PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!

Home PS4 News - Latest PlayStation 4 and PS3 News

September 7, 2011 // 8:23 pm - A few weeks back we saw a video on Booting Debug on a Retail PS3 Unit via Rebug PS3 CFW, and today zeryos has made available a PS3 CEX to DEX Converter Kit (Retail to Debug) which currently requires IDPS (PlayStation ID via Sony's server in the format of request_idps.txt) by PlayStation 3 hacker "You know who" in order to fully convert a Retail PS3 console to a Debug / Test unit.

Download: PS3 CEX to DEX Kit (Retail to Debug) (pass: ps3scene) / PS3 CEX to DEX Kit (Retail to Debug) (Mirror) / PS3 CEX to DEX Kit (Retail to Debug) (Mirror #2)

For those interested in the background of this PS3 CEX to DEX method, some leaked IRC logs appear to reveal that initially Mathieulh gave it to Durandal without permission from Sony PlayStation 3 hacker RichDevX.

To quote from a (now removed) Tweet of Squarepusher2: "BTW Mathieulh I know you gave durandal that CEX-DEX ZIP, that it wasn't you that bundled that up, and you were not supposed to do so either"

Now that the PS3 CEX to DEX Kit has surfaced, other developers can begin to examine it and determine how to generate the required request_idps.txt file without access to Sony servers.

Finally, according to the IRC chat logs an updated method already exists, so only time will tell if that too will surface before the IDPS issue is sorted out by PlayStation 3 developers.

DEX to CEX Converter By "You know who"



1. A playstation 3 on firmware 3.55 or below
2. A dongle to go to Service mode
3. A usb pendrive
4. A brain
5. The author of this little trick.
6. Have your pc connected directly to the ps3 on ethernet with the ip set to and the hostmask to (make sure no firewall is running, not even windows one, this may prevent your console from connecting to the pc)


** PART 1 **

1. Set your console into service mode with any compatible dongle.

2. Put the content of the converter-console folder at the root of your usb pendrive.

3. Extract ObjectiveSuites-GetData on your PC.

4. Put the usb pendrive on the last usb port on the right of your console.

5. Run ObjectiveSuites.exe from ObjectiveSuites-GetData

6. You now have a few seconds to start your console, start it.

7. Objective Suite should display "PASS" and txt files will be created in the Temp dir. Once done, power off your console.

8. Get ALL these txt files from your temp directory and send them to the author (me) with informations about your playstation 3 model (FAT/SLIM, CECH* model)

** PART 2 **

9. You should recieve from the author (Yeah me again) a file called request_idps.txt

10. Extract ObjectiveSuites-SetIdps on your pc.

11. Put the request_idps.txt in your temp folder (MAKE EXTRA SURE IT'S THERE OR YOU WILL BRICK)

12. Run ObjectiveSuites.exe from the ObjectiveSuites-SetIdps directory.

13. Start the SAME CONSOLE YOU GOT THE TXT FILES FROM (If it's another console you WILL BRICK IT).

14. Wait until Objective suite displays "PASS" Then power off your console, at this point your console should be a Debug one.

** PART 3 **

15. You will now need to do a drive initialisation in order to use the bluray drive on your console. Put your usb pendrive on your pc, delete all the files you previously put in there, Put "Lv2Diag.self" from the "set up" directory at the root of your pendrive along with PS3UPDAT.PUP (that's 3.30 debug firmware)

16. Put the pendrive on the usb port on the most right of your console.

17. Power on the console, The screen will be black and the green led will stay lit, wait until it blinks and the console powers off, once it does the firmware will be installed.

18. Put the pendrive back on pc, delete the files you put in there previously, and copy the content of the "drivefix" folder to the root of the pendrive.

19. Put the pendrive at the usb port most on the right of your console and power it on.

20. The drive initialisation will then occur, wait a couple of seconds, then power off the console (you may have to unplug it from the AC)

21. Put the pendrive back onto the pc, delete the files you previously put in there, then copy the Lv2diag.self from the "finalize" folder.

22. Put the pendrive on the usb port on the most right of your console. Power it on. Your console will power on for a few seconds then power off.


