|
|
04-16-2012
|
#1 |
|
Member
 Join Date: Oct 2011
Posts: 83
Likes: 31
Liked 50 Times in 9 Posts
Mentioned: 15 Post(s)
Tagged: 0 Thread(s)
|
TrueBlue lv2_kernel.bin Reverse Engineering
Hello, everybody!
At the last time there was a lot noob news about loading TB lv2_kernel in IDA and what it really does, so I really wanted take a look at this by myself  This thing is really small, and took a few minutes for rce the "salt" of it. I spend more time writing some scripts for it This is my clean idb http://rghost.ru/37617670 (I dont share my idb with comments, because its mostly Russian comments :D ) How you can see it uses some ofbusctaion, unconditionally branches, complex of instructions mtctr and bctrl. When you will start reversing sub_80000000007F1114, the first thing what you will see that there is some condition of execution sub_80000000007F0F10. Let's look this function, allocating a buffers already a good sign) You look subfunctions and see some crypt) sub_80000000007F0B1C is Tiny Encryption Algorithm Code:
void decrypt (uint32_t* v, uint32_t* k) {
uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i; /* set up */
uint32_t delta=0x9e3779b9; /* a key schedule constant */
uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
for (i=0; i<32; i++) { /* basic cycle start */
v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
sum -= delta;
} /* end cycle */
v[0]=v0; v[1]=v1;
}
Look next. I think it dont needs comments ) Code:
malloc memcpy free free Code:
mtctr r30 bctrl After this code executed its free a buffer, look back at sub_80000000007F1114, memcpy original code with mounting dev_flash, and jumps to lv2_kernel.self. TB made really similar to malware. Now we know that lv2_kernel is Payload Loader, we know where is a key, we know where is Payload) I dont have TrueBlue so at this point its all what I can done My Twitter: https://twitter.com/oct0xor Greetings to my friend and great dev flatz: https://twitter.com/flat_z UPDATE: Today I take a look at lv2_kernel's from section 0 of dongle and from TB CFW v2. The first one do the same what lv2_kernel.bin, but for 3.41. Never heard about TB work with 3.41 so they took away this feature. But payload is there, you can see it in updates. In TB CFW v2 they change decryption key. The new key is 0x10 from 800000000035E104 xored with 67 EE E4 B3 6D DE EC 0E 70 08 8E F6 D2 D4 97 CC. TB CFW v2 is not much more secured xD Last edited by Octopus; 04-17-2012 at 03:36 PM. Reason: Update |
|
|
|
Likes: (34) |
Annelies,
big_russ,
blaxoul,
BobbyBangin,
bobpes,
Calliope,
chadvt,
cloudxxii,
Deadman19,
DEFAULTDNB,
derako,
euss,
FL321,
gmitesh90,
granberro,
H3avyRa1n,
hellsing9,
himshie,
landon,
maconell,
mcmrc1,
mirkie,
Mistawes,
Mystic Racer,
nzie,
oPolo,
ps3hen,
Rautz,
RickDangerous,
Sphaa80,
Trivia618,
Trokadero,
willemse21,
xi123xi
|
|
04-16-2012
|
#2 |
|
Hired Gun
 
Join Date: May 2011
Posts: 6,791
Likes: 2,574
Liked 3,315 Times in 1,844 Posts
Mentioned: 980 Post(s)
Tagged: 1 Thread(s)
|
good finding
@Octopus
keeps us posted
__________________
Check Blacklist of FAKE devs
Check Whitelist of TRUSTED devs Tutorial : DEX conversion (TEST-DEBUG) One thread with all DEX information published so far. One thread with PS3 LV0 keys, CFW'S and many more. PS3devwiki your number 1 source. Check it. Console ID's Market Warning thread PS3 Ban, CFW, Unban. How to avoid it. |
|
|
|
|
04-16-2012
|
#3 |
|
Member
 
Join Date: Jan 2011
Location: Gliese 581g
Posts: 613
Likes: 531
Liked 346 Times in 176 Posts
Mentioned: 17 Post(s)
Tagged: 0 Thread(s)
|
sounds interessting :D thx for your work
@Octopus
and you friend wrote
"I am successfully decrypted the second part of eid0 " i know that i understand nothing from the dev things but sounds interessting too :Dand "a nice piece of garbage which zadow28 contributed to the scene lol))" is also funny :D
__________________
 Last edited by mcmrc1; 04-16-2012 at 01:05 PM. |
|
|
|
|
04-16-2012
|
#4 |
|
Member
 Join Date: Nov 2011
Posts: 199
Likes: 25
Liked 94 Times in 50 Posts
Mentioned: 8 Post(s)
Tagged: 0 Thread(s)
|
Thank you for sharing your findings!
|
|
|
|
|
04-16-2012
|
#6 |
|
Member
 Join Date: Dec 2011
Posts: 43
Likes: 6
Liked 21 Times in 14 Posts
Mentioned: 1 Post(s)
Tagged: 0 Thread(s)
|
Do you see the irony in your post
|
|
|
|
|
Likes: (2) |
|
04-16-2012
|
#7 |
|
Member
 Join Date: Feb 2012
Posts: 337
Likes: 52
Liked 170 Times in 97 Posts
Mentioned: 20 Post(s)
Tagged: 0 Thread(s)
|
Thank you for your input! I have a TB dongle. If you can tell me what to do I will give it a try.
|
|
|
|
|
04-16-2012
|
#8 |
|
Member
 Join Date: Oct 2011
Posts: 207
Likes: 125
Liked 39 Times in 34 Posts
Mentioned: 14 Post(s)
Tagged: 0 Thread(s)
|
Hope this will help us !! Thank you Octopus
|
|
|
|
|
04-16-2012
|
#9 |
|
Member
Join Date: Oct 2011
Posts: 83
Likes: 31
Liked 50 Times in 9 Posts
Mentioned: 15 Post(s)
Tagged: 0 Thread(s)
|
Well, now I look and see my post looks very "technical". If you dont understand anything, this what I did: Got 3.55 TB CFW, fully reverse payload in it, understand what it do. Payload from CFW decrypt real payload from dongle. I reversed where it's in the memory, I reversed where the key , I reversed algo. I gave it all to you
|
|
|
|
|
04-16-2012
|
#10 | |
|
Member
 Join Date: Feb 2012
Posts: 69
Likes: 25
Liked 19 Times in 12 Posts
Mentioned: 8 Post(s)
Tagged: 0 Thread(s)
|
Anyway, thanks for your work |
|
|
|
 |
| Bookmarks |
| Thread Tools | |
|
|
