zecoxao

[Tutorial] [Technical] How to find toc address in any lv2_kernel without script!


Tools Required:
* IDA Pro (don't ask where to find it, Google is your friend)
* HxD
* 7-Zip
* Tools to extract the ELF from lv2_kernel.self (Unself/Unself2/Scetool/etc.) / PUP unpack tools


Step 1:

Extract the ELF from lv2_kernel (here I'm using Aldo's Tools) by right-clicking lv2 and choosing "SELF Tools -> Extract ELF".


Step 2:

Extract the ELF further with 7-Zip by right-clicking the ELF and choosing "7-Zip -> Extract to <name_of_file_without_extension>".
It'll create a folder and extract its contents into it. If a popup box shows up asking whether to overwrite or not, choose "Rename automatically".


Step 3:
Open the folder and go to the segment that is 45 KB/46 KB in size. Open it with HxD and go 0x8000 bytes into the file from the start.
Example for the 1.02 lv2_kernel:
[screenshot: j5S5Rhq.png]

Step 4:
Copy the first 8 bytes from 0x8000 to the transfer area.

Step 5:
Open the kernel in IDA Pro and let it load. After it loads, search for those bytes. You should see an unknown data structure. That is your TOC :)


PS: Tested on the 4.46 REX CEX kernel, 1.02 CEX kernel and 4.60 DECR kernel, as well as the 3.41 CEX kernel v1, 2.70 CEX kernel and 2.00 CEX kernel.

zecoxao

@3141card @Joonie @mysis

Proof-of-concept scripts:
https://www.sendspace.com/file/mv5czq
lv2_dump_analyser_before_355.idc <- script for firmwares before 3.55 and after 1.02 (TOC located at segment #7)
lv2_dump_analyser_355_plus.idc <- script for firmwares 3.55 and above (TOC located at segment #6)

Useful if you want to find everything quickly and leave the syscall table for later. Just add those two to the ps3ida folder and use them according to version. The TOC will be found automatically.

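The manual procedure in the first post and the "TOC located at segment #6/#7" note in the second post both rest on the same ABI fact: in the PPC64 ELFv1 ABI the TOC pointer (r2) is the start of the TOC section plus 0x8000, so that signed 16-bit displacements off r2 reach the whole 64 KB window. That is why "segment start + 0x8000" gives the TOC regardless of firmware version, and why the 8 bytes at that offset are the first TOC entry you can search for in IDA. The following C program is an added example, not zecoxao's IDC script or any PS3 tool: it parses the big-endian ELF64 program headers of an extracted lv2_kernel ELF, picks the PT_LOAD segment by the ~45 KB size the post describes (segment index and size window are the post's heuristics, not something the ELF guarantees), and computes the TOC address and the 8-byte search pattern. Because no real kernel can be embedded here, it builds a constructed stand-in image in memory; its segment addresses, sizes and the planted 8-byte value are illustrative assumptions, not real lv2 values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PT_LOAD  1
#define TOC_BIAS 0x8000u  /* PPC64 ELFv1: r2 = start of the TOC section + 0x8000 */

/* Big-endian accessors: lv2 is a PPC64 (MSB) ELF, so every field is read this way. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static uint64_t rd64(const uint8_t *p) { return ((uint64_t)rd32(p) << 32) | rd32(p + 4); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)(v >> 32)); wr32(p + 4, (uint32_t)v); }

struct seg { uint64_t off, vaddr, filesz; };

/* Collect the PT_LOAD program headers (what 7-Zip unpacks as numbered segments)
 * in file order. Returns the count, or -1 if this is not a PPC64 ELF64 image. */
static int load_segments(const uint8_t *img, size_t len, struct seg *out, int max)
{
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0) return -1;
    if (img[4] != 2 || img[5] != 2) return -1;          /* ELFCLASS64, ELFDATA2MSB */
    if (rd16(img + 18) != 0x15) return -1;              /* EM_PPC64 */
    uint64_t phoff = rd64(img + 32);
    uint16_t phentsize = rd16(img + 54), phnum = rd16(img + 56);
    if (phentsize < 56 || phoff + (uint64_t)phnum * phentsize > len) return -1;
    int n = 0;
    for (uint16_t i = 0; i < phnum && n < max; i++) {
        const uint8_t *ph = img + phoff + (uint64_t)i * phentsize;
        if (rd32(ph) != PT_LOAD) continue;
        out[n].off = rd64(ph + 8); out[n].vaddr = rd64(ph + 16); out[n].filesz = rd64(ph + 32);
        n++;
    }
    return n;
}

/* Step 3: the post identifies the TOC segment by its ~45 KB size (a heuristic). */
static int pick_by_size(const struct seg *s, int n, uint64_t lo, uint64_t hi)
{
    for (int i = 0; i < n; i++)
        if (s[i].filesz >= lo && s[i].filesz <= hi) return i;
    return -1;
}

/* Steps 3-5: TOC address = segment vaddr + 0x8000; the 8 bytes at file offset
 * p_offset + 0x8000 are the ones to paste into the IDA byte search.
 * Returns the PT_LOAD index used, or a negative error code. */
int find_lv2_toc(const uint8_t *img, size_t len, uint64_t *toc, uint8_t sig[8])
{
    struct seg segs[32];
    int n = load_segments(img, len, segs, 32);
    if (n < 0) return -1;
    int i = pick_by_size(segs, n, 44 * 1024, 48 * 1024);
    if (i < 0) return -2;                               /* no segment of the expected size */
    if (segs[i].filesz < TOC_BIAS + 8 || segs[i].off + TOC_BIAS + 8 > len) return -3;
    *toc = segs[i].vaddr + TOC_BIAS;
    memcpy(sig, img + segs[i].off + TOC_BIAS, 8);
    return i;
}

/* Constructed stand-in for an extracted lv2_kernel ELF (not a real dump): three
 * PT_LOAD segments, the third sized like the post's 45 KB one, with a made-up
 * 8-byte value planted at +0x8000. Addresses are illustrative, not real lv2 ones. */
#define SAMPLE_LEN 0xE500u
static const uint8_t SAMPLE_SIG[8] = { 0x80, 0x00, 0x00, 0x00, 0x00, 0x34, 0x0C, 0x38 };

uint8_t *build_sample_image(void)
{
    static const struct seg segs[3] = {
        { 0x0100, 0x8000000000000000ull, 0x2000 },
        { 0x2100, 0x8000000000300000ull, 0x1000 },
        { 0x3100, 0x8000000000340000ull, 0xB400 },      /* 46080 bytes, the "45 KB" segment */
    };
    uint8_t *img = calloc(1, SAMPLE_LEN);
    if (!img) return NULL;
    memcpy(img, "\x7f" "ELF", 4);
    img[4] = 2; img[5] = 2; img[6] = 1;                 /* 64-bit, big-endian, EV_CURRENT */
    wr16(img + 16, 2); wr16(img + 18, 0x15); wr32(img + 20, 1);
    wr64(img + 32, 64);                                 /* e_phoff: right after the header */
    wr16(img + 52, 64); wr16(img + 54, 56); wr16(img + 56, 3);
    for (int i = 0; i < 3; i++) {
        uint8_t *ph = img + 64 + i * 56;
        wr32(ph, PT_LOAD); wr32(ph + 4, 6);             /* PF_R | PF_W */
        wr64(ph + 8, segs[i].off); wr64(ph + 16, segs[i].vaddr); wr64(ph + 24, segs[i].vaddr);
        wr64(ph + 32, segs[i].filesz); wr64(ph + 40, segs[i].filesz); wr64(ph + 48, 0x10000);
    }
    memcpy(img + segs[2].off + TOC_BIAS, SAMPLE_SIG, 8);
    return img;
}

int main(void)
{
    uint8_t *img = build_sample_image();
    uint64_t toc = 0; uint8_t sig[8];
    int i = img ? find_lv2_toc(img, SAMPLE_LEN, &toc, sig) : -1;
    if (i < 0) { fprintf(stderr, "TOC not found (%d)\n", i); free(img); return 1; }
    printf("PT_LOAD #%d: TOC = 0x%016llx, bytes at +0x8000:", i, (unsigned long long)toc);
    for (int k = 0; k < 8; k++) printf(" %02X", sig[k]);
    printf("\n");
    free(img);
    return 0;
}
```

To run it against a real extracted lv2_kernel ELF, read the file into a buffer and call find_lv2_toc on it in place of build_sample_image; if the size window does not match your firmware, replace pick_by_size with the PT_LOAD index the second post gives for that version (the 7-Zip segment numbers and the PT_LOAD order may differ by one, so confirm by checking the size).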
zecoxao

How to find the TOC in lv1:
[screenshot: b2wQoC3.png]
