- Following up on the PS3 CEX (Retail) to DEX (Debug) console IDPS
release and MultiMAN DEX Mod
comes the long-awaited "holy grail" for PlayStation 3 developers, my complete PS3 CEX to DEX conversion method!
Hi Scene, Sorry for my bad English. I want to give you info you please make public. I want be anonymous. I only can say I'm from Hong Kong. I have way to get a DEX, it works and is complete nothing missing.
Manual to get a DEX (here is everything you needed) and you have a full working DEX:
- EID0 Key Seed and EID0 Section Key Seed are hardcoded in the isoldr
EID0 Key Seed
[Register or Login to view code]
EID0 Section Key Seed[Register or Login to view code]
- If you dump they isoldr key (EID Root Key) with metldrpwn you got from 0x00 to 0x1F the EID Root Key and from 0x20 to 0x2F the EID Root IV
- Use AES Encrypt to Encrypt EID0 Key Seed as data with EID Root Key as Key and EID Root IV as IV. The result contains from 0x10 to 0x20 the EID0IV and contains from 0x20 to 0x40 the EID0Key
- Use AES Encrypt to Encrypt the EID0 Section Key Seed as data with the EID0Key as Key and no IV. The result will be the first 0x10 bytes of the EID0 First Section Key
- The second 0x10 bytes of the EID0 First Section Key are only 0x00 bytes
- EID0 is located in NAND at 0x80870 and in NOR at 0x2f070, the first 0x20 bytes of EID0 are not encrypted, at the fifth byte of EID0 (NOR example 0x2f075) your target ID is located change it to 0x82 (Debug Target ID)
- Use AES Decrypt to decrypt the first EID0 Section (NOR example 0x2f090). The size of the first Section is 0xC0 bytes. Use the EID0 First Section Key as Key and the EID0 IV as IV
- Build the CMAC (OMAC1) hash of the decrypted EID0 Section from 0x00 to 0xA8 with EID0 First Section Key as Key. The calculated hash has to be the same as the bytes in the decrypted EID0 Section from 0xA8 to 0xB8.
- At 0x5 of the decrypted EID0 Section is your target id again change it to 0x82 again, 0xB8-0xC0 of the decrypted EID0 Section should be just 0x00 bytes
- After you changed the target ID of the decrypted EID0 Section, create the CMAC hash of the new decrypted EID0 Section and write the new hash to the decrypted EID0 Section
- Use AES Encrypt to encrypt the EID0 Section and write it back to the NOR (NAND).
- Now install DEX Firmware with the recovery menu.
HINT: Got Petitboot on emer init go to boot gameos and do emer init again to get to the recovery menu.
You can't login to the PSN because IDPS is obviously not valid from now on.
THIS CAN BRICK YOUR CONSOLE IF NOT DONE CORRECTLY.
有志者，事竟成 “Where a will, there is way”
一不做二不休 “You start something, you have to finish it”
Note: You don't need the second 0x00 eid0 first section key of all zeros. Also from an anonymous source (via bit.ly/M2Oz4Q and lnx.lu/5yD and multiupload.co.uk/TAG2B6G8ZL and multiupload.nl/TAG2B6G8ZL) comes CEX-DEX(2).7z and from the included ReadMe file, to quote:
Download Mirrors: CEX-DEX(2).7z
[Register or Login to view code]
: It just generates the EID section that you have to overwrite in your flash - that was the whole point of all this. You have to use your data and get the region to rewrite on your own console to convert your retail PS3 (CEX) to debug/test unit (DEX). This modification to the EID allows you to install the Debug firmware and get a DEX.
: The problem with this is it's easily patchable... Sony will probably patch it on the next OFW... Original retail dump, flash back retail firmware, and that's it. This is basically switching back and forth from CEX to DEX by flashing DEX dump and DEX firmware and from DEX to CEX by flashing CEX dump and CEX firmware.