Also today from Sony PlayStation 3 hacker Mathieulh via IRC and Twitter and Snowydew via gitbrew:

[Mathieulh] basically this allows you to 1. dump cisd from nor
[Mathieulh] 2. write an eid to the nor
[Mathieulh] so basically the actual hack
[Mathieulh] which is generating the eid to be written to the nor
[Mathieulh] isn't part of this useless leak
[Mathieulh] cirotheb5 it's already done without sony's servers
[Mathieulh] do you think they don't have an auth, filtering and whatnot going on there ?
[Mathieulh] cirotheb5 *hint* Dump your console's eid root key *hint*
[Mathieulh] seriously...
[Mathieulh] oh ! and you can do whatever that leak does using progskeet or otheros++
[Mathieulh] just saying
[Mathieulh] it's just a matter of using the dd command

[Register or Login to view code]

  • No, you need to use hardware.
  • nothing is known, all that does is to write an eid to the nor, like that wasn't known...
  • you don't even have eid keys in this leak. All you have is some tool that writes a whole made eid to the nor....
  • It is useless unless you can generate your own eid. Good luck with that....
  • Basically the actual hack, which is, generating the eid, isn't present in this, I'll let you wonder if it exists or not.
  • Sure, dump your eid, convert to ascii and rename it. Here you go.....
  • very much so, this does nothing more than a nand programmer could do.
  • this is more likely the useless method, as in this zip is useless to begin with.
  • Our two exploits got leaked to other devs. They can either bring them to light or actually use them. We're no longer doing them. (!/gitbrew/status/108732677380775936)
  • Welp, gitbrews 2 exploits are now in the wild. Have fun with them, since we're not even going to bother. (!/Snowydew/status/108277307315191808)
  • They're out there now, unsure if they're being worked on. Don't really care either at this point. (!/Snowydew/status/108345360300261376)

Here is how to obtain your PS3 IDPS from RikuKH3 as detailed below:

That's how you can easily get your console IDPS:

1) Dump your NOR from GameOS using dump_flash.pkg
2) Open it in hex editor and search for IDPS using this example:


The IDPS is a 16 byte value that contains console specific information. Exactly what information this stores is not completely known.


[Register or Login to view code]

6th byte represents your Target ID

8th byte represents your Motherboard_Revisions // possible sku model

  • 0x1 = CECHA (60GB Full PS2) - COK-001 + Memcard Daughterboard
  • 0x2 = CECHB (20GB Full PS2) - COK-001
  • 0x3 = CECHC (60GB Partial PS2) - COK-002 + Memcard Daughterboard
  • 0x4 = CECHE (80GB Partial PS2) - COK-002W + Memcard Daughterboard
  • 0x5 = CECHG (40GB No PS2) - SEM-001
  • 0x6 = CECHH (40GB No PS2) - DIA-001
  • 0x7 = CECHJ / CECHK (40GB/80GB No PS2) - DIA-002
  • 0x8 = CECHL / CECHM / CECHP / CECHQ (80GB/160GB No PS2) - VER-001
  • 0x9 = CECH20A / CECH20B (120GB/250GB Slim) - DYN-001
  • 0xA = CECH21A / CECH21B (120GB/250GB Slim) - SUR-001
  • 0xB = CECH25A / CECH25B (160GB/320GB Slim) - JTP-001/JSD-001

The IDPS can be found in EID0 and EID5. Just search for first 8 bytes. For example: 00 00 00 01 00 84 00 09, where '84' is USA target ID and '09' is CECH20A slim motherboard revision). It's 16 bytes long and you find it twice. Here's example of my IDPS (below).

Also, I compiled unself2, but it throws error when I try decrypt game update eboot: 'Error decrypting metadata: No such file or directory'. But I don't have act.dat from my ps3, maybe this is issue.

Note from mallory: The IDPS file must be a raw binary file like all of the other key files. One way of creating it would be by typing your IDPS into a hex editor. Careful about posting your IDPS: Sony likely remembers who has what IDPS.

For those unaware the latest multiMAN shows the PS3 console's IDPS under Information, and below is a brief guide on Changing Your PS3's IDPS via

Changing Your PS3's IDPS

First off you will need a NAND/NOR reader/writer. Second, you can put your PS3 into debugger mode.

You will need a dump of your flash or be able to access and read/write it in someway.

You will find section 0 EID0 which will look like...

[Register or Login to view code]

This part you will be looking at....

[Register or Login to view code]

Here is your IDPS, the 6th byte in there is your Target ID, which is what kind of PS3 your's is. (Retail USA, Retail U.K., e.t.c.)

So in this code;

[Register or Login to view code]

The 6th byte which is 89; 89 is equal to Retail Australia/New Zeland.

