PS3Cobra Payload Reverse Engineering
Description
Dongle is DRM to make sure you have the dongle, the firmware 'special' functionality will not work without it.
Hardwarewise, there are many simularities with PSJB2/TrueBlue
The Ps3Cobra implements syscall 8 and moves syscall 0 into the payload.
It does some heavy patching on Lv2 code
Lv2 Patches of Cobra Payload 1.2
offset | psgroove | cobra 1.2 | cobra 2.0 | comment |
---|---|---|---|---|
9134 | 7d 80 00 26 mfcr r12 | N/A | 48 4f 77 ec b 0x8000000000500920 | |
17cbc | e8 63 00 00 ld r3,0(r3) | 3c 60 80 01 lis r3,-32767 | 3c 60 80 01 lis r3,-32767 | remove syscall 6 (peek) |
17cc0 | 60 00 00 00 nop | 60 63 00 03 ori r3,r3,3 | 60 63 00 03 ori r3,r3,3 | remove syscall 6 (peek) |
17cc8 | f8 83 00 00 std r4,0(r3) | 3c 60 80 01 lis r3,-32767 | 3c 60 80 01 lis r3,-32767 | remove syscall 7 (poke) |
17ccc | 60 00 00 00 nop | 60 63 00 03 ori r3,r3,3 | 60 63 00 03 ori r3,r3,3 | remove syscall 8 (poke) |
490e0 | 2f 83 00 00 cmpwi cr7,r3,0 | e8 82 0f 08 ld r4,3848(r2) | e8 82 0f 08 ld r4,3848(r2) | |
490e4 | 7c 64 1b 78 mr r4,r3 | e8 7c 00 20 ld r3,32(r28) | e8 7c 00 20 ld r3,32(r28) | |
490e8 | 40 de 00 20 bne- cr7,0x8000000000049108 | f8 64 00 00 std r3,0(r4) | f8 64 00 00 std r3,0(r4) | |
4ed18 | 38 84 ff fa addi r4,r4,-6 | 38 80 00 00 li r4,0 | 38 80 00 00 li r4,0 | |
4ed1c | 7c 08 02 a6 mflr r0 | 90 83 00 00 stw r4,0(r3) | 90 83 00 00 stw r4,0(r3) | |
4ed20 | f8 21 ff 91 stdu r1,-112(r1) | 4e 80 00 20 blr | 4e 80 00 20 blr | |
4f0a8 | bl sub_50B44 | 48 4b 11 a9 bl 0x8000000000500250 | 48 4b 11 a9 bl 0x8000000000500250 | |
4fc2c | beq cr7, loc_4FC4C | 60 00 00 00 nop | 60 00 00 00 nop | |
505D0 | li %r3, 1 | b sub_5008E0 | 48 4b 04 28 b 0x80000000005009f8 | |
50B48 | patched | unpatched ? | ||
572B8 | extsw %r3, %r31 | li %r3, 0 | ||
5741C | bl sub_288568 | nop | ||
1C00EC | stdu %sp, var_150(%sp) | b sub_5003A8 | ||
1C26EC | stdu %sp, var_D0(%sp) | b sub_500448 | ||
1CF8A8 | stdu %sp, var_B0(%sp) | b sub_5004C8 | ||
25EC18 | bl sub_12934 | bl sub_500960 | ||
271AF0 | stdu %sp, var_B0(%sp) | b loc_500808 | b loc_500818 | (syscall864) this is 1.2! |
273F80 | stdu %sp, var_B0(%sp) | b sub_500878 | b sub_500990 | (syscall867) YOUR CRITICAL MISTAKE WAS ONLY PUT 1.2, NOW YOU FIX IT, THANKS didn't meant to be rude, sry :) |
29245C | stdu %sp, var_100(%sp) | b sub_5005A8 | ||
292598 | ld %r11, stru_3403A0.base_addr_toc+8 | b sub_5006D8 | ||
293A18 | ld %r9, stru_3403A0.base_addr_toc+8 | b sub_500540 | ||
296550 | stdu %sp, var_D0(%sp) | b sub_500640 | (syscall606) | |
296928 | stdu %sp, var_D0(%sp) | b sub_500770 | (syscall619) | |
29BD48 | b sub_11850 | b sub_500358 | ||
2AAFC8 | b sub_50B48 | b sub_5002F0 | ||
2AB3FC | unpatched | b sub_5002A0 | (PS2 EMU?) |
Cobra 1.2
