Post: True Blue ELF Dumper Released
08-25-2012, 12:45 AM #1
DEREKTROTTER
You're Goddamn Right
True Blue ELF Dumper Released


Shadoxi over at PS3News has released a True Blue EBOOT/ELF Dumper for the scene. As the name suggests, it dumps True Blue-encrypted EBOOT/ELF files once they have been loaded.

Originally posted by another user
Originally Posted by Shadoxi @ PS3NEWS
Hi ,

I release my ELF dumper, it work with any firmware > 3.56.

Tested on:
- Original 355 -> ok
- True Blue CFW v2 -> ok
- ...

There are some bugs (size of dump ...) but it work.


Originally posted by another user
Originally Posted by TB ELF Dumper Readme
It's ELF dumper from memory and it work with True blue cfw v2 and any 3.55 firmware because it doesn't use lv2 peek/poke.

Warning:
It will not brick your ps3. But i am not responsible for any damage.

HOWTO:
- Enable dev_blind with multiman
- copy libsysutil_np_trophy.sprx from /dev_blind/sys/external/external to dev_hdd0/ and rename it "orignal_libsysutil_np_trophy.sprx"
- copy my modified "libsysutil_np_trophy.sprx" to /dev_blind/sys/external/
- load a True blue game from multiman
- exit multiman
- run your game
- wait few minutes (if you get black screen after 3 minutes reboot ps3)
- exit game
- go to ftp
- in dev_hdd0/ there are your decrypted DUMPEDBOOT.bin
- copy and rename it with another name.

Howto uninstall patch :
Two ways:

- You can uninstall this patch by replacing the modified libsysutil_np_trophy.sprx with the original libsysutil_np_trophy.sprx

- Or update in recovery mode

Thanks to: Ps3dev


However, as the first quoted comment states, the SPRX-based application has bugs related to dump size, so it may not work reliably. Try it at your own risk!

Source Code:
    
//Author:Shadoxi
//Replace libsysutil_np_trophy.sprx in flash/internal by this code
//Some evil crash due to size of dump
// NOTE(review): no #include lines appear in this listing; the SYS_* macros,
// CellFsErrno, system_call_N, sys_tty_write and sys_prx_* names used below
// must come from SDK headers that are not shown here.
// NOTE(review): per the line above, this module is meant to be installed in
// place of a system library, so its start routine presumably runs in every
// process that loads that library. Treat the binary as fully trusted code.

// Module descriptor for the PRX, registered under the name sceNpTrophyhook.
SYS_MODULE_INFO(sceNpTrophyhook, 0, 1, 0 );
// _start and _stop (defined further down) are the module's start/stop entry points.
SYS_MODULE_START( _start );
SYS_MODULE_STOP( _stop );

// Declares the export library that loader_sprx is published under.
SYS_LIB_DECLARE( sceNpTrophyhook, SYS_LIB_AUTO_EXPORT | SYS_LIB_WEAK_IMPORT );

// loader_sprx is exported, so it is callable from outside this module.
SYS_LIB_EXPORT( loader_sprx, sceNpTrophyhook );

// Forward declarations for the entry points and the exported loader.
int _start(void);
int _stop(void);
void loader_sprx(const char* PATH_PRX);


/*
 * Issues lv2 system call 801 (file open, going by the wrapper's name) with
 * the six arguments passed straight through; pointers are cast to uint64_t.
 *
 * The result comes back through return_to_user_prog(CellFsErrno), an SDK
 * macro whose definition is not shown in this listing. The caller in this
 * file treats a result of 0 as success and expects *fd to be filled in.
 */
static inline CellFsErrno lv2FsOpen(const char *path, uint32_t oflags, int *fd,
                                    uint32_t mode, const void *arg,
                                    uint64_t argsize)
{
    system_call_6(801,
                  (uint64_t)path,
                  oflags,
                  (uint64_t)fd,
                  mode,
                  (uint64_t)arg,
                  argsize);
    return_to_user_prog(CellFsErrno);
}
/*
 * Issues lv2 system call 802 (file read, going by the wrapper's name):
 * descriptor, destination buffer, byte count, and a pointer that receives
 * the number of bytes read.
 *
 * Not called anywhere in the visible listing.
 */
static inline CellFsErrno lv2FsRead(int fd, void *buf, uint64_t size,
                                    uint64_t *read_e)
{
    system_call_4(802,
                  fd,
                  (uint64_t)buf,
                  size,
                  (uint64_t)read_e);
    return_to_user_prog(CellFsErrno);
}

/*
 * Issues lv2 system call 803 (file write, going by the wrapper's name):
 * descriptor, source buffer, byte count, and a pointer that receives the
 * number of bytes written.
 *
 * The status is handed back via the SDK's return_to_user_prog macro; the
 * caller in this file ignores both the status and *written.
 */
static inline CellFsErrno lv2FsWrite(int fd, const void *buf, uint64_t size,
                                     uint64_t *written)
{
    system_call_4(803,
                  fd,
                  (uint64_t)buf,
                  size,
                  (uint64_t)written);
    return_to_user_prog(CellFsErrno);
}

/*
 * Issues lv2 system call 804 (file close, going by the wrapper's name) for
 * the given descriptor and hands the status back via return_to_user_prog.
 */
static inline CellFsErrno lv2FsClose(int fd)
{
    system_call_1(804,
                  fd);
    return_to_user_prog(CellFsErrno);
}
/*
 * Writes a NUL-terminated string to the PPU stderr TTY.
 *
 * message must be a valid, terminated string; its length is measured by
 * walking to the terminator. The byte count reported back by sys_tty_write
 * is stored but never inspected, so short writes go unnoticed.
 */
static void write_message(char const *message)
{
    unsigned int bytes_written;
    char const *cursor = message;

    /* Advance to the terminating NUL to find the message length. */
    while (*cursor != '\0') {
        ++cursor;
    }

    sys_tty_write(SYS_TTYP_PPU_STDERR, message, cursor - message, &bytes_written);
}
/*
 * Copies memory starting at address 0x00010000 to a file on /dev_hdd0,
 * eight bytes per write, bounded by sizeelf (25 MiB).
 *
 * The output name is the first of DUMPEDBOOT.bin, DUMPEDBOOT1.bin,
 * DUMPEDBOOT2.bin and DUMPEDBOOT3.bin whose read-only probe open fails.
 * If all four probes succeed, only a TTY message is written.
 *
 * NOTE(review): as rendered on this page the four for-loop headers are not
 * valid C: the text after "i+=" was replaced by a forum emoticon label. The
 * original step cannot be confirmed from the page (presumably 8, matching
 * the 8-byte writes), so the code is left exactly as posted.
 */
void DumpELF_Payload()
{
write_message("Dumping ELF from RAM\n");
// res is declared but never used in this function.
int fd,res ;
// nread receives the byte count from lv2FsWrite; it is never checked.
uint64_t i,nread,ptr;
// Fixed upper bound for the copy: 25 MiB, regardless of the real image size.
uint64_t sizeelf = 25*1024*1024 ;
//Need a way to get size of ELF
// Existence probe: a non-zero result from the read-only open is taken to
// mean the file is absent. NOTE(review): when a probe succeeds, the
// descriptor it returned is never closed before the next probe overwrites fd.
if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0) //exist ?
{
write_message("DumpedEBOOT.bin\n");
// Create the output file. The result is not checked, so the loop below
// runs even if creation failed.
lv2FsOpen("/dev_hdd0/DUMPEDBOOT.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=Cool Man (aka Tustin)
{
// Raw 64-bit read from a fixed address; nothing here checks that the
// address is mapped (possibly related to the crash noted in the header).
ptr = *(uint64_t*)(0x00010000ULL+i); //Tb decrypted offset
// Stop when the 8-byte pattern beginning with the ELF magic (7F 45 4C 46)
// is seen again past offset 0. NOTE(review): this return skips lv2FsClose.
if((ptr == 0x7F454C4601020100ULL) && (i != 0))
return;
// One system call per 8 bytes; the write status is ignored.
lv2FsWrite(fd, (void*)&ptr, 8, &nread);


}
lv2FsClose(fd);
return;
}
// Same probe/create/copy sequence for the next candidate name.
else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT1.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0)
{
write_message("DumpedEBOOT1.bin\n");
lv2FsOpen("/dev_hdd0/DUMPEDBOOT1.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=Cool Man (aka Tustin)
{
ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset
// Early return on the repeated pattern leaves fd open, as above.
if((ptr == 0x7F454C4601020100ULL) && (i != 0))
return;
lv2FsWrite(fd, (void*)&ptr, 8, &nread);

}
lv2FsClose(fd);
return;
}
// Same probe/create/copy sequence for the third candidate name.
else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT2.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0)
{
write_message("DumpedEBOOT2.bin\n");
lv2FsOpen("/dev_hdd0/DUMPEDBOOT2.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=Cool Man (aka Tustin)
{
ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset
// Early return on the repeated pattern leaves fd open, as above.
if((ptr == 0x7F454C4601020100ULL) && (i != 0))
return;
lv2FsWrite(fd, (void*)&ptr, 8, &nread);
}
lv2FsClose(fd);
return;
}
// Fourth candidate name.
else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT3.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0)
{
// NOTE(review): the message says DumpedEBOOT2.bin although this branch
// writes DUMPEDBOOT3.bin.
write_message("DumpedEBOOT2.bin\n");//Tb decrypted offset
lv2FsOpen("/dev_hdd0/DUMPEDBOOT3.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=Cool Man (aka Tustin)
{
ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset
// NOTE(review): unlike the three branches above, this compares the ADDRESS
// of ptr (&ptr) with the constant, not the value read, so the stop
// condition does not depend on the data; a compiler should warn here.
if((&ptr == 0x7F454C4601020100ULL) && i != 0)
return;
lv2FsWrite(fd, (void*)&ptr, 8, &nread);
}
lv2FsClose(fd);
return;
}
else
{
// All four probe opens succeeded, i.e. every candidate file already exists.
write_message("remove dumpedeboot\n");
}

// Reached only from the else branch above: closes the descriptor left by the
// last probe. Descriptors from the earlier successful probes stay open.
lv2FsClose(fd); //Close file

}

/*
 * Loads the PRX module at PATH_PRX and starts it, reporting progress on the
 * TTY through write_message.
 *
 * A load result below CELL_OK ends the function after a failure message.
 * A start result below CELL_OK is only reported; nothing is unloaded.
 *
 * NOTE(review): the path is used as given and the module is started without
 * any check of what the file contains. This function is also exported from
 * the library, so callers outside this file can reach it.
 */
void loader_sprx(const char* PATH_PRX)
{
    write_message ("Loading a prx ... ");

    sys_prx_id_t module_id = sys_prx_load_module(PATH_PRX, 0, NULL);
    if (module_id < CELL_OK) {
        write_message ("Failed LOADING\n");
        return;
    }
    write_message ("OK loading\n");

    /* module_result receives the started module's result; it is not read. */
    int module_result;
    int start_status = sys_prx_start_module(module_id, 0, NULL, &module_result, 0, NULL);
    if (start_status < CELL_OK) {
        write_message ("start Failed \n");
    }
}

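/*
 * Module start entry point (registered with SYS_MODULE_START).
 *
 * Runs the memory dump first, then loads and starts the original trophy
 * library from a fixed path so the running title still gets it, and asks to
 * stay resident by returning SYS_PRX_RESIDENT.
 *
 * NOTE(review): the path of the original module is hard-coded. If the file
 * is not at that location, loader_sprx only prints a failure message and the
 * original library is not loaded.
 */
int _start(void)
{
    write_message ("By shadoxi\n");
    //DUMP Decrypted noDrm TB
    DumpELF_Payload();
    //load original libsysutil_np_trophy for game
    loader_sprx("/dev_hdd0/game/TEST00000/USRDIR/orignal_libsysutil_np_trophy.sprx");//place here original libsysutil_np_trophy.sprx
    return SYS_PRX_RESIDENT;
}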

/*
 * Module stop entry point (registered with SYS_MODULE_STOP).
 * Does no cleanup and always reports SYS_PRX_STOP_OK.
 */
int _stop(void)
{
    int const stop_status = SYS_PRX_STOP_OK;
    return stop_status;
}



08-25-2012, 01:29 AM #2
Choco
Respect my authoritah!!
Originally posted by DEREKTROTTER View Post
True Blue ELF Dumper Released


Shadoxi over at PS3News has released a True Blue EBOOT/ELF Dumper for the scene, which allows you to, as the program name does, dump True Blue-encrypted EBOOT/ELF files once loaded up.





However, as the first quoted comment states, the SPRX-based application is buggy when it comes to dump sizes, so it may not work perfectly, so try this at your own risk!

Source Code:
    
//Author:Shadoxi
//Replace libsysutil_np_trophy.sprx in flash/internal by this code
//Some evil crash due to size of dump
// NOTE(review): no #include lines appear in this listing; the SYS_* macros,
// CellFsErrno, system_call_N, sys_tty_write and sys_prx_* names used below
// must come from SDK headers that are not shown here.
// NOTE(review): per the line above, this module is meant to be installed in
// place of a system library, so its start routine presumably runs in every
// process that loads that library. Treat the binary as fully trusted code.

// Module descriptor for the PRX, registered under the name sceNpTrophyhook.
SYS_MODULE_INFO(sceNpTrophyhook, 0, 1, 0 );
// _start and _stop (defined further down) are the module's start/stop entry points.
SYS_MODULE_START( _start );
SYS_MODULE_STOP( _stop );

// Declares the export library that loader_sprx is published under.
SYS_LIB_DECLARE( sceNpTrophyhook, SYS_LIB_AUTO_EXPORT | SYS_LIB_WEAK_IMPORT );

// loader_sprx is exported, so it is callable from outside this module.
SYS_LIB_EXPORT( loader_sprx, sceNpTrophyhook );

// Forward declarations for the entry points and the exported loader.
int _start(void);
int _stop(void);
void loader_sprx(const char* PATH_PRX);


/*
 * Issues lv2 system call 801 (file open, going by the wrapper's name) with
 * the six arguments passed straight through; pointers are cast to uint64_t.
 *
 * The result comes back through return_to_user_prog(CellFsErrno), an SDK
 * macro whose definition is not shown in this listing. The caller in this
 * file treats a result of 0 as success and expects *fd to be filled in.
 */
static inline CellFsErrno lv2FsOpen(const char *path, uint32_t oflags, int *fd,
                                    uint32_t mode, const void *arg,
                                    uint64_t argsize)
{
    system_call_6(801,
                  (uint64_t)path,
                  oflags,
                  (uint64_t)fd,
                  mode,
                  (uint64_t)arg,
                  argsize);
    return_to_user_prog(CellFsErrno);
}
/*
 * Issues lv2 system call 802 (file read, going by the wrapper's name):
 * descriptor, destination buffer, byte count, and a pointer that receives
 * the number of bytes read.
 *
 * Not called anywhere in the visible listing.
 */
static inline CellFsErrno lv2FsRead(int fd, void *buf, uint64_t size,
                                    uint64_t *read_e)
{
    system_call_4(802,
                  fd,
                  (uint64_t)buf,
                  size,
                  (uint64_t)read_e);
    return_to_user_prog(CellFsErrno);
}

/*
 * Issues lv2 system call 803 (file write, going by the wrapper's name):
 * descriptor, source buffer, byte count, and a pointer that receives the
 * number of bytes written.
 *
 * The status is handed back via the SDK's return_to_user_prog macro; the
 * caller in this file ignores both the status and *written.
 */
static inline CellFsErrno lv2FsWrite(int fd, const void *buf, uint64_t size,
                                     uint64_t *written)
{
    system_call_4(803,
                  fd,
                  (uint64_t)buf,
                  size,
                  (uint64_t)written);
    return_to_user_prog(CellFsErrno);
}

/*
 * Issues lv2 system call 804 (file close, going by the wrapper's name) for
 * the given descriptor and hands the status back via return_to_user_prog.
 */
static inline CellFsErrno lv2FsClose(int fd)
{
    system_call_1(804,
                  fd);
    return_to_user_prog(CellFsErrno);
}
/*
 * Writes a NUL-terminated string to the PPU stderr TTY.
 *
 * message must be a valid, terminated string; its length is measured by
 * walking to the terminator. The byte count reported back by sys_tty_write
 * is stored but never inspected, so short writes go unnoticed.
 */
static void write_message(char const *message)
{
    unsigned int bytes_written;
    char const *cursor = message;

    /* Advance to the terminating NUL to find the message length. */
    while (*cursor != '\0') {
        ++cursor;
    }

    sys_tty_write(SYS_TTYP_PPU_STDERR, message, cursor - message, &bytes_written);
}
/*
 * Copies memory starting at address 0x00010000 to a file on /dev_hdd0,
 * eight bytes per write, bounded by sizeelf (25 MiB).
 *
 * The output name is the first of DUMPEDBOOT.bin, DUMPEDBOOT1.bin,
 * DUMPEDBOOT2.bin and DUMPEDBOOT3.bin whose read-only probe open fails.
 * If all four probes succeed, only a TTY message is written.
 *
 * NOTE(review): as rendered on this page the four for-loop headers are not
 * valid C: the text after "i+=" was replaced by a forum emoticon label. The
 * original step cannot be confirmed from the page (presumably 8, matching
 * the 8-byte writes), so the code is left exactly as posted.
 */
void DumpELF_Payload()
{
write_message("Dumping ELF from RAM\n");
// res is declared but never used in this function.
int fd,res ;
// nread receives the byte count from lv2FsWrite; it is never checked.
uint64_t i,nread,ptr;
// Fixed upper bound for the copy: 25 MiB, regardless of the real image size.
uint64_t sizeelf = 25*1024*1024 ;
//Need a way to get size of ELF
// Existence probe: a non-zero result from the read-only open is taken to
// mean the file is absent. NOTE(review): when a probe succeeds, the
// descriptor it returned is never closed before the next probe overwrites fd.
if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0) //exist ?
{
write_message("DumpedEBOOT.bin\n");
// Create the output file. The result is not checked, so the loop below
// runs even if creation failed.
lv2FsOpen("/dev_hdd0/DUMPEDBOOT.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=Cool Man (aka Tustin)
{
// Raw 64-bit read from a fixed address; nothing here checks that the
// address is mapped (possibly related to the crash noted in the header).
ptr = *(uint64_t*)(0x00010000ULL+i); //Tb decrypted offset
// Stop when the 8-byte pattern beginning with the ELF magic (7F 45 4C 46)
// is seen again past offset 0. NOTE(review): this return skips lv2FsClose.
if((ptr == 0x7F454C4601020100ULL) && (i != 0))
return;
// One system call per 8 bytes; the write status is ignored.
lv2FsWrite(fd, (void*)&ptr, 8, &nread);


}
lv2FsClose(fd);
return;
}
// Same probe/create/copy sequence for the next candidate name.
else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT1.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0)
{
write_message("DumpedEBOOT1.bin\n");
lv2FsOpen("/dev_hdd0/DUMPEDBOOT1.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=Cool Man (aka Tustin)
{
ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset
// Early return on the repeated pattern leaves fd open, as above.
if((ptr == 0x7F454C4601020100ULL) && (i != 0))
return;
lv2FsWrite(fd, (void*)&ptr, 8, &nread);

}
lv2FsClose(fd);
return;
}
// Same probe/create/copy sequence for the third candidate name.
else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT2.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0)
{
write_message("DumpedEBOOT2.bin\n");
lv2FsOpen("/dev_hdd0/DUMPEDBOOT2.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=Cool Man (aka Tustin)
{
ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset
// Early return on the repeated pattern leaves fd open, as above.
if((ptr == 0x7F454C4601020100ULL) && (i != 0))
return;
lv2FsWrite(fd, (void*)&ptr, 8, &nread);
}
lv2FsClose(fd);
return;
}
// Fourth candidate name.
else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT3.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0)
{
// NOTE(review): the message says DumpedEBOOT2.bin although this branch
// writes DUMPEDBOOT3.bin.
write_message("DumpedEBOOT2.bin\n");//Tb decrypted offset
lv2FsOpen("/dev_hdd0/DUMPEDBOOT3.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=Cool Man (aka Tustin)
{
ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset
// NOTE(review): unlike the three branches above, this compares the ADDRESS
// of ptr (&ptr) with the constant, not the value read, so the stop
// condition does not depend on the data; a compiler should warn here.
if((&ptr == 0x7F454C4601020100ULL) && i != 0)
return;
lv2FsWrite(fd, (void*)&ptr, 8, &nread);
}
lv2FsClose(fd);
return;
}
else
{
// All four probe opens succeeded, i.e. every candidate file already exists.
write_message("remove dumpedeboot\n");
}

// Reached only from the else branch above: closes the descriptor left by the
// last probe. Descriptors from the earlier successful probes stay open.
lv2FsClose(fd); //Close file

}

/*
 * Loads the PRX module at PATH_PRX and starts it, reporting progress on the
 * TTY through write_message.
 *
 * A load result below CELL_OK ends the function after a failure message.
 * A start result below CELL_OK is only reported; nothing is unloaded.
 *
 * NOTE(review): the path is used as given and the module is started without
 * any check of what the file contains. This function is also exported from
 * the library, so callers outside this file can reach it.
 */
void loader_sprx(const char* PATH_PRX)
{
    write_message ("Loading a prx ... ");

    sys_prx_id_t module_id = sys_prx_load_module(PATH_PRX, 0, NULL);
    if (module_id < CELL_OK) {
        write_message ("Failed LOADING\n");
        return;
    }
    write_message ("OK loading\n");

    /* module_result receives the started module's result; it is not read. */
    int module_result;
    int start_status = sys_prx_start_module(module_id, 0, NULL, &module_result, 0, NULL);
    if (start_status < CELL_OK) {
        write_message ("start Failed \n");
    }
}

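/*
 * Module start entry point (registered with SYS_MODULE_START).
 *
 * Runs the memory dump first, then loads and starts the original trophy
 * library from a fixed path so the running title still gets it, and asks to
 * stay resident by returning SYS_PRX_RESIDENT.
 *
 * NOTE(review): the path of the original module is hard-coded. If the file
 * is not at that location, loader_sprx only prints a failure message and the
 * original library is not loaded.
 */
int _start(void)
{
    write_message ("By shadoxi\n");
    //DUMP Decrypted noDrm TB
    DumpELF_Payload();
    //load original libsysutil_np_trophy for game
    loader_sprx("/dev_hdd0/game/TEST00000/USRDIR/orignal_libsysutil_np_trophy.sprx");//place here original libsysutil_np_trophy.sprx
    return SYS_PRX_RESIDENT;
}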

/*
 * Module stop entry point (registered with SYS_MODULE_STOP).
 * Does no cleanup and always reports SYS_PRX_STOP_OK.
 */
int _stop(void)
{
    int const stop_status = SYS_PRX_STOP_OK;
    return stop_status;
}




Cool, people are finally figuring this out. TheUnkn0wn has been able to do this for months in a similar way, but his works for ANY game, not just TrueBlue games Winky Winky
08-25-2012, 01:43 AM #3
DEREKTROTTER
You're Goddamn Right
Originally posted by ChocoErased View Post
Cool, people are finally figuring this out. TheUnkn0wn has been able to do this for months in a similar way, but his works for ANY game, not just TrueBlue games Winky Winky


wouldnt surprise me if he had the 4.20 keys. That guy is smart


08-25-2012, 04:45 AM #4
iOdysseus
Bounty hunter
Originally posted by DEREKTROTTER View Post
wouldnt surprise me if he had the 4.20 keys. That guy is smart


He doesn't.

08-25-2012, 10:37 PM #5
JATOCH
Bounty hunter
Originally posted by ChocoErased View Post
Cool, people are finally figuring this out. TheUnkn0wn has been able to do this for months in a similar way, but his works for ANY game, not just TrueBlue games Winky Winky


that similar way is to make a coredump with a debug ps3
