Hey there.

So... you use an ad blocker. That's cool. Sometimes we do too.

But without ad revenue, we wouldn't even be here. And we might not be here much longer.

Please disable your ad blocker and click to continue.

Page 1 of 3 12 ... Last
  1. #1
    Join Date
    Apr 2005

    MemDump v0.01 PS3 LV1, LV2, NAND / NOR Flash & eEID Dumper

    This weekend PlayStation 3 hacker an0nym0us has released a PS3 homebrew utility called MemDump v0.01 which allows end-users to dump LV1, LV2, NAND / NOR Flash and eEID from the GameOS, with the details below as follows:

    Download: PS3 MemDump v0.01 / PS3 MemDump v0.01 (Mirror) / GIT

    From the PS3 Dev Wiki (linked above) and included ReadMe file:

    For all of you out there intereseted in, or already in the process of reverse engineering the PS3, this new tool will make your life a whole lot easier! Now you can dump LV1, LV2, NAND/NOR Flash and eEID from one tool!

    There have been methods in the past that accomplished the same goals, but certainly the ease of use and speed hindered many. Of course, none had such a beautiful user-interface either.


    Place the necessary pkg file in the root of an empty USB flash dongle, and install like any other pkg.

    1. Place pkg on USB flash dongle.
    2. Select "memdump" icon.
    3. Select type of dump to perform once loaded.

    The following buttons are mapped in the user interface:
    • Triangle - Dump LV1 memory
    • Circle - Dump LV2 memory
    • X - Dump FLASH storage
    • Square - Dump eEID storage
    • SELECT - cycle menus
    • UP - cycle menus
    • DOWN - cycle menus
    • LEFT - cycle menus
    • RIGHT - cycle menus
    • START - exit

    • CEX or DEX PS3 fat or slim
    • MFW 2.70 - 3.55 (with LV2 peek/poke and LV1 hvcall 114 patches)
    • USB Flash drive (if no Flash drive is available, dumps will be stored in /dev_hdd0/tmp)


    memdump is known to work on CEX or DEX PS3s running firmware versions above 2.70, with or without OtherOS++ patches.

    Bug Reports:

    To submit a report of a bug, please join #memdump on EFNet, and have the log file ready. You can find the log file where the files were dumped.


    memdump.self 5189ca393df77e06794f948c2921814267d54e02
    memdump.gnpdrm.pkg a28a23b7de3380c6917e12352de24cde93cdb817
    memdump.npdrm.pkg 520ec81f89b146926149ef33f2faab2946e2c020


    PS3 memory dumping tool that can dump lv1, lv2, NAND/NOR Flash, and eEID from GameOS.

    Applicable firmwares

    [Register or Login to view code]

    • NA : Not Available as target version (mostly because of missing lv1: mmap114 or lv2: peek/poke patches)
    • Yes: Fully supported
    • No: Not supported
    • Partial: Some functions work, others might not be complete
    • Pending: No reports yet (help out by sending in your logs and dumps in a ZIP/RAR/7z!)

    Known bugs
    • buttons do not come back up after pressing -> to be fixed in v0.02 (button handler thread)
    • exit app gives rightscreen black triangle -> to be fixed in v0.02 (cleanup RSX buffer)
    • when free space is 0 bytes when dumping, application will halt -> to be fixed in v0.02 (check freespace first)

    Current limitations
    • Needs mmap114+peek/poke as minimal patches
    • Can be buggy with strange spoofs
    • No reports yet on Kiosk/SEX & Tool/DECR models

    More PlayStation 3 News...

  2. #2
    chrrox Guest
    is there any way to dump the memory while a game is loaded up?

  3. #3
    Ezio Guest
    Yes, only if you are able to stop the execution of a game and after to run this tool. However it works only on cfw with peek &poke support and specific patch lv1, so it cannot be used to dump memory on 3.60+ firmware.

  4. #4
    chrrox Guest
    can you pm me what I would do to get my ps3 ready to dump game memory and how you would go about stopping execution of a game the proper way so the memory is not lost.

  5. #5
    N3WB0Y Guest
    Perhaps memdump can be executed whilst in debug mode for Heavy Rain in fw3.60++

  6. #6
    Ezio Guest
    Quote Originally Posted by chrrox View Post
    can you pm me what I would do to get my ps3 ready to dump game memory and how you would go about stopping execution of a game the proper way so the memory is not lost.
    No, I'm not able to do what you ask me, so far there is no known way to dump the memory when new games are running.

  7. #7
    chrrox Guest
    could you pm me on how to do it with older games. I would like to get good with the process on the ps3.

  8. #8
    4218kris Guest
    will this dumper work with CEX2DEX Application for Any PS3 NOR / NAND? i'm sure it will my question is what .pkg do i use gnpdrm or npdrm?

  9. #9
    Join Date
    Apr 2005

    PS3 eEID RKDumper (from GameOS) PKG by Flat_z is Now Available

    Following up on the PS3 LV1, LV2, NAND / NOR Flash & eEID Dumper and PS3 XMB eEIDx Dumper Tool, this weekend flat_z released a PS3 eEID RKDumper PKG which allows users to dump their eid_root_key from PlayStation 3 3.55 GameOS in seconds without OtherOS.