8000000000017cbc: 3c 60 80 01 lis r3,-32767 8000000000017cc0: 60 63 00 03 ori r3,r3,3
8000000000017cc8: 3c 60 80 01 lis r3,-32767 8000000000017ccc: 60 63 00 03 ori r3,r3,3
80000000000490e0: e8 82 0f 08 ld r4,3848(r2) 80000000000490e4: e8 7c 00 20 ld r3,32(r28) 80000000000490e8: f8 64 00 00 std r3,0(r4)
800000000004ed18: 38 80 00 00 li r4,0 800000000004ed1c: 90 83 00 00 stw r4,0(r3) 800000000004ed20: 4e 80 00 20 blr
800000000004f0a8: 48 4b 11 a9 bl 0x8000000000500250 800000000004fc2c: 60 00 00 00 nop
80000000000505d0: 48 4b 03 10 b 0x80000000005008e0 8000000000050b3c: 38 60 00 01 li r3,1 8000000000050b40: 4e 80 00 20 blr
80000000000572b8: 38 60 00 00 li r3,0
800000000005741c: 60 00 00 00 nop
80000000001c00ec: 48 34 02 bc b 0x80000000005003a8 80000000001c26ec: 48 33 dd 5c b 0x8000000000500448 80000000001cf8a8: 48 33 0c 20 b 0x80000000005004c8 800000000025ec18: 48 2a 1d 49 bl 0x8000000000500960 8000000000271af0: 48 28 ed 18 b 0x8000000000500808 8000000000273f80: 48 28 c8 f8 b 0x8000000000500878 800000000029245c: 48 26 e1 4c b 0x80000000005005a8 8000000000292598: 48 26 e1 40 b 0x80000000005006d8 8000000000293a18: 48 26 cb 28 b 0x8000000000500540 8000000000296550: 48 26 a0 f0 b 0x8000000000500640 8000000000296928: 48 26 9e 48 b 0x8000000000500770 800000000029bd48: 48 26 46 10 b 0x8000000000500358 80000000002aafc8: 48 25 53 28 b 0x80000000005002f0
Cobra 2.0
8000000000009134: 48 4f 77 ec b 0x8000000000500920
8000000000017cbc: 3c 60 80 01 lis r3,-32767 8000000000017cc0: 60 63 00 03 ori r3,r3,3
8000000000017cc8: 3c 60 80 01 lis r3,-32767 8000000000017ccc: 60 63 00 03 ori r3,r3,3
80000000000490e0: e8 82 0f 08 ld r4,3848(r2) 80000000000490e4: e8 7c 00 20 ld r3,32(r28) 80000000000490e8: f8 64 00 00 std r3,0(r4)
800000000004ed18: 38 80 00 00 li r4,0 800000000004ed1c: 90 83 00 00 stw r4,0(r3) 800000000004ed20: 4e 80 00 20 blr
800000000004f0a8: 48 4b 11 a9 bl 0x8000000000500250
800000000004fc2c: 60 00 00 00 nop
80000000000505d0: 48 4b 04 28 b 0x80000000005009f8
8000000000050b3c: 38 60 00 01 li r3,1
8000000000050b40: 4e 80 00 20 blr
80000000000572b8: 38 60 00 00 li r3,0
800000000005741c: 60 00 00 00 nop
80000000001c00ec: 48 34 02 cc b 0x80000000005003b8 80000000001c26ec: 48 33 dd 6c b 0x8000000000500458 80000000001cf8a8: 48 33 0c 30 b 0x80000000005004d8 800000000025ec18: 48 2a 1e 61 bl 0x8000000000500a78 8000000000271af0: 48 28 ed 28 b 0x8000000000500818 8000000000273f80: 48 28 ca 10 b 0x8000000000500990 800000000029245c: 48 26 e1 5c b 0x80000000005005b8 8000000000292598: 48 26 e1 50 b 0x80000000005006e8 8000000000293a18: 48 26 cb 38 b 0x8000000000500550 8000000000296550: 48 26 a1 00 b 0x8000000000500650 8000000000296928: 48 26 9e 58 b 0x8000000000500780 800000000029bd48: 48 26 46 20 b 0x8000000000500368 80000000002aafc8: 48 25 53 38 b 0x8000000000500300
lv1 hvcalls
- lv1_get_repository_node_value
