Sponsored Links

PS4 News on Facebook! PS4 News on Twitter! PS4 News on YouTube! PS4 News RSS Feed!
Sponsored Links
Sponsored Links
Home PS4 News - Latest PlayStation 4 and PS3 News

PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS

Sponsored Links
186w ago - A few weeks back we saw a video on Booting Debug on a Retail PS3 Unit via Rebug PS3 CFW, and today zeryos has made available a PS3 CEX to DEX Converter Kit (Retail to Debug) which currently requires IDPS (PlayStation ID via Sony's server in the format of request_idps.txt) by PlayStation 3 hacker "You know who" in order to fully convert a Retail PS3 console to a Debug / Test unit.

Download: PS3 CEX to DEX Kit (Retail to Debug) (pass: ps3scene) / PS3 CEX to DEX Kit (Retail to Debug) (Mirror) / PS3 CEX to DEX Kit (Retail to Debug) (Mirror #2)

For those interested in the background of this PS3 CEX to DEX method, some leaked IRC logs appear to reveal that initially Mathieulh gave it to Durandal without permission from Sony PlayStation 3 hacker RichDevX.

To quote from a (now removed) Tweet of Squarepusher2: "BTW Mathieulh I know you gave durandal that CEX-DEX ZIP, that it wasn't you that bundled that up, and you were not supposed to do so either"

Now that the PS3 CEX to DEX Kit has surfaced, other developers can begin to examine it and determine how to generate the required request_idps.txt file without access to Sony servers.

Finally, according to the IRC chat logs an updated method already exists, so only time will tell if that too will surface before the IDPS issue is sorted out by PlayStation 3 developers.

DEX to CEX Converter By "You know who"



1. A playstation 3 on firmware 3.55 or below
2. A dongle to go to Service mode
3. A usb pendrive
4. A brain
5. The author of this little trick.
6. Have your pc connected directly to the ps3 on ethernet with the ip set to and the hostmask to (make sure no firewall is running, not even windows one, this may prevent your console from connecting to the pc)


** PART 1 **

1. Set your console into service mode with any compatible dongle.

2. Put the content of the converter-console folder at the root of your usb pendrive.

3. Extract ObjectiveSuites-GetData on your PC.

4. Put the usb pendrive on the last usb port on the right of your console.

5. Run ObjectiveSuites.exe from ObjectiveSuites-GetData

6. You now have a few seconds to start your console, start it.

7. Objective Suite should display "PASS" and txt files will be created in the Temp dir. Once done, power off your console.

8. Get ALL these txt files from your temp directory and send them to the author (me) with informations about your playstation 3 model (FAT/SLIM, CECH* model)

** PART 2 **

9. You should recieve from the author (Yeah me again) a file called request_idps.txt

10. Extract ObjectiveSuites-SetIdps on your pc.

11. Put the request_idps.txt in your temp folder (MAKE EXTRA SURE IT'S THERE OR YOU WILL BRICK)

12. Run ObjectiveSuites.exe from the ObjectiveSuites-SetIdps directory.

13. Start the SAME CONSOLE YOU GOT THE TXT FILES FROM (If it's another console you WILL BRICK IT).

14. Wait until Objective suite displays "PASS" Then power off your console, at this point your console should be a Debug one.

** PART 3 **

15. You will now need to do a drive initialisation in order to use the bluray drive on your console. Put your usb pendrive on your pc, delete all the files you previously put in there, Put "Lv2Diag.self" from the "set up" directory at the root of your pendrive along with PS3UPDAT.PUP (that's 3.30 debug firmware)

16. Put the pendrive on the usb port on the most right of your console.

17. Power on the console, The screen will be black and the green led will stay lit, wait until it blinks and the console powers off, once it does the firmware will be installed.

18. Put the pendrive back on pc, delete the files you put in there previously, and copy the content of the "drivefix" folder to the root of the pendrive.

