True Blue ELF Dumper Released; Source Code Also Found After A Failed Deletion Attempt

[PatrickBatman]

Shadoxi over at PS3News has released a True Blue EBOOT/ELF Dumper for the scene, which allows you to, as the program name does, dump True Blue-encrypted EBOOT/ELF files once loaded up.

However, the source was released to dump ELF files from TB games, but it was then promptly taken down but not before Shadoxi at PS3News was quick enough to compile it.

Hi ,

I release my ELF dumper, it work with any firmware > 3.56.

Tested on:
- Original 355 -> ok
- True Blue CFW v2 -> ok
- ...

There are some bugs (size of dump ...) but it work.

It's ELF dumper from memory and it work with True blue cfw v2 and any 3.55 firmware because it doesn't use lv2 peek/poke.

Warning:
It will not brick your ps3. But i am not responsible for any damage.

HOWTO:
- Enable dev_blind with multiman
- copy libsysutil_np_trophy.sprx from /dev_blind/sys/external/external to dev_hdd0/ and rename it "orignal_libsysutil_np_trophy.sprx"
- copy my modified "libsysutil_np_trophy.sprx" to /dev_blind/sys/external/
- load a True blue game from multiman
- exit multiman
- run your game
- wait few minutes (if you get black screen after 3 minutes reboot ps3)
- exit game
- go to ftp
- in dev_hdd0/ there are your decrypted DUMPEDBOOT.bin
- copy and rename it with another name.

Howto uninstall patch :
Two ways:

- You could uninstall this patch by replacing modified libsysutil_np_trophy.sprx by orginal libsysutil_np_trophy.sprx

- Or uptade in recovery mode

Thanks to: Ps3dev

However, as the first quoted comment states, the SPRX-based application is buggy when it comes to dump sizes, so it may not work perfectly, so try this at your own risk!

Update #1: lurkandlearn has successfully managed to recover the source code for the application, "thanks to Google" - click here: TB ELF Dumper Source Code (resurrected by lurkandlearn)

Update #2: DeanK has decided to compile an updated version of the TB ELF Dumper application, which now has improved dumping capabilities, to name one of the key fixed features - click here for the source code, the download link, and the changelog: TB ELF Dumper v2 compiled by DeanK

NEWS SOURCE #1: TB ELF Dumper Released by Shadoxi - PS3NEWS
NEWS SOURCE #2: TB ELF Dumper Compiled by Shadoxi - PS3Hax Network

SOURCE CODE LINK #1: TB ELF Dumper Source Code (resurrected by lurkandlearn) - PS3Crunch
SOURCE CODE LINK #2: TB ELF Dumper Source Code (resurrected by lurkandlearn) - Pastie

OFF-SITE DOWNLOAD LINK #1: TB ELF Dumper - PS3SceneFiles
OFF-SITE DOWNLOAD LINK #2: TB ELF Dumper - PS3News
OFF-SITE DOWNLOAD LINK #3: TB ELF Dumper - 2Shared
OFF-SITE DOWNLOAD LINK #4: TB ELF Dumper - Mediafire
OFF-SITE DOWNLOAD LINK #5: TB ELF Dumper - Zippyshare
OFF-SITE DOWNLOAD LINK #6: TB ELF Dumper - GameFront

ON-SITE DOWNLOAD LINK: TB ELF Dumper v2 - PS3Crunch
OFF-SITE DOWNLOAD LINK: TB ELF Dumper v2 - Mediafire

[abdelmajidtolba]

someone has a hard grudge against true blue.leaking or releasing left and right tools that pwned their eboots.
winner of this fortunatelty is us end user

[exx22]

hope this will help with the new titles too

[buller1986]

some crackers boast of having broken TrueBlue and laughing behind their back, but the only thing that is actually happening right now. Is that some crackers are publishing their old titles. but IF they can brag how good they are! where is eboots for the latest games? the only thing that's gonna happen is that TrueBlue not want to publish more eboots? what then?

[PatrickBatman]

some crackers boast of having broken TrueBlue and laughing behind their back, but the only thing that is actually happening right now. Is that some crackers are publishing their old titles. but IF they can brag how good they are! where is eboots for the latest games? the only thing that's gonna happen is that TrueBlue not want to publish more eboots? what then?

Well, the True Blue method is known by non TB people (Not just DRM) but a RAM exploit, i have already mentioned this before. The scene release groups releasing cr*cked TB games are focused on the back catalog first, then will try and tackle the newest games.

So this is exactly doing what i said dumping from RAM memory, TB cant DRM the PS3's RAM, but there are other ways to circumvent this I'm sure.

[2die4]

So anyone tried it ?

[lurkandlearn]

Source code that was removed from ps3hax (thanks Google):

Code:

//Author:Shadoxi
//Replace libsysutil_np_trophy.sprx in flash/internal by this code
//Some evil crash due to size of dump

SYS_MODULE_INFO(sceNpTrophyhook, 0, 1, 0 );
SYS_MODULE_START( _start );
SYS_MODULE_STOP( _stop );

SYS_LIB_DECLARE( sceNpTrophyhook, SYS_LIB_AUTO_EXPORT | SYS_LIB_WEAK_IMPORT );

