
Thread: PS3 CEX (Retail) to DEX (Debug) Conversion Method is Released!

  1. #151
    germainm Guest
    I want to know if I should back up something in case I eventually need to return to CEX firmware to have the BD working. Can I return to CFW? Can I downgrade version from DEX?

  2. #152
    cfwprophet Guest
    DECR = Reference Tool, and it has different hardware and software from DEX.

    Except for BD movies you can do everything on a DEX CFW, and even more than on a normal retail CFW. I haven't tried yet, but I'm guessing that when you convert back everything will be normal.

  3. #153
    maxiosuna Guest

    [GUIDE] Conversion Method PS3 DEX (TEST - DEBUG) Step by Step

    anyone see this, from ing_pereira on EOL (

    Rough translation: [GUIDE] Conversion Method PS3 DEX (TEST - DEBUG) Step by Step

    Since there are several problems in the original tutorial (also in English) may even have failures in this guide c2d do about it. Clarification. First they say that by doing this you lose the BD married this is false not only what I say.

    Naehrwert wrote on messing with your box eid4 will destroy your bd-drive pairing, so I would not do that

    Naehrwert: Altering the eEID4 on your console you will destroy the married bd-drive, so I would not do that.

    Touch and change something else that if you could let eEID0 without BD Married eg the eEID4 but here we do not change any of it only works with the first segment of eEID0.

    Trick to get dump on Linux and the rules and eEID (NOR)

    First of all, this works from petitboot (like granberro's tutorial below for getting the metldr), so there is no need to install a distribution, only OtherOS++.

    - First mount the USB:
    mount -n -o remount,rw /dev/sda1 /tmp/petitboot/mnt/sda1
    - Dump the NOR
    dd if=/dev/ps3nflasha of=/tmp/petitboot/mnt/sda1/cexnor.bin bs=1024
    - Dump the eEID
    dd if=/dev/ps3nflasha skip=$((0x2F000)) of=/tmp/petitboot/mnt/sda1/eid.bin bs=1 count=$((0x10000))
    As you see, that was easy using dd, well known to anyone who knows Linux.

    - Dump eEID0 directly (only on Linux with graf's ps3dm; use with the RedRibbon Live CD is recommended).
    ps3dm_iim /dev/ps3dmproxy get_data 0x0 > EID0.bin
    - "sda1" in the commands is the USB, already mounted correctly.


    - First we need the dump of metldr since in his first 0x30 bytes have all the Eid root key (erk and riv) by granberro (via

    Hello, I know that the dump the metldr is nothing new, but those who, like me, ye have the keys to your console without installing a CFW or messing with internal hard disk partitions, you can follow this method.

    It is not complicated, but requires a basic knowledge of Linux.

    List of ingredients:
    • Red Ribbon Linux. The Linux distribution: ro4drunner
    • The script that allows patching the SS to use lv1

        #!/bin/sh
        # Copyright Graf_chokolo
        # All rights reserved.
        # This program is free software; you can redistribute it and/or modify
        # it under the terms of the GNU General Public License as published by
        # the Free Software Foundation; version 2 of the License.
        # This program is distributed in the hope that it will be useful,
        # but WITHOUT ANY WARRANTY; without even the implied warranty of
        # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
        # GNU General Public License for more details.
        # You should have received a copy of the GNU General Public License
        # along with this program; if not, write to the Free Software
        # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

        # ram_write_val_32 <offset> <value>: write 4 bytes to PS3RAM_DEV at <offset>
        ram_write_val_32 ()
        {
           _off=$1
           _val=$2
           printf $_val | dd of=$PS3RAM_DEV bs=1 count=4 seek=$(($_off)) 2>/dev/null
        }

        PS3HVC_DEV=/dev/ps3hvc
        PS3HVC_HVCALL=ps3hvc_hvcall
        PS3RAM_DEV=/dev/ps3ram

        # Offsets
        # (DISPMGR_SET_LAID_OFFSET and DISPMGR_SEND_SPM_REQ_OFFSET are used below,
        # but their definitions are missing from this copy of the script)
        DISPMGR_SS_ID_OFFSET=0x16F3E0

        # Disable overwriting of LAID
        ram_write_val_32 $DISPMGR_SET_LAID_OFFSET '\x60\x00\x00\x00'
        # Disable SS ID check
        ram_write_val_32 $DISPMGR_SS_ID_OFFSET '\x38\x60\x00\x01'
        # Disable SPM (Security Policy Manager) check
        ram_write_val_32 $DISPMGR_SEND_SPM_REQ_OFFSET '\x3B\xE0\x00\x01'
        ram_write_val_32 $((DISPMGR_SEND_SPM_REQ_OFFSET + 4)) '\x9B\xE1\x00\x70'
        ram_write_val_32 $((DISPMGR_SEND_SPM_REQ_OFFSET + 8)) '\x38\x60\x00\x00'
    The exploit

    After installing everything, compile the exploit and add the files you need it, just run the script to patch lv1 and to run the exploit.

    If all goes well, you get something like this
        PPE id (0x0000000000000001) VAS id (0x0000000000000019)
        lv1_construct_logical_spe (0x00000000)
        SPE id (0x0000000000000032)
        lv1_enable_logical_spe (0x00000000)
        lv1_set_spe_interrupt_mask (0) (0x00000000)
        lv1_set_spe_interrupt_mask (1) (0x00000000)
        lv1_set_spe_interrupt_mask (2) (0x00000000)
        lv1_set_spe_privilege_state_area_1_register (0x00000000)
        ea (0xc00000000a860000) ESID (0xc000000008000000) vsid (0x0000408f92c94500)
        lv1_get_spe_interrupt_status (0) (0x00000000)
        lv1_get_spe_interrupt_status (1) (0x00000000)
        lv1_get_spe_interrupt_status (2) (0x00000000)
        lv1_get_spe_interrupt_status (0) (0x00000000)
        lv1_get_spe_interrupt_status (1) (0x00000000)
        lv1_get_spe_interrupt_status (2) (0x00000000)
        mbox interrupt out (0x0000000000000001)
        lv1_clear_spe_interrupt_status (2) (0x00000000)
        Transferring EID0, ldr and revoke list args to LS
        Until waiting MFC transfers are finished
        MFC transfers done
        mbox out (0x00000001)
        problem status (0x00000089)
        lv1_destruct_logical_spe (0x00000000)
    The memory dump is in /proc/metldrpwn/dump; copy it to /home/username and voila. Regards

    Using a hex editor on the metldr dump, from 0x00 to 0x1F you will get the eEID Root Key and from 0x20 to 0x2F the eEID Root IV.

    Once you have that you only need to have OpenSSL installed to manage the cryptographic:

    You need to have already downloaded the 2 files EID0_Key_Seed and EID0_First_Section_Key_Seed.

    Download: / (Mirror)

    As for the OpenSSL options, the most basic ones we will use are:
    -in: specifies the input file to encrypt.
    -out: specifies the filename of the final output, produced from the input.
    -K: specifies that we will use the specific key placed after this option.
    -iv: specifies the IV (a riv) specific to our encryption.
    With everything in order in the same working folder, with those 2 files and with your EID Root Key and EID Root IV at hand, we begin with the 1st step.
    openssl aes-256-cbc -e -in EID0_Key_Seed.txt -out EID0.txt -nosalt -K <YOUR EID ROOT KEY HERE> -iv <YOUR EID ROOT IV HERE> -p -nopad
    Here we encrypt EID0_Key_Seed.txt as input, with our PCK as the KEY and the IV as shown in the command.

    Open EID0.txt generated by the previous step in hex editor and from 0x10 to 0x1F have your EID0 IV and 0x20 to 0x3F have the EID0 KEY.

    For more comfortable you can save them respectively for easy access while in other files aside something like eid0_iv.txt and eid0_key.txt.

    And here and generate the KEY and EID0 EID0 IV of our console.
    openssl aes-256-cbc -e -in EID0_Section_Key_Seed.txt -out EID0_First_Section_Key.bin -nosalt -K <YOUR EID0 KEY> -iv 0 -p -nopad
    Above, it is normal to leave the IV at 0; after that command, the file EID0_First_Section_Key.bin will contain the key to decrypt the first section, which holds the target ID in the encrypted eEID.

    In the next step we use that same key to decrypt the first section of eEID0 that we have spoken of.
    openssl aes-128-cbc -d -in eid0_1st_Section_CEX.bin -out eid0_1st_CEX_decrypt.bin -nosalt -K <EID0 First Section Key> -iv <YOUR EID0 IV> -p -nopad

    In NOR dump as you see in the image from 0x2F090 to 0x2F14F is the first section of the talk here is marked with the red square you can see the first section of which I speak.

    In the part marked by the blue color I want that you see what I mean by PID those first 0x20 bytes are decrypted factory and is the beginning of eEID0 but the PID is in the first 0x10 bytes.

    eid0_1st_Section_CEX.bin: The name you put for example to that section of eEID we draw directly from offset 0x20 to 0xDF eEID0 (In a dump Nor is being offset from 0x2f090 to 0x2F14F) 0xC0 their length bytes from the same hex editor, we put CEX at the end of his name to identify it as it is the original section CEX our console, this part is encrypted and contains the PID, we pass input to openssl.

    eid0_1st_CEX_decrypt.bin: output is the name we put to the 1st segment CEX input we gave him for us to decipher what his first line to know if it was decrypted properly.

    To upload hex if everything was correct and should be deciphered in the first line should be your IDP as it was in the first 0x10 bytes of eEID0 in (NOR = 0x2F070 | NAND = 0x80870) an example in my case something like this:
    00 00 00 01 00 84 00 0B 14 January A6 AE C3 1A 80 28 (THIS IS MY CONSOLE ;), watch it :D)
    These same bytes in my case are the same as those in the beginning of eEID0 and the photo you check first with the blue square that is what is necessary to compare to see if good or not decipher this first section.

    At least the first 5 bytes might be the same as if the rest are data PCK or 84 per console that comes out in the fifth byte in my case is the target id is an American console but you should find something similar with your target ID.

    If you have noticed that in fact if it was decrypted should find your target id to the nakedeye as I said.

    Note that the first 16 bytes of the first section of EID0 decrypted must match the first 16 bytes of eEID0 should also match the PID found in their dumps (NOR = 0x2F070 | = 0x80870 NAND), IF IT IS NOT NO CONTINUE WITH THIS and review the steps again.
    Now it is necessary to generate the CMAC (OMAC1) Hash of the first section EID0 unscrambled from 0x00 to 0xA8, that first section was the one that we have deciphered the first steps we call "eid0_1st_CEX_decrypt.bin" that file as you can see in Hex 0xC0 length.

    We will use the key and also generate EID0 First Section of Key and follow the tutorial you ought to download this utility to schedule algorithm based on CMAC's source leaked 1 month ago.

    Download: / (Mirror)

    CMAC file_in key_file

    In our case looks like this: CMAC eid0_1st_CEX_decrypt.bin EID0_First_Section_Key.bin

    That eid0_1st_CEX_decrypt.bin as I have said several times is the first section and the key to decipher the EID0_First_Section_Key also generated in the last steps.

    The purpose of doing this with the program is to obtain the original CMAC our section without changing the target id to Dex yet, the program's output should be something like:

    Hash CMAC (OMAC1): f1053cc3818dd6ce2775f0273dfc212e

    Sure the numbers will be different since they are PCK by the way we generate,

    You ought to copy the hash calculated that you return the program and compare it with the kind on the eid0_1st_CEX_decrypt.bin of 0xA8 to 0xb8 and should be the SAME exact (again in the first section we decoded input) 0xA8 to 0xb8, if not it is something wrong, Look back steps again, if so then all is well for the next step.

    Now, byte 0x5 of the decrypted first section of EID0 is our target ID, and you must change it to 0x82.

    After you change the Target ID of the decrypted first section of EID0, you must create a new valid CMAC hash for your new DEX section and write this new hash into the same section at the offsets where you previously checked the old hash value, 0xA8 to 0xb8 (that is, replace the old hash with the new one); the hash is generated once again with the same CMAC tool.

    CMAC eid0_1st_CEX_decrypt.bin (now DEX because we changed the target id) EID0_First_Section_Key.bin

    The Hash resulting from this step as I write in the first section decrypted with the target id and changed (again with the same target eid0_1st_CEX_decrypt.bin and just modified it to use with CMAC to generate this new hash) of 0xA8 to 0xb8 replacing the old one.

    Once we have finished modifying the decrypted first section (eid0_1st_CEX_decrypt.bin), we finally proceed to encrypt it again.
    openssl aes-128-cbc -e -in eid0_1st_CEX_decrypt.bin -out eid0_1st_DEX.bin -nosalt -K <EID0 First Section Key> -iv <YOUR EID0 IV> -p -nopad
    Here we use the modified eid0_1st_CEX_decrypt.bin as input with -in, and the generated output file will be eid0_1st_DEX.bin, which we will have to copy and paste into the dump to replace the previous CEX section.

    The offsets where you put this section back are the same as where we extracted it: in NOR this segment is at 0x2F090; for NAND I'm not sure, but it should be 0x80890, and those who have a NAND could clarify that for me.

    Once the modified dump is ready, you only have to flash it by any means you have, software or hardware (hardware obviously being the safest).

    DEX FW Repository TEST:

    Benefits of PS3 Debug Test Console
    • Running Homebrew and any eboot signed FSELF with the SDK in any debug until the last fw 4.11.
    • Run the latest new original game discs, 3.6+ including 4.11 (that is, homebrew and new original disc games, but no backups, because EBOOTs must be re-signed as FSELF).
    • Ability to use absolutely all possibilities of the SDK (debugging, development, etc.)
    • Run backups maximum 3.55 PS3Gen through debug or using pkgs and EBOOTs FSELF 0x8000 (reaffirming with psn_package_npdrm pkg and preparing any type EBOOTs geohot).
    • Direct downgrade to 3.6 + 3.55 with just a pup so fast.
    • Features the latest fw available (Support for new devices, etc).

    Cons of PS3 Debug Test Console
    • Only for the moment nothing complicated to solve do not have BD or DVD playback (Because in the DEX not play) but that in 3.55 dex is solved easily in any 3.6 + dex needs some check is made. What do you mean retail functionality? You can restore dvd playback and ps store to name a few by copying and sprx Some xml editing. Just unpack to 3.55 dex for fw fw and to cex for 3.55 and note the Differences in sprx. Then just add the correct xml keys. For example for ps store seg_commerce_new add the # key to category_psn.xml.
    • Maybe some more burden on FAT consoles overheated.
    • No PSN that to get into the network of developers need at least an existing account last year when it could create accounts SP-INT or be in the database sony consoles and still your target Dex dex do not pass the check to enter retail PSN (alterable be changed to activate the icon of the store and enter the retail).
    • There is also the possibility that if you try to get a lot in the debug psn in the default environment of sp-int banning you for trying to do as you send the PID via the network to your server is as well so check again beware.

    You see the best links to have CFW and OFW and need original disks bought as OFW for games but also new 3.6 + Homebrew and also have many features of development and practice, plus you can download the fw when you want... Greetings.

  4. #154
    technodon Guest
    I'm working on a guide if anyone is stuck with this. I just got metldrpwn to work on a different console. I'm just trying this method on another console of mine to see if I can shorten the guide a little. Anyway, if you know how to set up and install Linux, get started by downloading Red_Ribbon_RC5.iso from the wiki, burn it to a CD-R disc and install it to your PS3.

  5. #155
    mehrab2603 Guest
    Can someone please upload the required ps3gen app?

  6. #156
    Join Date
    Apr 2005


    Here is a link to it, probably not the latest version but it should work:

  7. #157
    technodon Guest

    Pawnmetldr Using Red Ribbon by TechnoDon

    here is the guide i made. hope it helps people:

    Pawnmetldr Using Red Ribbon by TechnoDon

    Download Red Ribbon RC5 and burn it to a CD-R
    1. Install OtherOS++ with SS Patches CFW
    2. When installation is finished, go to recovery menu and choose "Restore PS3 System" (WARNING! this will delete all data on gameOS)
    3. Put boot_otheros.pkg, dump_flash.pkg, dtbImage.ps3.bin, install_otheros.pkg, reboot.pkg and setup_flash_for_otheros.pkg on a usb stick.
    Press triangle on Install Packages and install all packages in this folder
    (NAND owners should use dtbImage.ps3.bin-nand.only, rename it to dtbImage.ps3.bin).
    4. Run dump_flash.pkg. Don't remove your memory stick; the console will sit on a black screen and will beep when ready. Once finished you will have flash.bin on the USB
    5. Run setup_flash_for_otheros.pkg (for all PS3 models)
    6. Reboot
    7. Run boot_otheros.pkg
    8. Run reboot.pkg
    9. You should be in petitboot now.
    10. wget
    11. chmod a+x
    12. ./
    13. reboot
    14. while at the ps3 xmb screen pop the red ribbon CD-R into your ps3 drive and wait for the data disc icon to show under video category
    15. Run reboot.pkg you should be in petitboot again. (if not run boot_otheros.pkg then Run reboot.pkg)
    16. you should see some new choices select live-otheros: (not the failsafe one)
    17. once in red ribbon double click the install icon on the desktop
    18. choose your language
    19. select Yes continue
    20. Hard disk space reserved by OtherOS++, do you want to use this to install? select Yes
    21. select Automatic Partition
    22. installer /dev/ps3dd Yes
    23. Use Current Partitions Yes
    24. select mount point specification finished.
    25. continue (Yes to All)
    26. choose username and password default is ps3/ps3 no need to change it
    27. Reboot and remove the CD-R

    The following commands can be copy and pasted using Telnet

    28. umount /dev/ps3dd1
    29. mount /dev/ps3dd1 /tmp/petitboot/mnt/ps3dd1
    30. cd /tmp/petitboot/mnt/ps3dd1/boot
    31. wget
    32. tar -xvf vmlinux-2.6.39-gd49d156-dirty.tar
    33. cd /tmp/petitboot/mnt/ps3dd1/etc
    34. nano kboot.conf
    35. add the following lines to the end of kboot.conf

    debian=/boot/vmlinux-2.6.39-gd49d156 root=/dev/ps3dd1
    debian_Hugepages=/boot/vmlinux-2.6.39-gd49d156 root=/dev/ps3dd1 hugepages=1

    36. press CTRL+X keys to quit and Y to save changes as kboot.conf
    37. Boot Red Ribbon Linux-2.6.38-powerpc64-otheros

    Red Ribbon disables logging on as root by default; this re-enables that ability

    Use the Command-line to activate root account
    Open a terminal window (on desktop click on terminal icon in upper left)

    at the prompt type: sudo passwd root
    it responds: [sudo] password for ps3:
    enter your password
    it responds: Enter new Unix password:
    enter the password you want to use for the root account
    it responds: Retype new Unix password:
    enter the same password again to confirm
    it responds: passwd: password updated successfully
    [email protected]:~$

    Close the terminal window.

    On the desktop click on the shutdown icon (upper right corner)
    The shutdown dialogue window opens:

    click on switch user then push F10 on the keyboard and Click on Configure Login Manager
    then Enter the root password that you created and The configure Login Manager Window opens
    Click on the Security tab to display the security page and check the Allow local system administrator login box
    then Click the close button at the bottom

    log back in and click the file manager icon in the top left of the screen
    you will see a window change /home/ps3 to / and press enter

    now click into lib and modules folders

    once there click tools and open current folder as Root
    now type in your password

    download this rar and extract it to a usb:

    copy the folder from the usb to the /lib/modules folder

    so you should now have three directories in there. 2.6.38-powerpc64-asbestos, 2.6.38-powerpc64-otheros and 2.6.39-gd49d156

    open terminal again and write:

    cd /usr/src
    sudo wget
    sudo unzip
    sudo ln -s /usr/src/linux-2.6 /lib/modules/2.6.39-gd49d156/build
    cd /usr/src/linux-2.6
    sudo cp ps3_linux_config .config

    now reboot the ps3 and select the debian vmlinux-2.6.39

    sudo unzip

    Download Flowrebuilder

    select Byte reverse a dump. option and browse for the flash.bin file created by dump_flash.pkg

    click execute operation and a file called flash.swap.bin will be created

    now select Byte reverse and EXTRACT a NOR dump file. and choose the new flash.swap.bin file

    a folder called flash.swap.swap.ext will be created inside that you have asecure_loader then metldr.

    copy metldr to the root of your usb stick you need to copy this file to metldrpwn folder on the ps3.
    (you need root permissions for the above tasks so click tools and open current folder as Root then enter your password)

    cd metldrpwn
    sudo sh

    congratulations on obtaining your consoles root key.
    goto the file manager icon and change /home/ps3 to / then press enter
    now click into proc then metldrpwn and copy the dump file to a usb.

    note: it's "insmod metldrpwn.ko" for those following the guide that didn't know

    you will need a hex editor, i recommend hxd. open your dump and the first 3 lines are the keys you require!

  8. #158
    Gunner54 Guest

    CEX2DEX Application for Any PS3 NOR / NAND Flash Dump Arrives

    Following up on the recent PS3 C2D CEX to DEX Flash Patcher and PS3Tools GUI Edition v2.6, today I have released a CEX2DEX application that will allow you to extract the METLDR from ANY (NOR / NAND) PlayStation 3 flash dump and create a valid DEX (Debug / Test) flash from the given CEX (Retail) flash.

    Download: PS3 CEX2DEX Application / PS3 CEX2DEX Application (Mirror) / MSVCP100.DLL (Required) / Microsoft Visual C++ 2010 Redistributable Package (x86) / PS3 CEX2DEX Application r1 (Runtime Libraries are built in, shouldn't require MS VC++)

    • Can be used to extract the METLDR from ANY (NOR/NAND) flash dump.
    • Can be used to create a valid DEX flash from any given CEX flash (NOR/NAND).

    I will explain the two main options the program has.

    Extract METLDR - This extracts the metldr from your flash dump so you can use this in the metldrpwn exploit and dump your root key. The dump file created by the metldrpwn exploit can then be loaded into the program (METLDR Dump).
    CEX -> DEX - This creates a modified flash dump to convert your CEX into a DEX, the dump created can then be used to be flashed back to your PS3.

    I assume you are getting those CMAC errors because you are attempting to use the extracted metldr as the metldr dump. These are two completely different files, the METLDR Dump is the dump file produced by the metldrpwn exploit. Could you show me part of your root key so I can get a better understanding of what you're actually loading.

    P.S.: Contrary to what the main post says, I flashed my FAT 256MB NAND PS3 via Preloader Advance 3.1.

    Also, make it clear that the Extract METLDR function only extracts the METLDR Binary from the flash and DOES NOT dump the root key, linux is required for this!

    Also, some insight on how I dumped/flashed my NAND.

    Using Preloader Advance 3.1 (JFW is NOT required) I put my PS3 into service mode, put Lv2diag.self and the advance.cfg on a memory stick and put it into USB000 (far right slot). Powered the PS3 on and let it do its work.

    Dump NAND Flash
    #Backup "rflash" to "/dev_usb000/Backuprflash.bin"
    # 0 = Disabled
    # 1 = 16MB Nor models and first 16MB from NAND models.
    # 2 = 16MB Nor models and 256MB from NAND models.
    Use my program to create a modified dump, put the dump on the memory stick and name it rflash.bin, make the previous setting (#Backup "rflash" to "/dev_usb000/Backuprflash.bin") to 0 and set this (look below) setting to 1 :

    Write NAND Flash
    #Restore "rflash" source file "/dev_usb000/rflash.bin"
    # 0 = Disabled
    # 1 = Delete and restore all sectors.
    # 2 = Check sectors and only delete/write the differents sectors.(SLOW)
    From aldostools on comparing CEX2DEX to the C2D application: If I understand it right, the major differences from this and andbey0nd's C2D.exe are that:

    1- This tool supports NAND/NOR flash dumps of CEX, while C2D only supports NOR flash dump of CEX
    2- This tool extracts the EID root key (per_console_key) directly from the metldrpwn. So it is not required to hex edit the metldr to extract the first 3 lines (48 bytes).

    3- This tool does not require the Win32OpenSSL_Light installed

    For the CEX dump, it is still necessary the glevand's dump_flash.pkg (aka USB Flash Dump.pkg I guess that 2 dumps are recommended to compare md5/sha-1 hashes and be sure that it's valid)

    For the metldr dump, it is still necessary to have an OFW (<=3.15) or a CFW with dual boot support to boot linux (CFW355-OTHEROS++.PUP), then make and run metldrpwn to dump metldr and a flasher or a tool like JaiCrab's Preloader Advance v3.1 to flash the NOR DEX dump created by this tool. Am I right? or am I missing something ?

    PS3 CEX 2 DEX Guide:


    1) A PS3 with Firmware 3.55 or less (if less, then you should upgrade to 3.55); you must install this CFW using Recovery Mode:
    2) A USB keyboard and mouse;
    3) Red Ribbon Linux on your PS3, you should download and burn this ISO: (Mirrors: or also
    4) CEX2DEX, downloadable from here:
    5) metldrpwn, downloadable from here:
    6) (Optional) although unlikely, is possible brick, so I recommend you have E3 flasher.

    Installing Linux:

    PKG download these:

    And download one of these two files (if you have a NOR take the first, if you have a NAND the second).
    1. dtbImage.ps3.bin (NOR):

    2. dtbImage.ps3.bin.minimal (NAND, to be renamed in dtbImage.ps3.bin):

    Put everything in the root of a USB device and install the PKG. Each application you start before returning to the XMB will make 3 beeps the console, if you do not hear these 3 beeps try again.

    1. Run "Setup for OtherOS FLASH", turn the console back to the XMB and restart.
    2. Start the "Install OtherOS" (the key with the file dtbImage.ps3.bin must be inserted).

    Now connect a USB keyboard and a USB to the console and launched from the XMB "OtherOS Boot" and "Reboot". You'll find yourself in "Petitboot". Using the keyboard, select "Exit to shell" and press enter. Type the following commands:
    mount -n -o remount,rw /dev/sda1 /tmp/petitboot/mnt/sda1
    dd if=/dev/ps3nflasha of=/tmp/petitboot/mnt/sda1/flashCEX.bin bs=1024
    Now you dump your NOR / NAND USB stick. Turn off the console (ctrl + alt + delete or power button).

    Now insert the stick into your PC and extract the folder "metldrpwn" from the "" in the root of the USB stick.
    CEX2DEX Start, select your dump and click "Extract metldr", save the file as "metldr" folder "metldrpwn" on your USB stick.

    Go back to your PS3, plug in the USB key and insert the CD with the ISO burned previously. From the XMB start "OtherOS Boot" and "Reboot" again. This time, from Petitboot, select "Red Ribbon OTHEROS live" and wait for it to load. If you do not have a USB hub, unplug the keyboard to attach the mouse, then click the first icon in the upper left -> Accessories -> Terminal. Reconnect the keyboard.

    Type the following commands in Terminal:
    sudo umount /dev/sda1
    sudo mkdir usb
    sudo mount /dev/sda1 usb
    cd usb/metldrpwn/
    sudo make
    sudo sh
    Some text will be printed; if all goes well you should read somewhere in it "problem status (0x00000089)". Type the following commands:
    cd ..
    sudo cp /proc/metldrpwn/dump usb/dump
    sudo shutdown -h now
    The system will shut down. Go back to your PC and start CEX2DEX, select new dump your flash and the file "dump" that will be on your USB stick, click CEX-> DEX, now you save a file, name it "flashDEX.bin" and save it in the root USB stick.

    Return to the PS3, connect the USB stick and remove the CD. Start again "OtherOS Boot" and "Reboot" on Petitboot select "Exit to shell" and Type the following commands:
    mount -n -o remount,rw /dev/sda1 /tmp/petitboot/mnt/sda1
    WARNING : The following command will write the changes on your flash (NOR / NAND) and if you did something wrong you could brick. I do not take responsibility.
    dd if=/tmp/petitboot/mnt/sda1/flashDEX.bin of=/dev/ps3nflasha bs=1024
    Now download a firmware from here DEX:

    And place it in X: \ PS3 \ UPDATE \ PS3UPDAT.PUP (X: is your USB stick)

    Turn on the console in recovery mode and select system update. Now you have a Debugging Station.

    Finally, below is another PS3 CEX to DEX Guide with No Linux or Hardware Required by ChocoErased (via

    This is a tutorial from start to finish on how to convert a CEX console to a DEX console. If you don't know what you're doing or need someone to explain what DEX is to you, you should probably leave now. Also, be warned - if you mess up anything in this tutorial, you risk bricking your console. Follow the instructions right and you should be fine.

    Note: This conversion does not require the installation of Linux or any hardware modifications, but it is recommended you have an E3 flasher or similar device in case you do end up bricking your console.

    You're going to need:

    Once you have all of the above, you're ready to get started


    1. Install the FactoryServiceMode pkg on your PS3 and use it to boot your PS3 into Factory Service Mode. When done, confirm your console is in service mode by turning it on and seeing if the red box is there in the lower right hand corner. Power down your PS3.

    2. Take all the files from and extract them onto the root of your USB stick. Rename "Lv2diag.self.flash" to "Lv2diag.self".

    3. Eject your USB from your PC and place it in the rightmost USB port of your PS3 (your PS3 needs to be turned off). Once it is securely in place, turn on the console. Nothing is going to come up on the screen, and eventually the PS3 power LED will start blinking. DO NOT TURN OFF THE CONSOLE, it is dumping your NAND/NOR. Wait for it to power down itself.

    4. Once your console turns itself off, remove the USB from your PS3 and plug it back into your PC. There will now be a file on it named "Backuprflash.bin" (Note: You may have to enable displaying of system files in order for it to be shown). This is your dump of your NOR/NAND - if your console is NOR, the filesize should be 16mb. If your console is NAND, it will be 256mb.

    5. On your USB, rename "Lv2diag.self" back to "Lv2diag.self.flash" and then rename "Lv2diag.self.exit" to "Lv2diag.self". Place the USB in the rightmost USB port of your PS3 (turned off), then turn it on. It should turn itself off after a few seconds. When it turns off, remove your USB and boot the PS3. It should now be out of factory service mode.

    6. Install the eEID_RKDumper on your PS3. Run it, and it should cause your console to blackscreen. It will reboot after a few seconds, just give it its time and don't interrupt it (it is dumping your root key). Once it reboots, proceed to the next step.

    7. Use a filemanager or FTP server to retrieve your root key dump from your PS3 - it is located at dev_hdd0/tmp/eid_root_key. It should be 256kb. Get it onto your USB, it should be in the same directory as your Backuprflash.bin. Rename it to "dump" (no file extension).

    9. Start up CEX2DEX again on your PC. For the NOR/NAND flash dump, select your Backuprflash.bin. For the METLDR dump, select your rootkey (file named "dump"). Click on CEX -> DEX, and when it prompts you save the new file as "rflash.bin" and put it onto the root of your USB stick. Your NOR/NAND dump is now fully converted to DEX, all that is left is to flash it back onto your PS3. The filesize for rflash.bin should be 16mb for NOR consoles and 256mb for NAND consoles.

    10. On your PS3, use FactoryServiceMode Tool to boot into Factory Service Mode again. On your USB, rename "Lv2diag.self" to "Lv2diag.self.exit" and rename "Lv2diag.flash.self" to "Lv2diag.self". Delete the advance.cfg file from the USB, and put this one onto the root of it: advance.cfg

    11. Make sure your PS3 is fully powered off, then plug your USB into the rightmost USB port. Turn on the PS3, and it will begin writing to your NAND/NOR. DO NOT TURN OFF THE PS3!!! If you do, it is a guaranteed brick. Just leave it alone until the PS3 turns itself off, it may take 15 minutes or more. Don't worry if it's taking too long, mine took about 40 minutes to write completely. Once your PS3 has powered itself off continue to the next step.

    12. On your USB, rename "Lv2diag.self" back to "Lv2diag.self.flash" and then rename "Lv2diag.self.exit" to "Lv2diag.self". Place the USB in the rightmost USB port of your PS3 (turned off), then turn it on. It should turn itself off after a few seconds. When it turns off, remove your USB and boot the PS3. It should now be out of factory service mode. Congratulations, you are now ready to install DEX firmware. I would recommend downloading and installing this debug firmware, from there you can go to 4.20 debug or whatever other version you want.

    Important Notes:
    • Once you convert to DEX, your console can no longer access the Playstation Network. Your IDPS becomes invalid.
    • You cannot data transfer from a DEX console to a CEX console.
    • If you choose to install a debug update of version 3.56 or higher, Peek & Poke will be disabled. This will make certain homebrew applications no longer work.
    • Most PKGs and homebrew applications will have to be resigned as debug files before they can be installed/run on DEX firmwares above 3.55.

    I hope this makes the whole process of converting from CEX to DEX easier for some of you. Remember, this is NOT something that the average jailbroken PS3 owner should undertake. Have fun and be safe.
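
    The guides above stress that a bad flash image can brick the console, and aldostools recommends taking two dumps and comparing them. The following is an added example, not part of any post or tool in this thread: a POSIX sh sketch of pre-write sanity checks. The function names are hypothetical, "16mb"/"256mb" are assumed to mean 16 MiB and 256 MiB, and the confinement check assumes the manual method from post #153, where only the eEID area of a NOR dump is edited.

```shell
#!/bin/sh
# Added example: sanity checks on flash dumps before anything is written back.
# Assumption: "16mb" (NOR) and "256mb" (NAND) on the page mean MiB.
NOR_SIZE=$((16 * 1024 * 1024))
NAND_SIZE=$((256 * 1024 * 1024))
# eEID area of a NOR dump, taken from the dd command in the guide
# (skip=0x2F000, count=0x10000). Stored as decimal for awk.
NOR_EEID_START=$((0x2F000))
NOR_EEID_LEN=$((0x10000))

# Print the size of a file in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Print NOR or NAND if the file has a plausible dump size; fail otherwise
# (catches truncated dumps, e.g. a USB stick pulled too early).
dump_kind() {
    [ -f "$1" ] || return 1
    size=$(file_size "$1")
    case "$size" in
        "$NOR_SIZE")  echo NOR ;;
        "$NAND_SIZE") echo NAND ;;
        *) return 1 ;;
    esac
}

# Succeed only if two independently taken dumps have a valid size and are
# byte-identical (a stricter form of comparing their md5/sha-1 hashes).
dumps_agree() {
    dump_kind "$1" >/dev/null || return 1
    cmp -s "$1" "$2"
}

# Succeed only if every byte that differs between the backup ($1) and the
# modified image ($2) lies inside [start, start+len), given in decimal
# as $3 and $4. A change anywhere else means the edit went wrong.
changes_confined() {
    [ "$(file_size "$1")" = "$(file_size "$2")" ] || return 1
    # cmp -l prints the 1-based decimal offset of each differing byte.
    cmp -l "$1" "$2" | awk -v s="$3" -v l="$4" '
        BEGIN { bad = 0 }
        { off = $1 - 1; if (off < s || off >= s + l) bad = 1 }
        END { exit bad }'
}
```

    Typical use is `dumps_agree dump1.bin dump2.bin` right after dumping, and `changes_confined cexnor.bin modified.bin "$NOR_EEID_START" "$NOR_EEID_LEN"` before writing; the page does not say which regions CEX2DEX itself modifies, so the second check is only meaningful for hand-edited NOR images.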


  9. #159
    Randalajoe Guest
    What to do when you get this error: "creating new storage region (312581808, -8) ... ps3stor_region: invalid option -- 8"

    after running ./ on a nor console

  10. #160
    pepijndamen Guest
    Hi Gunner,

    I'm getting a CMAC fail. Do you know why?