19. Put the pendrive at the usb port most on the right of your console and power it on.

20. The drive initialisation will then occur, wait a couple of seconds, then power off the console (you may have to unplug it from the AC)

21. Put the pendrive back onto the pc, delete the files you previously put in there, then copy the Lv2diag.self from the "finalize" folder.

22. Put the pendrive on the usb port on the most right of your console. Power it on. Your console will power on for a few seconds then power off.


Also today from Sony PlayStation 3 hacker Mathieulh via IRC and Twitter and Snowydew via gitbrew:

[Mathieulh] basically this allows you to 1. dump cisd from nor
[Mathieulh] 2. write an eid to the nor
[Mathieulh] so basically the actual hack
[Mathieulh] which is generating the eid to be written to the nor
[Mathieulh] isn't part of this useless leak
[Mathieulh] cirotheb5 it's already done without sony's servers
[Mathieulh] do you think they don't have an auth, filtering and whatnot going on there ?
[Mathieulh] cirotheb5 *hint* Dump your console's eid root key *hint*
[Mathieulh] seriously...
[Mathieulh] oh ! and you can do whatever that leak does using progskeet or otheros++
[Mathieulh] just saying
[Mathieulh] it's just a matter of using the dd command

[Register or Login to view code]

  • No, you need to use hardware.
  • nothing is known, all that does is to write an eid to the nor, like that wasn't known...
  • you don't even have eid keys in this leak. All you have is some tool that writes a whole made eid to the nor....
  • It is useless unless you can generate your own eid. Good luck with that....
  • Basically the actual hack, which is, generating the eid, isn't present in this, I'll let you wonder if it exists or not.
  • Sure, dump your eid, convert to ascii and rename it. Here you go.....
  • very much so, this does nothing more than a nand programmer could do.
  • this is more likely the useless method, as in this zip is useless to begin with.
  • Our two exploits got leaked to other devs. They can either bring them to light or actually use them. We're no longer doing them. (twitter.com/#!/gitbrew/status/108732677380775936)
  • Welp, gitbrews 2 exploits are now in the wild. Have fun with them, since we're not even going to bother. (twitter.com/#!/Snowydew/status/108277307315191808)
  • They're out there now, unsure if they're being worked on. Don't really care either at this point. (twitter.com/#!/Snowydew/status/108345360300261376)

Here is how to obtain your PS3 IDPS from RikuKH3 as detailed below:

That's how you can easily get your console IDPS:

1) Dump your NOR from GameOS using dump_flash.pkg
2) Open it in hex editor and search for IDPS using this example: ps3devwiki.com/index.php?title=IDPS


The IDPS is a 16 byte value that contains console specific information. Exactly what information this stores is not completely known.


[Register or Login to view code]

6th byte represents your Target ID

8th byte represents your Motherboard_Revisions // possible sku model

  • 0x1 = CECHA (60GB Full PS2) - COK-001 + Memcard Daughterboard
  • 0x2 = CECHB (20GB Full PS2) - COK-001
  • 0x3 = CECHC (60GB Partial PS2) - COK-002 + Memcard Daughterboard
  • 0x4 = CECHE (80GB Partial PS2) - COK-002W + Memcard Daughterboard
  • 0x5 = CECHG (40GB No PS2) - SEM-001
  • 0x6 = CECHH (40GB No PS2) - DIA-001
  • 0x7 = CECHJ / CECHK (40GB/80GB No PS2) - DIA-002
  • 0x8 = CECHL / CECHM / CECHP / CECHQ (80GB/160GB No PS2) - VER-001
  • 0x9 = CECH20A / CECH20B (120GB/250GB Slim) - DYN-001
  • 0xA = CECH21A / CECH21B (120GB/250GB Slim) - SUR-001
  • 0xB = CECH25A / CECH25B (160GB/320GB Slim) - JTP-001/JSD-001

The IDPS can be found in EID0 and EID5. Just search for first 8 bytes. For example: 00 00 00 01 00 84 00 09, where '84' is USA target ID and '09' is CECH20A slim motherboard revision). It's 16 bytes long and you find it twice. Here's example of my IDPS (below).

