http://www.ps3hax.net/2012/08/dump-nodrm-trueblue-eboots/
It is an ELF dumper that reads the decrypted executable out of memory. It works with the True Blue CFW v2 and any 3.55 firmware because it does not use LV2 peek/poke.
Warning:
It will not brick your PS3, but I am not responsible for any damage. Be aware that the steps below replace a system module in dev_flash (mounted writable as dev_blind): keep the original copy so you can restore it, and see "Howto uninstall" for the two recovery paths.
HOWTO:
- Enable dev_blind with multiman
- copy libsysutil_np_trophy.sprx from /dev_blind/sys/external/ to /dev_hdd0/ and rename it “orignal_libsysutil_np_trophy.sprx” (note: the posted source loads it from /dev_hdd0/game/TEST00000/USRDIR/ instead — check the loader_sprx call in the code and use the matching location)
- copy my modified “libsysutil_np_trophy.sprx” to /dev_blind/sys/external/
- load a True blue game from multiman
- exit multiman
- run your game
- wait a few minutes (if you still have a black screen after about 3 minutes, reboot the PS3)
- exit game
- go to ftp
- in /dev_hdd0/ you will find your decrypted dump, DUMPEDBOOT.bin
- copy it somewhere safe and rename it (the patch only creates DUMPEDBOOT.bin and DUMPEDBOOT1–3.bin; once all four exist it stops writing and prints "remove dumpedeboot")
Howto uninstall patch :
Two ways:
- you can uninstall this patch by replacing the modified libsysutil_np_trophy.sprx with the original libsysutil_np_trophy.sprx
- or update (reinstall the firmware) in recovery mode
Thanks to: Ps3dev
juanchuloperron escribió: el source code se ha encontrado, así que los devs ya tienen con qué entretenerse xD
http://pastie.org/private/7hrn1g60zcqp0qkmcvq0q
juanchuloperron escribió: el source code se ha encontrado, así que los devs ya tienen con qué entretenerse xD
http://pastie.org/private/7hrn1g60zcqp0qkmcvq0q
// Author: Shadoxi
// Replaces the code of the libsysutil_np_trophy.sprx module (this comment says flash/internal; the HOWTO above installs it under /dev_blind/sys/external/) with this code
// Known issue: the dump-size detection caused a crash ("some evil crash due to size of dump"); see DumpELF_Payload
/* PRX module descriptor (SDK macros): the module is registered as
 * sceNpTrophyhook with _start/_stop as its entry and exit hooks.
 * The remaining SYS_MODULE_INFO arguments are the SDK's attribute/version
 * fields. */
SYS_MODULE_INFO(sceNpTrophyhook, 0, 1, 0 );
SYS_MODULE_START( _start );
SYS_MODULE_STOP( _stop );
/* Export table: loader_sprx is the only symbol this module exports. */
SYS_LIB_DECLARE( sceNpTrophyhook, SYS_LIB_AUTO_EXPORT | SYS_LIB_WEAK_IMPORT );
SYS_LIB_EXPORT( loader_sprx, sceNpTrophyhook );
/* Forward declarations for the hooks and the exported loader. */
int _start(void);
int _stop(void);
void loader_sprx(const char* PATH_PRX);
/* Thin wrapper around LV2 syscall 801, used by this module as the filesystem
 * open call (the SDK macros issue the syscall and hand its status back as a
 * CellFsErrno). On success (0) *fd holds a descriptor the caller must release
 * with lv2FsClose; on a non-zero return *fd should not be trusted. */
static inline CellFsErrno lv2FsOpen(const char* path, uint32_t oflags, int* fd, uint32_t mode, const void* arg, uint64_t argsize) {
    system_call_6(801, (uint64_t)path, oflags, (uint64_t)fd, mode, (uint64_t)arg, argsize);
    return_to_user_prog(CellFsErrno);
}
/* Thin wrapper around LV2 syscall 802 (filesystem read): reads up to size
 * bytes from fd into buf and stores the byte count in *read_e. Returns the
 * LV2 status as a CellFsErrno. Not called anywhere in this listing. */
static inline CellFsErrno lv2FsRead(int fd, void* buf, uint64_t size, uint64_t* read_e)
{
    system_call_4(802, fd, (uint64_t)buf, size, (uint64_t)read_e);
    return_to_user_prog(CellFsErrno);
}
/* Thin wrapper around LV2 syscall 803 (filesystem write): writes size bytes
 * from buf to fd and stores the byte count actually written in *written.
 * Returns the LV2 status as a CellFsErrno; callers should check both the
 * status and *written, since a short write is not an error status. */
static inline CellFsErrno lv2FsWrite(int fd, const void* buf, uint64_t size, uint64_t* written)
{
    system_call_4(803, fd, (uint64_t)buf, size, (uint64_t)written);
    return_to_user_prog(CellFsErrno);
}
/* Thin wrapper around LV2 syscall 804 (filesystem close) for a descriptor
 * obtained from lv2FsOpen. Returns the LV2 status as a CellFsErrno. */
static inline CellFsErrno lv2FsClose(int fd)
{
    system_call_1(804, fd);
    return_to_user_prog(CellFsErrno);
}
/* Write a NUL-terminated string to the PPU stderr TTY. The length is found by
 * walking to the terminator rather than calling strlen; the byte count
 * reported back by sys_tty_write is not examined. */
static void write_message (char const * message)
{
    char const *cursor = message;
    unsigned int bytes_written;

    while (*cursor)
        cursor++;
    sys_tty_write(SYS_TTYP_PPU_STDERR, message, cursor - message, &bytes_written);
}
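/* Base of the dumped region: where the decrypted executable is mapped under
 * True Blue, per the original author's note ("Tb decrypted offset"). */
#define DUMP_BASE_ADDR   0x00010000ULL
/* Upper bound of the scan. The real ELF size is not known here (see the
 * NOTE on DumpELF_Payload). */
#define DUMP_MAX_BYTES   (25ULL * 1024 * 1024)
/* Largest single lv2FsWrite issued while flushing the region to disk. */
#define DUMP_WRITE_CHUNK (1ULL * 1024 * 1024)
/* First 8 bytes of a 32-bit big-endian ELF header read as one big-endian
 * 64-bit word: "\x7fELF", EI_CLASS=1, EI_DATA=2, EI_VERSION=1, EI_OSABI=0.
 * A second header of this shape inside the region marks where the dump ends. */
#define EMBEDDED_ELF_MAGIC 0x7F454C4601020100ULL

/* Candidate output files, tried in order; the first one that does not already
 * exist receives the dump. */
static const char *const dump_paths[] = {
    "/dev_hdd0/DUMPEDBOOT.bin",
    "/dev_hdd0/DUMPEDBOOT1.bin",
    "/dev_hdd0/DUMPEDBOOT2.bin",
    "/dev_hdd0/DUMPEDBOOT3.bin",
};

/* Scan the region from DUMP_BASE_ADDR in 8-byte steps and return the number
 * of bytes before the first embedded ELF header found after offset 0, or
 * DUMP_MAX_BYTES if none is found. Reads live game memory directly; the
 * volatile access keeps the compiler from folding or hoisting the loads. */
static uint64_t dump_region_length(void)
{
    uint64_t off;
    for (off = 8; off < DUMP_MAX_BYTES; off += 8) {
        if (*(const volatile uint64_t *)(DUMP_BASE_ADDR + off) == EMBEDDED_ELF_MAGIC)
            return off;
    }
    return DUMP_MAX_BYTES;
}

/* Write len bytes starting at src to fd in DUMP_WRITE_CHUNK pieces, resuming
 * after short writes. Returns 0 on success, -1 if lv2FsWrite reports an error
 * or makes no progress (so a stuck descriptor cannot spin forever). */
static int dump_write_all(int fd, const uint8_t *src, uint64_t len)
{
    while (len > 0) {
        uint64_t chunk = len < DUMP_WRITE_CHUNK ? len : DUMP_WRITE_CHUNK;
        uint64_t written = 0;
        if (lv2FsWrite(fd, src, chunk, &written) != 0 || written == 0)
            return -1;
        if (written > chunk)   /* defensive: never trust an oversized count */
            written = chunk;
        src += written;
        len -= written;
    }
    return 0;
}

/* Dump the decrypted executable region to the first free DUMPEDBOOT*.bin.
 *
 * Each candidate path is probed with a read-only open; a path that opens is
 * closed again and skipped. The first path that does not open is created and
 * receives the bytes from DUMP_BASE_ADDR up to the first embedded ELF header
 * (or DUMP_MAX_BYTES). If every candidate already exists, the user is asked
 * to remove them and nothing is written. Progress and failures go to the TTY.
 *
 * Fixes relative to the original: the probe descriptors are closed instead of
 * leaked, a failed create no longer writes to a stale descriptor, the fourth
 * branch compared &ptr (an address) with the magic and so never stopped, and
 * the region is written in large chunks instead of one 8-byte syscall per word.
 *
 * NOTE(review): the length heuristic is inherited — it stops at the first
 * embedded 32-bit ELF (e.g. an SPU program) and otherwise dumps a fixed 25 MiB,
 * so the output may be truncated or the scan may run past the mapped region
 * (presumably the "black screen" in the HOWTO). Taking the size from the
 * original EBOOT header would be the proper fix.
 */
void DumpELF_Payload(void)
{
    unsigned idx;

    write_message("Dumping ELF from RAM\n");
    for (idx = 0; idx < sizeof dump_paths / sizeof dump_paths[0]; idx++) {
        const char *path = dump_paths[idx];
        int fd = -1;
        uint64_t len;

        /* Existence probe: a successful open means this name is taken. */
        if (lv2FsOpen(path, CELL_FS_O_RDONLY, &fd, 0, NULL, 0) == 0) {
            lv2FsClose(fd);
            continue;
        }

        /* Mode 0 is kept from the original; the created files were usable. */
        if (lv2FsOpen(path, CELL_FS_O_RDWR | CELL_FS_O_CREAT, &fd, 0, NULL, 0) != 0) {
            write_message("failed to create dump file\n");
            return;
        }
        write_message("dumping to ");
        write_message(path);
        write_message("\n");

        len = dump_region_length();
        if (dump_write_all(fd, (const uint8_t *)DUMP_BASE_ADDR, len) != 0)
            write_message("write failed, dump is incomplete\n");
        lv2FsClose(fd);
        return;
    }
    write_message("remove dumpedeboot\n");
}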
/* Load the PRX at PATH_PRX and start it, reporting each step on the TTY.
 * Failures are only logged: a load failure returns early, and on a start
 * failure the module is left loaded. The module id is not handed back to
 * the caller. */
void loader_sprx(const char* PATH_PRX)
{
    write_message ("Loading a prx ... ");
    sys_prx_id_t module_id = sys_prx_load_module(PATH_PRX, 0, NULL);
    if (module_id < CELL_OK) {
        write_message ("Failed LOADING\n");
        return;
    }
    write_message ("OK loading\n");

    int start_status;   /* filled in by the module's own entry point */
    if (sys_prx_start_module(module_id, 0, NULL, &start_status, 0, NULL) < CELL_OK)
        write_message ("start Failed \n");
}
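/* Module entry point (registered via SYS_MODULE_START). Dumps the decrypted
 * executable region, then tries to load the original trophy library so the
 * game still gets its trophy functions. Returns SYS_PRX_RESIDENT so the
 * module stays loaded. The unused `wait` local from the original is gone. */
int _start(void)
{
    write_message ("By shadoxi\n");
    /* Dump the decrypted (no-DRM, True Blue) executable from RAM. */
    DumpELF_Payload();
    /* NOTE(review): the HOWTO says to place the original at /dev_hdd0/, but
     * this path looks under a game's USRDIR, and a later comment reports the
     * load never succeeds. Confirm the location before relying on it. */
    loader_sprx("/dev_hdd0/game/TEST00000/USRDIR/orignal_libsysutil_np_trophy.sprx");
    return SYS_PRX_RESIDENT;
}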
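/* Module stop hook (registered via SYS_MODULE_STOP). Nothing is held that
 * needs releasing. The closing brace was missing from the posted listing. */
int _stop(void)
{
    return SYS_PRX_STOP_OK;
}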
ing_pereira escribió:Para solventar la falla del tamaño incorrecto del dump, se puede hacer una modificacion al codigo que lea primero el eboot original y en su header que se encuentra el elf size ya de alli se saca el tamaño de la memoria a leer por completo desde 0x10000...
Ademas al ser un modulo residente lo mas seguro es que tambien se pueda usar el ingame_xmb para lanzar un dump de esa parte de la user, pero lo mas seguro es que el de trofeos se use mejor ya que es llamado automaticamente una ves que se carga el juego, aunque si se realiza con el ingame_xmb lo puedes activar en el momento oportuno (Existen juegos que tienen mas selfs o sprx que un simple eboot) asi que en algun momento del juego uno de estos selfs se lanza como en el caso de ubi play del ac y puede venir bien dumpear en un momento exacto.
Deank modified the code!
check it:
Changed:
* Doesn't stop dumping when it reaches embedded ELF
* Dumps 35MB of RAM in one write call (so it takes ~1 second)
* Dumps are saved in /dev_hdd0/RAMDUMP-##.BIN where ## is from 00 to 99 for 100 sequential dumps
* Doesn't really require the original sprx, since loading never succeeds anyway
* Tested: dumps mM, Beyond Good&Evil HD PSN...
* Rebuilding the original 'elf' from the RAM dump takes a few minutes if you know what you're doing