I (aka shadoxi) figured out where the payload of the TrueBlue and Cobra dongles is located. You can find it at offset 0x360000 in lv2_kernel and at 0x7f0000 in PS3 memory.
First of all you need to edit the header of lv2_kernel.self (from the TrueBlue CFW) at offset 0x1D, replacing 36 1A 00 with 4C FC F0, and then decrypt it with the unself tool from fail0verflow. Open lv2_kernel.elf in IDA Pro (binary file mode), go to offset 0x360000 and press "C" to convert it to asm code.
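A guarded version of the header edit above, written as an added example (not code from the post or from any of the tools named): it refuses to write unless the exact bytes the post names are found at 0x1D, never overwrites the original file, and reads back the field it changes. The interpretation of bytes 0x18-0x1F as the big-endian data-length field of the SCE header is my reading of the header layout, not something the post states.

```python
from pathlib import Path

HEADER_OFFSET = 0x1D
EXPECTED = bytes.fromhex("361A00")     # bytes the post says are present at 0x1D
REPLACEMENT = bytes.fromhex("4CFCF0")  # bytes the post says to write there
DATA_LEN_FIELD = slice(0x18, 0x20)     # assumption: 64-bit big-endian data length


def data_length(data: bytes) -> int:
    """Read the 64-bit big-endian field that the patch lands in (assumed layout)."""
    return int.from_bytes(data[DATA_LEN_FIELD], "big")


def patch_header(data: bytes) -> bytes:
    """Return a patched copy of `data`; refuse to touch anything unexpected."""
    end = HEADER_OFFSET + len(EXPECTED)
    if len(data) < end:
        raise ValueError("file too short to contain the header field")
    found = data[HEADER_OFFSET:end]
    if found == REPLACEMENT:
        raise ValueError("header already patched")
    if found != EXPECTED:
        raise ValueError(
            f"unexpected bytes at 0x{HEADER_OFFSET:X}: {found.hex().upper()} "
            "(wrong file or firmware version?)"
        )
    return data[:HEADER_OFFSET] + REPLACEMENT + data[end:]


def patch_file(src: Path, dst: Path) -> int:
    """Write the patched copy to `dst` (keep `src` intact); return the new length field."""
    patched = patch_header(src.read_bytes())
    dst.write_bytes(patched)
    return data_length(patched)


# Constructed stand-in header (not real SCE data): magic, zero padding, then 36 1A 00 at 0x1D.
SAMPLE = b"SCE\x00" + bytes(HEADER_OFFSET - 4) + EXPECTED

if __name__ == "__main__":
    before, after = data_length(SAMPLE), data_length(patch_header(SAMPLE))
    print(f"data length 0x{before:X} -> 0x{after:X}")
```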
TrueBlue uses several HVCALLs:
lv1_insert_htab_entry 
lv1_undocumented_function_114 
lv1_undocumented_function_115 
lv1_allocate_device_dma_region 
lv1_map_device_dma_region 
lv1_net_start_tx_dma 
lv1_net_control 
lv1_panic (shutdown ps3 when TB is unplugged) 
This payload makes the following HVCALLs:
lv1_insert_htab_entry (map lv1) 
lv1_allocate_device_dma_region (?) 
lv1_map_device_dma_region (?) 
lv1_net_start_tx_dma (?) 
lv1_net_control (?) 
lv1_panic (shutdown ps3 when TrueBlue Dongle is unplugged) 
lv1_undocumented_function_114 (map lv1) 
lv1_undocumented_function_115 (unmap lv1) 
We now need to dump lv2 and lv1 memory while TrueBlue is plugged in. So I created a modified TrueBlue CFW with peek and poke syscalls. It works fine!
Download: Payload.zip 
Posted in Brewology, PS3 | 4 Comments
Tags: cobra, payload, peek poke, true blue