You can use flasher, linux or jaicrab's preloader (basically anything that flashes the dump)
only works correctly on NOR's, you'll have problems with NAND's, or so I've tested (thanks to a friend of mine
) in case you need to compare:
If people want to flash this thing so badly WITHOUT a hardware flasher, you only need linux or jaicrab's flasher (for NOR).
- Put these two files on the root of a fat32 formatted stick.
- Rename your DEX dump to rflash.bin
- Execute the self with a self loader such as MultiMAN (use mmOS to go to the stick and load the self there)
- Wait 35 minutes for the console to stop blinking and shutdown with steady red light (THIS ONLY WORKS ON NORS. YOU HAVE BEEN WARNED!)
- Confirm if it boots (alternatively, if you have QA, DEX doesn't have QA when you do the button combo, so you can test it)
flash 3.55 DEX firmware by recovery
PS: If I'm not dead by the next 24 hours, you know where to find me
Note: Don't flash this, this belongs to my console, so I advise you not to flash, this is just for verifying only.
: You'll have to go digging for debug eboots though if you intend on playing anything that is not a retail game on your debug PS3. And those are not easily found. I don't think end-users will get much use out of it - for devs it's a totally different story though.
Below is also a video from lordv
demonstrating Battlefield 3 running on the DEX BD Emulator via USB, who states that games work fine from the BD EMU or BD-R disc (using PS3Gen) without a decrypted/Debug EBOOT. However, PS3 games won't run from DVDs in the newer DEX Firmware.
A COD: MW3 on DEX PS3 (3.55 CEX to 4.11 DEX - BD Emulator HDD) video by sguerrini97
is below as well:
It also appears as though the newer PS3 SDKs will contain the necessary development tools and login information to access Sony's developer network (NP / SP-INT) as well:
The NP communication passphrase and signature will be provided within the Server Management Tools.
Details: NP communication ID, passphrase, and signature, required for certain PSN communication services, had been provided on the DevNet thread upon the completion of the requested PlayStation Network service configurations.
From 2012/07/05 the NP Communication Passphrase and Signature will be provided within the Server Management Tools.
This change affects all the communication IDs issued after 2012/07/05. It will not be possible to access the NP communication passphrase or signature in the support issued after that date.
Only those users who have initially requested the NP communication services and was provided the files on DevNet thread will have access to the file on the request threads.
Note that the NP communication passphrase and signature are required with NP Matching 2 and Title Small Storage.
From PlayStation 3
: I have found a way to access SP-INT (or developer) PSN. Those who remember, this also worked a year ago until Sony had fixed it. It is now working again for existing users. Making a new account will not work, but existing users who have made SP-INT accounts last year when it had worked can sign in (for now).
Here is how to do it:
1) Install Rebug 3.55.2 CFW. Also install the latest update package (0.7)
2) Set it to Rebug mode in Rebug Selector. Set the Rebug Menu to #2.
3) Install SEN Enabler 4.21 to spoof the firmware to 4.21.
4) Go to Debug Settings and change NP environment to 'SP-INT'.
5) Reboot PS3.
6) The PS3 will attempt to sign in to your NP (retail) PSN account and it will give an error because your NP PSN will not work on developers PSN. Now you must sign in to your SP-INT account that you made last year. Making an new account will not work.
If anyone can somehow find a way to make an new account on SP-INT, please let us know. Thank you!
From PlayStation 3 developer naehrwert
(via nwert.wordpress.com/2012/07/11/eeid-cryptography/) to quote:
When metldr is encrypted at factory, a special keyset is set in the binary before encryption. Later when an isolated loader is loaded by metldr, it will copy the keyset to LS offset 0x00000. It consists of eid_root_key and eid_root_iv. To not having to use the same key for all eEID parts, several subkeys are generated from special data called individual information seed.
