today PlayStation 3 developers on the Wiki (linked above) have started a preliminary Q&A work-in-progress for hacking the True Blue (TB) PS3 JailBreak 2 (JB2) USB dongle.
To clarify the initial reports, after examining the PS3 JailBreak 2 (JB2) / True Blue (TB) CFW PARADOX Game Releases they now state the EBOOT used on the True Blue (TB) released 3.6+ PS3 games are not a Debug ones. Below is the complete text thus far, as follows:
True Blue (TB) PS3 JailBreak 2 (JB2) Q&A
Q: Is this possible on other dongles from the FW3.41 days like Blackcat and Teensy?
A: Dongles are bad and obsolete, mkay (once you have the key/algo, you don't need any dongle at all)
Q: Are they (TB team) just stealing the dev eboots?
A: First we thought that too but today the first TB game was released Dirt 3 and it's working and it isn't a dev eboot so it maybe is really worth something so it's time to search why and how to use it.
You can only rumor which source they use to resign the content to lock-in their DRM. But ofcourse those very same DRM-less files can be resigned for 3.55 too (as has been done numerous times in the past). Piracy is bad, but pirates using DRM to make sure they get the money and not genuine developers is even worse (especially when they lock you into a single firmware that has even less to offer than generic MFW and makes you loose OtherOS++ too).
It seems the ps3jb2 loads masterdiscs with fself, with the algo provided and the right key (which is not provided) you can decrypt said masterdiscs images right on pc and grab the fself files.
[an0nym0us] TB is just a clone, blame cobra
[walsid] TB is a clone?
[an0nym0us] yes, its a clone of the cobra dongle
[an0nym0us] I really enjoy saying that ... especially since it is true
[an0nym0us] look at the lv2_kernel.self for cobra pup and tb pup
[an0nym0us] Its the same hook with different "payloads" at 0x80000000007f0000
[an0nym0us] so either cobra decided to "update" without "updating" the existing dongles, or they just wanted more money from you pir8s
// do crypt unsigned char sector_key; memset(sector_key, 0, 16); sector_key = (sector_num & 0xFF000000)>>24; sector_key = (sector_num & 0x00FF0000)>>16; sector_key = (sector_num & 0x0000FF00)>> 8; sector_key = (sector_num & 0x000000FF)>> 0; // encrypt sector aes_context aes_ctx; aes_setkey_enc(&aes_ctx, G_DEBUG_KEY, 128); aes_crypt_cbc(&aes_ctx, AES_ENCRYPT, aligned_size, sector_key, buff, buff); // decrypt aes_context aes_ctx; aes_setkey_dec(&aes_ctx, G_DEBUG_KEY, 128); aes_crypt_cbc(&aes_ctx, AES_DECRYPT, aligned_size, sector_key, buff, buff);
That's the algo for masterdiscs, ps3gen dll has the static keys for masterdiscs you can also get it from sv_iso the crappy sdk tool that generates masterdisc images for dex.
Files to strip:
rootfolder, LICDIR + content, TROPDIR + content, USRDIR (EBOOT.BIN + other signed binaries like .SPRX, .sdat)
example (portal_2_BLUS30732) :
|-- ICON0.PNG |-- LICDIR | `-- LIC.DAT |-- PARAM.SFO |-- PIC0.PNG |-- PIC1.PNG |-- PIC2.PNG |-- PS3LOGO.DAT |-- SND0.AT3 |-- TROPDIR | `-- NPWR01719_00 | `-- TROPHY.TRP `-- USRDIR |-- EBOOT.BIN |-- bin | |-- datacache_ps3.sprx | |-- engine_ps3.sprx | |-- filesystem_stdio_ps3.sprx | |-- inputsystem_ps3.sprx | |-- launcher_ps3.sprx | |-- localize_ps3.sprx | |-- materialsystem_ps3.sprx | |-- scenefilecache_ps3.sprx | |-- soundemittersystem_ps3.sp rx | |-- steam_api_ps3.sprx | |-- steam_config.sdat | |-- steam_resources.sdat | |-- steamclient_ps3.sprx | |-- studiorender_ps3.sprx | |-- tier0_ps3.sprx | |-- vgui2_ps3.sprx | |-- vguimatsurface_ps3.sprx | |-- vjobs_ps3.sprx | |-- vphysics_ps3.sprx | |-- vscript_ps3.sprx | `-- vstdlib_ps3.sprx `-- portal2 `-- bin |-- client_ps3.sprx |-- matchmaking_ps3.sprx `-- server_ps3.sprx
Folks I looked a little more and it seems the psjb2 just runs masterdiscs with fself, kinda lame. very lame. npdrm encrypted but labeled as fself, it's an fself but I dunno what it does, I never looked at it. I don't really care on doing more if you use the masterdisc algo I provided and the proper key which I am not supplying you can decrypt all the psjb2 disc images right on pc, grab the fself and use them to run them on a regular 3.55 fw.
Basically security == LAME, still interesting to see how they patched the firmware to allow masterdiscs, they also do some auth with the dongle which involves crypto to make sure the firmware does not load without it, but if you don't need the firmware to load the games... they could have added some extra keys in appldr and encrypted the damn eboots at least. I guess they didn't have enough time or enough spu skills
Regarding FSELF from "RikuKH3":
Real FSELFs are never encrypted. You can extract it with official unfself tool from SDK. But, in this FSELF I looked into (driver sf) ELF inside IS encrypted. You can say this because it's masterdisc fself, but I really doubt it. It doesn't look like a proper fself to me at all, in header it says that sections unecrypted, but it's not true. Another thing - Masterdisc Generator tool from Sony gives errors with this EBOOT (if it's a masterdisc eboot as stated, why?).
More details will be posted as they become available, and below is another PS3 JailBreak 2 (True Blue) HDD Review video from MrDjbubba2002.