First of all you need to edit the header of lv2_kernel.self (from the TrueBlue CFW) at offset 0x1D: replace the bytes 36 1A 00 with 4C FC F0. Then decrypt it with the unself tool from fail0verflow. Open lv2_kernel.elf in IDA Pro (in binary file mode), go to offset 360000 and press "C" to convert it to asm code.
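The header edit above is a three-byte overwrite at a fixed offset, which is easy to get wrong on the wrong file or on a file that was already patched. The following helper is an added example (not code from the post or from the TrueBlue CFW) that performs that overwrite only after checking that the bytes currently at 0x1D are the ones the post says should be there, and writes the result to a separate output file so the original stays intact. The offset and both byte values come from the post; the file names are placeholders.

```python
# Added example: guarded byte-patch helper for the lv2_kernel.self header edit.
# Writes the replacement bytes only when the bytes currently at the offset
# match the expected original, so a wrong file or an already-patched file is
# rejected instead of silently corrupted.
import sys
from pathlib import Path

HEADER_OFFSET = 0x1D                         # offset given in the post
ORIGINAL_BYTES = bytes.fromhex("361A00")     # bytes the post says are found there
PATCHED_BYTES = bytes.fromhex("4CFCF0")      # replacement bytes from the post


def patch_bytes(data: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a copy of data with replacement written at offset.

    Raises ValueError if the file is too short, if the bytes at offset
    already equal replacement (double patch), or if they differ from expected.
    """
    if len(expected) != len(replacement):
        raise ValueError("expected and replacement must have the same length")
    end = offset + len(expected)
    if end > len(data):
        raise ValueError(f"file too short: need {end} bytes, have {len(data)}")
    found = data[offset:end]
    if found == replacement:
        raise ValueError(f"bytes at 0x{offset:X} already match the patched value")
    if found != expected:
        raise ValueError(
            f"unexpected bytes at 0x{offset:X}: {found.hex(' ')} "
            f"(expected {expected.hex(' ')})"
        )
    return data[:offset] + replacement + data[end:]


def patch_file(src: Path, dst: Path) -> int:
    """Read src, apply the header patch, write dst; returns bytes written."""
    patched = patch_bytes(src.read_bytes(), HEADER_OFFSET, ORIGINAL_BYTES, PATCHED_BYTES)
    return dst.write_bytes(patched)


if __name__ == "__main__":
    # Placeholder file names; pass the real input and a new output path.
    if len(sys.argv) != 3:
        sys.exit("usage: patch_header.py lv2_kernel.self lv2_kernel_patched.self")
    patch_file(Path(sys.argv[1]), Path(sys.argv[2]))
    print("patched")
```

Keep the unmodified lv2_kernel.self around: if unself later rejects the output, comparing the two files at 0x1D is the quickest way to confirm the edit landed where intended.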
TrueBlue uses some HVCALLs:
lv1_panic (shuts down the PS3 when TB is unplugged)
This payload does some hvcalls:
lv1_insert_htab_entry (map lv1)
lv1_panic (shuts down the PS3 when the TrueBlue dongle is unplugged)
lv1_undocumented_function_114 (map lv1)
lv1_undocumented_function_115 (unmap lv1)
We now need to dump lv2 and lv1 memory while TrueBlue is plugged in. So I created a modified TrueBlue CFW with peek and poke syscalls. It works fine!
News Source: Brewology
Thanks to Secludedly for sharing this with us.