These seeds are stored in the metadata header of isolated modules loaded by isoldr. When isoldr will load a module, it will call a subroutine that encrypts each seed chunk (0x40 bytes) using eid_root_key and eid_root_iv. Then the so-called individual infos are passed in registers r7 to r22 (= 0x100 bytes in total) to the loaded module where they are used further.
Usually isolated modules have a seed section of 0x100 bytes but all of them (except sb_iso_spu_module) have all zeroes but the first 0x40 bytes chunk. You can, for example, find the recently published EID0 seed in the metadata section of aim_spu_module. Appliance info manager is used to get e.g. the target ID or the PSID from EID0. This explains why the seed can also be found in isoldr directly, since that one is checking EID0 too.
As you can probably think, a fair amount of reversing time and knowledge has gone into finding this, so stop calling us *swearwords* for not releasing information that could potentially lead to more piracy, because we think that this would do more harm to the “scene” than just keeping some information in private (for now).
Also I can only encourage everyone that thinks about us this way or is greedy demanding for developers/reverse engineers to release their stuff, to fire up isoldr in IDA or disassemble it with objdump and try to reverse all this from start to end. We’ll see, who is able to pull this through on his own...
(via ps3crunch.net/forum/threads/4023-Method?p=45195#post45195): Here is some code if you all want to flash from petitboot: This is to R/W entire NOR or just the eEID section. Make sure to take a valid dump from gameOS as well so you can match both dumps also if you have a hardware flasher I highly advise you do, check that dump against the soft dumps to make 100% sure
How to W/R NOR from petiteboot:
READ NOR : dd if=/dev/ps3nflasha of=/tmp/petitboot/mnt/sda1/cexnor.bin bs=1024
WRITE NOR: dd if=dexnor.bin of=/dev/ps3nflasha bs=1024
READ eEID : dd if=/dev/ps3nflasha skip=$((0x2F000)) of=/tmp/petitboot/mnt/sda1/eid.bin bs=1 count=$((0x10000))
WRITE eEID: dd if=eid.bin.dex of=/dev/ps3nflasha bs=1 seek=$((0x2F000)) count=$((0x10000))
I'm not going to bother with the NAND because its a pain in the balls (and thats if you can even get it to work)
/tmp/petitboot/mnt/sda1/ is a flash dive formatted to ext4 in petitboot to make life easy when moving dumps around. you can always scp your files across also
: For the BD playback recovery on DEX you can also use the "drivefix" lv2diag.. it can be found in the original CEX-DEX leak by youknow..
I uploaded it here if needed: http://www.share-online.biz/dl/NWHS097MF2ZA
Manual CEXDEX converted summary - what a thrill ride hehe... massive settings there... looking good haha:
What worked for me, thx everyone!!
- put flashdex.bin on USB stick
- chmod 777 /dev/sda
- umount /dev/sda
- mount /dev/sda /tmp/petitboot/mnt/sda
- type cd tmp/petitboot/mnt/sda
- dd if=flashdex.bin of=/dev/ps3nflasha bs=1024
- ENTER, blinking - for awhile... fck it broke... finally some output (in-out) and back to the prompt patience is a must
- type ps3-flash-util -g to set/boot GameOS ( = emer init? not sure)
- type pb-cui
- Boot GameOS option in Petitboot
- Boots normal into XMB feew lol...
- QA combo not working as it should
- Used Service Mode for final install using cex2dexkit files
- replaced the 3.30 PUP with 355DEX alongside "lv2diag.self" from "setup" folder and put on USB stick
- Put PS3 into FSM using dongle (pull cable out-dongle in-cable in)
- Shutdown - Replaced dongle with USB stick ( setup Lv2Diag.self/PS3UPDAT.PUP
- Boot Ps3 - Ps3 shutsdown
- Replaced files with step3 "drivefix" (linked above) files on USB stick
- Put USB into right slot
- Boot PS3
- On screen: Drive Init / Drive Init Fail - It needs a Original Blu-Ray movie like Remarry? and/or the 3.30 PUP to work? Please confirm anyone?