Now say you want to put your PS3 into Debugger mode; you would have to change the 89 (which by the way, is a hexadecimal) and the code for System Debugger is... A0. Now, when you change the code it will look something like this...

[Register or Login to view code]

Now you will just put this back into your NAND (where the flash is located), or NOR (if you are on slim). This concludes Changing your PS3's IDPS and putting it into Debugger mode.

Finally, we have received an e-mail from anonym0us (who appears to be LuckLuka :rolleyes stating the following:

Hello PS3 Scene, this is another anonymous leak! I would like to be called: anon0 to prevent confusion with all the other 'anonymous' members. 2 months ago, a CEX-to-DEX came out which needed the request-idps.txt

It was all accomplished by .SIG files and ObjectiveSuites, they are encrypted files which carry out specific commands to the PS3

We are now bringing THREE new .SIG files which can be used with 3.73 FW to carry out certain 'tasks' Figure what it can do by yourself... And samples of many files can be found there which can aid in 3.73 getting hacked... To use ObjSuites: Put PS3 in service mode, connect PS3 to PC by ethernet cable, IP Address to

  • Copy files from objcon to root of your usb drive
  • Start ObjectiveSuites, then power the PS3
  • All info necessary will be in the temp folder in objectivesuites...

This is a part-of-the-equation of hacking the 3.73

Some notes: I can guarantee something: There are many exploits present when ObjSuites connects to PS3, it forms a trusting bond... ObjSuites gets LV0/LV1 access. Use this with care...

Link: (removed) / Clean PS3 files:

And a bonus, Here is some software: (removed)

From IRC:

10:44 anonym0us – Okay
10:44 anonym0us – let me explain
10:44 anonym0us – ObjectiveSuites is used in combination with a jig
10:45 anonym0us – It allows more things to be done while PS3 is in service mode
10:45 anonym0us – something like 2 months ago
10:45 anonym0us – There was a leak
10:45 anonym0us – that allowed Retail->Debug
10:45 anonym0us – but it required a person getting request_idps.txt
10:45 anonym0us – from Sony
10:45 anonym0us – It was accomplished by a .SIG file
10:46 anonym0us – .SIG files carry out commands to the PS3
10:46 anonym0us – So
10:46 anonym0us – I got hands on 3 more .SIG files
10:46 anonym0us – Which report all kinds of things about the PS3
10:46 anonym0us – But, there is another thing
10:46 anonym0us – When ObjSuites is used with the PS3 in service mode
10:46 anonym0us – We can exploit the PS3
10:47 anonym0us – Sony never bothered fixing bugs between the ObjSuites-PS3 connection
10:47 anonym0us – Reason?
10:47 anonym0us – The original ObjSuites required a membership to SCEDevNet
10:48 anonym0us – this is cracked
10:48 anonym0us – So
10:48 anonym0us – yeha
10:48 anonym0us – yeah
10:48 anonym0us – thats pretty much it
10:48 anonym0us – When PS3 connects to ObjSuites
10:48 anonym0us – you get LV0/LV1 access
10:48 anonym0us – you get LV0/LV1 access
10:48 anonym0us – So with a bit of tinkering
10:48 anonym0us – You can be sure that you can get the PS3 to do what you want ot
10:48 anonym0us – to*
10:48 anonym0us – And thats pretty much it

From eussNL: My thoughts:

  • First: objsuites is just the old 2.43 leaked stuff + incomplete CEXDEX - meh, old news is so exciting :/
  • Second: just someone wanting his minute wall of fame
  • Third: ObjectiveSuites is not even related to decryption of files - especially 3.73


  • objectivesuites is used in service mode, just as downgrader and remarry
  • only os3sig\ObjectiveSuites\xml seems deviant from cexdex
  • afaik objectivesuites runs in lv2 and uses lv1 functions. that is why I don?t see the access to lv0 for it and certainly not the 3.73 part
  • there is still the matter of servicemode - afterall, we don?t have a way to enter/exit it on 3.73

All in all: I still have much doubts about it, both because of service mode, using objectivesuit and the source/person.

Shortly following, butnut ( converted the request_idps.txt back to hex code.

Download: PS3 ObjectiveSuites Request_IDPS.txt Hex Code

To quote: This is the request_idps.txt from the leak converted back to hex. It appears to be an eEID from a CECHC that was released in Mexico, but it is smaller than the eEID's from the two slims I looked at, so I don't yet know if it is complete or partial.