SYS_LIB_EXPORT( loader_sprx, sceNpTrophyhook );

int _start(void);
int _stop(void);
void loader_sprx(const char* PATH_PRX);


static inline CellFsErrno lv2FsOpen(const char* path, uint32_t oflags, int* fd, uint32_t mode, const void* arg, uint64_t argsize) {
system_call_6(801, (uint64_t)path, oflags, (uint64_t)fd, mode, (uint64_t)arg, argsize);
return_to_user_prog(CellFsErrno);
}
static inline CellFsErrno lv2FsRead(int fd, void* buf, uint64_t size, uint64_t* read_e)
{
system_call_4(802, fd, (uint64_t)buf, size, (uint64_t)read_e);
return_to_user_prog(CellFsErrno);
}

static inline CellFsErrno lv2FsWrite(int fd, const void* buf, uint64_t size, uint64_t* written)
{
system_call_4(803, fd, (uint64_t)buf, size, (uint64_t)written);
return_to_user_prog(CellFsErrno);
}

static inline CellFsErrno lv2FsClose(int fd)
{
system_call_1(804, fd);
return_to_user_prog(CellFsErrno);
}
static void write_message (char const * message)
{

unsigned int write_length;
char const * end;
for (end = message; *end != '\0'; ++end);

sys_tty_write(SYS_TTYP_PPU_STDERR, message,end - message, &write_length);

}
void DumpELF_Payload()
{
write_message("Dumping ELF from RAM\n");
int fd,res ;
uint64_t i,nread,ptr;
uint64_t sizeelf = 25*1024*1024 ;
//Need a way to get size of ELF
if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0) //exist ?
{
write_message("DumpedEBOOT.bin\n");
lv2FsOpen("/dev_hdd0/DUMPEDBOOT.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=8)
{
ptr = *(uint64_t*)(0x00010000ULL+i); //Tb decrypted offset
if((ptr == 0x7F454C4601020100ULL) && (i != 0))
return;
lv2FsWrite(fd, (void*)&ptr, 8, &nread);


}
lv2FsClose(fd);
return;
}
else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT1.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0)
{
write_message("DumpedEBOOT1.bin\n");
lv2FsOpen("/dev_hdd0/DUMPEDBOOT1.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=8)
{
ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset
if((ptr == 0x7F454C4601020100ULL) && (i != 0))
return;
lv2FsWrite(fd, (void*)&ptr, 8, &nread);

}
lv2FsClose(fd);
return;
}
else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT2.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0)
{
write_message("DumpedEBOOT2.bin\n");
lv2FsOpen("/dev_hdd0/DUMPEDBOOT2.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=8)
{
ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset
if((ptr == 0x7F454C4601020100ULL) && (i != 0))
return;
lv2FsWrite(fd, (void*)&ptr, 8, &nread);
}
lv2FsClose(fd);
return;
}
else if(lv2FsOpen("/dev_hdd0/DUMPEDBOOT3.bin", CELL_FS_O_RDONLY, &fd, 0,NULL, 0) != 0)
{
write_message("DumpedEBOOT2.bin\n");//Tb decrypted offset
lv2FsOpen("/dev_hdd0/DUMPEDBOOT3.bin", CELL_FS_O_RDWR|CELL_FS_O_CREAT, &fd, 0,NULL, 0) ;

for(i = 0; i < sizeelf ; i+=8)
{
ptr = *(uint64_t*)(0x00010000ULL+i);//Tb decrypted offset
if((&ptr == 0x7F454C4601020100ULL) && i != 0)
return;
lv2FsWrite(fd, (void*)&ptr, 8, &nread);
}
lv2FsClose(fd);
return;
}
else
{
write_message("remove dumpedeboot\n");
}

lv2FsClose(fd); //Close file

}

void loader_sprx(const char* PATH_PRX)
{
sys_prx_id_t prx_id ;
write_message ("Loading a prx ... ");
prx_id = sys_prx_load_module(PATH_PRX,0, NULL);
if (prx_id < CELL_OK) {
write_message ("Failed LOADING\n");
return;
} else {
write_message ("OK loading\n");
}
int modres;
int res1 = sys_prx_start_module( prx_id, 0, NULL, &modres, 0, NULL );
if (res1 < CELL_OK)
{
write_message ("start Failed \n");

}
}

int _start(void)
{
int wait = 0;
write_message ("By shadoxi\n");
//DUMP Decrypted noDrm TB
DumpELF_Payload();
//load original libsysutil_np_trophy for game
loader_sprx("/dev_hdd0/game/TEST00000/USRDIR/orignal_libsysutil_np_trophy.sprx");//place here original libsysutil_np_trophy.sprx
return SYS_PRX_RESIDENT;
}

int _stop(void)
{
return SYS_PRX_STOP_OK;
}

[PatrickBatman]

So anyone tried it ?

Yeah I am. Tried Mass Effect 3, it dumped to 2 eboots, had to reboot after 3 minutes(black screen) like readme mentioned. 2 eboots were really small perhaps you have to let it run longer for bigger eboots.

the eboots size were all wrong (like mentioned) 1MB and 1.7MB while TB ME3 is around 28MB. Now my problem is dev_flash easily let me replace modded libsysutil_np_trophy.sprx, but now wont let me put the original back; in multiman it freezes everytime, via FTP it fails cause of permissions, wont let me apply permissions. (my console isn't bricked btw, dev_flash is just a bitch when you try and write to it)

So i may have to do a recovery update. Regardless i dont understand why it gave me 2 eboots (perhaps error, or it wasn't finished, or you have to combine the eboots?)

EDIT: Could be the TB dongle getting pissed that im messing with dev_flash, ill remove dongle and try.
EDIT2: NOPE! still froze, time to reinstall CFW.

[gDrive]

lurkandlearn
Well done for recovering the source code!

Nice username by the way!

Lastly, I'll update the front-page with the source code - FUCKIN' YEAH!

[tonybologna]

This looks promising! Boy, there's been a rash of leaks & releases lately! From nearly dead to alive & kicking has the PS3 scene went in recent times. I LIKE IT!