Page 1 of 15 1211 ... LastLast
Results 1 to 10 of 141

Thread: PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS

  1. #1
    Join Date
    Apr 2005

    PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS

    A few weeks back we saw a video on Booting Debug on a Retail PS3 Unit via Rebug PS3 CFW, and today zeryos has made available a PS3 CEX to DEX Converter Kit (Retail to Debug) which currently requires IDPS (PlayStation ID via Sony's server in the format of request_idps.txt) by PlayStation 3 hacker "You know who" in order to fully convert a Retail PS3 console to a Debug / Test unit.

    Download: PS3 CEX to DEX Kit (Retail to Debug) (pass: ps3scene) / PS3 CEX to DEX Kit (Retail to Debug) (Mirror) / PS3 CEX to DEX Kit (Retail to Debug) (Mirror #2)

    For those interested in the background of this PS3 CEX to DEX method, some leaked IRC logs appear to reveal that initially Mathieulh gave it to Durandal without permission from Sony PlayStation 3 hacker RichDevX.

    To quote from a (now removed) Tweet of Squarepusher2: "BTW Mathieulh I know you gave durandal that CEX-DEX ZIP, that it wasn't you that bundled that up, and you were not supposed to do so either"

    Now that the PS3 CEX to DEX Kit has surfaced, other developers can begin to examine it and determine how to generate the required request_idps.txt file without access to Sony servers.

    Finally, according to the IRC chat logs an updated method already exists, so only time will tell if that too will surface before the IDPS issue is sorted out by PlayStation 3 developers.

    DEX to CEX Converter By "You know who"



    1. A playstation 3 on firmware 3.55 or below
    2. A dongle to go to Service mode
    3. A usb pendrive
    4. A brain
    5. The author of this little trick.
    6. Have your pc connected directly to the ps3 on ethernet with the ip set to and the hostmask to (make sure no firewall is running, not even windows one, this may prevent your console from connecting to the pc)


    ** PART 1 **

    1. Set your console into service mode with any compatible dongle.

    2. Put the content of the converter-console folder at the root of your usb pendrive.

    3. Extract ObjectiveSuites-GetData on your PC.

    4. Put the usb pendrive on the last usb port on the right of your console.

    5. Run ObjectiveSuites.exe from ObjectiveSuites-GetData

    6. You now have a few seconds to start your console, start it.

    7. Objective Suite should display "PASS" and txt files will be created in the Temp dir. Once done, power off your console.

    8. Get ALL these txt files from your temp directory and send them to the author (me) with informations about your playstation 3 model (FAT/SLIM, CECH* model)

    ** PART 2 **

    9. You should recieve from the author (Yeah me again) a file called request_idps.txt

    10. Extract ObjectiveSuites-SetIdps on your pc.

    11. Put the request_idps.txt in your temp folder (MAKE EXTRA SURE IT'S THERE OR YOU WILL BRICK)

    12. Run ObjectiveSuites.exe from the ObjectiveSuites-SetIdps directory.

    13. Start the SAME CONSOLE YOU GOT THE TXT FILES FROM (If it's another console you WILL BRICK IT).

    14. Wait until Objective suite displays "PASS" Then power off your console, at this point your console should be a Debug one.

    ** PART 3 **

    15. You will now need to do a drive initialisation in order to use the bluray drive on your console. Put your usb pendrive on your pc, delete all the files you previously put in there, Put "Lv2Diag.self" from the "set up" directory at the root of your pendrive along with PS3UPDAT.PUP (that's 3.30 debug firmware)

    16. Put the pendrive on the usb port on the most right of your console.

    17. Power on the console, The screen will be black and the green led will stay lit, wait until it blinks and the console powers off, once it does the firmware will be installed.

    18. Put the pendrive back on pc, delete the files you put in there previously, and copy the content of the "drivefix" folder to the root of the pendrive.

    19. Put the pendrive at the usb port most on the right of your console and power it on.

    20. The drive initialisation will then occur, wait a couple of seconds, then power off the console (you may have to unplug it from the AC)

    21. Put the pendrive back onto the pc, delete the files you previously put in there, then copy the Lv2diag.self from the "finalize" folder.

    22. Put the pendrive on the usb port on the most right of your console. Power it on. Your console will power on for a few seconds then power off.


