Page 17 of 67
Results 161 to 170 of 663

Thread: PS3 CEX (Retail) to DEX (Debug) Conversion Method is Released!

  1. #161
    Brenza Guest
    No more need to dump metldr!!!

    EDIT: I got this error

    - CMAC-EID0 [CEX] : ** ** ** ** * ** ** ** ** ** ** ** ** ** ** *
    - CMAC : FAIL!
    (i replaced the CMAC with *)

  2. #162
    Gunner54 Guest
    I was going to write more information on my post, but there wasn't an edit button so here it goes.

    I will explain the two main options the program has.

    Extract METLDR - This extracts the metldr from your flash dump so you can use this in the metldrpwn exploit and dump your root key. The dump file created by the metldrpwn exploit can then be loaded into the program (METLDR Dump).
    CEX -> DEX - This creates a modified flash dump to convert your CEX into a DEX, the dump created can then be used to be flashed back to your PS3.

    I assume you are getting those CMAC errors because you are attempting to use the extracted metldr as the metldr dump. These are two completely different files, the METLDR Dump is the dump file produced by the metldrpwn exploit. Could you show me part of your root key so I can get a better understanding of what you're actually loading.

  3. #163
    Brenza Guest
    You're right, i was loading the metldr i extracted from my flash

    If it is safe to install Linux on the PS3, could you link us a page that explains how to use the metldrpwn exploit with the dump? I'd like to use Ubuntu on the PC if it is possible.

  4. #164
    rodq Guest
    The software works perfectly with partial (without bootloader) or full dump of NAND!

    NICE JOB!!!

  5. #165
    Prince Valiant Guest
    What's the point of converting a retail unit into a debug unit?

  6. #166
    filipezwicker Guest
    CEX is only DEX to 3.55??

  7. #167
    plangston Guest
    Randalajoe if you're having -8 errors, you may want to check out:

  8. #168
    Weezum Guest
    So does it mean anything that I still have the 4.10 dev firmware from February... still stuck, now stuck at CMAC, gosh dangit.

  9. #169
    CaptainCPSX Guest
    Interesting, I wish Gunner54 released the source code.

    BTW, if Gunner54 is reading, you can actually link the C/C++ runtime libraries statically by doing this in your project:

    Configuration Properties -> C/C++ -> Code Generation -> Runtime Library

    Then select: Multi-threaded (/MT)

    This will save users the need to install any runtime libraries to their PCs to use this.

    Oh and please consider releasing the source code, so that this method can be documented easily. Anyway, thanks

  10. #170
    Foo Guest
    From wololo:

    CEX to DEX, connecting the dots

    I’m a bit late on the “CEX to DEX” news, but sometimes it’s better to be late, in order to have a good overview of something.

    If you’ve been following the PS3 scene sites this week, you’ve probably seen that a new “hack” was released, that has been nicknamed “CEX to DEX”. Later on, PS3 dev naehrwert explained the process on how the information was obtained, although most scene websites failed to make a connection between his quite complex technical explanation and the leak. Most of them treated that as two pieces of unrelated information.

    In this article I’ll try to connect the dots, but please bear with me as I am still an external observer of the PS3 scene, being myself stuck in 4.11 (damn you, Uncharted 3!)

    Why this is interesting for the end users

    Ok, first of all, what is this hack useful for, in other words, what does it do?

    Let’s start with the basics. Retail PS3 units (the ones we buy in stores) are codenamed CEX. Debug PS3 units are codenamed DEX. What this hack does is allow any Retail unit (CEX) to be converted into a Debug unit (DEX). A DEX unit lets you, among other things, install a Debug firmware on the PS3 through the recovery menu (you can’t do that on a CEX PS3).

    A Debug firmware is interesting because it allows you to run official Blu-rays as well as unsigned content. This means homebrews, but also potentially unsigned official games. In theory a 4.21 Debug firmware could run backups of newer games (3.6+), which is where it gets interesting (currently AFAIK the only way to do that is to use one of the piracy dongles, and it only works for a few games).

    There is of course a “catch” to this: 3.6+ games backups would need to be not signed, and such things are not easy to find on the internets (if they can be found at all).

    So in theory this release could be good for pirates, and bad for dongles, but practically it doesn’t change much on that front.

    However, this opens something new for people who have been on 3.55 CFW and don’t want to upgrade: the possibility to run official 3.6+ Blu-rays.

    So let me summarize here. A 4.xx Debug firmware can:
    • run unsigned < 3.55 game backups (those are apparently easy to find) (a 3.55 CFW can do that)
    • run unsigned eboots (homebrews) (a 3.55 CFW can do that)
    • run unsigned 3.6+ game backups (a 3.55 CFW can’t do that, but those are impossible to find anyways)
    • run all official (legit Blu-ray) games up to 4.xx (a 3.55 CFW can only run up to 3.55! That’s the interesting bit)
    • Upgrade and downgrade at will between all versions of Debug firmwares

    And please don’t quote me on that, as this is just my understanding of what a debug firmware allows, but I can’t confirm this myself as I don’t have a CFW. I’m just gathering the bits of information I’ve read here and there. But my understanding is, a 4.xx debug firmware gives you the best of both OFW and CFW: 3.6+ games and homebrews.

    What this cannot do

    Since in order to convert your console from CEX to DEX, some per-console specific information needs to be obtained directly from your ps3, this is not a magical solution if you are currently stuck on a 3.6+ official firmware. You would still need to downgrade to a 3.55 CFW first (in order to run the tools necessary for the hack) using a hardware chip, and then run the hack from there to install a Debug firmware.

    In other words, going through 3.55 is a necessary step of this hack.

    It is also worth noting that by running a Debug unit, you lose access to the PSN (which you can get back by installing a clean flash back).

    Ok, let’s do this thing, where are the tools?

    Ok, so, if you have a 3.55 console (if not, you need to downgrade, read the paragraph above!), you might want to try and convert your own console into a Debug version. For now, no “easy” tool is available to do this, sadly, and if you mess things up you could end up with a brick (also, do not try to get somebody else to send you their modified Flash, some of the encryption keys involved are specific to each console!). It is strongly recommended that you have a hardware flasher (and a clean dump of your flash) handy in case you mess things up.

    If you’re lucky enough to have a 16MB NOR console (that’s the recent PS3 FAT and all PS3 Slim, see details here), you can use the tool C2D by andbey0nd to ease the process. It will build the stuff to flash for you, but you still have to provide the EID root key (obtained with metldrpwn).

    If you’re a developer, you might want to download libeeid, and use the sample provided as a base to build your own tool.

    But ironically, the easiest way for now seems to follow the linked guide below and do it manually.

    The connection with naehrwert

    This hack was revealed as a leak. It seems obvious (based on his recent blog post) that naehrwert was part of the people working on all the reversing work required to access this information. It is likely that this information was part of a larger scale work, and obviously for these devs the leak was not a good piece of news. I can relate, getting your work leaked at the most inappropriate time is never good. This is probably what pushed later on an “anonymous” dev to publish the work that led to this hack in the first place, in the form of a C library that any dev can now use (libeeid).

    Then again, as I described above, I don’t see why this could lead to any more piracy than there is already on the PS3 (3.6+ games are still “safe” until somebody can publicly decrypt them), so the excuses about this work leading to piracy are probably just words. On the other hand, as naehrwert mentioned, I can picture an army of noobs asking questions on how they can pirate 3.6+ games on DEX machines from now on.

    The Technical details

    So how does that hack work? Ok, I’m trying to dumb that down as much as possible here: there are special locations in the flash memory of the PS3 that indicate if the unit is a Retail machine or a Debug machine. Reading/Writing this information requires to both know where it is located and how to decrypt/encrypt it. How this information was found is what naehrwert explains in his blog post (note: Finding and understanding this required dozens – hundreds? – of hours of reverse engineering of some parts of the PS3 firmware, which also explains why some people are pissed about that leak.).

    The information lies in the Appliance Info Manager module, a module in charge of …describing the specs of the current unit, I assume, given its name.

    The encryption/decryption keys are all inferred from the eid0 key seeds for this specific module. These key seeds were obtained by reading the metadata of the module, as explained by naehrwert. From there, the whole process explained in the leak is just a series of decrypt / replace / encrypt data, based on the algorithms that were reverse engineered.

    The key point here is that the Target ID of the unit is replaced with 0x82 (you’ll see that number a lot in the leaked CEX to DEX hack), which symbolizes a Debug unit. The target ID is a key identifying the type of a unit, as described here (

    Target ID

    A Target ID is a single byte or hexadecimal identifier that determines what type of console you have.

    Known Target IDs

    Value   Console Type                        Shortcode   Region Code
    0x80    TEST AVTest / DECR                  TEST        TEST
    0x81    DECR Reference Tool / DECR          TOOL        TOOL
    0x82    DEX Debug / DEX                     DEX         DEX
    0x83    CEX Retail Japan                    CEX         J1
    0x84    CEX Retail USA                      CEX         UC2
    0x85    CEX Retail Europe                   CEX         CEL
    0x86    CEX Retail Korea                    CEX         KR2
    0x87    CEX Retail United Kingdom           CEX         CEK
    0x88    CEX Retail Mexico                   CEX         MX2
    0x89    CEX Retail Australia/New Zealand    CEX         AU3
    0x8A    CEX Retail South Asia               CEX         E12
    0x8B    CEX Retail Taiwan                   CEX         TW1
    0x8C    CEX Retail Russia                   CEX         RU3
    0x8D    CEX Retail China (never released)   CEX         CN9
    0x8E    CEX Retail Hong Kong                CEX         HK5
    0xA0    ARC System Debugger / Arcade        ARC         ARCADE

    The 6th byte in IDPS (can be found in EID0 and EID5, see Flash) represents your Target ID.

    Speaking of Target ID, the holy grail of the Debug units is 0x81, the DECR unit which apparently can also decrypt anything we want. Those are suspected to require specific hardware and firmwares however... and the legend says that some scene devs own one.


    Until this week, people who legitimately wanted to stay on a Custom Firmware for homebrew reasons could not play recent PS3 games they owned. With such a technique, they now have a possibility to run their 3.6+ Blu-rays without sacrificing homebrew. As far as I can tell, this does not “bring more piracy to the PS3”, for now. It just allows more legitimate use of the PS3 for honest homebrew users.
    Thought this was interesting and wanted to share it ^-^
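The Target ID byte and the decrypt / replace / re-encrypt sequence described in the post above, as an added worked example (editor's code, not part of the original post and not code from libeeid, C2D or Gunner54's tool): it reads the Target ID out of the 6th byte of a 16-byte IDPS, classifies it with the table from the post, patches a retail value to 0x82 (DEX), and shows why the integrity tag over the record has to be recomputed with the per-console key afterwards, which is the situation behind the "CMAC : FAIL!" posts earlier in the thread. Assumptions: the keyed MAC is HMAC-SHA256 as a stand-in for the console's CMAC (Python's standard library has no AES-CMAC), the record layout (16-byte IDPS followed by a 32-byte tag) is invented for the demo, encryption is left out, and the key and IDPS bytes are constructed sample data, not real console values.

```python
# Added example: Target ID handling for a decrypted IDPS, plus a keyed
# integrity tag that must be recomputed after the byte is changed.
# HMAC-SHA256 stands in for the console's CMAC; the IDPS||tag record
# layout and the sample key/IDPS below are assumptions for this demo.
import hmac
import hashlib

IDPS_LEN = 16
TARGET_ID_OFFSET = 5      # "the 6th byte in IDPS represents your Target ID" (1-based)
TARGET_ID_DEX = 0x82
TAG_LEN = 32              # HMAC-SHA256 digest length

# Known Target IDs, transcribed from the table quoted in the post.
TARGET_IDS = {
    0x80: "TEST AVTest / DECR",
    0x81: "DECR Reference Tool",
    0x82: "DEX Debug",
    0x83: "CEX Retail Japan",
    0x84: "CEX Retail USA",
    0x85: "CEX Retail Europe",
    0x86: "CEX Retail Korea",
    0x87: "CEX Retail United Kingdom",
    0x88: "CEX Retail Mexico",
    0x89: "CEX Retail Australia/New Zealand",
    0x8A: "CEX Retail South Asia",
    0x8B: "CEX Retail Taiwan",
    0x8C: "CEX Retail Russia",
    0x8D: "CEX Retail China (never released)",
    0x8E: "CEX Retail Hong Kong",
    0xA0: "ARC System Debugger / Arcade",
}


def target_id(idps: bytes) -> int:
    """Return the Target ID byte of a decrypted 16-byte IDPS."""
    if len(idps) != IDPS_LEN:
        raise ValueError(f"IDPS must be {IDPS_LEN} bytes, got {len(idps)}")
    return idps[TARGET_ID_OFFSET]


def describe(idps: bytes) -> str:
    """Human-readable console type, e.g. '0x84 CEX Retail USA'."""
    tid = target_id(idps)
    return f"0x{tid:02X} {TARGET_IDS.get(tid, 'unknown Target ID')}"


def is_retail(idps: bytes) -> bool:
    """True for the CEX range 0x83..0x8E of the table."""
    return 0x83 <= target_id(idps) <= 0x8E


def with_target_id(idps: bytes, new_tid: int = TARGET_ID_DEX) -> bytes:
    """Return a copy of the IDPS with only the Target ID byte replaced."""
    target_id(idps)  # length check
    out = bytearray(idps)
    out[TARGET_ID_OFFSET] = new_tid
    return bytes(out)


def tag(key: bytes, data: bytes) -> bytes:
    """Per-console integrity tag; HMAC-SHA256 as a stand-in for CMAC (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, record: bytes) -> bool:
    """Constant-time check of an IDPS||tag record. Wrong-length input
    (e.g. a raw metldr blob handed in as the 'dump') never verifies."""
    if len(record) != IDPS_LEN + TAG_LEN:
        return False
    body, t = record[:IDPS_LEN], record[IDPS_LEN:]
    return hmac.compare_digest(tag(key, body), t)


def cex_to_dex(record: bytes, key: bytes) -> bytes:
    """verify -> replace Target ID with 0x82 -> re-tag with the same key.
    Mirrors the post's decrypt / replace / encrypt sequence, minus encryption."""
    if not verify(key, record):
        raise ValueError("CMAC-EID0: FAIL (wrong input file or wrong per-console key)")
    idps = record[:IDPS_LEN]
    if not is_retail(idps):
        raise ValueError(f"not a retail IDPS: {describe(idps)}")
    patched = with_target_id(idps)
    return patched + tag(key, patched)


# Constructed sample data (not real console values): a fake per-console key
# and a fake IDPS whose 6th byte is 0x84, i.e. a USA retail unit.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_IDPS = bytes.fromhex("00000001008400010203040506070809")
SAMPLE_RECORD = SAMPLE_IDPS + tag(SAMPLE_KEY, SAMPLE_IDPS)

if __name__ == "__main__":
    print("before:", describe(SAMPLE_IDPS))
    dex = cex_to_dex(SAMPLE_RECORD, SAMPLE_KEY)
    print("after: ", describe(dex[:IDPS_LEN]), "| tag ok:", verify(SAMPLE_KEY, dex))
    # Flipping the byte without re-tagging is the "CMAC : FAIL!" situation.
    naive = with_target_id(SAMPLE_IDPS) + SAMPLE_RECORD[IDPS_LEN:]
    print("patched without re-tag verifies:", verify(SAMPLE_KEY, naive))
```

The two failure paths in `verify` are the ones the thread keeps hitting: feeding the wrong file (the extracted metldr instead of the metldrpwn dump) or using a record tagged under a different console's key both fail the check, which is also why a modified flash from somebody else's console cannot simply be written to yours.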

