PS3 CEX (Retail) to DEX (Debug) Conversion Method is Released!

Discussion in 'PS3 Hacks / JailBreak' started by AnoRelease, Jul 8, 2012.

Tags: Add Tags
  1. AnoRelease

    AnoRelease Guest

    Following up on the PS3 CEX (Retail) to DEX (Debug) console IDPS updates, DexL0ve release and MultiMAN DEX Mod comes the long-awaited "holy grail" for PlayStation 3 developers, my complete PS3 CEX to DEX conversion method!

    Hi Scene, Sorry for my bad English. I want to give you info you please make public. I want be anonymous. I only can say I'm from Hong Kong. I have way to get a DEX, it works and is complete nothing missing.

    Manual to get a DEX (here is everything you needed) and you have a full working DEX:
    • EID0 Key Seed and EID0 Section Key Seed are hardcoded in the isoldr
    EID0 Key Seed
    AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C
    37 A6 BE 3F EF 82 C7 9F 3B A5 73 3F C3 5A 69 0B
    08 B3 58 F9 70 FA 16 A3 D2 FF E2 29 9E 84 1E E4
    D3 DB 0E 0C 9B AE B5 1B C7 DF F1 04 67 47 2F 85
    EID0 Section Key Seed
    2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF
    • If you dump they isoldr key (EID Root Key) with metldrpwn you got from 0x00 to 0x1F the EID Root Key and from 0x20 to 0x2F the EID Root IV
    • Use AES Encrypt to Encrypt EID0 Key Seed as data with EID Root Key as Key and EID Root IV as IV. The result contains from 0x10 to 0x20 the EID0IV and contains from 0x20 to 0x40 the EID0Key
    • Use AES Encrypt to Encrypt the EID0 Section Key Seed as data with the EID0Key as Key and no IV. The result will be the first 0x10 bytes of the EID0 First Section Key
    • The second 0x10 bytes of the EID0 First Section Key are only 0x00 bytes
    • EID0 is located in NAND at 0x80870 and in NOR at 0x2f070, the first 0x20 bytes of EID0 are not encrypted, at the fifth byte of EID0 (NOR example 0x2f075) your target ID is located change it to 0x82 (Debug Target ID)
    • Use AES Decrypt to decrypt the first EID0 Section (NOR example 0x2f090). The size of the first Section is 0xC0 bytes. Use the EID0 First Section Key as Key and the EID0 IV as IV
    • Build the CMAC (OMAC1) hash of the decrypted EID0 Section from 0x00 to 0xA8 with EID0 First Section Key as Key. The calculated hash has to be the same as the bytes in the decrypted EID0 Section from 0xA8 to 0xB8.
    • At 0x5 of the decrypted EID0 Section is your target id again change it to 0x82 again, 0xB8-0xC0 of the decrypted EID0 Section should be just 0x00 bytes
    • After you changed the target ID of the decrypted EID0 Section, create the CMAC hash of the new decrypted EID0 Section and write the new hash to the decrypted EID0 Section
    • Use AES Encrypt to encrypt the EID0 Section and write it back to the NOR (NAND).
    • Now install DEX Firmware with the recovery menu.
    HINT: Got Petitboot on emer init go to boot gameos and do emer init again to get to the recovery menu.

    You can't login to the PSN because IDPS is obviously not valid from now on.


    有志者,事竟成 “Where a will, there is way”
    一不做二不休 “You start something, you have to finish it”

    Note: You don't need the second 0x00 eid0 first section key of all zeros. Also from an anonymous source (via and and and comes CEX-DEX(2).7z and from the included ReadMe file, to quote:

