Since there are several problems in the original tutorial (also in English) may even have failures in this guide c2d do about it. Clarification. First they say that by doing this you lose the BD married this is false not only what I say.
Naehrwert wrote on messing with your box eid4 will destroy your bd-drive pairing, so I would not do that
Naehrwert: Altering the eEID4 on your console you will destroy the married bd-drive, so I would not do that.
Touch and change something else that if you could let eEID0 without BD Married eg the eEID4 but here we do not change any of it only works with the first segment of eEID0.
Trick to get dump on Linux and the rules and eEID (NOR)
First of all this works from petitboot (Like the tutorial below to get granberro metldr) inclusive so as not to install such a distribution, only OtherOS + +.
- "Sda1" in the commands is the usb already mounted correctly.
TUTORIAL (eEID0 DEX)
- First we need the dump of metldr since in his first 0x30 bytes have all the Eid root key (erk and riv) by granberro (via elotrolado.net/hilo_dump-metldr-sin-usar-otheros_1725034):
Hello, I know that the dump the metldr is nothing new, but those who, like me, ye have the keys to your console without installing a CFW or messing with internal hard disk partitions, you can follow this method.
It is not complicated, but requires a basic knowledge of Linux.
List of ingredients:
Red Ribbon Linux. The Linux distribution: elotrolado.net/hilo_red-ribbon-gnu-linux-para-ps3-21-11-2011_1631472 ro4drunner
The dmpatch.sh script that allows patching the SS to use lv1
In NOR dump as you see in the image from 0x2F090 to 0x2F14F is the first section of the talk here is marked with the red square you can see the first section of which I speak.
In the part marked by the blue color I want that you see what I mean by PID those first 0x20 bytes are decrypted factory and is the beginning of eEID0 but the PID is in the first 0x10 bytes.
eid0_1st_Section_CEX.bin: The name you put for example to that section of eEID we draw directly from offset 0x20 to 0xDF eEID0 (In a dump Nor is being offset from 0x2f090 to 0x2F14F) 0xC0 their length bytes from the same hex editor, we put CEX at the end of his name to identify it as it is the original section CEX our console, this part is encrypted and contains the PID, we pass input to openssl.
eid0_1st_CEX_decrypt.bin: output is the name we put to the 1st segment CEX input we gave him for us to decipher what his first line to know if it was decrypted properly.
To upload hex if everything was correct and should be deciphered in the first line should be your IDP as it was in the first 0x10 bytes of eEID0 in (NOR = 0x2F070 | NAND = 0x80870) an example in my case something like this:
These same bytes in my case are the same as those in the beginning of eEID0 and the photo you check first with the blue square that is what is necessary to compare to see if good or not decipher this first section.
At least the first 5 bytes might be the same as if the rest are data PCK or 84 per console that comes out in the fifth byte in my case is the target id is an American console but you should find something similar with your target ID.
If you have noticed that in fact if it was decrypted should find your target id to the nakedeye as I said.
Note that the first 16 bytes of the first section of EID0 decrypted must match the first 16 bytes of eEID0 should also match the PID found in their dumps (NOR = 0x2F070 | = 0x80870 NAND), IF IT IS NOT NO CONTINUE WITH THIS and review the steps again.
Now it is necessary to generate the CMAC (OMAC1) Hash of the first section EID0 unscrambled from 0x00 to 0xA8, that first section was the one that we have deciphered the first steps we call "eid0_1st_CEX_decrypt.bin" that file as you can see in Hex 0xC0 length.
We will use the key and also generate EID0 First Section of Key and follow the tutorial you ought to download this utility to schedule algorithm based on CMAC's source leaked 1 month ago.
Sure the numbers will be different since they are PCK by the way we generate,
You ought to copy the hash calculated that you return the program and compare it with the kind on the eid0_1st_CEX_decrypt.bin of 0xA8 to 0xb8 and should be the SAME exact (again in the first section we decoded input) 0xA8 to 0xb8, if not it is something wrong, Look back steps again, if so then all is well for the next step.
Now in the 0x5 byte of the first section of EID0 decipher is that our target ID and you must change it to 0x82.
After you change the Target ID of the first section EID0 unscrambled, you must create a new hash CMAC valid for your new DEX and this new hash you write in the same section in the offsets where checks before the previous value of the hash is 0xA8 to 0xb8 (Bone to replace the old with the new hash) the hash as they once again generate the same with CMAC.
