That's bull****. You can't dump it that's the point. What you talk about is from the nand/nor, but not the memory. In memory Lv2 is not encrypted and can not be dumped from userland. If you can dump it from userland you got the power to really search an exploit. I need 2 bytes in lv2 on a syscall i can call and I can pwn the whole lv2. First patch peek -> dump the real one (if you don't got it) Then patch a poke -> poke real peek and poke syscalls -> restore overwritten lv2 stuff with the poke syscall -> done Theory is always as simple as that. There is no need for complicated payloads if you manage to write to a syscall that is callable from userland. The whole security breaks apart from that on. Of course such things are patchable. We should wait for ps4 and checkout what AMD came up with. In my opinion IBM > AMD, but we will see ^^. The cell has a strong security system, just the implementation lacks. Biggest mistake was that they said, metldr is not patchable . They just don't use it anymore. I did enough, most people don't even know what I all did. It's time for a new generation . I am an oldie to the ps3 scene xD and still very underestimated ^^