    Download Mirrors: CEX-DEX(2).7z / CEX-DEX(2).7z / CEX-DEX(2).7z / CEX-DEX(2).7z / CEX-DEX(2).7z / CEX-DEX(2).7z / CEX-DEX(2).7z
    you’ll need openssl for this:
        openssl aes-256-cbc -e -in EID0_Key_Seed.bin -out EID0_key.bin -nosalt -K (eid_root_key erks) -iv (eid_root_key riv) -p -nopad
        generates eid0_key(pass riv to eid0_iv.txt and erks to eid0_key.txt)
        openssl aes-256-cbc -e -in EID0_Section_Key_Seed.bin -out EID0_First_Section_Key.bin -nosalt -K (eid0_key erks) -iv 0 -p -nopad
        generates first eid0 section key(pass to .txt)
        openssl aes-128-cbc -d -in eid0_1st_CEX.bin -out eid0_1st_CEX_decrypt.bin -nosalt -K (EID0_First_Section erks) -iv (EID0 riv) -p -nopad
        generates decrypted first section. make sure everything matches as described
        openssl aes-128-cbc -e -in end.bin -out eid0_1st_DEX.bin -nosalt -K (EID0_First_Section erks) -iv (EID0 riv) -p -nopad
        generates… you’ll see for yourself ;)
        props to rikukh3 for this.
        use the checkpoints as reference.
        good luck.
        PS: key[16] is not static, use your own
        input[168] is not static, use your own
    From deank: It just generates the EID section that you have to overwrite in your flash - that was the whole point of all this. You have to use your data and get the region to rewrite on your own console to convert your retail PS3 (CEX) to debug/test unit (DEX). This modification to the EID allows you to install the Debug firmware and get a DEX.

    From zecoxao: The problem with this is it's easily patchable... Sony will probably patch it on the next OFW... Original retail dump, flash back retail firmware, and that's it. This is basically switching back and forth from CEX to DEX by flashing DEX dump and DEX firmware and from DEX to CEX by flashing CEX dump and CEX firmware.

    You can use flasher, linux or jaicrab's preloader (basically anything that flashes the dump)

    Jaicrab's Preloader only works correctly on NOR's, you'll have problems with NAND's, or so I've tested (thanks to a friend of mine :)) in case you need to compare:

    If people want to flash this thing so badly WITHOUT a hardware flasher, you only need linux or jaicrab's flasher (for NOR).

    To Flash:
    • Put these two files on the root of a fat32 formatted stick.
    • Rename your DEX dump to rflash.bin
    • Execute the self with a self loader such as MultiMAN (use mmOS to go to the stick and load the self there)
    • Wait 35 minutes for the console to stop blinking and shutdown with steady red light (THIS ONLY WORKS ON NORS. YOU HAVE BEEN WARNED!)
    • Confirm if it boots (alternatively, if you have QA, DEX doesn't have QA when you do the button combo, so you can test it)
      flash 3.55 DEX firmware by recovery
    PS: If I'm not dead by the next 24 hours, you know where to find me :D

    Note: Don't flash this, this belongs to my console, so I advise you not to flash, this is just for verifying only.

    From Squarepusher2: You'll have to go digging for debug eboots though if you intend on playing anything that is not a retail game on your debug PS3. And those are not easily found. I don't think end-users will get much use out of it - for devs it's a totally different story though.


    Below is also a video from lordv demonstrating Battlefield 3 running on the DEX BD Emulator via USB, who states that games work fine from the BD EMU or BD-R disc (using PS3Gen) without a decrypted/Debug EBOOT. However, PS3 games won't run from DVDs in the newer DEX Firmware.


    A COD: MW3 on DEX PS3 (3.55 CEX to 4.11 DEX - BD Emulator HDD) video by sguerrini97 is below as well:


    It also appears as though the newer PS3 SDKs will contain the necessary development tools and login information to access Sony's developer network (NP / SP-INT) as well:

    The NP communication passphrase and signature will be provided within the Server Management Tools.

    Details: NP communication ID, passphrase, and signature, required for certain PSN communication services, had been provided on the DevNet thread upon the completion of the requested PlayStation Network service configurations.

    From 2012/07/05 the NP Communication Passphrase and Signature will be provided within the Server Management Tools.

    This change affects all the communication IDs issued after 2012/07/05. It will not be possible to access the NP communication passphrase or signature in the support issued after that date.

    Only those users who have initially requested the NP communication services and was provided the files on DevNet thread will have access to the file on the request threads.

    Note that the NP communication passphrase and signature are required with NP Matching 2 and Title Small Storage.

    From PlayStation 3: I have found a way to access SP-INT (or developer) PSN. Those who remember, this also worked a year ago until Sony had fixed it. It is now working again for existing users. Making a new account will not work, but existing users who have made SP-INT accounts last year when it had worked can sign in (for now).