CMAC eid0_1st_CEX_decrypt.bin (now DEX because we changed the target id) EID0_First_Section_Key.bin
The Hash resulting from this step as I write in the first section decrypted with the target id and changed (again with the same target eid0_1st_CEX_decrypt.bin and just modified it to use with CMAC to generate this new hash) of 0xA8 to 0xb8 replacing the old one.
Once that we have listed the modification of the first section deciphered (eid0_1st_CEX_decrypt.bin) finally proceed to encrypt it again.
Running Homebrew and any eboot signed FSELF with the SDK in any debug until the last fw 4.11.
Run last new original games disk 3.6 + including 4.11 (Bone homebrew games and new original disks but no backups because EBOOTs must be refirmados as FSELF).
Ability to use absolutely all possibilities of the SDK (debugging, development, etc.)
Run backups maximum 3.55 PS3Gen through debug or using pkgs and EBOOTs FSELF 0x8000 (reaffirming with psn_package_npdrm pkg and preparing any type EBOOTs geohot).
Direct downgrade to 3.6 + 3.55 with just a pup so fast.
Features the latest fw available (Support for new devices, etc).
Cons of PS3 Debug Test Console
Only for the moment nothing complicated to solve do not have BD or DVD playback (Because in the DEX not play) but that in 3.55 dex is solved easily in any 3.6 + dex needs some check is made. What do you mean retail functionality? You can restore dvd playback and ps store to name a few by copying and sprx Some xml editing. Just unpack to 3.55 dex for fw fw and to cex for 3.55 and note the Differences in sprx. Then just add the correct xml keys. For example for ps store seg_commerce_new add the # key to category_psn.xml.
Maybe some more burden on FAT consoles overheated.
No PSN that to get into the network of developers need at least an existing account last year when it could create accounts SP-INT or be in the database sony consoles and still your target Dex dex do not pass the check to enter retail PSN (alterable be changed to activate the icon of the store and enter the retail).
There is also the possibility that if you try to get a lot in the debug psn in the default environment of sp-int banning you for trying to do as you send the PID via the network to your server is as well so check again beware.
You see the best links to have CFW and OFW and need original disks bought as OFW for games but also new 3.6 + Homebrew and also have many features of development and practice, plus you can download the fw when you want... Greetings.
i'm working on a guide if anyone stuck with this, i just got metldrpwn to work on a different console. i'm just trying this method on another console of mine to see if i can shorten the guide a little anyway if you know how to setup and install linux get started by downloading Red_Ribbon_RC5.iso from the wiki and burn it to a cd-r disc and install it to your ps3.
Download Red Ribbon RC5 and burn it to a CD-R ps3devwiki.com/files/devtools/dump-metldr/Red_Ribbon_RC5.iso
1. Install OtherOS++ with SS Patches CFW ps3devwiki.com/wiki/OtherOS%2B%2B
2. When installation is finished, go to recovery menu and choose "Restore PS3 System" (WARNING! this will delete all data on gameOS)
3. Put boot_otheros.pkg, dump_flash.pkg, dtbImage.ps3.bin, install_otheros.pkg, reboot.pkg and setup_flash_for_otheros.pkg on a usb stick.
press triangle on install packages and install all packages is this folder technosounds.co.uk/pkgs_for_otheros.rar
(NAND owners should use dtbImage.ps3.bin-nand.only, rename it to dtbImage.ps3.bin).
4. Run dump_flash.pkg dont remove your memory stick the console will sit on a black screen and will beep when ready. once finnished you will have flash.bin on usb
5. Run setup_flash_for_otheros.pkg (for all PS3 models)
7. Run boot_otheros.pkg
8. Run reboot.pkg
9. You should be in petitboot now.
10. wget http://gitbrew.org/~glevand/ps3/scri..._hdd_region.sh
11. chmod a+x create_hdd_region.sh
14. while at the ps3 xmb screen pop the red ribbon CD-R into your ps3 drive and wait for the data disc icon to show under video category
15. Run reboot.pkg you should be in petitboot again. (if not run boot_otheros.pkg then Run reboot.pkg)
16. you should see some new choices select live-otheros: (not the failsafe one)
17. once in red ribbon double click the install icon on the desktop
18. choose your language
19. select Yes continue
20. Hard disk space reserverd by OtherOs++ do you want to use this to isntall? select Yes
21. select Automatic Partition
22. installer /dev/ps3dd Yes
23. Use Current Partitions Yes
24. select mount point specification finished.
