05-02-2012   #1
Calliope
 
Breaking the TB2 for all PS3 users!

Understanding the works of TruBlue/Cobra is important as their functions would mean a great deal to the community. However, maybe the secret is hidden in the eboots or lv1/lv2 patching. As I stated elsewhere in the forum, it is quite possible that we can subtract the information we need from the RAM when the data is decrypted there. We would receive the raw decrypted data from RAM and then compare it to encrypted data for analysis.

One *should* be able to dump unencrypted eboots using an E3 or similar with dual NOR. Boot into 4.11, load a game up, pull cell_reset to preserve ram and switch NOR into a CFW which dumps ram to USB.
I believe the linux kernel overwrites gameos....and the decrypted eboot....
mod the lvl1ldr to dump ram just like everyone has been saying to do.
Correct, this is exactly what I'm working on. First I proved that I'm right with dumping games/apps out of RAM and to find the way how to do. Now the next step is to write an app and find a way to do it with newer games, but I'm sure that it will not take too long to also figure that out.
Nice to see that we were on the right path already because this indeed is the most logical solution right now as I also pointed out earlier! :-)

Pullin the cell reset is another issue....it's documented on early fats but not on the slims.
One of those 128 pins on the new syscons is the cell reset but you gotta find it. And 90% of the traces are on internal layers. I've got 2 mobos I've been playin with but it's been slow
Even the cell pinout is different on the slims. I even debated on grounding out pins on a running ps3's syscon till she reboot but I'm not sure if that would even work. There's likely a risk of frying it.
Maybe we can get a hardware specialist (PS3) in here to give their take on the situation? Good job!

From what I gather from a quick reading of http://www.ps3devwiki.com/wiki/Lv1.self :
Write a PPU program to dump ram to USB. You need to extract all the embedded selfs in Lv1.self. (script is on the page I linked) Edit pme_init.conf to load your custom ram-dumper.self. It doesn't matter what it does after that, it can ylod for all you care, because you can just reboot into 4.11 again by swapping NOR. You could probably just rename your self to an existing one in there and replace it. I don't know how to rebuild it into Lv1.self (I'm sure it's not hard to do)
Replace it in core_os, flash your CFW to the swap NOR, boot into 4.11, load game, pull cell_reset and swap NOR. Success. Okay, did not know cell_reset isn't documented on later models. Plus, I think a NAND setup would be better anyway (does E3 make a dual NAND board?) because it doesn't rely on anything being on the HDD.
I would suggest we start on the early phat PS3 as they would be easier to run these mods on, but I hope that there is a hardware specialist in PS3 that can give some input on these things as well as advice on how we can run the code successfully. Good job!
we need metldr and lvl1ldr disassemblies then.........
We need an exploit, which enables us to inject the code... Like the one mentioned below.

Games that can help achieve in some kind of way with that objective = Skyrim and Fallout.
Memory issues all over the place.
This could maybe be an option which we could use as an exploit to inject the code we need to infect the system with to retrieve the needed data. Any thoughts today? Someone said that there is a code to dump RAM today!

I attached a little POC for you all. It's a dump of 3.55 and the used app is BlackBox. I just used a small app to make things to start more easy. We also have a RAM dump of OFW 3.74 and we don't have used any hardware or software modifications. To time I still hold back some infos, I hope for your understanding.
Thank you! This is the sort of thing we were looking for! However, I believe you said in an earlier post that you were in the process of getting your hands on debug eboots like True Blue?


Dump entire ram when USB specific is introduced:

Code:
/****************************************************************/
/* JaiCraB  14/07/2011                                          */
/* Plugin TheGrid:                                              */
/*      Dump entire ram when a specific USB is introduced       */
/* Private use to                                 */
/****************************************************************/
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include "defines.h"
#include "gccpch.h"
#include "ps3Utils.h"
#include "ps3FileSystemUtils.h"
  
void lv1dumplv1()
{      
        uint64_t Valor;
        uint64_t x=0,i=0;
 
        char internal_buffer[255];
        unsigned char buffer_dump[0x400];      
        int result, fd;
  
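        /* Pick the first /dev_hdd0/RAM_PS3_<n>.bin name that does not exist yet */
        for (i=0;i<99999;i++)
        {
                sprintf(internal_buffer, "/dev_hdd0/RAM_PS3_%llu.bin",(unsigned long long)i);
                result  = lv2FsOpen(internal_buffer, CELL_FS_O_RDONLY, &fd, 0, NULL, 0);
                if (result!=0)
                        break;                  /* open failed: this name is free */
                lv2FsClose(fd);                 /* name already taken, try the next one */
        }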
        result = lv2FsOpen(internal_buffer, CELL_FS_O_RDWR | CELL_FS_O_CREAT, &fd,CELL_FS_DEFAULT_CREATE_MODE_6, NULL, 0);
        if(!result)
        {
                for (i=0;i< (256 * 1024 * 1024);i+= 0x400)
                {
                        for (x=0; x < 0x400; x+=0x8)
                        {
                                Valor= lv1Peek(x+i);
                                memcpy(buffer_dump+x, &Valor, 8);
                        }
                        lv2FsWrite(fd, buffer_dump, 0x400, NULL);
                }
                lv2FsClose(fd);
        }
}
  
int main(void)
{
        int ret;       
        int fd;
  
        WriteLog(0,"/dev_flash/TheGrid/log","TheGrid Plugin Dumper RAM: Running main base!\n");
        WriteLog(0,NULL,"TheGrid Plugin Dumper RAM: Waiting USB with flag...\n");
        while (1)
        {
                sys_timer_sleep(2);
                ret  = lv2FsOpen("/dev_usb000/dumper.lv1", CELL_FS_O_RDONLY, &fd, 0, NULL, 0);
                if (!ret)
                {
                        lv2FsClose(fd);         /* release the flag-file handle before deleting it */
                        lv2FsUnLink("/dev_usb000/dumper.lv1");
                        WriteLog(0,NULL,"TheGrid Plugin Dumper RAM: Detected USB with flag!\n");
                        WriteLog(0,NULL,"TheGrid Plugin Dumper RAM: Dumping fisical ram...(256M)\n");
                        //sys_timer_sleep(2);
                        lv1dumplv1();
                        WriteLog(0,NULL,"TheGrid Plugin Dumper RAM: Waiting USB with flag...\n");
                }              
        }
        WriteLog(1,NULL, "TheGrid Plugin Dumper RAM: Byez!");
        return 0;
}
Using USB DRIVE as Blu-Ray Drive:

Code:
/****************************************************************/
/* JaiCraB  17/07/2011                                          */
/* Plugin TheGrid:                                              */
/*      Using USB DRIVE as Blu-Ray Drive                        */
/* File: mount.cpp                                              */
/* Private use to                                */
/****************************************************************/
  
uint64_t ChangeMountUnit(uint64_t Origen, uint64_t Destino1, uint64_t Destino2)
{
        uint64_t Start= 0x80000000003EE470ULL;          //MTAB  // 0x80000000003EE870
        uint64_t Stop=  0x80000000003EF570ULL;          //end
        uint64_t Current;
        uint64_t Data;
        int status=-1;
  
        for (Current=Start;Current<Stop;Current=Current+0x100)
        {
                Data = lv2Peek(Current);
                if (Data==Origen){
                        lv2Poke(Current, Destino1);
                        lv2Poke(Current+0x8, Destino2);
                        status = 0;
                }
  
        }
        return status ;
}
Cobra USB payload v2:

Code:
/****************************************************************/
/* JaiCraB  29/06/2011                                          */
/* Plugin TheGrid:                                              */
/*      Cobra USB payload v2                                    */
/* File: main.cpp                                               */
/* Private use to                                */
/****************************************************************/
  
uint64_t lv2launch(uint64_t addr)
{
        //addr, offset, opcode
        uint64_t offset=0x8000000000017CE0ULL;          //sc9
        uint64_t opcode=0x3C60800160630003ULL;          //sc9
  
        uint64_t offset2=0x8000000000017CC8ULL;         //sc7
        uint64_t opcode2=0x3C60800160630003ULL;         //sc7
 
        uint64_t offset3=0x8000000000017CBCULL;         //sc6
        uint64_t opcode3=0x3C60800160630003ULL;         //sc6
  
        
        system_call_8(9,(uint64_t) addr, offset,opcode,offset2,opcode2,offset3,opcode3,0);
        return_to_user_prog(uint64_t);
}
int dumplv2(void)
{
        int fd, result;
        uint64_t Valor;
        uint64_t x=0,y=0,i=0;
        char* buffer = NULL;
                result = lv2FsOpen("/dev_usb000/Dumplv2Cobra.bin", CELL_FS_O_RDWR | CELL_FS_O_CREAT, &fd,CELL_FS_DEFAULT_CREATE_MODE_6, NULL, 0);
                if(!result)
                {
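                        buffer = (char*)malloc(8 * 1024 * 1024);
                        if (buffer == NULL)
                        {
                                lv2FsClose(fd);
                                return -1;
                        }
                        /* sizeof(8 * 1024 * 1024) is sizeof(int), so the original call cleared only 4 bytes */
                        memset(buffer, 0, 8 * 1024 * 1024);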
                        for (x=0x8000000000000000ULL,y=0; x < 0x8000000000000000ULL + (8 * 1024 * 1024);x+=0x8, y+=0x8)
                        {
                                Valor= lv2Peek(x);
                                memcpy(buffer + y, &Valor, 8);
                        }
                        lv2FsWrite(fd, buffer, 8 * 1024 * 1024, NULL);
                        lv2FsClose(fd);
                        free(buffer);
                }
  
        return 0;
}
  
int main(void)
{
        int i,x;
        WriteLog(0,"/dev_usb000","TheGrid Plugin Payload Cobra: Running main base!\n");
        WriteLog(0,NULL,"TheGrid Plugin Payload Cobra: Patching Block!\n");
        for (x=0;x<25;x++)
        {
                for (i=0; i< 4976;i++)
                {
                        lv2Poke(0x8000000000500000ULL + (i * 0x8),payloadBlock[i]);
                }
                __asm__("sync");
        }
        WriteLog(0,NULL,"TheGrid Plugin Payload Cobra: Patching Step 1...\n");
        for (x=0;x<25;x++)
        {       //SC 9 offset
                lv2Poke(0x8000000000017CE0ULL , 0x7C6903A64E800420ULL);
        __asm__("sync");
        }
        WriteLog(0,NULL,"TheGrid Plugin Payload Cobra: Running payload...\n");
        lv2launch(0x80000000005000A8ULL);
        for (x=0;x<25;x++)__asm__("sync");
  
        WriteLog(1,NULL, "TheGrid Plugin Payload Cobra: Byez!");
        return 0;
}
USB Firm Loader v3:

Code:
/****************************************************************/
/* JaiCraB  30/11/2010                                          */
/* USB Firm Loader v3                                           */
/* File: main.c                                                 */
/* Private use to                                */
/****************************************************************/
 
int main( void )
{
        uint64_t dev_flash  = 0x5F666C6173680000;
        uint64_t dev_flashO = 0x5F666C6173684F00;
        uint64_t dev_hdd0   = 0x5F68646430000000;
        uint64_t dev_hdd1   = 0x5F68646431000000;
        uint64_t dev_hdd2   = 0x5F68646432000000;
        uint64_t dev_usb000 = 0x5F75736230303000;
        uint64_t dev_usb001 = 0x5F75736230303100;
        uint64_t dev_usb002 = 0x5F75736230303200;
        uint64_t dev_usb003 = 0x5F75736230303300;

        uint64_t Start= 0x80000000003EE470;             //MTAB  // 0x80000000003EE870
        uint64_t Stop=  0x80000000003EF570;             //end
        uint64_t Current;
        uint64_t Data;

        char debugt[100];

        for (Current=Start;Current<Stop;Current=Current+0x100)
        {
                Data = syscall_peek(Current);
                //Flash -> FlashO
                //HDD   -> Flash
                //USB   -> HDD
                if (Data==dev_flash){
                        //      sprintf(debugt,"Found in %016llX -> _flash\n",Current);
                        //      DebugTest(debugt);
                        syscall_pook(Current,dev_flashO);
                        //      sprintf(debugt,"Parchet in %016llX -> _flashO\n",Current);
                        //      DebugTest(debugt);
                        //VolcarLv2("/dev_usb000/dumpf.bin");
                }
                if (Data==dev_hdd0){
                        //      sprintf(debugt,"Found in %016llX -> _hdd0\n",Current);
                        //      DebugTest(debugt);
                        //      syscall_pook(Current,dev_flashO);
                        //      sprintf(debugt,"Parchet in %016llX -> _flash\n",Current);
                        //      DebugTest(debugt);

                        //VolcarLv2("/dev_usb000/dumph.bin");
                }

                if ((Data==dev_usb000)||(Data==dev_usb001)||(Data==dev_usb002)||(Data==dev_usb003)){
                        //      sprintf(debugt,"Found in %016llX -> _usb000\n",Current);
                        //      DebugTest(debugt);
                        syscall_pook(Current,dev_flash);
                        //      sprintf(debugt,"Parchet in %016llX -> dev_hdd0\n",Current);
                        //      DebugTest(debugt);
                        //VolcarLv2("/dev_hdd0/dumpx.bin");
                        Current=Stop;
                }
                if (Data==dev_hdd1){
                        //      sprintf(debugt,"Found in %016llX -> _usb000\n",Current);
                        //      DebugTest(debugt);
                        //      syscall_pook(Current,dev_hdd2);
                        //      sprintf(debugt,"Parchet in %016llX -> dev_hdd0\n",Current);
                        //      DebugTest(debugt);
                        //VolcarLv2("/dev_hdd0/dumpx.bin");
                }
        }

        return 0;
}
Dump Syscon ROM From GameOS :

Code:
 /**********************************/
    /* JaiCraB  21/09/2011            */
    /* Dump syscon rom from GameOs    */
    /* Private use for  */
    /**********************************/
     
    #include "defines.h"
    #include "gccpch.h"
    #include "ps3Utils.h"
    #include "ps3FileSystemUtils.h"
     
    #define DUMP_OFFSET                     0x2401fc00000ull
    #define DUMP_SIZE                       0x400000ull
     
    void DumpSyscon()
    {
           
            uint64_t Valor;
            uint64_t x=0,i=0;
     
            unsigned char buffer_dump[0x200];      
            int result, fd;
     
            WriteLog(0,NULL, "TheGrid Plugin Dumper Syscon: Dumping...");
            result = lv2FsOpen("/dev_usb000/syscon.rom", CELL_FS_O_RDWR | CELL_FS_O_CREAT, &fd, CELL_FS_DEFAULT_CREATE_MODE_6, NULL, 0);
            if(!result)
            {
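                    /* no exit condition and no break: DUMP_SIZE is never used, so the code after this loop is unreachable */
                    for (i=DUMP_OFFSET;;i+=0x2000)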
                    {
                            for (x=0; x < 0x200; x+=0x8)
                            {
                                    Valor= lv1Peek(i+x);
                                    memcpy(buffer_dump+x, &Valor, 8);
                            }
                            lv2FsWrite(fd, buffer_dump, 0x200, NULL);
                            lv2FsFSync(fd);
                    }
                    WriteLog(0,NULL, "Finish!\n");
                    lv2FsClose(fd);
            }
    }
     
    int main(void)
    {
            int ret;       
            int fd;
     
            WriteLog(0,"/dev_usb000/","TheGrid Plugin Dumper Syscon: Running main base!\n");
            DumpSyscon();
            WriteLog(1,NULL, "TheGrid Plugin Dumper Syscon: Byez!");
            return 0;
    }
Maybe this is what we need? :-)

What if the True Blue Dongle merely loads a custom firmware from the USB at the beginning? Has anyone considered that possibility?

What I am thinking right now is: what if the True Blue dongle simply loads a custom payload in the lv1/dev_flash and the eboots are simply redirected to it? By redirecting they are perhaps avoiding the whole security cycle??

Well I just got an idea, but it's past midnight and I have to go to bed (I'm there with my laptop now), but I had to post this. I will elaborate on it tomorrow! But here it goes (some of the points are from PS3devwiki):

Sony SDK Devkit --> NP-DRM –> Perhaps they are making the PS3 believe that it is a PSN game? If so then they are modifying the eboot.bin into a PSN eboot. Perhaps members of Team Duplex could help?

- Patching of lvl1 to allow RW mapping of RAM via lvl1.self
- File/memory
- Offset(h) 00 01 02 03
- OFW: 000F5A44 39 20 00 00 li r9,0
- TB: 000F5A44 39 20 00 01 li r9,1

lv2_kernel.self --> only 1 function change, and a section added
sub_28fe30 is replaced --> Determines whether to load as OFW or TB. So the actual exploit is executed before loading OFW code!

dev_flash_010.tar.aa.2010_11_27_051337
\dev_flash\vsh\module\nas_plugin.sprx

Offset(h) 00 01 02 03
OFW: 00003250 7C 60 1B 78 mr r0, r3
TB: 00003250 38 00 00 00 li r0, 0
Offset(h) 00 01 02 03
OFW: 00037350 41 9E 00 4C beq- cr7,4c
TB: 00037350 60 00 00 00 nop

LV2 - Let's take an analysis of the LV2 for possible exploits
Code:
Offset in 3.55 (1)         Offset in 3.41 (2) 
(1) 0x60b78                 (2) 0x62088

Function void* alloc(size_t size, int unk)                        
Note unk is possibly pool? PSGroove uses 0x27!

Lv2 System Table Offset
FW version	Alloc	Free	Syscall Table	Mem_base	TOC	Copy to User
3.56 Retail	0x60b24	0x60f60	0x346570	0xef60	0x330540	
3.55 Retail	0x60b78	0x60fb4	0x346570	0x0ef48	0x330540	0xf6a4
3.55 DEX	0x64464	0x648a0	0x361578	0xf590	0x34ac80	0xfcec
Useful Syscalls:
Code:
300	 0x12C	 sys_vm_memory_map	 int sys_vm_memory_map(size_t vsize, size_t psize, sys_memory_container_t container, uint64_t flag, uint64_t policy, sys_addr_t * addr);
301	 0x12D	 sys_vm_unmap	 int sys_vm_unmap(sys_addr_t addr);
302	 0x12E	 sys_vm_append_memory	 int sys_vm_append_memory(sys_addr_t addr, size_t size);
303	 0x12F	 sys_vm_return_memory	 int sys_vm_return_memory(sys_addr_t addr, size_t size);
304	 0x130	 sys_vm_lock	 int sys_vm_lock(sys_addr_t addr, size_t size);
305	 0x131	 sys_vm_unlock	 int sys_vm_unlock(sys_addr_t addr, size_t size);
306	 0x132	 sys_vm_touch	 int sys_vm_touch(sys_addr_t addr, size_t size);
307	 0x133	 sys_vm_flush	 int sys_vm_flush(sys_addr_t addr, size_t size);
308	 0x134	 sys_vm_invalidate	 int sys_vm_invalidate(sys_addr_t addr, size_t size);
309	 0x135	 sys_vm_store	 int sys_vm_store(sys_addr_t addr, size_t size);
310	 0x136	 sys_vm_sync	 int sys_vm_sync(sys_addr_t addr, size_t size);
311	 0x137	 sys_vm_test	 int sys_vm_test(sys_addr_t addr, size_t size, uint64_t * result);

324	 0x144	 sys_memory_container_create	 int sys_memory_container_create(sys_memory_container_t * cid, size_t yield_size);
325	 0x145	 sys_memory_container_destroy	 int sys_memory_container_destroy(sys_memory_container_t cid);
326	 0x146	 sys_mmapper_allocate_fixed_address	 int sys_mmapper_allocate_fixed_address(void);
327	 0x147	 sys_mmapper_enable_page_fault_notification	 int sys_mmapper_enable_page_fault_notification(sys_addr_t start_addr, sys_event_queue_t queue_id);
328	 0x148		 7 Params
329	 0x149	 sys_mmapper_free_shared_memory	 int sys_mmapper_free_shared_memory(sys_addr_t start_addr);
330	 0x14A	 sys_mmapper_allocate_address	 int sys_mmapper_allocate_address(size_t size, uint64_t flags, size_t alignment, sys_addr_t * alloc_addr);
331	 0x14B	 sys_mmapper_free_address	 int sys_mmapper_free_address(sys_addr_t start_addr);
332	 0x14C	 sys_mmapper_allocate_shared_memory	 4 Params: (size_t size, uint64_t flags, size_t alignment, sys_addr_t * alloc_addr) ?
333	 0x14D	 sys_mmapper_set_shared_memory_flag	 int sys_mmapper_set_shared_memory_flag(sys_addr_t, flags) ?;
334	 0x14E	 sys_mmapper_map_shared_memory	 3 Params: (sys_addr_t start_addr, sys_memory_t mem_id, uint64_t flags) ?
335	 0x14F	 sys_mmapper_unmap_shared_memory	 2 Params: (sys_addr_t start_addr,sys_memory_t *mem_id ) ?
336	 0x150	 sys_mmapper_change_address_access_right	 int sys_mmapper_change_address_access_right(sys_addr_t start_addr, uint64_t flags);
337	 0x151	 sys_mmapper_search_and_map	 int sys_mmapper_search_and_map(sys_addr_t start_addr, sys_memory_t mem_id, uint64_t flags, sys_addr_t * alloc_addr);
338	 0x152	 sys_mmapper_get_shared_memory_attribute	 2 Params:
339	 0x153		 5 Params
340	 0x154		 2 Params
341	 0x155	 sys_memory_container_create	 int sys_memory_container_create(sys_memory_container_t * cid, size_t yield_size);
342	 0x156	 sys_memory_container_destroy	 int sys_memory_container_destroy(sys_memory_container_t cid);
343	 0x157	 sys_memory_container_get_size	 int sys_memory_container_get_size(sys_memory_info_t * mem_info, sys_memory_container_t cid);

348	 0x15C	 sys_memory_allocate	 int sys_memory_allocate(size_t size, uint64_t flags, sys_addr_t * alloc_addr);
349	 0x15D	 sys_memory_free	 int sys_memory_free(sys_addr_t start_addr);
350	 0x15E	 sys_memory_allocate_from_container	 int sys_memory_allocate_from_container(size_t size, sys_memory_container_t container, uint64_t flags, sys_addr_t * alloc_addr);
351	 0x15F	 sys_memory_get_page_attribute	 int sys_memory_get_page_attribute(sys_addr_t addr, sys_page_attr_t * attr);
352	 0x160	 sys_memory_get_user_memory_size	 int sys_memory_get_user_memory_size(sys_memory_info_t * mem_info);
I have reasons to believe that they perhaps are using the old USB exploit from PSJailbreak from a different angle. The Dongle modifies files on the dev_flash and I believe does some sort of Cex --> Dex conversion.

PSJailbreak Payload Reverse Engineering

1. it gets control at exploit_entry, which copies the rest of the payload to the fixed address 0x8000000000700000 and jumps to exploit_main.
2. exploit_main copies a resident part of the payload to another location, creates virtual usb device driver called "mod" with 3 functions, hooks some vsh functions via toc entry and does some permanent in-ram patching. when the work is done it zeroes itself out.
3. the resident part has basically 3 purposes: it manages virtual usb device, it does some on-the-fly patching and it hooks all the game disk file accesses from the vsh.
   1. the virtual usb device is needed to make sure the original ps3jb device is plugged in. once the correct device is plugged (the one with the AAAAC0DE) device driver initializes the variable INITIALIZED to 1 (see kmod_func1 - probably "identify device", and kmod_func2 - "initialize device"). if one plugs the device out, the function kmod_func3_call_panic "term device" is called which causes a kernel panic. all the virtual usb device code can be removed completely from the open psjb implementation since it's just a way of protection for the original ps3jb.
   2. the on-the-fly patching part of the code is probably called on virtual memory page remapping and does additional patching in-place. it identifies if the page requires patching by calculating its "hash" and comparing to the table entries. one of the patches enables developer menu/settings called "category_game_tool2.xml#root" which probably enables support of the pkgs and other dev stuff.
   3. the hooks from the vsh are intended to redirect all on-bdvd file requests (or probably just "open") from vsh to the hdd saved backup. the launcher saves the base directory of the game started and after that all the file names are prepended with it. that's how the backup feature works. the lv1 still needs bdvd auth to launch the game, so the original disc in bdvd is still required.
4. Adds a Syscall (Syscall 36) which will be called by Backup Loader to activate the virtual bluray drive with the correct backed upped disk.
5. Patches the return value from hypercall 99 so that we can launch unsigned apps.
the code below is from my idb of the payload.
Oh, one last thing before I go to sleep :-) The magic happens between the eboots and the lv1/dev_flash modding. I believe that the eboots are patched to "look" for the patched areas in the lv1/dev_flash instead where it should be authenticating. The Dongle patches the lv1/dev_flash as I mentioned and the eboots are modified to authenticate in the modified areas instead of behavior of OFW.

In conclusion:

Dongle --> Loading payload --> patching lv2/dev_flash
Paradox eboot patching --> Look for addresses/spaces from lv2/dev_flash patching instead of where OFW would seek.
TB CFW 2 --> Authenticate dongle and load payload? Not sure here.

Good night and more stuff tomorrow :-)

Last edited by Calliope; 05-03-2012 at 12:05 AM. Reason: Updated, editing etc. and adding LV2 calls, analysis and PSJailbreak possible exploit offset for 3.55!
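
An added example, not part of the original post or of any project it mentions: a small C decoder for the three OFW/TB byte pairs quoted in the post above, of the kind used to triage a diff between a stock and a modified firmware image. It handles only the PowerPC instruction forms that occur in those tables; the `struct patch` layout, the function names and the wording of the summaries are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One row of the OFW/TB byte tables quoted in the post (bytes copied from the page). */
struct patch { const char *where; uint32_t off; uint8_t ofw[4], tb[4]; };

static const struct patch PATCHES[] = {
    { "lv1",             0x000F5A44, {0x39,0x20,0x00,0x00}, {0x39,0x20,0x00,0x01} },
    { "nas_plugin.sprx", 0x00003250, {0x7C,0x60,0x1B,0x78}, {0x38,0x00,0x00,0x00} },
    { "nas_plugin.sprx", 0x00037350, {0x41,0x9E,0x00,0x4C}, {0x60,0x00,0x00,0x00} },
};

enum kind { K_UNKNOWN, K_LI, K_ADDI, K_MR, K_OR, K_NOP, K_ORI, K_BC };

/* The Cell PPU is big-endian: assemble the instruction word from 4 bytes. */
static uint32_t be32(const uint8_t b[4]) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* Decode only the instruction forms that appear in the tables above. */
static enum kind decode(uint32_t w, char *out, size_t n) {
    unsigned op = w >> 26, d = (w >> 21) & 31, a = (w >> 16) & 31, b = (w >> 11) & 31;
    int simm = (int16_t)(w & 0xFFFF);
    switch (op) {
    case 14:                        /* addi rD,rA,SIMM; rA = 0 means the literal 0 */
        if (a == 0) { snprintf(out, n, "li r%u,%d", d, simm); return K_LI; }
        snprintf(out, n, "addi r%u,r%u,%d", d, a, simm);
        return K_ADDI;
    case 24:                        /* ori rA,rS,UIMM; the all-zero form is nop */
        if (w == 0x60000000u) { snprintf(out, n, "nop"); return K_NOP; }
        snprintf(out, n, "ori r%u,r%u,0x%x", a, d, (unsigned)(w & 0xFFFF));
        return K_ORI;
    case 31:                        /* X-form; extended opcode 444 is or rA,rS,rB */
        if (((w >> 1) & 0x3FF) == 444 && !(w & 1)) {
            if (d == b) { snprintf(out, n, "mr r%u,r%u", a, d); return K_MR; }
            snprintf(out, n, "or r%u,r%u,r%u", a, d, b);
            return K_OR;
        }
        break;
    case 16: {                      /* bc BO,BI,BD: conditional relative branch */
        static const char *bit[] = { "lt", "gt", "eq", "so" };
        int bd = (int16_t)(w & 0xFFFC);
        snprintf(out, n, "bc %u,cr%u.%s,%+d", d, a >> 2, bit[a & 3], bd);
        return K_BC;
    }
    }
    snprintf(out, n, ".long 0x%08x", (unsigned)w);
    return K_UNKNOWN;
}

/* Summarise what replacing instruction o (stock) with t (modified) changes. */
static const char *classify(uint32_t o, uint32_t t) {
    char s[32];
    enum kind ko = decode(o, s, sizeof s), kt = decode(t, s, sizeof s);
    if (ko == K_BC && kt == K_NOP)
        return "conditional branch removed: execution always falls through";
    if (ko == K_LI && kt == K_LI && (o >> 16) == (t >> 16))
        return "hard-coded constant changed";
    if (ko == K_MR && kt == K_LI)
        return "computed value replaced by a constant";
    return "unclassified change";
}

int main(void) {
    for (size_t i = 0; i < sizeof PATCHES / sizeof PATCHES[0]; i++) {
        char a[32], b[32];
        uint32_t o = be32(PATCHES[i].ofw), t = be32(PATCHES[i].tb);
        decode(o, a, sizeof a);
        decode(t, b, sizeof b);
        printf("%-16s %08X  %-18s -> %-10s %s\n", PATCHES[i].where,
               (unsigned)PATCHES[i].off, a, b, classify(o, t));
    }
    return 0;
}
```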
05-02-2012   #2
Adamsville
Member
 
TLDR

Can a mod move this to the right section? maybe the coding + tech area...
05-02-2012   #3
hellsing9
Hired Gun
 
Moved. Nice info
05-02-2012   #4
Calliope
 
Originally Posted by Adamsville View Post
TLDR

Can a mod move this to the right section? maybe the coding + tech area...
Well thanks I did not know where to place it :-)
05-02-2012   #5
hellsing9
Hired Gun
 
So this has Thegrid from jbcrab.
The thing is to find the *Strings* on skyrim (for example) to make a useful exploit. I still like that memory issue.
05-02-2012   #6
Calliope
 
Originally Posted by hellsing9 View Post
So this has Thegrid from jbcrab
Yes, the Cobra Dongle uses code from JaiCrab! And I suspect that True Blue does the same! Does anyone know whether the old PSJailbreak can be modified to be used on CFW 3.55? Because I suspect that this is what they have done.
05-02-2012   #7
hellsing9
Hired Gun
 
You already read this? = click

I think..since was reversed. Maybe I'm wrong.

P.s: I edited the thread use [/code] Next time, it's easier to read.
05-02-2012   #8
Calliope
 
Originally Posted by hellsing9 View Post
You already read this? = click

I think..since was reversed. Maybe I'm wrong.

P.s: I edited the thread use [/code] Next time, it's easier to read.
Thanks again! I was looking for the function, but I could not find it, so I used the /Quote instead. Where do I find the /CODE function?
05-02-2012   #9
bigo93
Member
 
Well we all know more than 80% of the work put into cobra and tb has been done by other devs who released the info freely, but it's nice to be able to point it out directly.

tbh we've seen the mess jfw-dh is, so do we want more of it? I believe when tb first came out they said you wouldn't be able to install another cfw or downgrade, and now I guess we know why.

Now maybe cobra and tb have fixed the issues dh teams hasn't been able to.

Actually now thinking about it, tb website was registered in November, jfw-dh was supposed to be out in October, instead they release a year old draft cfw. I am beginning to think the tb team is dh and his team.
That or we now know who hacked dh's servers that time he complained and said he was leaving :P

Last edited by bigo93; 05-02-2012 at 09:26 PM.
05-02-2012   #10
Calliope
 
Originally Posted by bigo93 View Post
Well we all know more than 80% of the work put into cobra and tb has been done by other devs who released the info freely, but it's nice to be able to point it out directly.

tbh we've seen the mess jfw-dh is, so do we want more of it? I believe when tb first came out they said you wouldn't be able to install another cfw or downgrade, and now I guess we know why.

Now maybe cobra and tb have fixed the issues dh teams hasn't been able to.

Actually now thinking about it, tb website was registered in November, jfw-dh was supposed to be out in October, instead they release a year old draft cfw. I am beginning to think the tb team is dh and his team.
That we we now know who hacked dh's servers that time he complained and said he was leaving :P
Personally, I don't think DemonHades is behind True Blue. PSJailbreak was made by the same Devs. DemonHades could have provided them with some info, but I don't think they're behind TB.
PS3Hax.net is Copyright © 2010-2013.