[gingerbread]

Did Spider-Man : Edge of Time and X-Men: Destiny had a TB release?

Thanks.

[Asure]

Rebuild theory:

Find start by searching for:

Code:

7F 45 4C 46 02 02

Delete any crap in front of it.

Find size by scetool:

Code:

scetool -i italian.self
we need:
  Section Headers Offset 0x00000000022B96B8

From my previous test, we know there is crap at the end, that we don't need. We need to clean the elf..

To find the end, differs by each self. But you can use the decrypted elf/self to learn.
in this case, search for "licensed by Dinkumware".. and the last actual used byte is '01' at 0x0229077B. The rest is 'overdump' with useless info.

[sguerrini97]

Originally Posted by Asure Rebuild theory: Find start by searching for: Code: 7F 45 4C 46 02 02 Delete any crap in front of it. Find size by scetool: Code: scetool -i italian.self we need: Section Headers Offset 0x00000000022B96B8 From my previous test, we know there is crap at the end, that we don't need. We need to clean the elf.. To find the end, differs by each self. But you can use the decrypted elf/self to learn. in this case, search for "licensed by Dinkumware".. and the last actual used byte is '01' at 0x0229077B. The rest is 'overdump' with useless info.

Did you rebuild the self?
I will try too. Thanks for the infos.

Edit: i misunderstand this:

Code:

Section Headers Offset 0x00000000022B96B8

This is the size for....?

[Eiji]

Originally Posted by Asure So which TB boots remain at this point then?

Tales of Graces F US version.

[KDSBest]

Let me clearify some things.

First if you boot a game from XMB you will get the PID printed.
Tested don't work. PS3 doesn't respond on retail Eboots to most interesting commands. Unauth Syscall exception.

Second the TB Eboot dumper doesn't work on newer Firmwares.

Third I brute forced the PID earlier with a little knowledge you can pretty much guess the next PID at least a range. Since I did it with software brute force was possible. Didn't work because of reason in First.

Fourth there is no way on modifing or injecting any SPRX on higher FWs, we have no private keys. 3.55 Stuff is totaly different than 4.XX.

Fifth People saying why not using this syscall and this... Man I speak often with euss (my wiki encyclopedia) and if there is something on wiki I think he would tell me right away. Unauth Syscall is patched on most MFW 3.55. Yeah not all syscalls are possible to call in 4.XX else everything would be a cat walk. Map/Unmap, Peek/Poke is obviously not on higher FWs too.

Sixth and this is the most important one. At current time, I don't know if the core dump features are loaded while a retail Eboot is running. Since I got a crash log but no core dump... It should have triggered a core dump, which doesn't happened. Sony patched alot in the higher FWs.

Seventh I'm running out of time, since soon other projects starts hopefully

Eight to make clear what Sony patched too... It looks like you can't spawn a retail Eboot anymore from an none retail Eboot. PS3 will kill the process instantly... SCE Header is enough to create this check so the Elf shouldn't get decrypted to that time. You could investigate more in that direction since maybe it is decrypted, but I don't think so.

Nineth How does TB get higher FW Eboots dumped.
1. They found an exploit (I don't think so)
2. They have one of the earlier ref tools and foot trigger is still possible (as far as I know the best way)
3. They have the public keys (They are hard to get... Very hard but definitly possible)

[sguerrini97]

Originally Posted by KDSBest Let me clearify some things. First if you boot a game from XMB you will get the PID printed. Tested don't work. PS3 doesn't respond on retail Eboots to most interesting commands. Unauth Syscall exception.

Thanks for all the infos.. I've to say only a thing.
It was easy to get a core dump of a retail eboot from an original game, that's what i did:
1. Connect Target Manager to the PS3;
2. Boot the game from the XMB (in System Software Mode);
3. Connect the Debugger to the target;
(I don't remember exactly what i did but i got all the process info, and i saw that "CORE DUMP HANDLER" was there);
4. Disconnect the Target Manager from the PS3;
5. Connect the Target Manager to the PS3 again, then the "Trigger core dump" function was working.

I was on 4.20 DEX. I can't test a 4.x game now.
Sorry for my english.

[sardine]

Originally Posted by oPolo If you are curious, and have a windows machine. Try CTRL+SHIFT+ESCAPE to open task manager. Then the processes tab. Then click on "view" on the taskbar, and choose the subcategory "Select columns".. Make a check next to PID, and press ok. There you go, the PID's of the processes in windows xp/vista/7 shown to you :D If you use windows 8, just go to the details tab in the task manager...

Thanks oPolo for your guide, i have a TB diblo up in my ass for sometime doing nothing. I think is time to take it out 2 help me 2 work the games. If i can help in anyway please let me know but u must guide me how 2 do it. Hope i can help u n the scenes out n also me

[JonahUK]

Originally Posted by Asure Find size by scetool: Code: scetool -i italian.self we need: Section Headers Offset 0x00000000022B96B8

Asure, just open the original self. The offset needed is part of the header:

Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  53 43 45 00 00 00 00 02 00 01 00 01 00 00 04 10  SCE.............
00000010  00 00 00 00 00 00 09 80 00 00 00 00 02 2B 9F 38  .......€.....+Ÿ8
00000020  00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 70  ...............p
00000030  00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 D0  ...............Ð
00000040  00 00 00 00 02 2B A0 38 00 00 00 00 00 00 02 90  .....+*8........
00000050  00 00 00 00 00 00 03 90 00 00 00 00 00 00 03 C0  ...............À
00000060  00 00 00 00 00 00 00 70 00 00 00 00 00 00 00 00  .......p........
00000070  10 10 00 00 01 00 00 03 01 00 00 02 00 00 00 04  ................
00000080  00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000090  7F 45 4C 46 02 02 01 66 00 00 00 00 00 00 00 00  .ELF...f........
000000A0  00 02 00 15 00 00 00 01 00 00 00 00 00 7B C9 00  .............{É.
000000B0  00 00 00 00 00 00 00 40 00 00 00 00 02 2B 96 B8  .......@.....+–¸

The address you need is in RED and never changes ("shdr_offset"), only the value will change (obviously).

The BLUE highlighted part is the size of the elf and again, that offset never changes as it's part of the SCE header.

This should give you all the info you need:

SELF File Format and Decryption

Hope that helps.

[KDSBest]

Originally Posted by sguerrini97 Thanks for all the infos.. I've to say only a thing. It was easy to get a core dump of a retail eboot from an original game, that's what i did: 1. Connect Target Manager to the PS3; 2. Boot the game from the XMB (in System Software Mode); 3. Connect the Debugger to the target; (I don't remember exactly what i did but i got all the process info, and i saw that "CORE DUMP HANDLER" was there); 4. Disconnect the Target Manager from the PS3; 5. Connect the Target Manager to the PS3 again, then the "Trigger core dump" function was working. I was on 4.20 DEX. I can't test a 4.x game now. Sorry for my english.

The debugger won't show anything on retail eboots. You had a TB eboot or so .

[sguerrini97]

Originally Posted by KDSBest The debugger won't show anything on retail eboots. You had a TB eboot or so .

It's from an original disk, so i think that it's a retail self..
Maybe the Dbeugger isn't needed, i used it only to see the "CORE DUMP HANDLER".. anyway it worked with the self.

I will try again with more attention to write the exactly procedure