I (aka shadoxi) figured out where is locatedthepayload of Trueblueandcobradongle. You can find it at offset @360000 in lv2_kerneland 7f0000 in ps3 memory.
First of all you need to edit the header of lv2_kernel.self (from cfw trueblue) at offset 0×1D, replace 36 1A 00 by 4C FC F0. And decrypt it with unself toolfrom fail0verFlow.Openlv2_kernel.elf with Ida pro (in binary file mode), go to offset 360000 and press “C” to convert to asm code.
TrueBlue use some HVCALL: lv1_insert_htab_entry lv1_undocumented_function_114 lv1_undocumented_function_115 lv1_allocate_device_dma_region lv1_map_device_dma_region lv1_net_start_tx_dma lv1_net_control lv1_panic (shutdown ps3 when TB is unplugged)
This payload do some hvcall: lv1_insert_htab_entry (maplv1) lv1_allocate_device_dma_region (?) lv1_map_device_dma_region(?) lv1_net_start_tx_dma (?) lv1_net_control(?) lv1_panic (shutdown ps3 when TrueBlue Dongle is unplugged) lv1_undocumented_function_114 (map lv1) lv1_undocumented_function_115 (unmaplv1)
We need now to dump lv2 and lv1 memory when TrueBlue is plugged. So I create a modified TrueBlue Cfw with peek and poke syscall. It work fine!