    Download: PS3 eEID_RKDumper.pkg / PS3 eEID_RKDumper.pkg (Mirror) / PS3 eEID_RKDumper.pkg Signed for 4.31 / PS3 eEID_Dumper.pkg Signed for 4.31 by jarmster (eid4, not eid4d.bin)

    To quote: eEID_RKDumper (from GameOS) by flatz

    • Install package and run it
    • It will then black screen (no GUI) and restart the console automatically
    • FTP (other otherwise) retrieve your eid_root_key / PCK1 from /dev_hdd0/tmp/eid_root_key

    • Install eEID_RKDumper.pkg
    • Unplug all USB devices
    • Run eEID_RKDumper from XMB
    • It will show a black screen (no GUI) for 10-15 seconds, then 3 beeps and restart the console automatically
    • FTP (other otherwise) retrieve your eid_root_key / PCK1 from /dev_hdd0/tmp/eid_root_key (48 bytes)


    CRC-16: 8058
    CRC-32 (Ethernet and PKZIP): BFD3BD8A
    SHA-1: 4C3E775BC9DB1755B1396C0200B5EA49B2F46A87
    SHA-256: 29C2DB61D8BA28E427BE2464E2B45365F2C6861B96D0C8B8EF 2E45CD4BF84D39
    SHA-384: F8765BBABAE0FEE2EEEF6C807E0E6881ECFB10609536C6923E 570974C606B48DCCBB3FE62D83735266310A4B6C6D7C63
    SHA-512: A2F84F53921AE28B3886FB779BC5F007C36903E6216222B6BC FDDC9C7ECCFB39E74881CDBBA45C01E11AB4187708E6620FA2 07446141411EA5AABC18AE490F30
    MD-2: 2126B37F69204E32C8B26F2FF2A623FD
    MD-4: 6A2451F8A3D2F4EC9170E491CEE2D933
    MD-5: E93213E630EF700E4ABADDFECCD0CCC2

    Before starting the eEID_RKDumper from XMB, remove ALL your USB devices. Otherwise, it will freeze in a black screen and you will have to unplug the power cord from the PS3 (or turn it off using the power switch in back of the PS3 phat).

    PlayStation 3 developer aldostools compared the eid_root_key (48 bytes) with the first 48 bytes of his dump_eid0.bin (obtained via linux & metldrpwn), and they are the same.

    From haz367: The eEID dumper works perfect, could not get eid_root_key working on 4.21 with "dispath settings" ticked in Rebug's Toolbox(runs boot hangs after loading with the symbol on the right upper corner" = hard rest, anyone knows correct settings for eid_root_key dumper... no required here but for anyone wanted to test... let me be the noob here asking some stuff

    eid4 is the bd drive part (offset 303A0 > 303CF) the 3k3y_keydumper dumps the "eid4+root_key" as "3Dump.bin" = Disc key = eid4+root_key

    when using the manual way using zecoxao's tool we get an "eid3" error because of missing sha etc..correct?! on the provided 5KB "eid" then end up with "eid4&eid4d.bin" > eid4 identical as "3k3y dumper+added root_key" = Disc key?

    [Register or Login to view code]

    so anyone can skip all this ^ if u have the root_key and a dump of the flash? add the "eid4+root_key" in 1 file = disc key?

    [Register or Login to view code]

    updating the linux atm.. gonna waste some time on the wiki later on.. let's how long my patience lasts.

    Finally, zecoxao who has created a PS3 HDD / eEID decryption repository stating the following:

    You only need the eEID and the eid_root_key. entire flash is not needed. and i don't have the slightest idea why the heck they made a pkg that only dumps eid4 (someone talked about hash comparison and they said eid4 from the program and the dump from the pkg match in comparison)

    The first key is used for encrypting data sent from host to BD drive. The second key is used for decrypting data sent from BD drive to host. Two keys infact (via ps3devwiki.com/wiki/BD_Drive_Reverse_Engineering#Information_about_EID 4)

    [Register or Login to view code]

    Basically, the first 16 bytes contain a key, the second 16 contain another, and the last 16 are the hash check from OMAC1. you get that by "digesting" the two keys. that's a hash function.

    So, I decided to create a ps3 hdd/eEID decryption repository, just for the gist of it. Bear in mind that the code is adapted from naehrwert’s code, so it’s not 100% my code, but i did modify some things and made it so that it’d be more user-friendly. for now, it only runs on linux, and people who want to use it on windows or mac have to adapt the code (the cygwin zip i have also works for windows, but i want to improve it a bit)

    Here's my repository: github.com/zecoxao/ps3_decrypt_tools

    That should work on linux if you have build-essential, openssl, and libpolarssl-dev installed. just read the readme, and you're good to go. Note: gitorious didn't seem to work for me, so i decided for github instead.

    More PlayStation 3 News...

  10. #10
    JOshISPoser Guest
    so, we pretty close to completely linux-less cex to dex conversion? i'm gonna go with no since a few people say there's just no way to get certain files without linux

Page 1 of 3 12 ... Last

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Log in