    Here is how to do it:

    1) Install Rebug 3.55.2 CFW. Also install the latest update package (0.7)
    2) Set it to Rebug mode in Rebug Selector. Set the Rebug Menu to #2.
    3) Install SEN Enabler 4.21 to spoof the firmware to 4.21.
    4) Go to Debug Settings and change NP environment to 'SP-INT'.
    5) Reboot PS3.
    6) The PS3 will attempt to sign in to your NP (retail) PSN account and it will give an error because your NP PSN will not work on developers PSN. Now you must sign in to your SP-INT account that you made last year. Making an new account will not work.

    If anyone can somehow find a way to make an new account on SP-INT, please let us know. Thank you!

    From PlayStation 3 developer naehrwert (via to quote:

    eEID Cryptography

    When metldr is encrypted at factory, a special keyset is set in the binary before encryption. Later when an isolated loader is loaded by metldr, it will copy the keyset to LS offset 0x00000. It consists of eid_root_key and eid_root_iv. To not having to use the same key for all eEID parts, several subkeys are generated from special data called individual information seed.

    These seeds are stored in the metadata header of isolated modules loaded by isoldr. When isoldr will load a module, it will call a subroutine that encrypts each seed chunk (0x40 bytes) using eid_root_key and eid_root_iv. Then the so-called individual infos are passed in registers r7 to r22 (= 0x100 bytes in total) to the loaded module where they are used further.

    Usually isolated modules have a seed section of 0x100 bytes but all of them (except sb_iso_spu_module) have all zeroes but the first 0x40 bytes chunk. You can, for example, find the recently published EID0 seed in the metadata section of aim_spu_module. Appliance info manager is used to get e.g. the target ID or the PSID from EID0. This explains why the seed can also be found in isoldr directly, since that one is checking EID0 too.

    As you can probably think, a fair amount of reversing time and knowledge has gone into finding this, so stop calling us *swearwords* for not releasing information that could potentially lead to more piracy, because we think that this would do more harm to the “scene” than just keeping some information in private (for now).

    Also I can only encourage everyone that thinks about us this way or is greedy demanding for developers/reverse engineers to release their stuff, to fire up isoldr in IDA or disassemble it with objdump and try to reverse all this from start to end. We’ll see, who is able to pull this through on his own...

    From evilsperm (via Here is some code if you all want to flash from petitboot: This is to R/W entire NOR or just the eEID section. Make sure to take a valid dump from gameOS as well so you can match both dumps also if you have a hardware flasher I highly advise you do, check that dump against the soft dumps to make 100% sure :p

    How to W/R NOR from petiteboot:

    READ NOR : dd if=/dev/ps3nflasha of=/tmp/petitboot/mnt/sda1/cexnor.bin bs=1024

    WRITE NOR: dd if=dexnor.bin of=/dev/ps3nflasha bs=1024

    READ eEID : dd if=/dev/ps3nflasha skip=$((0x2F000)) of=/tmp/petitboot/mnt/sda1/eid.bin bs=1 count=$((0x10000))

    WRITE eEID: dd if=eid.bin.dex of=/dev/ps3nflasha bs=1 seek=$((0x2F000)) count=$((0x10000))

    I'm not going to bother with the NAND because its a pain in the balls (and thats if you can even get it to work) :p

    /tmp/petitboot/mnt/sda1/ is a flash dive formatted to ext4 in petitboot to make life easy when moving dumps around. you can always scp your files across also :p

    From badhabit: For the BD playback recovery on DEX you can also use the "drivefix" lv2diag.. it can be found in the original CEX-DEX leak by youknow..

    I uploaded it here if needed:

    Manual CEXDEX converted summary - what a thrill ride hehe... massive settings there... looking good haha:

    What worked for me, thx everyone!!
    • put flashdex.bin on USB stick
    • Petitboot
    • chmod 777 /dev/sda
    • umount /dev/sda
    • mount /dev/sda /tmp/petitboot/mnt/sda
    • type cd tmp/petitboot/mnt/sda
    • dd if=flashdex.bin of=/dev/ps3nflasha bs=1024
    • ENTER, blinking - for awhile... fck it broke... finally some output (in-out) and back to the prompt patience is a must
    • type ps3-flash-util -g to set/boot GameOS ( = emer init? not sure)
    • type pb-cui
    • Boot GameOS option in Petitboot
    • Boots normal into XMB feew lol...
    • QA combo not working as it should
    • Used Service Mode for final install using cex2dexkit files
    • replaced the 3.30 PUP with 355DEX alongside "lv2diag.self" from "setup" folder and put on USB stick
    • Put PS3 into FSM using dongle (pull cable out-dongle in-cable in)
    • Shutdown - Replaced dongle with USB stick ( setup Lv2Diag.self/PS3UPDAT.PUP
    • Boot Ps3 - Ps3 shutsdown
    • Replaced files with step3 "drivefix" (linked above) files on USB stick
    • Put USB into right slot
    • Boot PS3
    • On screen: Drive Init / Drive Init Fail - It needs a Original Blu-Ray movie like Remarry? and/or the 3.30 PUP to work? Please confirm anyone?
    • Pull power cable
    • Replaced USB files with "finalize" folder Lv2Diag.self file
    • Put into right slot and boot - Ps3 shuts down
    • PS3 boots a normal into DEX
    • All working except for blu-ray/dvd's = not working obvious... GAMES works fine, shame on me for not having one, need to rent one.. can someone verify it needs blu-ray and/or .30 pup thx
    From svenmullet: Use mathieulh's leaked tools to get the required info, then use the new leaked algos to change it to DEX, flash back using Objsuites/FSM. You don't need a flasher or linux to do this. And don't let anyone tell you different!

    Remember CrashSerious released a tool to decrypt/encrypt SIG files? Reverse what those SIG files in the math leak are doing.

    Also, I recall theorizing that the serial number (yes, that sticker on the console) has something to do with PCK. All we need now is some brainiac to figure it all out (and release the info).

    Actually to play PS3 3.60+ backups all you need to do is install an update for the game. Since DEX can't install retail PKG you have to downgrade to 3.55 DEX with peek and poke install the update and re upgrade.

    Also ps3gen.exe will happily create image with the retail EBOOT, it just won't run because retail EBOOTs have the "run only from authenticated bd" capability flag; having installed an update for the game bypasses it.

    From Lordv (via to quote:

    Instead of having an edit war could we discuss it on irc? I can prove that what you write here are (un?)intentional lies.

    1) What do you mean retail functionality? You can restore dvd playback and ps store to name a few by some sprx copying and xml editing. Just unpack a dex fw for 3.55 and a cex fw for 3.55 and note the differences in sprx. Then just add the correct xml keys. For example for ps store add the #seg_commerce_new key to category_psn.xml.

    Answer from Mathieulh: You can't play blurays/dvds on 3.60+ DEX because you do not have the keys to craft a custom DEX firmware and the bd/dvd player app will check your console's idps target and see 0x82 and will fail one (of too many) check(s) and will issue an error code and not proceed. (not to mention 0x82 leads to an invalid region) I don't know/care about ps store but as far as I know, the DEX vsh.self will not display it

    2) I did, however i can't prove it. Should you cex2dex and have latest dex fw you too will be able to sign in to PSN.

    Answer from Mathieulh: You can't because your idps is NOT in sony's database, as such it will not pass PSN authentication, there is nothing you can do to fake this, you would need to use a real debug idps, end of story.

    3) Can't comment on that one but would very much like a statement from whoever wrote it.

    Answer from Mathieulh: This is obviously not true, however you CAN brick/ylod if you rebuild your EID wrong (the likeliness is high)

    4) Do you want a video of it? Use ps3 generator tools to create a master disc or a usb image. Ever wondered what that item labeled Blu-ray Disc Access in Debug Settings did? Now you can find out.

    Answer from Mathieulh: The retail selfs are signed with special capabilities that make them only able to run from original discs (Masterdiscs != Original discs, lv2 can tell the difference) That's why you need decrypted selfs/fself to run games from masterdiscs or bdemu images, forget about running your "backups" (or should I say ,warez) Because ps3gen creates masterdiscs does not mean you can magically warez on the box. You can however play originals ! (I strongly advise you to start BUYING your games, (just saying))

    5) Can't comment on that one.

    Answer from Mathieulh: I can comment that most of your so called affirmations are a bunch of BS. (in fact I just debunked most of them, feel free to try though and see for yourself.)

    There's really no way to know if AnoRelease is really the source or a leaker, as other devs in the circle may not know of or agree with his wishes to finally release it which may be why it was done anonymously.