25. contune (Yes to All)
26. choose username and password default is ps3/ps3 no need to change it
27. Reboot and remove the CD-R
The following commands can be copy and pasted using Telnet
28. umount /dev/ps3dd1
29. mount /dev/ps3dd1 /tmp/petitboot/mnt/ps3dd1
30. cd /tmp/petitboot/mnt/ps3dd1/boot
31. wget http://www.technosounds.co.uk/vmlinu...d156-dirty.tar
32. tar -xvf vmlinux-2.6.39-gd49d156-dirty.tar
33. cd /tmp/petitboot/mnt/ps3dd1/etc
34. nano kboot.conf
35. add the following lines to the end of kboot.conf
36. press CTRL+X keys to quit and Y to save changes as kboot.conf
37. Boot Red Ribbon Linux-2.6.38-powerpc64-otheros
Red Ribbon disables logging on as root by default; this re-enables that ability
Use the Command-line to activate root account
Open a terminal window (on desktop click on terminal icon in upper left)
at the prompt type: sudo passwd root
it responds: [sudo] password for ps3:
enter your password
it responds: Enter new Unix password:
enter the password you want to use for the root account
it responds: Retype new Unix password:
enter the same password again to confirm
it responds: passwd: password updated successfully
Close the terminal window.
On the desktop click on the shutdown icon (upper right corner)
The shutdown dialogue window opens:
click on switch user then push F10 on the keyboard and Click on Configure Login Manager
then Enter the root password that you created and The configure Login Manager Window opens
Click on the Security tab to display the security page and check the Allow local system administrator login box
then Click the close button at the bottom
log back in and click the file manager icon in the top left of the screen
you will see a window change /home/ps3 to / and press enter
now click into lib and modules folders
once there click tools and open current folder as Root
now type in your password
download this rar and extract it to a usb: technosounds.co.uk/lib-2.6.39-gd49d156.rar
copy the folder from the usb to the /lib/modules folder
so you should now have three directories in there. 2.6.38-powerpc64-asbestos, 2.6.38-powerpc64-otheros and 2.6.39-gd49d156
select Byte reverse a dump. option and browse for the flash.bin file created by dump_flash.pkg
click execute operation and a file called flash.swap.bin will be created
now select Byte reverse and EXTRACT a NOR dump file. and choose the new flash.swap.bin file
a folder called flash.swap.swap.ext will be created inside that you have asecure_loader then metldr.
copy metldr to the root of your usb stick you need to copy this file to metldrpwn folder on the ps3.
(you need root permissions for the above tasks so click tools and open current folder as Root then enter your password)
sudo sh run.sh
congratulations on obtaining your consoles root key.
goto the file manager icon and change /home/ps3 to / then press enter
now click into proc then metldrpwn and copy the dump file to a usb.
note: it's "insmod metldrpwn.ko" for those following the guide that didn't know
you will need a hex editor, i recommend hxd. open your dump and the first 3 lines are the keys you require!
CEX2DEX Application for Any PS3 NOR / NAND Flash Dump Arrives
Following up on the recent PS3 C2D CEX to DEX Flash Patcher and PS3Tools GUI Edition v2.6, today I have released a CEX2DEX application that will allow you to extract the METLDR from ANY (NOR / NAND) PlayStation 3 flash dump and create a valid DEX (Debug / Test) flash from the given CEX (Retail) flash.
Can be used to extract the METLDR from ANY (NOR/NAND) flash dump.
Can be used to create a valid DEX flash from any given CEX flash (NOR/NAND).
I will explain the two main options the program has.
Extract METLDR - This extracts the metldr from your flash dump so you can use this in the metldrpwn exploit and dump your root key. The dump file created by the metldrpwn exploit can then be loaded into the program (METLDR Dump).
CEX -> DEX - This creates a modified flash dump to convert your CEX into a DEX, the dump created can then be used to be flashed back to your PS3.
I assume you are getting those CMAC errors because you are attempting to use the extracted metldr as the metldr dump. These are two completely different files, the METLDR Dump is the dump file produced by the metldrpwn exploit. Could you show me part of your root key so I can get a better understanding of what you're actually loading.
Also, make it clear that the Extract METLDR function only extracts the METLDR Binary from the flash and DOES NOT dump the root key, linux is required for this!
Also, some insight on how I dumped/flashed my NAND.
Using Preloader Advance 3.1 (JFW is NOT required) I put my PS3 into service mode, put Lv2diag.self and the advance.cfg on a memory stick and put it into USB000 (far right slot). Powered the PS3 on and let it do its work.
