94w ago - Following up on the previous True Blue (TB) PS3 JailBreak 2 (JB2) DRM-infected dongle news comes a WIP update from Shadoxi on dumping and decrypting the TB and Cobra payloads below, as follows:
I have figured out where the payload is located of the TB and Cobra dongles. You can find it at offset @360000 in lv2_kernel and 7f0000 in PS3 memory. According to the PS3 Developer Wiki (ps3devwiki.com/index.php/ReDRM_/_Piracy_dongles) the LV2 dump payload at 0x7f0000 has also been decrypted @ LV2 dump 0x7f0000 (pastebin.com/3VG76HQs)
Drag and drop payload in IDA and load it in Binary file mode, Processor type PPC.Press "C" to convert in ASM code.
First of all you need to edit the header of lv2_kernel.self (from CFW TrueBlue) at offset 0x1D, replace 36 1A 00 by 4C FC F0. And decrypt it with unself tool from fail0verflow. Open lv2_kernel.elf with IDA Pro (in binary file mode), go to offset 360000 and press "C" to convert to asm code.
TrueBlue use some HVCALL:
lv1_panic (shutdown ps3 when TB is unplugged)
This payload do some HVCALL:
lv1_insert_htab_entry (map lv1)
lv1_panic (shutdown ps3 when TrueBlue dongle is unplugged)
lv1_undocumented_function_114 (map lv1)
lv1_undocumented_function_115 (unmap lv1)
We needed to dump lv2 and lv1 memory when the dongle is plugged in, so I created a modified TB CFW with peek and poke syscall. It works fine !
Finally, from the MFW_TrueBLue.zip ReadMe file: Warning this mfw can brick your dongle !!!
First install PS3PEEKTEST.pkg
Install MFW TrueBlue firmware in recovery mode
If Peek Result is equal to 10 and true blue light is green -> work.
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
Siggy12 Convert to a Dex and use the update to make the fresh new released game work. And if there is no update then we need to dump it out of ram with coredump function.
utar oO The Coredump function is a embended system of the debug FW and get handled of liblv2dbg. The send signal call aka send_signal_to_coredump_handler() and the trigger function are always running and CAN NOT be deactivated.
This have nothing to do with any custom syscall. Please download a SDK, Install it and read the documentation about the Core Dump function.
In none technical language I assume you mean that you do a memory dump once the eboot has been decrypted. How does this work with post 3.55 firmware? Wouldn't you need to have level 1 or 2 peek and poke access to trigger the exception and core dump which we don't have?