    If he is a leaker though, it would be the same as anything that gets leaked from the Rebug PSN passphrase for CFW users to the old R:FoM exploits, it benefits some for a period of time until Sony takes action and the next hole surfaces... although those cashing in on dongles may never admit it, it's called progress and is great for real PS3 scene developers not on the Max Louarn / Paul Owen payroll.

    [imglink=|PS3 CEX (Retail) to DEX (Debug) Conversion Method is Released!][/imglink]
    [imglink=|PS3 CEX (Retail) to DEX (Debug) Conversion Method is Released!][/imglink]
    More PlayStation 3 News...
  2. kira30

    kira30 Guest

    wonder if it works and what can be achieved with this ?
  3. technodon

    technodon Guest

    i can't get metldrpwn to work, i'm using red ribbon RC5 when i type sudo insmod ./metldrpwn.ko i get error inserting './metldrpwn.ko' -1 invalid module format any help would be great..
  4. plangston

    plangston Guest

    technodon, have a look here mate from Rnd:

    btw, thank you AnoRelease!! a BIG thanks to all devs behind the scenes that have spent countless hours piecing together this puzzle!
  5. admin

    admin Administrator Staff Member

    Cheers for sharing this AnoRelease, I have now promoted the news to the main page as well. :tup:

    I'm sure many PlayStation 3 developers will make good use of it, although I bet the passes included in the new PS3 SDKs (which CJPC mentioned they used to have in the 1.00 days) to access SP-INT will be watermarked per developer studio similar to the low level hardware docs that aren't included in most of the public leaks. ;)
  6. tiefputin1

    tiefputin1 Guest

    AnoRelease what was the ID on your console before you changed it to 0x82 (Debug Target ID) ? :)
  7. djpelle

    djpelle Guest

    By releasing this method Sony now knows how to fix it for the upcoming DEX FW. That was not without a reason why devs not made public this method!!! For devs with converted consoles it will be a massive hit in the face in the future!!!
  8. Night Hawk

    Night Hawk Guest

    I love how many devs whine that it destroyed the ps3's hacking future. Please cut the bs, everybody knows that you kept it to yourself in order to enjoy the high fw privileges. If you were going to hack your way through the l0 and the keys you would have done it a long time ago... Higher versions only have more layers of protection.
  9. technodon

    technodon Guest

    i tried this method, right i burnt the Linux-2.6.39-Rnd.iso to a disc, go into petitboot then i just get a black screen, so it says run so i did that and rebooted then i get the linux loading screen but it hangs on Registering the dns_resolver key type.

    anyway i'm downloading the iso again just incase it was corrupted somehow and i will extract them to a usb.. and try again
  10. cfwprophet

    cfwprophet Guest

    The RedRibin.iso will not work for that. Metldrpwn use some files from your linux kernel source that you (normally) have previous compiled on your ps3. Just do the manual installer with debian and you will see that everything works fine. ;)

    If you need help and serious word come to irc channel #TeaM_AC1D at Hellcat and we will help you ;)
  11. joke1

    joke1 Guest

    sounds great
  12. sguerrini97

    sguerrini97 Guest

    Can someone explain how to encrypt with AES? Thanks.
  13. CJPC

    CJPC Guest

    You could probably use openssl to handle the encryption, since you know the data you need to encrypt, with what key, and the iv. However, if it pans out you may want to wait for someone to make something a bit easier to use - you probably don't want a brick!
  14. sguerrini97

    sguerrini97 Guest

    Thank you for the answer, and I've got a flasher for the brick problem :)

    Sorry for my english.
  15. thatcher

    thatcher Guest

    I hope something comes from this, the scene is pretty much dead bar a few HB devs that release some quality dev stuff. Not too fussed about the backups but would love more homebrew...
  16. sguerrini97

    sguerrini97 Guest

    CJPC with OpenSSL what AES encryption method should I use?

    aes-128-cbc, aes-128-ecb, aes-192-cbc, aes-192-ecb, aes-256-cbc or aes-256-ecb ?

    Thank you.
  17. Thomazbj

    Thomazbj Guest

    going to try this :)
  18. gukha

    gukha Guest

    Sorry for asking a stupid question but will this be able to jailbreak Ps3 in 4.11 firmware...
  19. Foo

    Foo Guest

    If I'm not mistaken... with this info there should be a way (or atleast a step closer) for QA Flag instead of converting completely to DEX. It has a lot to do with EID.