Use my program to create a modified dump, put the dump on the memory stick and name it rflash.bin, make the previous setting (#Backup "rflash" to "/dev_usb000/Backuprflash.bin") to 0 and set this (look below) setting to 1 :
From aldostools on comparing CEX2DEX to the C2D application: If I understand it right, the major differences from this and andbey0nd's C2D.exe are that:
1- This tool supports NAND/NOR flash dumps of CEX, while C2D only supports NOR flash dump of CEX
2- This tool extracts the EID root key (per_console_key) directly from the metldrpwn. So it is not required to hex edit the metldr to extract the first 3 lines (48 bytes).
3- This tool does not require the Win32OpenSSL_Light installed
For the CEX dump, it is still necessary the glevand's dump_flash.pkg (aka USB Flash Dump.pkg I guess that 2 dumps are recommended to compare md5/sha-1 hashes and be sure that it's valid)
For the metldr dump, it is still necessary to have an OFW (<=3.15) or a CFW with dual boot support to boot linux (CFW355-OTHEROS++.PUP), then make and run metldrpwn to dump metldr and a flasher or a tool like JaiCrab's Preloader Advance v3.1 to flash the NOR DEX dump created by this tool. Am I right? or am I missing something ?
PS3 CEX 2 DEX Guide:
1) A PS3 with Firmware 3:55 or less (if less than you should upgrade to 3.55), you must install this CFW using Recovery Mode: gitbrew.org/~glevand/ps3/cfw/CFW355-OTHEROS++-SPECIAL.PUP
2) A USB keyboard and mouse;
3) Red Ribbon Linux on your PS3, you should download and burn this ISO: http://garr.dl.sourceforge.net/proje...ribbon_rc5.rar (Mirrors: http://sourceforge.net/projects/redr...5.rar/download or also ps3devwiki.com/files/devtools/dump-metldr/Red_Ribbon_RC5.iso)
4) CEX2DEX, downloadable from here: http://puu.sh/IY92
5) metldrpwn, downloadable from here: ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip
6) (Optional) although unlikely, is possible brick, so I recommend you have E3 flasher.
Put everything in the root of a USB device and install the PKG. Each application you start before returning to the XMB will make 3 beeps the console, if you do not hear these 3 beeps try again.
1. Run "Setup for OtherOS FLASH", turn the console back to the XMB and restart.
2. Start the "Install OtherOS" (the key with the file dtbImage.ps3.bin must be inserted).
Now connect a USB keyboard and a USB to the console and launched from the XMB "OtherOS Boot" and "Reboot". You'll find yourself in "Petitboot". Using the keyboard, select "Exit to shell" and press enter. Type the following commands:
Now you dump your NOR / NAND USB stick. Turn off the console (ctrl + alt + delete or power button).
Now insert the stick into your PC and extract the folder "metldrpwn" from the "metldrpwn.zip" in the root of the USB stick.
CEX2DEX Start, select your dump and click "Extract metldr", save the file as "metldr" folder "metldrpwn" on your USB stick.
Go back to your PS3, plug in the USB key and the CD with the iso burned previously. From the XMB start again "OtherOS Boot" and "Reboot". This time from Petitboot selected "Red Ribbon OTHEROS live" and wait for the upload. If you do not have a USB hub you unplug the keyboard and mouse to attack, click the first icon in the upper left -> Accessories -> Terminal. Reconnect the keyboard.
The system will shut down. Go back to your PC and start CEX2DEX, select new dump your flash and the file "dump" that will be on your USB stick, click CEX-> DEX, now you save a file, name it "flashDEX.bin" and save it in the root USB stick.
Return to the PS3, connect the USB stick and remove the CD. Start again "OtherOS Boot" and "Reboot" on Petitboot select "Exit to shell" and Type the following commands:
And place it in X: \ PS3 \ UPDATE \ PS3UPDAT.PUP (X: is your USB stick)
Turn on the console in recovery mode and select system update. Now you have a Debugging Station.
Finally, below is another PS3 CEX to DEX Guide with No Linux or Hardware Required by ChocoErased (via nextgenupdate.com/forums/playstation-3-exploits-hacks/572924-full-tutorial-cex-dex-no-linux-hardware-required.html):
This is a tutorial from start to finish on how to convert a CEX console to a DEX console. If you don't know what you're doing or need someone to explain what DEX is to you, you should probably leave now. Also, be warned - if you mess up anything in this tutorial, you risk bricking your console. Follow the instructions right and you should be fine.