    Also today from Sony PlayStation 3 hacker Mathieulh via IRC and Twitter and Snowydew via gitbrew:

    [Mathieulh] basically this allows you to 1. dump cisd from nor
    [Mathieulh] 2. write an eid to the nor
    [Mathieulh] so basically the actual hack
    [Mathieulh] which is generating the eid to be written to the nor
    [Mathieulh] isn't part of this useless leak
    [Mathieulh] cirotheb5 it's already done without sony's servers
    [Mathieulh] do you think they don't have an auth, filtering and whatnot going on there ?
    [Mathieulh] cirotheb5 *hint* Dump your console's eid root key *hint*
    [Mathieulh] seriously...
    [Mathieulh] oh ! and you can do whatever that leak does using progskeet or otheros++
    [Mathieulh] just saying
    [Mathieulh] it's just a matter of using the dd command
    # RequestIdps & write IDps--->
    R 70 create request_idps_in.txt off FILE temp: pd_label.txt Copy temp:request_idps_in.txt 10
    71 append tab to request_idps_in.txt off FILE temp:request_idps_in.txt Append 10 \t
    72 append kiban_id to request_idps_in.txt off FILE temp:request_idps_in.txt Append 10 file://temp:kiban_id.txt
    73 append cid to request_idps_in.txt off FILE temp:request_idps_in.txt Append 10 file://temp:cid.txt
    74 append ecid to request_idps_in.txt off FILE temp:request_idps_in.txt Append 10 file://temp:ecid.txt
    75 append config_version to request_idps_in.txt on FILE temp:request_idps_in.txt Append 10 file://temp:idps_bbox_config_version.txt
    76 RequestIdps on PS3PICSY,PS3CS1,00000,M RequestIdps temp:request_idps.txt 250 file://temp:request_idps_in.txt
    77 insert product_label_bin_ascii to idps_data off FILE temp:request_idps.txt Insert 0 10 file://temp: pd_label_bin_ascii.txt
    78 SetIdps on PS3LV2DIAG WriteRead 00000001 10 file://temp:request_idps.txt
    79 GetIdps on PS3LV2DIAG WriteRead 00000005 10
    • No, you need to use hardware.
    • nothing is known, all that does is to write an eid to the nor, like that wasn't known...
    • you don't even have eid keys in this leak. All you have is some tool that writes a whole made eid to the nor....
    • It is useless unless you can generate your own eid. Good luck with that....
    • Basically the actual hack, which is, generating the eid, isn't present in this, I'll let you wonder if it exists or not.
    • Sure, dump your eid, convert to ascii and rename it. Here you go.....
    • very much so, this does nothing more than a nand programmer could do.
    • this is more likely the useless method, as in this zip is useless to begin with.
    • Our two exploits got leaked to other devs. They can either bring them to light or actually use them. We're no longer doing them. (!/gitbrew/status/108732677380775936)
    • Welp, gitbrews 2 exploits are now in the wild. Have fun with them, since we're not even going to bother. (!/Snowydew/status/108277307315191808)
    • They're out there now, unsure if they're being worked on. Don't really care either at this point. (!/Snowydew/status/108345360300261376)

    Here is how to obtain your PS3 IDPS from RikuKH3 as detailed below:

    That's how you can easily get your console IDPS:

    1) Dump your NOR from GameOS using dump_flash.pkg
    2) Open it in hex editor and search for IDPS using this example:


    The IDPS is a 16 byte value that contains console specific information. Exactly what information this stores is not completely known.

    00000000  00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66  .....‰....οέΚ%Rf
                             ^^    ^^
    6th byte represents your Target ID

    8th byte represents your Motherboard_Revisions // possible sku model
    • 0x1 = CECHA (60GB Full PS2) - COK-001 + Memcard Daughterboard
    • 0x2 = CECHB (20GB Full PS2) - COK-001
    • 0x3 = CECHC (60GB Partial PS2) - COK-002 + Memcard Daughterboard
    • 0x4 = CECHE (80GB Partial PS2) - COK-002W + Memcard Daughterboard
    • 0x5 = CECHG (40GB No PS2) - SEM-001
    • 0x6 = CECHH (40GB No PS2) - DIA-001
    • 0x7 = CECHJ / CECHK (40GB/80GB No PS2) - DIA-002
    • 0x8 = CECHL / CECHM / CECHP / CECHQ (80GB/160GB No PS2) - VER-001
    • 0x9 = CECH20A / CECH20B (120GB/250GB Slim) - DYN-001
    • 0xA = CECH21A / CECH21B (120GB/250GB Slim) - SUR-001
    • 0xB = CECH25A / CECH25B (160GB/320GB Slim) - JTP-001/JSD-001

    The IDPS can be found in EID0 and EID5. Just search for first 8 bytes. For example: 00 00 00 01 00 84 00 09, where '84' is USA target ID and '09' is CECH20A slim motherboard revision). It's 16 bytes long and you find it twice. Here's example of my IDPS (below).

