Following up on the previous update, today I am releasing my True Blue USB dongle PS3 ELF dumper which works with any PlayStation 3 Firmware greater than 3.56 to dump the encrypted TB EBOOT / ELF files once they are loaded.
Download: [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Mirror #2) / [Register or Login to view links] (Mirror #3) / [Register or Login to view links] (Mirror #4) / [Register or Login to view links] (Mirror #5) / [Register or Login to view links] (Mirror #6) / [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] (DUMPEDBOOT.bin and DUMPEDBOOT1.bin) by arnes_king / [Register or Login to view links] by gibson25 / [Register or Login to view links] (np_trp_prx.rar) / [Register or Login to view links] (Mirror) / [Register or Login to view links] by mellss
- Original 355 -> ok
- True Blue CFW v2 -> ok
There are some bugs (size of dump ...) but it works. It's ELF dumper from memory and it work with True Blue cfw v2 and any 3.55 firmware because it doesn't use lv2 peek/poke.
Warning: It will not brick your ps3. But I am not responsible for any damage.
- Enable dev_blind with multiman
- copy libsysutil_np_trophy.sprx from /dev_blind/sys/external/external to dev_hdd0/ and rename it "orignal_libsysutil_np_trophy.sprx"
- copy my modified "libsysutil_np_trophy.sprx" to /dev_blind/sys/external/
- load a True blue game from multiman
- exit multiman
- run your game
- wait few minutes (if you get black screen after 3 minutes reboot ps3)
- exit game
- go to ftp
- in dev_hdd0/ there are your decrypted DUMPEDBOOT.bin
- copy and rename it with another name.
Howto uninstall patch - Two ways:
- You could uninstall this patch by replacing modified libsysutil_np_trophy.sprx by orginal libsysutil_np_trophy.sprx
- Or update in recovery mode
Thanks to: Ps3dev
1 - Install TB ELF Dumper first as stated in its readme file.
2 - Start Multiman, it will make a dump of multiman eboots, so you must delete it first by browsing to dev_hdd0 then delete all DUMPEDEBOOT.BIN files you found there.
3 - Back to multiman game selection then select any TB game then launch it.
4 - Start the game from XMB then wait for some times until game start.
5 - Exit game now then start multiman again then browse to dev_hdd0 and now you must found a decrypted game dump.
From PlayStation 3 developer deank (via pastebin.com/avcM5iuU) comes a revision as follows:
Download: [Register or Login to view links] (np_trp_prx.rar) / [Register or Login to view links] (Mirror)
// Author: Shadoxi
// Modified: :)
// Backup the original /dev_flash/sys/external/libsysutil_np_trophy.sprx to /dev_hdd0
// Replace /dev_blind/sys/external/libsysutil_np_trophy.sprx by this sprx
SYS_MODULE_INFO (sceNpTrophyhook, 0, 1, 0 );
SYS_MODULE_START( _start );
SYS_MODULE_STOP ( _stop );
SYS_LIB_DECLARE( sceNpTrophyhook, SYS_LIB_AUTO_EXPORT | SYS_LIB_WEAK_IMPORT );
SYS_LIB_EXPORT ( loader_sprx, sceNpTrophyhook );
void loader_sprx(const char* PATH_PRX);
static void write_message (char const * message)
unsigned int write_length;
char const * end;
for (end = message; *end != '\0'; ++end);
sys_tty_write(SYS_TTYP_PPU_STDERR, message,end - message, &write_length);
write_message("Dumping ELF from RAM...\n");
uint64_t ptr= 0x00010000ULL; //ELF offset in RAM;
uint64_t sizeelf = 35*1024*1024; //Need a way to get size of ELF
for(uint8_t i=0; i<100; i++)
if (cellFsOpen(dump_path, CELL_FS_O_RDONLY, &fd, NULL, 0) != CELL_FS_SUCCEEDED)
cellFsOpen(dump_path, CELL_FS_O_CREAT|CELL_FS_O_RDWR|CELL_FS_O_TRUNC, &fd, NULL, 0);
cellFsWrite(fd, (void*)ptr, sizeelf, &nread);
void loader_sprx(const char* PATH_PRX)
sys_prx_id_t prx_id ;
write_message ("Loading original prx... ");
prx_id = sys_prx_load_module(PATH_PRX, 0, NULL);
if (prx_id <= CELL_OK)
write_message ("Done!\n\nStarting module... ");
if(sys_prx_start_module( prx_id, 0, NULL, &modres, 0, NULL) != CELL_OK)
write_message ("By shadoxi\n");
// place here original libsysutil_np_trophy.sprx
- Doesn't stop dumping when it reaches embedded ELF
- Dumps 35MB of RAM in one write call (so it takes ~1 second)
- Dumps are saved in /dev_hdd0/RAMDUMP-##.BIN where ## is from 00 to 99 for 100 sequential dumps
- Doesn't really require the original sprx, since loading never succeeds anyway
- Tested: dumps mM, Beyond Good&Evil HD PSN...
- Rebuilding the original 'elf' takes few minutes if you know what you're doing
Finally, from mellss: I tested shadoxi patch, in ofw 3.55 dex and 3.55 cfw it work fine (but like he said some buggy with size of dump). And also let him time to dump all memory!!! (it take for me around ~10 - 20 min !!!)
Proof Of Concept:
- Download: [Register or Login to view links]
- dumpedboot.bin -> decrypt EBOOT.bin fifa 953 ko (original eboot 68 ko) -> winhex offset of decrypted elf 0x0 to 0xEA60 ~61 ko
- dumpedboot1.bin -> decrypt fifazf.elf 25 mo (original self 35 mo) -> need to increase size of dump to 35 mo
I make a fself EBOOT.bin (4.11 dex) which load reencrypted (flself) shadoxi patch and YES his patch dump my eboot and also some 4.11 dex lib sprx !!! So if someone can run shadoxi or deank patch when a game is running we can get decrypted 4.xx EBOOT.
I think TB team load the decrypted eboot to another offset in memory, that's why some of people get ps3 crash when TB was plugged. But, We can get this new offset by editing shadoxi exploit and print the address of a variable (stack address) to get the new one.
More PlayStation 3 News...