Also, I compiled unself2, but it throws error when I try decrypt game update eboot: 'Error decrypting metadata: No such file or directory'. But I don't have act.dat from my ps3, maybe this is issue.

Note from mallory: The IDPS file must be a raw binary file like all of the other key files. One way of creating it would be by typing your IDPS into a hex editor. Careful about posting your IDPS: Sony likely remembers who has what IDPS.

For those unaware the latest multiMAN shows the PS3 console's IDPS under Information, and below is a brief guide on Changing Your PS3's IDPS via psx-updates.blogspot.com/2011/08/changing-your-ps3s-idps.html:

Changing Your PS3's IDPS

First off you will need a NAND/NOR reader/writer. Second, you can put your PS3 into debugger mode.

You will need a dump of your flash or be able to access and read/write it in someway.

You will find section 0 EID0 which will look like...

[Register or Login to view code]

This part you will be looking at....

[Register or Login to view code]

Here is your IDPS, the 6th byte in there is your Target ID, which is what kind of PS3 your's is. (Retail USA, Retail U.K., e.t.c.)

So in this code;

[Register or Login to view code]

The 6th byte which is 89; 89 is equal to Retail Australia/New Zeland.

Now say you want to put your PS3 into Debugger mode; you would have to change the 89 (which by the way, is a hexadecimal) and the code for System Debugger is... A0. Now, when you change the code it will look something like this...

[Register or Login to view code]

Now you will just put this back into your NAND (where the flash is located), or NOR (if you are on slim). This concludes Changing your PS3's IDPS and putting it into Debugger mode.

Finally, we have received an e-mail from anonym0us (who appears to be LuckLuka :rolleyes stating the following:

Hello PS3 Scene, this is another anonymous leak! I would like to be called: anon0 to prevent confusion with all the other 'anonymous' members. 2 months ago, a CEX-to-DEX came out which needed the request-idps.txt

It was all accomplished by .SIG files and ObjectiveSuites, they are encrypted files which carry out specific commands to the PS3

We are now bringing THREE new .SIG files which can be used with 3.73 FW to carry out certain 'tasks' Figure what it can do by yourself... And samples of many files can be found there which can aid in 3.73 getting hacked... To use ObjSuites: Put PS3 in service mode, connect PS3 to PC by ethernet cable, IP Address to

  • Copy files from objcon to root of your usb drive
  • Start ObjectiveSuites, then power the PS3
  • All info necessary will be in the temp folder in objectivesuites...

This is a part-of-the-equation of hacking the 3.73

Some notes: I can guarantee something: There are many exploits present when ObjSuites connects to PS3, it forms a trusting bond... ObjSuites gets LV0/LV1 access. Use this with care...

Link: os3sig.zip (removed) / Clean PS3 files: http://www.multiupload.com/LALIXM08VQ

And a bonus, Here is some software: ps2_mecha_adj.zip (removed)

From IRC:

10:44 anonym0us – Okay
10:44 anonym0us – let me explain
10:44 anonym0us – ObjectiveSuites is used in combination with a jig
10:45 anonym0us – It allows more things to be done while PS3 is in service mode
10:45 anonym0us – something like 2 months ago
10:45 anonym0us – There was a leak
10:45 anonym0us – that allowed Retail->Debug
10:45 anonym0us – but it required a person getting request_idps.txt
10:45 anonym0us – from Sony
10:45 anonym0us – It was accomplished by a .SIG file
10:46 anonym0us – .SIG files carry out commands to the PS3
10:46 anonym0us – So
10:46 anonym0us – I got hands on 3 more .SIG files
10:46 anonym0us – Which report all kinds of things about the PS3
10:46 anonym0us – But, there is another thing
10:46 anonym0us – When ObjSuites is used with the PS3 in service mode
10:46 anonym0us – We can exploit the PS3
10:47 anonym0us – Sony never bothered fixing bugs between the ObjSuites-PS3 connection
10:47 anonym0us – Reason?
10:47 anonym0us – The original ObjSuites required a membership to SCEDevNet
10:48 anonym0us – this is cracked
10:48 anonym0us – So
10:48 anonym0us – yeha
10:48 anonym0us – yeah
10:48 anonym0us – thats pretty much it
10:48 anonym0us – When PS3 connects to ObjSuites
10:48 anonym0us – you get LV0/LV1 access
10:48 anonym0us – you get LV0/LV1 access
10:48 anonym0us – So with a bit of tinkering
10:48 anonym0us – You can be sure that you can get the PS3 to do what you want ot
10:48 anonym0us – to*
10:48 anonym0us – And thats pretty much it