Note: This conversion does not require the installation of Linux or any hardware modifications, but it is recommended you have an E3 flasher or similar device in case you do end up bricking your console.
Once you have all of the above, you're ready to get started
1. Install the FactoryServiceMode pkg on your PS3 and use it to boot your PS3 into Factory Service Mode. When done, confirm your console is in service mode by turning it on and seeing if the red box is there in the lower right hand corner. Power down your PS3.
2. Take all the files from Preloader.zip and extract them onto the root of your USB stick. Rename "Lv2diag.self.flash" to "Lv2diag.self".
3. Eject your USB from your PC and place it in the rightmost USB port of your PS3 (your PS3 needs to be turned off). Once it is securely in place, turn on the console. Nothing is going to come up on the screen, and eventually the PS3 power LED will start blinking. DO NOT TURN OFF THE CONSOLE, it is dumping your NAND/NOR. Wait for it to power down itself.
4. Once your console turns itself off, remove the USB from your PS3 and plug it back into your PC. There will now be a file on it named "Backuprflash.bin" (Note: You may have to enable displaying of system files in order for it to be shown). This is your dump of your NOR/NAND - if your console is NOR, the filesize should be 16mb. If your console is NAND, it will be 256mb.
5. On your USB, rename "Lv2diag.self" back to "Lv2diag.self.flash" and then rename "Lv2diag.self.exit" to "Lv2diag.self". Place the USB in the rightmost USB port of your PS3 (turned off), then turn it on. It should turn itself off after a few seconds. When it turns off, remove your USB and boot the PS3. It should now be out of factory service mode.
6. Install the eEID_RKDumper on your PS3. Run it, and it should cause your console to blackscreen. It will reboot after a few seconds, just give it it's time and don't interrupt it (it is dumping your root key). Once it reboots, proceed to the next step.
7. Use a filemanager or FTP server to retrieve your root key dump from your PS3 - it is located at dev_hdd0/tmp/eid_root_key. It should be 256kb. Get it onto your USB, it should be in the same directory as your Backuprflash.bin. Rename it to "dump" (no file extension).
9. Start up CEX2DEX again on your PC. For the NOR/NAND flash dump, select your Backuprflash.bin. For the METLDR dump, select your rootkey (file named "dump"). Click on CEX -> DEX, and when it prompts you save the new file as "rflash.bin" and put it onto the root of your USB stick. Your NOR/NAND dump is now fully converted to DEX, all that is left is to flash it back onto your PS3. The filesize for rflash.bin should be 16mb for NOR consoles and 256mb for NAND consoles.
10. On your PS3, use FactoryServiceMode Tool to boot into Factory Service Mode again. On your USB, rename "Lv2diag.self" to "Lv2diag.self.exit" and rename "Lv2diag.flash.self" to "Lv2diag.self". Delete the advance.cfg file from the USB, and put this one onto the root of it: advance.cfg
11. Make sure your PS3 is fully powered off, then plug your USB into the rightmost USB port. Turn on the PS3, and it will begin writing to your NAND/NOR. DO NOT TURN OFF THE PS3!!! If you do, it is a guaranteed brick. Just leave it alone until the PS3 turns itself off, it may take 15 minutes or more. Don't worry if it's taking too long, mine took about 40 minutes to write completely. Once your PS3 has powered itself off continue to the next step.
12. On your USB, rename "Lv2diag.self" back to "Lv2diag.self.flash" and then rename "Lv2diag.self.exit" to "Lv2diag.self". Place the USB in the rightmost USB port of your PS3 (turned off), then turn it on. It should turn itself off after a few seconds. When it turns off, remove your USB and boot the PS3. It should now be out of factory service mode. Congratulations, you are now ready to install DEX firmware. I would recommend downloading and installing this debug firmware, from there you can go to 4.20 debug or whatever other version you want.
Once you convert to DEX, your console can no longer access the Playstation Network. Your IDPS becomes invalid.
You cannot data transfer from a DEX console to a CEX console.
If you choose to install a debug update of version 3.56 or higher, Peek & Poke will be disabled. This will make certain homebrew applications no longer work.
Most PKGs and homebrew applications will have to be resigned as debug files before they can be installed/run on DEX firmwares above 3.55.
I hope this makes the whole process of converting from CEX to DEX easier for some of you. Remember, this is NOT something that the average jailbroken PS3 owner should undertake. Have fun and be safe.