- lv1_allocate_device_dma_region
- lv1_free_device_dma_region
- lv1_map_device_dma_region
- lv1_unmap_device_dma_region
- lv1_storage_read
- lv1_storage_check_async_status
Hardware Dongle
Dongle 1.0
Components
Actel ProASIC3 A3P060 - FPGA
U2
A3P060 = 60,000 System Gates blank = Speed Grade: Standard VQ = Package Type: Very Thin Quad Flat Pack (0.5mm pitch) G = Lead-Free Packaging: RoHS-Compliant (Green) 100 = Package Lead Count : 100 pins blank = Security Feature : no IP license blank = Temperature Range: Commercial (0°C to +70°C Ambient Temperature)
128-bit AES
1,024 bits of user flash memory
Datasheets and usermanuals: http://www.actel.com/products/pa3/docs.aspx#ds
Familyroot: http://www.actel.com/products/pa3/
Pinout A3P060 VQ100
Pin | Function | Notes |
---|---|---|
1 | GND | Ground |
2 | GAA2/IO118UDB3 | |
3 | IO118VDB3 | |
4 | GAB2/IO117UDB3 | |
5 | IO117VDB3 | |
6 | GAC2/IO116UDB3 | |
7 | IO116VDB3 | |
8 | IO112PSB3 | |
9 | GND | Ground |
10 | GFB1/IO109PDB3 | |
11 | GFB0/IO109NDB3 | |
12 | VCOMPLF | |
13 | GFA0/IO108NPB3 | |
14 | VCCPLF | |
15 | GFA1/IO108PPB3 | |
16 | GFA2/IO107PSB3 | |
17 | VCC | |
18 | VCCIB3 | |
19 | GFC2/IO105PSB3 | |
20 | GEC1/IO100PDB3 | |
21 | GEC0/IO100NDB3 | |
22 | GEA1/IO98PDB3 | |
23 | GEA0/IO98NDB3 | |
24 | VMV3 | |
25 | GNDQ | Ground |
26 | GEA2/IO97RSB2 | |
27 | GEB2/IO96RSB2 | |
28 | GEC2/IO95RSB2 | |
29 | IO93RSB2 | |
30 | IO92RSB2 | |
31 | IO91RSB2 | |
32 | IO90RSB2 | |
33 | IO88RSB2 | |
34 | IO86RSB2 | |
35 | IO85RSB2 | |
36 | IO84RSB2 | |
37 | VCC | |
38 | GND | Ground |
39 | VCCIB2 | |
40 | IO77RSB2 | |
41 | IO74RSB2 | |
42 | IO71RSB2 | |
43 | GDC2/IO63RSB2 | |
44 | GDB2/IO62RSB2 | |
45 | GDA2/IO61RSB2 | |
46 | GNDQ | Ground |
47 | TCK | |
48 | TDI | |
49 | TMS | |
50 | VMV2 | |
51 | GND | Ground |
52 | VPUMP | |
53 | NC | |
54 | TDO | |
55 | TRST | |
56 | VJTAG | |
57 | GDA1/IO60USB1 | |
58 | GDC0/IO58VDB1 | |
59 | GDC1/IO58UDB1 | |
60 | IO52NDB1 | |
61 | GCB2/IO52PDB1 | |
62 | GCA1/IO50PDB1 | |
63 | GCA0/IO50NDB1 | |
64 | GCC0/IO48NDB1 | |
65 | GCC1/IO48PDB1 | |
66 | VCCIB1 | |
67 | GND | Ground |
68 | VCC | |
69 | IO43NDB1 | |
70 | GBC2/IO43PDB1 | |
71 | GBB2/IO42PSB1 | |
72 | IO41NDB1 | |
73 | GBA2/IO41PDB1 | |
74 | VMV1 | |
75 | GNDQ | Ground |
76 | GBA1/IO40RSB0 | |
77 | GBA0/IO39RSB0 | |
78 | GBB1/IO38RSB0 | |
79 | GBB0/IO37RSB0 | |
80 | GBC1/IO36RSB0 | |
81 | GBC0/IO35RSB0 | |
82 | IO29RSB0 | |
83 | IO27RSB0 | |
84 | IO25RSB0 | |
85 | IO23RSB0 | |
86 | IO21RSB0 | |
87 | VCCIB0 | |
88 | GND | Ground |
89 | VCC | |
90 | IO15RSB0 | |
91 | IO13RSB0 | |
92 | IO11RSB0 | |
93 | GAC1/IO05RSB0 | |
94 | GAC0/IO04RSB0 | |
95 | GAB1/IO03RSB0 | |
96 | GAB0/IO02RSB0 | |
97 | GAA1/IO01RSB0 | |
98 | GAA0/IO00RSB0 | |
99 | GNDQ | Ground |
100 | VMV0 |
24.000 MHz Crystal
Y1
CLK for Actel
12.000 MHz Crystal
Y2?