From eussNL: My thoughts:

  • First: objsuites is just the old 2.43 leaked stuff + incomplete CEXDEX - meh, old news is so exciting :/
  • Second: just someone wanting his minute wall of fame
  • Third: ObjectiveSuites is not even related to decryption of files - especially 3.73


  • objectivesuites is used in service mode, just as downgrader and remarry
  • only os3sig\ObjectiveSuites\xml seems deviant from cexdex
  • afaik objectivesuites runs in lv2 and uses lv1 functions. that is why I don?t see the access to lv0 for it and certainly not the 3.73 part
  • there is still the matter of servicemode - afterall, we don?t have a way to enter/exit it on 3.73

All in all: I still have much doubts about it, both because of service mode, using objectivesuit and the source/person.

Shortly following, butnut (ps3crunch.net/forum/threads/1731-ObjectiveSuite?p=17938#post17938) converted the request_idps.txt back to hex code.

Download: PS3 ObjectiveSuites Request_IDPS.txt Hex Code

To quote: This is the request_idps.txt from the leak converted back to hex. It appears to be an eEID from a CECHC that was released in Mexico, but it is smaller than the eEID's from the two slims I looked at, so I don't yet know if it is complete or partial.

The numerical string at the beginning of the file is the pd_label and the same string can also be found in the CONSOLE_FINALIZE.CONF file.

PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS

PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS

PS3 CEX to DEX Kit (Retail to Debug) Surfaces, Requires IDPS

Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter, Facebook and drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene and PlayStation 4 scene updates and fresh homebrew PS3 Downloads. Enjoy!

Comments 140

• Please Register at PS4News.com or Login to make comments on Site News articles.
#130 - Siggy12 - 153w ago
Siggy12's Avatar
I'm sorry but I have to reply... sorry for the OT. DUDE!!!! did you ask to you why Sony remove OtherOS ? which his the person that cause that ? Sony KNOW VERY WELL that if OTHEROS was still inside the PS3 GAMEOS also the 9.99 firmware could be hacked.... without Geohot and the study coming after, psjailbreak NEVER HIT the market.

is too simple find a USB buffer overflow when a exploit is released and give to you access to the ENTIRE system and last question for YOU... WHO obtain the keys of the system ? something that everyone says is impossible is impossible is impossible... Santa Claus ?

My apologize AGAIN for the OT...

#129 - ps3hen - 153w ago
ps3hen's Avatar
You were saying someone was wrong, when they were not. I was being calm and I was only stating facts. The JIG Sony uses, is an intentional backdoor for administration purposes.

The first Jailbreak, exploited a bug in how the PS3 handles connected USB devices, after a precedure bugging/glitching, the Jailbreak device gets read and write access to the ram.

But I'll let the this explain (ps3devwiki.com/wiki/PSJailbreak_Exploit_Payload_Reverse_Engineering). The JIG just tells the PS3 to enter Factory Service Mode, there is no ".self" on a JIG which launches Factory Service Mode.

#128 - elser1 - 153w ago
elser1's Avatar
drink some chai tea man.. LOL

we got it and that's all that matters eh.