The numerical string at the beginning of the file is the pd_label and the same string can also be found in the CONSOLE_FINALIZE.CONF file.

PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS

PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS

PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS

Follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 CFW forums for the latest PlayStation 3 scene and PS4 Hacks & JailBreak updates with PlayStation 4 homebrew.

#140 - VSPROD - July 9, 2012 // 6:25 pm
VSPROD's Avatar
Cex to dex is possible now with the released information of the anonymous guy from hong kong

#139 - cfwprophet - April 24, 2012 // 12:39 am
cfwprophet's Avatar
For what i know not really. Best would be learning by doing and reversing some stuff. Also you can use graf's work on lv1 for better understanding.

#138 - miandad - April 23, 2012 // 12:36 pm
miandad's Avatar
thx sir, if i want to start learning idps (eid) or spu lv0 lv1 where should i start?

is there any tutorial site except ps3 wiki dev

#137 - GotNoUsername - April 21, 2012 // 12:00 pm
GotNoUsername's Avatar
Miandad the first problem is the PS3 is a lot more complex than any andriod device and has plenty of security in place + additional checks. In theory it is possible to write your own gameOS (CFW is nothing more or less than a modded GameOs with some tweaks.)

Well to get dex pup's installed on an Reatil maschine was done before , but it is kind of useless the PS3 checks if you try to use dex features on a retail if it is a dex, the process is kind of complictaed but the IDPS playes a main role here if y want to know more I recommend

The last part of your question I don't understand.

By the way graf's work is resumed, just wait and you'll see great things to come, I can't name any dev's here they are undercover after the egohot debacle.

#136 - miandad - April 21, 2012 // 9:14 am
miandad's Avatar
cfwprophet does ps3 developer can't make there own gameos or own factory service like android recovery mode? why devs can't make dex pup's signed for retail?

is there any difference between ps3 nor chip with usb flash drive nor chip? bcz usb flash drive chip easily read write with chinese program!

can anyone resume graf chokolo work!

#135 - cfwprophet - April 21, 2012 // 7:09 am
cfwprophet's Avatar
Yea sure and there for i don't know how it works and i need to teach my self, one well know dev gived yesterday a lot of gifts and underground work to me and my team and to a few other potential teams in scene ^^

Anyway i'm done here.

#134 - Siggy12 - April 21, 2012 // 6:28 am
Siggy12's Avatar
Ok I'll stay on topic and sorry for my behavior. I have to say last thing Heap Overflow = BUFFER OVerflow. Backdoor if you want named like this is ok but I'm not perfectly agree about the guy in china worked in SONY i'm not agree because the article that I posted before say that the credits go to GEOHOT about this no one else.


#133 - GotNoUsername - April 20, 2012 // 9:30 pm
GotNoUsername's Avatar
Guys pls stay on topic !!

But I have say some words on the PSJailbreak, yes the exploit uses Sony’s Personal backdoor a function Sony implemented !! (

The exploit is a Heap Overflow and makes use of the PS3's behavior to expect a JIG (= backdoor). Nothing more and nothing less and its origin was most likely China where some guys worked in a Sony service center!!!

And now pls stay on Topic and let the Past rest pls, focus on the future.

#132 - Siggy12 - April 20, 2012 // 9:05 pm
Siggy12's Avatar
You know what we are talking about ???? do you know how they attack this PERSONAL BACKDOOR how you named ???? simple question.. DO you know how the PSJailbreak HACK work ?? I think NO!!!! SURE IS NOT can't be different the reason believe me..... and anyway you have your Idea and I have mine so we have to stay in peace even if mine or yours are wrong.

and for the buffer overflow that make you laugh please read here:

and also here

please teach yourself to be more humble especially when you don't know What you are talking about the article that I posted will help you to reflect that you don't know how that psjailbreak HACK work.

stay in peace.

#131 - cfwprophet - April 20, 2012 // 7:30 pm
cfwprophet's Avatar
You have no clue what you talking about !!!

First the usb master key only is within the lv2_kernel if you have for minimum one time used it on this console. So egohots work have absolutly nothing to do with the jailbreak JIG. Ok not true they used his peek poke but that's it. The analyzing and copieng of the JIG have absolutely nothing to do with his OtherOS RAM clitch. And by the way no i don't have meaned the reason why sony have removed the OtherOS.

Hell what you talking about. USB buffer overflow ?? Seriously ?? This is Sonys personally backdoor and have nothing to do with a USB buffer overflow. ^^ :P Your so funny man !!