    Also, I compiled unself2, but it throws error when I try decrypt game update eboot: 'Error decrypting metadata: No such file or directory'. But I don't have act.dat from my ps3, maybe this is issue.

    Note from mallory: The IDPS file must be a raw binary file like all of the other key files. One way of creating it would be by typing your IDPS into a hex editor. Careful about posting your IDPS: Sony likely remembers who has what IDPS.

    For those unaware the latest multiMAN shows the PS3 console's IDPS under Information, and below is a brief guide on Changing Your PS3's IDPS via

    Changing Your PS3's IDPS

    First off you will need a NAND/NOR reader/writer. Second, you can put your PS3 into debugger mode.

    You will need a dump of your flash or be able to access and read/write it in someway.

    You will find section 0 EID0 which will look like...
    00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....οέΚ%Rf 00000010 00 12 00 0B 81 2E 00 A9 59 75 01 CC C1 72 D5 50 .......©Yu.ΜΑrΥP
    This part you will be looking at....
    00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....οέΚ%R
    Here is your IDPS, the 6th byte in there is your Target ID, which is what kind of PS3 your's is. (Retail USA, Retail U.K., e.t.c.)

    So in this code;
    00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....οέΚ%Rf
    The 6th byte which is 89; 89 is equal to Retail Australia/New Zeland.

    Now say you want to put your PS3 into Debugger mode; you would have to change the 89 (which by the way, is a hexadecimal) and the code for System Debugger is... A0. Now, when you change the code it will look something like this...
    00000000 00 00 00 01 00 A0 00 0B 14 00 EF DD CA 25 52 66 .....*....οέΚ%R
    Now you will just put this back into your NAND (where the flash is located), or NOR (if you are on slim). This concludes Changing your PS3's IDPS and putting it into Debugger mode.

    Finally, we have received an e-mail from anonym0us (who appears to be LuckLuka ) stating the following:

    Hello PS3 Scene, this is another anonymous leak! I would like to be called: anon0 to prevent confusion with all the other 'anonymous' members. 2 months ago, a CEX-to-DEX came out which needed the request-idps.txt

    It was all accomplished by .SIG files and ObjectiveSuites, they are encrypted files which carry out specific commands to the PS3

    We are now bringing THREE new .SIG files which can be used with 3.73 FW to carry out certain 'tasks' Figure what it can do by yourself... And samples of many files can be found there which can aid in 3.73 getting hacked... To use ObjSuites: Put PS3 in service mode, connect PS3 to PC by ethernet cable, IP Address to
    • Copy files from objcon to root of your usb drive
    • Start ObjectiveSuites, then power the PS3
    • All info necessary will be in the temp folder in objectivesuites...

    This is a part-of-the-equation of hacking the 3.73

    Some notes: I can guarantee something: There are many exploits present when ObjSuites connects to PS3, it forms a trusting bond... ObjSuites gets LV0/LV1 access. Use this with care...

    Link: (removed) / Clean PS3 files:

    And a bonus, Here is some software: (removed)

    From IRC:

    10:44 anonym0us – Okay
    10:44 anonym0us – let me explain
    10:44 anonym0us – ObjectiveSuites is used in combination with a jig
    10:45 anonym0us – It allows more things to be done while PS3 is in service mode
    10:45 anonym0us – something like 2 months ago
    10:45 anonym0us – There was a leak
    10:45 anonym0us – that allowed Retail->Debug
    10:45 anonym0us – but it required a person getting request_idps.txt
    10:45 anonym0us – from Sony
    10:45 anonym0us – It was accomplished by a .SIG file
    10:46 anonym0us – .SIG files carry out commands to the PS3
    10:46 anonym0us – So
    10:46 anonym0us – I got hands on 3 more .SIG files
    10:46 anonym0us – Which report all kinds of things about the PS3
    10:46 anonym0us – But, there is another thing
    10:46 anonym0us – When ObjSuites is used with the PS3 in service mode
    10:46 anonym0us – We can exploit the PS3
    10:47 anonym0us – Sony never bothered fixing bugs between the ObjSuites-PS3 connection
    10:47 anonym0us – Reason?
    10:47 anonym0us – The original ObjSuites required a membership to SCEDevNet
    10:48 anonym0us – this is cracked
    10:48 anonym0us – So
    10:48 anonym0us – yeha
    10:48 anonym0us – yeah
    10:48 anonym0us – thats pretty much it
    10:48 anonym0us – When PS3 connects to ObjSuites
    10:48 anonym0us – you get LV0/LV1 access
    10:48 anonym0us – you get LV0/LV1 access
    10:48 anonym0us – So with a bit of tinkering
    10:48 anonym0us – You can be sure that you can get the PS3 to do what you want ot
    10:48 anonym0us – to*
    10:48 anonym0us – And thats pretty much it