- Pull power cable
- Replaced USB files with "finalize" folder Lv2Diag.self file
- Put into right slot and boot - Ps3 shuts down
- PS3 boots a normal into DEX
- All working except for blu-ray/dvd's = not working obvious... GAMES works fine, shame on me for not having one, need to rent one.. can someone verify it needs blu-ray and/or .30 pup thx
: Use mathieulh's leaked tools to get the required info, then use the new leaked algos to change it to DEX, flash back using Objsuites/FSM. You don't need a flasher or linux to do this. And don't let anyone tell you different!
Remember CrashSerious released
a tool to decrypt/encrypt SIG files? Reverse what those SIG files in the math leak are doing.
Also, I recall theorizing that the serial number (yes, that sticker on the console) has something to do with PCK. All we need now is some brainiac to figure it all out (and release the info).
Actually to play PS3 3.60+ backups all you need to do is install an update for the game. Since DEX can't install retail PKG you have to downgrade to 3.55 DEX with peek and poke install the update and re upgrade.
Also ps3gen.exe will happily create image with the retail EBOOT, it just won't run because retail EBOOTs have the "run only from authenticated bd" capability flag; having installed an update for the game bypasses it.
(via ps3devwiki.com/wiki/User_talk:Lordv) to quote:
Instead of having an edit war could we discuss it on irc? I can prove that what you write here are (un?)intentional lies.
1) What do you mean retail functionality? You can restore dvd playback and ps store to name a few by some sprx copying and xml editing. Just unpack a dex fw for 3.55 and a cex fw for 3.55 and note the differences in sprx. Then just add the correct xml keys. For example for ps store add the #seg_commerce_new key to category_psn.xml.
Answer from Mathieulh
: You can't play blurays/dvds on 3.60+ DEX because you do not have the keys to craft a custom DEX firmware and the bd/dvd player app will check your console's idps target and see 0x82 and will fail one (of too many) check(s) and will issue an error code and not proceed. (not to mention 0x82 leads to an invalid region) I don't know/care about ps store but as far as I know, the DEX vsh.self will not display it
2) I did, however i can't prove it. Should you cex2dex and have latest dex fw you too will be able to sign in to PSN.
Answer from Mathieulh
: You can't because your idps is NOT in sony's database, as such it will not pass PSN authentication, there is nothing you can do to fake this, you would need to use a real debug idps, end of story.
3) Can't comment on that one but would very much like a statement from whoever wrote it.
Answer from Mathieulh
: This is obviously not true, however you CAN brick/ylod if you rebuild your EID wrong (the likeliness is high)
4) Do you want a video of it? Use ps3 generator tools to create a master disc or a usb image. Ever wondered what that item labeled Blu-ray Disc Access in Debug Settings did? Now you can find out.
Answer from Mathieulh
: The retail selfs are signed with special capabilities that make them only able to run from original discs (Masterdiscs != Original discs, lv2 can tell the difference) That's why you need decrypted selfs/fself to run games from masterdiscs or bdemu images, forget about running your "backups" (or should I say ,warez) Because ps3gen creates masterdiscs does not mean you can magically warez on the box. You can however play originals ! (I strongly advise you to start BUYING your games, (just saying))
5) Can't comment on that one.
Answer from Mathieulh
: I can comment that most of your so called affirmations are a bunch of BS. (in fact I just debunked most of them, feel free to try though and see for yourself.)
There's really no way to know if AnoRelease
is really the source or a leaker, as other devs in the circle may not know of or agree with his wishes to finally release it which may be why it was done anonymously.
If he is a leaker though, it would be the same as anything that gets leaked from the Rebug PSN passphrase for CFW users to the old R:FoM exploits, it benefits some for a period of time until Sony takes action and the next hole surfaces... although those cashing in on dongles may never admit it, it's called progress and is great for real PS3 scene developers not on the Max Louarn / Paul Owen payroll.