl      0x8000000000500250
 800000000004fc2c:     60 00 00 00     nop
 80000000000505d0:     48 4b 03 10     b       0x80000000005008e0
 8000000000050b3c:     38 60 00 01     li      r3,1
 8000000000050b40:     4e 80 00 20     blr
 80000000000572b8:     38 60 00 00     li      r3,0
 800000000005741c:     60 00 00 00     nop
 80000000001c00ec:     48 34 02 bc     b       0x80000000005003a8
 80000000001c26ec:     48 33 dd 5c     b       0x8000000000500448
 80000000001cf8a8:     48 33 0c 20     b       0x80000000005004c8
 800000000025ec18:     48 2a 1d 49     bl      0x8000000000500960
 8000000000271af0:     48 28 ed 18     b       0x8000000000500808
 8000000000273f80:     48 28 c8 f8     b       0x8000000000500878
 800000000029245c:     48 26 e1 4c     b       0x80000000005005a8
 8000000000292598:     48 26 e1 40     b       0x80000000005006d8
 8000000000293a18:     48 26 cb 28     b       0x8000000000500540
 8000000000296550:     48 26 a0 f0     b       0x8000000000500640
 8000000000296928:     48 26 9e 48     b       0x8000000000500770
 800000000029bd48:     48 26 46 10     b       0x8000000000500358
 80000000002aafc8:     48 25 53 28     b       0x80000000005002f0

Cobra 2.0

 8000000000009134:     48 4f 77 ec     b       0x8000000000500920
 8000000000017cbc:     3c 60 80 01     lis     r3,-32767
 8000000000017cc0:     60 63 00 03     ori     r3,r3,3
 8000000000017cc8:     3c 60 80 01     lis     r3,-32767
 8000000000017ccc:     60 63 00 03     ori     r3,r3,3
 80000000000490e0:     e8 82 0f 08     ld      r4,3848(r2)
 80000000000490e4:     e8 7c 00 20     ld      r3,32(r28)
 80000000000490e8:     f8 64 00 00     std     r3,0(r4)
 800000000004ed18:     38 80 00 00     li      r4,0
 800000000004ed1c:     90 83 00 00     stw     r4,0(r3)
 800000000004ed20:     4e 80 00 20     blr
 800000000004f0a8:     48 4b 11 a9     bl      0x8000000000500250
 800000000004fc2c:     60 00 00 00     nop
 80000000000505d0:     48 4b 04 28     b       0x80000000005009f8
 8000000000050b3c:     38 60 00 01     li      r3,1
 8000000000050b40:     4e 80 00 20     blr
 80000000000572b8:     38 60 00 00     li      r3,0
 800000000005741c:     60 00 00 00     nop
 80000000001c00ec:     48 34 02 cc     b       0x80000000005003b8
 80000000001c26ec:     48 33 dd 6c     b       0x8000000000500458
 80000000001cf8a8:     48 33 0c 30     b       0x80000000005004d8
 800000000025ec18:     48 2a 1e 61     bl      0x8000000000500a78
 8000000000271af0:     48 28 ed 28     b       0x8000000000500818
 8000000000273f80:     48 28 ca 10     b       0x8000000000500990
 800000000029245c:     48 26 e1 5c     b       0x80000000005005b8
 8000000000292598:     48 26 e1 50     b       0x80000000005006e8
 8000000000293a18:     48 26 cb 38     b       0x8000000000500550
 8000000000296550:     48 26 a1 00     b       0x8000000000500650
 8000000000296928:     48 26 9e 58     b       0x8000000000500780
 800000000029bd48:     48 26 46 20     b       0x8000000000500368
 80000000002aafc8:     48 25 53 38     b       0x8000000000500300

lv1 hvcalls

  • lv1_get_repository_node_value
  • lv1_allocate_device_dma_region
  • lv1_free_device_dma_region
  • lv1_map_device_dma_region
  • lv1_unmap_device_dma_region
  • lv1_storage_read
  • lv1_storage_check_async_status

Preliminary Examination of Cobra USB Manager v1.0

The following was acquired from a Debug/DEX unit on 3.55forDEX using the *Check debug option:

System Version : 03.0000

---
Log
---
[Info]	Checking HDD Game.(HG,"/dev_hdd0/game/CBUM01234")
[Debug]	Checking System File /dev_hdd0/game/CBUM01234/PARAM.SFO.
[Info]	TITLE_ID = CBUM01234.
[Info]	PARENTAL_LEVEL = 0/--/--/--/--/--/--.
[Info]	ATTRIBUTE = 0x0.
[Info]	RESOLUTION = 0x3F, 1080/720/576/576(16:9)/480/480(16:9).
[Info]	SOUND_FORMAT = 0x117, 7.1LPCM/5.1LPCM/2LPCM/5.1Dolby.
[Info]	VERSION = 01.00.
[Info]	PS3_SYSTEM_VER = 03.0000.
[Info]	APP_VER = 01.00.
[Debug]	TITLE_ID = CBUM01234.
[Warn]	PARAM.SFO: Param PARENTAL_LEVEL: Currently being rated.
[Debug]	PARENTAL_LEVEL = 0/--/--/--/--/--/--.
[Debug]	ATTRIBUTE = 0x0.
[Error]	PARAM.SFO: Param LICENSE: Unexpected val_size.
[Error]	PARAM.SFO: Param LICENSE: Unexpected value.
[Debug]	RESOLUTION = 0x3F, 1080/720/576/576(16:9)/480/480(16:9).
[Debug]	SOUND_FORMAT = 0x117, 7.1LPCM/5.1LPCM/2LPCM/5.1Dolby.
[Debug]	VERSION = 01.00.
[Debug]	PS3_SYSTEM_VER = 03.0000.
[Debug]	APP_VER = 01.00.
[Debug]	PS3LOGO.DAT: Logo.
[Debug]	ICON0.PNG: 320x176/24bit.
[Info]	EBOOT.BIN: PPU SELF file, SDK version = 03.0000.
[Debug]	EBOOT.BIN: 300.001 (PPU) : crt0
[Debug]	EBOOT.BIN: 300.001 (PPU) : crt1
[Debug]	EBOOT.BIN: 192.001 (PPU) : libftp
[Error]	EBOOT.BIN: Debug library linked (libftp).
[Error]	EBOOT.BIN: Version conflict error (libftp, 192.001).
[Debug]	EBOOT.BIN: 300.001 (PPU) : libnet_stub
[Debug]	EBOOT.BIN: 300.001 (PPU) : libnetctl_stub
[Debug]	EBOOT.BIN: 300.001 (PPU) : libpngdec_stub
[Debug]	EBOOT.BIN: 300.001 (PPU) : libdbgfont_gcm
[Error]	EBOOT.BIN: Debug library linked (libdbgfont_gcm).
[Debug]	EBOOT.BIN: 300.001 (PPU) : libgcm_cmd
[Debug]	EBOOT.BIN: 300.001 (PPU) : libgcm_sys_stub
[Debug]	EBOOT.BIN: 300.001 (PPU) : libio_stub
[Debug]	EBOOT.BIN: 300.001 (PPU) : libsysmodule_stub
[Debug]	EBOOT.BIN: 300.001 (PPU) : libsysutil_stub
[Debug]	EBOOT.BIN: 300.001 (PPU) : libfs_stub
[Debug]	EBOOT.BIN: 300.001 (PPU) : libl10n_stub
[Debug]	EBOOT.BIN: 300.001 (PPU) : libfontGcm
[Debug]	EBOOT.BIN: 300.001 (PPU) : libfontFT_stub
[Debug]	EBOOT.BIN: 300.001 (PPU) : libfont_stub
[Debug]	EBOOT.BIN: 300.001 (PPU) : libstdc++
[Debug]	EBOOT.BIN: 300.001 (PPU) : libc
[Debug]	EBOOT.BIN: 300.001 (PPU) : liblv2_stub



Hardware Dongle

Dongle 1.0

PS3Cobra - TOP
PS3Cobra - BACK

Components

Actel ProASIC3 A3P060 - FPGA

U2

  A3P060 = 60,000 System Gates
  blank = Speed Grade: Standard
  VQ = Package Type: Very Thin Quad Flat Pack (0.5mm pitch)
  G = Lead-Free Packaging: RoHS-Compliant (Green)
  100 = Package Lead Count : 100 pins
  blank = Security Feature : no IP license
  blank = Temperature Range: Commercial (0°C to +70°C Ambient Temperature)

128-bit AES
1,024 bits of user flash memory
Datasheets and usermanuals: http://www.actel.com/products/pa3/docs.aspx#ds
Familyroot: http://www.actel.com/products/pa3/