    From eussNL: My thoughts:
    • First: objsuites is just the old 2.43 leaked stuff + incomplete CEXDEX - meh, old news is so exciting :/
    • Second: just someone wanting his minute wall of fame
    • Third: ObjectiveSuites is not even related to decryption of files - especially 3.73

    • objectivesuites is used in service mode, just as downgrader and remarry
    • only os3sig\ObjectiveSuites\xml seems deviant from cexdex
    • afaik objectivesuites runs in lv2 and uses lv1 functions. that is why I don?t see the access to lv0 for it and certainly not the 3.73 part
    • there is still the matter of servicemode - afterall, we don?t have a way to enter/exit it on 3.73

    All in all: I still have much doubts about it, both because of service mode, using objectivesuit and the source/person.

    Shortly following, butnut (*********.net/forum/threads/1731-ObjectiveSuite?p=17938#post17938) converted the request_idps.txt back to hex code.

    Download: PS3 ObjectiveSuites Request_IDPS.txt Hex Code

    To quote: This is the request_idps.txt from the leak converted back to hex. It appears to be an eEID from a CECHC that was released in Mexico, but it is smaller than the eEID's from the two slims I looked at, so I don't yet know if it is complete or partial.

    The numerical string at the beginning of the file is the pd_label and the same string can also be found in the CONSOLE_FINALIZE.CONF file.

    Update: PlayStation 3 developer zecoxao has now made available the DEX / CEX Objective Suites with clean executables for reverse engineering by other developers.

    Download: dex-cex.7z (2.1 MB) / ObjectiveSuites.c (1.6 MB)

    To quote: Back when dex-cex or cex-dex was leaked, the original leaker decided it'd be a fun prank to put .net obfuscation on the main ObjectiveSuites executable, and probably bundle it with some viruses.

    When i got this, i wasn't sure what to expect, until i looked at the exes and compared them. yes, the file size differs. no, sony didn't add any obfuscation to objective suites. yes, this was meant to slow us down.

    So, there you have it. the full source exes and dlls, without any virus report. This was shared with the permission of Mr. Math. Mr. Math, if you can see this message, french potatoes are the only good sht in France. rest sucks.

    [imglink=|PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS][/imglink]
    [imglink=|PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS][/imglink]
    [imglink=|PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS][/imglink]
    More PlayStation 3 News...

  2. #2
    elser1 Guest
    thats kool. so then you can upggrade and downgrade as you like with the new debug downgrade pup? thanks!!

  3. #3
    CJPC Guest
    Well, if the IDPS stuff is somehow reversed, this means that any < 3.55 retail console could be converted into a 100% true debug. Which would, at least until now be able to use the latest available debug updates!

  4. #4
    TUHTA Guest
    Well, its always like that, releasing something big, without something small which is a key fact...

  5. #5
    ZerotakerZX Guest
    That just... Unbelievablely cool news! Its a dream come true! PS3 scene becoming alive again!

  6. #6
    DAXGr Guest


    Has any of you checked anonfiles? The leaked rar was already leaked...

  7. #7
    condorstrike Guest
    actually, it's cool and all... but the irc is flaming and people will leave the scene cause of this leak, we think we know who L... any ways, hope people cool off and don't leave the scene cause of this... and a shameless plug. Solar 2 very, very soon.

  8. #8
    Join Date
    Apr 2005
    Quote Originally Posted by DAXGr View Post
    Has any of you checked anonfiles? The leaked rar was already leaked...
    I just gave it a peek there now, it appears to be the same archive just compressed differently but unpacked they both are 168 MB (177,168,689 bytes) in size.

    Here are the related links/mirrors for it from there if anyone needs them: (dex-cex.rar 2011-08-28 08:06:13)

  9. #9
    elser1 Guest
    so does that mean if i had a ps3 with this on it if its finished, then upgraded to 3.70 debug i can use the debug downgrade or am i wrong?


  10. #10
    Join Date
    Apr 2005
    Assuming this gets finished or the version that doesn't require IDPS surfaces then yes you could convert your Retail PS3 to a Debug and use the downgrade PUP as mentioned above.

Page 1 of 15 1211 ... LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts