Following up on the previous
True Blue (TB) PS3 JailBreak 2 (JB2) DRM-infected
dongle news comes a WIP update from Shadoxi
on dumping and decrypting the TB and Cobra payloads below, as follows:
Download: TB / Cobra Payloads
(2.84 MB) / TB / Cobra Payloads
(2.84 MB - Mirror) / TB / Cobra Payloads
(2.84 MB - Mirror) / PS3 True Blue MFW
I have figured out where the payload is located of the TB and Cobra dongles. You can find it at offset @360000 in lv2_kernel and 7f0000 in PS3 memory. According to the PS3 Developer Wiki (ps3devwiki.com/index.php/ReDRM_/_Piracy_dongles) the LV2 dump payload at 0x7f0000 has also been decrypted @ LV2 dump 0x7f0000 (pastebin.com/3VG76HQs)
Drag and drop payload in http://www.hex-rays.com/products/ida/support/download.shtml and load it in Binary file mode, Processor type PPC.Press "C" to convert in ASM code.
First of all you need to edit the header of lv2_kernel.self (from CFW TrueBlue) at offset 0x1D, replace 36 1A 00 by 4C FC F0. And decrypt it with unself tool from fail0verflow
. Open lv2_kernel.elf with IDA Pro (in binary file mode), go to offset 360000 and press "C" to convert to asm code.
TrueBlue use some HVCALL:
- lv1_panic (shutdown ps3 when TB is unplugged)
This payload do some HVCALL:
- lv1_insert_htab_entry (map lv1)
- lv1_allocate_device_dma_region (?)
- lv1_map_device_dma_region (?)
- lv1_net_start_tx_dma (?)
- lv1_net_control (?)
- lv1_panic (shutdown ps3 when TrueBlue dongle is unplugged)
- lv1_undocumented_function_114 (map lv1)
- lv1_undocumented_function_115 (unmap lv1)
We needed to dump lv2 and lv1 memory when the dongle is plugged in, so I created a modified TB CFW with peek and poke syscall. It works fine !
Finally, from the MFW_TrueBLue.zip ReadMe file: Warning this mfw can brick your dongle !!!
- First install PS3PEEKTEST.pkg
- Install MFW TrueBlue firmware in recovery mode
- Start ps3peektest
If Peek Result is equal to 10 and true blue light is green -> work.
More PlayStation 3 News