Pinout A3P060 VQ100
Actel ProASIC3 A3P060 - FPGA (Cobra) VQ100 package
Pin Function Notes
1 GND Ground
2 GAA2/IO118UDB3
3 IO118VDB3
4 GAB2/IO117UDB3
5 IO117VDB3
6 GAC2/IO116UDB3
7 IO116VDB3
8 IO112PSB3
9 GND Ground
10 GFB1/IO109PDB3
11 GFB0/IO109NDB3
12 VCOMPLF
13 GFA0/IO108NPB3
14 VCCPLF
15 GFA1/IO108PPB3
16 GFA2/IO107PSB3
17 VCC
18 VCCIB3
19 GFC2/IO105PSB3
20 GEC1/IO100PDB3
21 GEC0/IO100NDB3
22 GEA1/IO98PDB3
23 GEA0/IO98NDB3
24 VMV3
25 GNDQ Ground
26 GEA2/IO97RSB2
27 GEB2/IO96RSB2
28 GEC2/IO95RSB2
29 IO93RSB2
30 IO92RSB2
31 IO91RSB2
32 IO90RSB2
33 IO88RSB2
34 IO86RSB2
35 IO85RSB2
36 IO84RSB2
37 VCC
38 GND Ground
39 VCCIB2
40 IO77RSB2
41 IO74RSB2
42 IO71RSB2
43 GDC2/IO63RSB2
44 GDB2/IO62RSB2
45 GDA2/IO61RSB2
46 GNDQ Ground
47 TCK
48 TDI
49 TMS
50 VMV2
51 GND Ground
52 VPUMP
53 NC
54 TDO
55 TRST
56 VJTAG
57 GDA1/IO60USB1
58 GDC0/IO58VDB1
59 GDC1/IO58UDB1
60 IO52NDB1
61 GCB2/IO52PDB1
62 GCA1/IO50PDB1
63 GCA0/IO50NDB1
64 GCC0/IO48NDB1
65 GCC1/IO48PDB1
66 VCCIB1
67 GND Ground
68 VCC
69 IO43NDB1
70 GBC2/IO43PDB1
71 GBB2/IO42PSB1
72 IO41NDB1
73 GBA2/IO41PDB1
74 VMV1
75 GNDQ Ground
76 GBA1/IO40RSB0
77 GBA0/IO39RSB0
78 GBB1/IO38RSB0
79 GBB0/IO37RSB0
80 GBC1/IO36RSB0
81 GBC0/IO35RSB0
82 IO29RSB0
83 IO27RSB0
84 IO25RSB0
85 IO23RSB0
86 IO21RSB0
87 VCCIB0
88 GND Ground
89 VCC
90 IO15RSB0
91 IO13RSB0
92 IO11RSB0
93 GAC1/IO05RSB0
94 GAC0/IO04RSB0
95 GAB1/IO03RSB0
96 GAB0/IO02RSB0
97 GAA1/IO01RSB0
98 GAA0/IO00RSB0
99 GNDQ Ground
100 VMV0

24.000 MHz Crystal

Y1
CLK for Actel

12.000 MHz Crystal

Y2?
CLK for Atmel

AMS1117 3.3 1032 - Low Dropout Linear Regulator

U3
Datasheet: http://www.sltdigital.com/product/product_pdf/AMS1117.pdf / http://home1.cyber-labo.co.jp/board/goods/pdf/AMS1117.pdf
File:AMS1117 - SOT-223.png

A 47 (unreferenced 5pin IC : U4)

U4
A 47
File:SOT5.PNG

Atmel ATmega 16A (16MHz AVR - 16KB flash - USB stack + DFU)

U5
ISP via pin 1 (MOSI), 2 (MISO), 3 (SCK), 4 (Reset)
datasheet: Atmel-ATMega16A.pdf (6.93 MB)

Atmel ATMega16A
QFN44 pinout
Pin Function Notes
1 (MOSI) PB5
2 (MISO) PB6
3 (SCK) PB7
4 RESET
5 VCC
6 GND
7 XTAL2
8 XTAL1
9 (RXD) PD0
10 (TXD) PD1
11 (INT0) PD2
12 (INT1) PD3
13 (OC1B) PD4
14 (OC1A) PD5
15 (ICP1) PD6
16 (OC2) PD7
17 VCC
18 GND
19 (SCL) PC0
20 (SDA) PC1
21 (TCK) PC2
22 (TMS) PC3
23 (TDO) PC4
24 (TDI) PC5
25 (TOSC1) PC6
26 (TOSC2) PC7
27 AVCC
28 GND
29 AREF
30 (ADC7) PA7
31 (ADC6) PA6
32 (ADC5) PA5
33 (ADC4) PA4
34 (ADC3) PA3
35 (ADC2) PA2
36 (ADC1) PA1
37 (ADC0) PA0
38 VCC
39 GND
40 (XCK/T0) PB0
41 (T1) PB1
42 (AIN0/INT2) PB2
43 (AIN1/OC0) PB3
44 (SS) PB4


Winbond 25X16AVSIG (SPI Flash 16Mbit)

8-pin TSSOP
Winbond 25X16A
SOIC-8 pinout

U1

W - Winbond
25X - SPI Flash with 4KB sectors/64Kbyte blocks, dual output
16A - 16Mbit / 2M-byte
V - Supply Voltage 2.7 to 3.6V
S - Package Type : 8pin SOIC 150-mil
I - Temperature Range: Industrial (-40'C ~ 85'C)
G - Environment: Green Package (Lead-free, RoHS Compliant, Halogen-free (TBBA), Antimony-Oxie-free)

datasheet: W25X16A.pdf (1.3 MB)
Note: can use Bus Ninja or Bus Pirate and FlashROM - ISP is possible, so long as no other devices on the SPI bus are trying to access the device (in that case, you might want to cut Vcc to the FPGA or the regulator for it).

Pin Usage I/O Remarks
1 /CS I Chip Select (high=deselect, low=select)
2 DO O Data output
3 /WP I Write Protect (active low)
4 GND Ground
5 DIO I/O Serial data input/output
6 CLK I Serial Clock
7 /HOLD I Hold (high=normal/resume, low=hold/pause)
8 VCC Vcc (min 2.7-max 3.6V @ Fr0 75MHz / min 3.0-max 3.6V @ Fastread Fr1 100MHz)