#127 - cfwprophet - 153w ago
cfwprophet's Avatar
ps3en i know plz calm down. The first Jailbreak stick was a modded clone of sonys official JIG there for it is called JIG not that i meant sonys official JIG. Oh Boy

They used the master key and the method aka backdore that sony use with the JIG to inject a factory service mode self for injecting a payload to allow homebrew and all that stuff.

#126 - elser1 - 153w ago
elser1's Avatar
yeah well i guess most people have everything they want except all the new games.. its a real shame its not "xbox" or "ps2"cracked.. but i still love my ps3 and tbh i haven't turned my jb ps3 on for at least 6 months.

i love psn too much! i'd have to say i like ps3 news a lot more than the "scene"..

#125 - niwakun - 153w ago
niwakun's Avatar
As far as I know, this what happens on PS3 scene last 2010:

  • PSJailbreak was announced around August 17 2010. With solid proofs live action feed how it works and such.
  • September 1 2010 PSJailbreak was released with OMFG price of $150.
  • September 10, 2010 PSJailbreak reversed engineered, documented how it works, opensource code and hex codes for development usb jigs released.
  • September 21 , 2010 Sony updates to 3.42, kills PSJailbreak
  • October 2010 PSjailbreak downgrade announced/released.
  • November 2010 opensource downgrade jig reversed engineered, released opensource, ported to development usb jigs
    December 2010 Fail0verfl0w announced that they totally defeated the PS3's security schema, they call it epic fail.
  • January 2011 GeoHot CFW released, NPDRM 3.55 defeated. Allows user to sign their own application on PS3 using the ECDSA bug. Private and Public Keys released.
  • February 2011 Rebug CFW released. Allows users to login on Developers PSN network. Allows user to fake credits and buy stuff on PSN for free (no credit card fraud happens) [that was really good, it lasted for about 3 months before they patched it]
  • April 2011 PSN got hacked, more than 10million user account got hacked. Nice!
  • August 2011, PSN resumed, they took long enough.

#124 - GotNoUsername - 153w ago
GotNoUsername's Avatar
If anyone wants a timeline: First USB devices (called Jailbreak), payloads (with all their features), than CCC, than geohot and so and so on, and pls guys stay at topic.

Special downgrade pup's only work on dex consoles and not on cex consoles sorry

#123 - ps3hen - 153w ago
ps3hen's Avatar
No the first usable Jailbreak was not Sony's factory service mode JIG. The first 'usable' jailbreak was a USB device, which in a nutshell, pretended to be a USB hub and glitched the PS3 FW and modified the ram, patching lv2 allowing for peek and poke.

Of course it is more complicated than that, go watch team failoverflow's CCC presentation if you want to learn more about the 3.41 OFW Jailbreak, they have a segment where they explain the crux it. The JIG, is used by Sony to service PS3's by giving special access, but it doesn't allow the user to run unsigned code or game backups.

#122 - cfwprophet - 153w ago
cfwprophet's Avatar
miandad, no they don't work it's a full debug fw and thoes also don't work on a retail without converting to a dex machine.

No really ? So it wasn't the JIG who enabled Homebrew and game backups ? Geohot gived that to the scene ? Also it wasn't failoverflow who released some keys first and after that egohot also released something just to say "Hey look at me im so good" ?

And by the way his Hardware exploit don't work without linux and you can't clitch the RAM under GameOS. Also he has released nothing from this files he dumped. So what.

#121 - miandad - 153w ago
miandad's Avatar
Quote Originally Posted by cfwprophet View Post
They are already public. But it seems that most users even don't know how a special downgrader pup will be called and where they are included.

And to correct myself it's not a 3.72 SDG (how they called it) it's a 3.74.

and 1 more thing does special downgrade pup's work with retail pup 3.60+ to downgrade without any tools! if yes how?


Sponsored Links

Sponsored Links

Advertising - Affiliates - Contact Us - PS4 Downloads - PS4 Forums - Privacy Statement - Site Rules - Top - © 2015 PlayStation 4 News