#1
Member | Join Date: Apr 2011 | Location: Belgium | Posts: 465 | Likes: 222 | Liked 162 Times in 136 Posts | Mentioned: 19 Post(s) | Tagged: 0 Thread(s)
Need help comparing firmwares
A few days ago there was a theory about taking some offsets of a TB eboot and putting them in a retail eboot +3.60 to get it to work, which was a bust.
But someone (don't remember who) stated that the True Blue dongle doesn't do anything besides checking that you've bought the dongle, and that everything you need to run TB eboots is in the firmware. Then someone else stated that someone should write a True Blue emulator, and that started me thinking (which is usually a dangerous thing, lol).

So I started to compare REBUG_3.55.2 to REBUG_3.55.2_TB. I unpacked both PUPs and saw that 2 files had different hashes: version.txt (this is normal, different names in them) and update_files.tar (more interesting). I unpacked the 2 tars and saw that 3 files were different:
1) CORE_OS_PACKAGE.pkg
2) dev_flash_011.tar.aa.2010_11_27_051337
3) dev_flash_022.tar.aa.2010_11_27_051337

First I unpacked the CORE_OS_PACKAGE.pkg and found that 2 files were different:
1) lv1.self
2) lv2_kernel.self

I decrypted those and looked at them in a simple hex editor. In lv1.elf only 3 offsets differ, whereas lv2_kernel.elf is completely different at first glance: the file size differs and one of them starts out with a lot of zeros where the other does not. But when I compare the files from the bottom up I see a lot of things that are the same, but the 'code' has shifted to other offsets. (Don't know what this means; if someone could elaborate on that it would be much appreciated.)

Then the dev_flash: I can't seem to get it unpacked. I tried every tool and script I could find, spent hours reading the ps3_dev_wiki to no avail, and then I read somewhere that you can't unpack the dev_flash from the PUP when it is created in MFWbuilder. Apparently a bug in the current tools. (Is there any truth to that?)

I thought that if one could find where the REBUG_TB firmware points to the dongle, maybe it could be redirected to somewhere else (say a folder on the PS3 where one could put the TB_dongle_payload). I know I'm a noob at this, but I try to do something constructive as opposed to all the drama and flaming going on. (No offence intended to anyone!)

So please tell me: is my way of thinking a step in the right or the wrong direction? And what do I need to do to get to the next step, because I'm totally stuck at the moment (unpacking the dev_flash from REBUG and REBUG_TB).

Update: Managed to get both dev_flashes unpacked using MFWbuilder's Temp directory and having the program patch something that isn't there. This way the program halts but the temp dir is not deleted. Just copy-paste, lol. So I'm looking into those now.

Update 2: Compared 'dev_flash_011.tar.aa.2010_11_27_051337' and it's the same thing as in lv2_kernel.self: different file sizes, but the same code is there at different offsets. Strange indeed. And after looking at 'dev_flash_022.tar.aa.2010_11_27_051337' I can see they are very different. And it calls for sprx modules that I can't find in the 'modules' folder. I'll start comparing the sprx module hashes now, as there have been comments that TB firmware uses modules from 4.00.

Update 3: All sprx modules have exactly the same hashes and file sizes.

Update 4: After doing a little more research I found out that I am missing a lot of the sprx files that should be in the dev_flash\vsh\modules folder, so it seems that MFWbuilder only unpacks the sprx-es it needs. Any input on how to completely unpack the entire dev_flash would be welcome.

Thanks in advance. @iPwnz thanks

Last edited by ev1l51xty51x; 02-02-2012 at 10:32 AM. Reason: spelling check + update
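Added example, not from the thread: one way to make "the same code at a different offset" visible is to hash fixed-size blocks of both files and report runs of blocks that match at a constant displacement; blocks filled with a single repeated byte (like the zero-padded head of one lv2_kernel) are skipped because they would match everywhere. The two input files are constructed stand-ins, not the REBUG images.

```python
import hashlib
from collections import defaultdict

BLOCK = 16  # block granularity; for real firmware images 64 or 256 bytes is more practical

def _is_filler(chunk: bytes) -> bool:
    # Runs of one repeated byte (zero padding, 0xFF fill) occur everywhere and
    # would align the zero-filled head of one file with any padding in the other.
    return len(set(chunk)) == 1

def index_blocks(data: bytes, block: int = BLOCK) -> dict:
    """Map the SHA-256 of every non-filler, block-aligned chunk to its offsets."""
    idx = defaultdict(list)
    for off in range(0, len(data) - block + 1, block):
        chunk = data[off:off + block]
        if not _is_filler(chunk):
            idx[hashlib.sha256(chunk).digest()].append(off)
    return idx

def shifted_regions(a: bytes, b: bytes, block: int = BLOCK) -> list:
    """Return (offset_in_a, offset_in_b, length) for runs of identical content that
    sit at a constant displacement; offset_in_b - offset_in_a is the shift."""
    idx = index_blocks(b, block)
    runs, cur = [], None
    for off in range(0, len(a) - block + 1, block):
        chunk = a[off:off + block]
        hits = [] if _is_filler(chunk) else idx.get(hashlib.sha256(chunk).digest(), [])
        if cur is not None and off + cur["shift"] in hits:
            cur["len"] += block          # same displacement: extend the current run
            continue
        if cur is not None:
            runs.append((cur["a"], cur["a"] + cur["shift"], cur["len"]))
            cur = None
        if hits:                         # start a new run at the first place b has this block
            cur = {"a": off, "shift": hits[0] - off, "len": block}
    if cur is not None:
        runs.append((cur["a"], cur["a"] + cur["shift"], cur["len"]))
    return runs

# Constructed stand-in for two kernel images: file A carries a 64-byte header
# padded with zeros, file B a 32-byte header; the same 128 bytes of "code" follow.
CODE = bytes(range(1, 129))
FILE_A = b"HDR-A" + b"\x00" * 59 + CODE
FILE_B = b"HDR-B-different-header-ab" + b"\x00" * 7 + CODE

if __name__ == "__main__":
    for a_off, b_off, length in shifted_regions(FILE_A, FILE_B):
        print(f"A+0x{a_off:x} == B+0x{b_off:x} for 0x{length:x} bytes (shift {b_off - a_off:+d})")
```

Running it on real images, read the two files into `FILE_A` and `FILE_B` and raise `BLOCK`; a single long run with a non-zero shift is exactly the "same code, other offsets" pattern, while many short runs point to real code changes.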

#2
Member | Join Date: Apr 2011 | Location: Belgium | Posts: 465 | Likes: 222 | Liked 162 Times in 136 Posts | Mentioned: 19 Post(s) | Tagged: 0 Thread(s)
Come on guys and girls,
Nobody? Nobody calling fake or B**ls**t! No drama whatsoever? (lol) That makes me so sad :-( OK then, I'll keep hitting my head against the brick wall because I'm not giving up. How the **** do I get those dev_flashes unpacked so I can compare the Modules folder in VSH?

Last edited by ev1l51xty51x; 02-03-2012 at 06:58 AM.

#3
Member | Join Date: Nov 2009 | Posts: 190 | Likes: 27 | Liked 88 Times in 57 Posts | Mentioned: 11 Post(s) | Tagged: 0 Thread(s)
Start by comparing the original eboot from the game with the fix eboot that was released.
And the right question: if you don't have 3.60+ keys, how do you decrypt a 3.60+ eboot? And modify it? And the logical answer: if you can decrypt 3.60+, you have 3.60+ keys! And I have failed to decrypt this eboot.

#4
Member | Join Date: Apr 2011 | Location: Belgium | Posts: 465 | Likes: 222 | Liked 162 Times in 136 Posts | Mentioned: 19 Post(s) | Tagged: 0 Thread(s)
As for the 3.60+ eboots: all True Blue eboots are 3.55 encrypted. (And you would only be able to compare 3.60+ eboots if they are decrypted; otherwise when you open them they will just be gibberish and you would be comparing random characters. No 3.60+ keys = not looking into 3.60 eboots.) Try to run a TB game through Multiman's eboot fixer and it will fail at converting sprx files; the eboot gets converted just fine. The error that you get is a make_self_npdrm error, which has nothing to do with 3.60+ keys in my opinion. That has to do with True Blue's OWN DRM keys. If you check the wiki you'll see that they managed to decrypt all DRM-locked files from the dongle, even the payload that's on the dongle. I think if you could add the TB DRM keys to the eboot fixer, you could just run a TB game through Multiman's eboot fixer and play it on any 3.55 CFW. And please, if I'm wrong, which could very well be, explain where the fault is in the theory so that I learn and move along. I am learning as I go along.

Last edited by ev1l51xty51x; 02-03-2012 at 07:39 AM.

#5
Member | Join Date: Nov 2009 | Posts: 190 | Likes: 27 | Liked 88 Times in 57 Posts | Mentioned: 11 Post(s) | Tagged: 0 Thread(s)
eboot
OK, this is it.

When I try to decrypt the Thor: God of Thunder eboot I get this:

  Exception: STATUS_ACCESS_VIOLATION at eip=610F1630
  eax=00000002 ebx=00D00000 ecx=6115F410 edx=00000001 esi=0028CD02 edi=FFFFFFFA
  ebp=0028CCC8 esp=0028CBE0
  program=C:\Users\nicusor\Desktop\New folder (8)\PS3Tools GUI Edition\fwpkg.exe, pid 3724, thread main
  cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B
  Stack trace:
  Frame     Function  Args
  0028CCC8  610F1630  (0028CD02, 61179FC3, 0028CD58, 61006CD3)
  0028CD58  61006CD3  (00000000, 0028CD94, 61006570, 7EFDE000)
  End of stack trace

If in some way the DRM keys from the stick are used to decrypt some part of the eboot: in my opinion the game from the higher firmware calls the library in a different way, so you have to modify the 3.55 files so they can respond to the calls.

#6
Member | Join Date: Apr 2011 | Location: Belgium | Posts: 465 | Likes: 222 | Liked 162 Times in 136 Posts | Mentioned: 19 Post(s) | Tagged: 0 Thread(s)
OK, but is this the retail version or the TB version of the game?
My guess is retail. And if you are saying "in my opinion the game from the higher firmware calls the library in a different way, so you have to modify the 3.55 files so they can respond to the calls", then what we need to run TB games on any 3.55 CFW is inside the TB firmware.

Last edited by ev1l51xty51x; 02-03-2012 at 08:15 AM.

#7
Member | Join Date: Nov 2009 | Posts: 190 | Likes: 27 | Liked 88 Times in 57 Posts | Mentioned: 11 Post(s) | Tagged: 0 Thread(s)
It is the TB fix for Thor: God of Thunder.
And the eboot attached is TB firmware. I only manage to see this:

  SELF header
    elf #1 offset:  00000000_00000090
    header len:     00000000_00000a80
    meta offset:    00000000_000004a0
    phdr offset:    00000000_00000040
    shdr offset:    00000000_00061070
    file size:      00000000_00071524
    auth id:        10100000_01000003 (Unknown)
    vendor id:      01000002
    info offset:    00000000_00000070
    sinfo offset:   00000000_00000290
    version offset: 00000000_00000390
    control info:   00000000_000003c0 (00000000_00000100 bytes)
    app version:    3.64.0
    SDK type:       Retail
    app type:       NP-DRM application

  Control info
    control flags:  40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    file digest:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    NPDRM info:
      magic:        00000000
      unk0 :        00000000
      unk1 :        00000000
      unk2 :        00000000
      content_id:
      digest:       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      invdigest:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      xordigest:    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  Section header
    offset             size               compressed unk1     unk2     encrypted
    00000000_00000a80  00000000_00060369  [YES]      00000000 00000000 [YES]
    00000000_00060df0  00000000_0000027a  [YES]      00000000 00000000 [YES]
    00000000_00061070  00000000_00000008  [YES]      00000000 00000000 [YES]
    00000000_00061080  00000000_00000008  [YES]      00000000 00000000 [YES]
    00000000_00061090  00000000_00000000  [NO ]      00000000 00000000 [YES]
    00000000_00061090  00000000_00000004  [NO ]      00000000 00000000 [N/A]
    00000000_000610a0  00000000_00000020  [NO ]      00000000 00000000 [N/A]
    00000000_000610c0  00000000_00000040  [NO ]      00000000 00000000 [N/A]

  Encrypted Metadata
    unable to decrypt metadata

  ELF header
    type:                              Executable file
    machine:                           PowerPC64
    version:                           1
    phdr offset:                       00000000_00000040
    shdr offset:                       00000000_00070e20
    entry:                             00000000_000800f0
    flags:                             00000000
    header size:                       00000040
    program header size:               00000038
    program headers:                   8
    section header size:               00000040
    section headers:                   28
    section header string table index: 27

Last edited by enosrasun; 02-03-2012 at 08:23 AM.
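The fields printed under "SELF header" above all live in the cleartext part of the file, so they can be read without any keys; as an added example (not the poster's tool output or any PS3 tool's code), the following Python decodes them from the publicly documented SCE/SELF layout, with a header constructed here to carry the same offsets as the dump (key revision and the raw app version field are filled with 0, as they are not in the dump).

```python
import struct

SCE_MAGIC = 0x53434500  # "SCE\0"
SELF_TYPES = {1: "LV0", 2: "LV1", 3: "LV2", 4: "application", 5: "isolated SPU module",
              6: "secure loader", 8: "NP-DRM application"}

def parse_self_header(blob: bytes) -> dict:
    """Decode the cleartext SCE header (0x20 bytes), SELF header (0x50 bytes) and
    application info of a SELF. Nothing here reads the encrypted metadata or sections,
    so it works on files whose keys you do not have, like the dump above."""
    if len(blob) < 0x70:
        raise ValueError("too short for an SCE + SELF header")
    magic, sce_ver, key_rev, hdr_type, meta_off, hdr_len, data_len = struct.unpack_from(">IIHHIQQ", blob, 0)
    if magic != SCE_MAGIC:
        raise ValueError("bad magic: not an SCE file")
    if hdr_type != 1:
        raise ValueError(f"SCE header type {hdr_type} is not SELF (1)")
    (_self_hdr_type, info_off, elf_off, phdr_off, shdr_off, sinfo_off,
     ver_off, ctrl_off, ctrl_size) = struct.unpack_from(">9Q", blob, 0x20)
    if info_off + 0x20 > len(blob):
        raise ValueError("app info offset points past the end of the file")
    auth_id, vendor_id, app_type, app_ver_raw = struct.unpack_from(">QIIQ", blob, info_off)
    return {
        "key_revision": key_rev, "metadata_offset": meta_off, "header_len": hdr_len,
        "data_len": data_len, "info_offset": info_off, "elf_offset": elf_off,
        "phdr_offset": phdr_off, "shdr_offset": shdr_off, "sinfo_offset": sinfo_off,
        "version_offset": ver_off, "control_info_offset": ctrl_off, "control_info_size": ctrl_size,
        "auth_id": auth_id, "vendor_id": vendor_id,
        "app_type": SELF_TYPES.get(app_type, f"unknown ({app_type})"),
        "app_version_raw": app_ver_raw,
    }

# Constructed header carrying the offsets from the readself dump in post #7
# (key revision and the raw app version field are 0 because the dump does not show them).
SAMPLE_SELF = (
    struct.pack(">IIHHIQQ", SCE_MAGIC, 2, 0, 1, 0x4A0, 0xA80, 0x71524)
    + struct.pack(">10Q", 3, 0x70, 0x90, 0x40, 0x61070, 0x290, 0x390, 0x3C0, 0x100, 0)
    + struct.pack(">QIIQQ", 0x1010000001000003, 0x01000002, 8, 0, 0)
)

if __name__ == "__main__":
    for name, value in parse_self_header(SAMPLE_SELF).items():
        print(f"{name:20} {value:#x}" if isinstance(value, int) else f"{name:20} {value}")
```

On a real EBOOT.BIN, pass `open(path, "rb").read()` instead of `SAMPLE_SELF`; comparing these dictionaries for two files shows header-level differences (auth id, app type, section layout offsets) even when the sections themselves cannot be decrypted.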

#8
Member | Join Date: Apr 2011 | Location: Belgium | Posts: 465 | Likes: 222 | Liked 162 Times in 136 Posts | Mentioned: 19 Post(s) | Tagged: 0 Thread(s)
Yes indeed, you're right, I can't decrypt the eboot.
I tried Portal 2 a while back. But I mean, TB firmware is a 3.55 CFW. If TB eboots are encrypted with 3.60+ keys, then there's no way of comparing them because we don't have those keys, and that means this is a no go. On the other hand, as you mentioned, they call for the libraries in a different way. Is it really that stupid to want to look at those libraries from the TB firmware? It really bugs me that I can't get to them. When I try to unpack the dev_flash from an OFW it works just fine, but when I try to do the same for REBUG or REBUG_TB it just doesn't work. I'm sitting here thinking why?

#9
Member | Join Date: Nov 2009 | Posts: 190 | Likes: 27 | Liked 88 Times in 57 Posts | Mentioned: 11 Post(s) | Tagged: 0 Thread(s)
If you put a 3.55 game on 4.00 firmware it will work, because 4.00 contains the instructions for the game on how to call and work properly.
But if you put a 3.60+ game on lower firmware it won't work, because 3.55 doesn't have the instructions for the game. My bet is that the TB stick contains those instructions: they have modified the firmware to use the stick and have the game call right. So insert the game and it will make the request to the PS3; firmware 3.55 doesn't know how to handle the game, and next it will use the DRM stick for a set of instructions (how to handle the game request), and now if you have the proper library the game will run.

#10
Senior Member | Join Date: Jun 2009 | Posts: 5,125 | Likes: 1,880 | Liked 1,789 Times in 1,170 Posts | Mentioned: 220 Post(s) | Tagged: 0 Thread(s)
As for 3.60 FW games on a 3.55: the PS3 is able to read it because of the per-console key, but because the eboot says "I want 3.60 FW", the PS3 gives the instructions that it needs to be on 3.60+ to do anything with it. Hope it makes a bit of sense.