CLK for Atmel
AMS1117 3.3 1032 - Low Dropout Linear Regulator
U3
Datasheet: http://www.sltdigital.com/product/product_pdf/AMS1117.pdf / http://home1.cyber-labo.co.jp/board/goods/pdf/AMS1117.pdf
File:AMS1117 - SOT-223.png
A 47 (unreferenced 5pin IC : U4)
U4
A 47
File:SOT5.PNG
Atmel ATmega 16A (16MHz AVR - 16KB flash - USB stack + DFU)
U5
ISP via pin 1 (MOSI), 2 (MISO), 3 (SCK), 4 (Reset)
datasheet: Atmel-ATMega16A.pdf (6.93 MB)
Pin | Function | Notes |
---|---|---|
1 | (MOSI) PB5 | |
2 | (MISO) PB6 | |
3 | (SCK) PB7 | |
4 | RESET | |
5 | VCC | |
6 | GND | |
7 | XTAL2 | |
8 | XTAL1 | |
9 | (RXD) PD0 | |
10 | (TXD) PD1 | |
11 | (INT0) PD2 | |
12 | (INT1) PD3 | |
13 | (OC1B) PD4 | |
14 | (OC1A) PD5 | |
15 | (ICP1) PD6 | |
16 | (OC2) PD7 | |
17 | VCC | |
18 | GND | |
19 | (SCL) PC0 | |
20 | (SDA) PC1 | |
21 | (TCK) PC2 | |
22 | (TMS) PC3 | |
23 | (TDO) PC4 | |
24 | (TDI) PC5 | |
25 | (TOSC1) PC6 | |
26 | (TOSC2) PC7 | |
27 | AVCC | |
28 | GND | |
29 | AREF | |
30 | (ADC7) PA7 | |
31 | (ADC6) PA6 | |
32 | (ADC5) PA5 | |
33 | (ADC4) PA4 | |
34 | (ADC3) PA3 | |
35 | (ADC2) PA2 | |
36 | (ADC1) PA1 | |
37 | (ADC0) PA0 | |
38 | VCC | |
39 | GND | |
40 | (XCK/T0) PB0 | |
41 | (T1) PB1 | |
42 | (AIN0/INT2) PB2 | |
43 | (AIN1/OC0) PB3 | |
44 | (SS) PB4 |
Winbond 25X16AVSIG (SPI Flash 16Mbit)
U1
W - Winbond 25X - SPI Flash with 4KB sectors/64Kbyte blocks, dual output 16A - 16Mbit / 2M-byte V - Supply Voltage 2.7 to 3.6V S - Package Type : 8pin SOIC 150-mil I - Temperature Range: Industrial (-40'C ~ 85'C) G - Environment: Green Package (Lead-free, RoHS Compliant, Halogen-free (TBBA), Antimony-Oxie-free)
datasheet: W25X16A.pdf (1.3 MB)
Note: can use Bus Ninja or Bus Pirate and FlashROM - ISP is possible, so long as no other devices on the SPI bus are trying to access the device (in that case, you might want to cut Vcc to the FPGA or the regulator for it).
Pin | Usage | I/O | Remarks |
---|---|---|---|
1 | /CS | I | Chip Select (high=deselect, low=select) |
2 | DO | O | Data output |
3 | /WP | I | Write Protect (active low) |
4 | GND | Ground | |
5 | DIO | I/O | Serial data input/output |
6 | CLK | I | Serial Clock |
7 | /HOLD | I | Hold (high=normal/resume, low=hold/pause) |
8 | VCC | Vcc (min 2.7-max 3.6V @ Fr0 75MHz / min 3.0-max 3.6V @ Fastread Fr1 100MHz) |