A few weeks back we saw a video on Booting Debug on a Retail PS3 Unit via Rebug PS3 CFW, and today zeryos has made available a PS3 CEX to DEX Converter Kit (Retail to Debug) which currently requires IDPS (PlayStation ID via Sony's server in the format of request_idps.txt) by PlayStation 3 hacker "You know who" in order to fully convert a Retail PS3 console to a Debug / Test unit.
Download: [Register or Login to view links] (pass: ps3scene) / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Mirror #2)
For those interested in the background of this PS3 CEX to DEX method, some leaked IRC logs appear to reveal that initially [Register or Login to view links] gave it to [Register or Login to view links] without [Register or Login to view links] from Sony PlayStation 3 hacker [Register or Login to view links].
To quote from a (now removed) Tweet of [Register or Login to view links]: "BTW Mathieulh I know you gave durandal that CEX-DEX ZIP, that it wasn't you that bundled that up, and you were not supposed to do so either"
Now that the PS3 CEX to DEX Kit has surfaced, other developers can begin to examine it and determine how to generate the required request_idps.txt file without access to Sony servers.
Finally, according to the IRC chat logs an updated method already exists, so only time will tell if that too will surface before the IDPS issue is sorted out by PlayStation 3 developers.
DEX to CEX Converter By "You know who"
**WARNING** IF THIS TUTOTIAL ISN'T FOLLOWED TO THE LETTER YOU MAY BRICK, THE AUTHOR (THAT WOULD BE ME) DENIES ALL KINDS OF RESPONSABILITY SHOULD YOUR PS3 GET DAMAGED IN ANY WAYS. YOU KNOW THE RISKS **WARNING**
1. A playstation 3 on firmware 3.55 or below
2. A dongle to go to Service mode
3. A usb pendrive
4. A brain
5. The author of this little trick.
6. Have your pc connected directly to the ps3 on ethernet with the ip set to 192.168.0.100 and the hostmask to 255.255.255.0 (make sure no firewall is running, not even windows one, this may prevent your console from connecting to the pc)
** PART 1 **
1. Set your console into service mode with any compatible dongle.
2. Put the content of the converter-console folder at the root of your usb pendrive.
3. Extract ObjectiveSuites-GetData on your PC.
4. Put the usb pendrive on the last usb port on the right of your console.
5. Run ObjectiveSuites.exe from ObjectiveSuites-GetData
6. You now have a few seconds to start your console, start it.
7. Objective Suite should display "PASS" and txt files will be created in the Temp dir. Once done, power off your console.
8. Get ALL these txt files from your temp directory and send them to the author (me) with informations about your playstation 3 model (FAT/SLIM, CECH* model)
** PART 2 **
9. You should recieve from the author (Yeah me again) a file called request_idps.txt
10. Extract ObjectiveSuites-SetIdps on your pc.
11. Put the request_idps.txt in your temp folder (MAKE EXTRA SURE IT'S THERE OR YOU WILL BRICK)
12. Run ObjectiveSuites.exe from the ObjectiveSuites-SetIdps directory.
13. Start the SAME CONSOLE YOU GOT THE TXT FILES FROM (If it's another console you WILL BRICK IT).
14. Wait until Objective suite displays "PASS" Then power off your console, at this point your console should be a Debug one.
** PART 3 **
15. You will now need to do a drive initialisation in order to use the bluray drive on your console. Put your usb pendrive on your pc, delete all the files you previously put in there, Put "Lv2Diag.self" from the "set up" directory at the root of your pendrive along with PS3UPDAT.PUP (that's 3.30 debug firmware)
16. Put the pendrive on the usb port on the most right of your console.
17. Power on the console, The screen will be black and the green led will stay lit, wait until it blinks and the console powers off, once it does the firmware will be installed.
18. Put the pendrive back on pc, delete the files you put in there previously, and copy the content of the "drivefix" folder to the root of the pendrive.
19. Put the pendrive at the usb port most on the right of your console and power it on.
20. The drive initialisation will then occur, wait a couple of seconds, then power off the console (you may have to unplug it from the AC)
21. Put the pendrive back onto the pc, delete the files you previously put in there, then copy the Lv2diag.self from the "finalize" folder.
22. Put the pendrive on the usb port on the most right of your console. Power it on. Your console will power on for a few seconds then power off.
CONGRATULATIONS YOU HAVE NOW COMPLETED ALL THE STEPS AND YOUR CONSOLE IS A FULLY FUNCTIONAL DEBUG BOX. YOU NOW JUST NEED TO POWER IT ON AND COMPLETE THE USUAL FIRST TIME SETUP PROCEDURE.
Also today from Sony PlayStation 3 hacker Mathieulh via IRC and Twitter and Snowydew via gitbrew:
[Mathieulh] basically this allows you to 1. dump cisd from nor
[Mathieulh] 2. write an eid to the nor
[Mathieulh] so basically the actual hack
[Mathieulh] which is generating the eid to be written to the nor
[Mathieulh] isn't part of this useless leak
[Mathieulh] cirotheb5 it's already done without sony's servers
[Mathieulh] do you think they don't have an auth, filtering and whatnot going on there ?
[Mathieulh] cirotheb5 *hint* Dump your console's eid root key *hint*
[Mathieulh] oh ! and you can do whatever that leak does using progskeet or otheros++
[Mathieulh] just saying
[Mathieulh] it's just a matter of using the dd command
# RequestIdps & write IDps--->
R 70 create request_idps_in.txt off FILE temp: pd_label.txt Copy temp:request_idps_in.txt 10
71 append tab to request_idps_in.txt off FILE temp:request_idps_in.txt Append 10 \t
72 append kiban_id to request_idps_in.txt off FILE temp:request_idps_in.txt Append 10 file://temp:kiban_id.txt
73 append cid to request_idps_in.txt off FILE temp:request_idps_in.txt Append 10 file://temp:cid.txt
74 append ecid to request_idps_in.txt off FILE temp:request_idps_in.txt Append 10 file://temp:ecid.txt
75 append config_version to request_idps_in.txt on FILE temp:request_idps_in.txt Append 10 file://temp:idps_bbox_config_version.txt
76 RequestIdps on PS3PICSY 220.127.116.11:63210,PS3CS1,00000,M RequestIdps temp:request_idps.txt 250 file://temp:request_idps_in.txt
77 insert product_label_bin_ascii to idps_data off FILE temp:request_idps.txt Insert 0 10 file://temp: pd_label_bin_ascii.txt
78 SetIdps on PS3LV2DIAG WriteRead 00000001 10 file://temp:request_idps.txt
79 GetIdps on PS3LV2DIAG WriteRead 00000005 10
- No, you need to use hardware.
- nothing is known, all that does is to write an eid to the nor, like that wasn't known...
- you don't even have eid keys in this leak. All you have is some tool that writes a whole made eid to the nor....
- It is useless unless you can generate your own eid. Good luck with that....
- Basically the actual hack, which is, generating the eid, isn't present in this, I'll let you wonder if it exists or not.
- Sure, dump your eid, convert to ascii and rename it. Here you go.....
- very much so, this does nothing more than a nand programmer could do.
- this is more likely the useless method, as in this zip is useless to begin with.
- Our two exploits got leaked to other devs. They can either bring them to light or actually use them. We're no longer doing them. (twitter.com/#!/gitbrew/status/108732677380775936)
- Welp, gitbrews 2 exploits are now in the wild. Have fun with them, since we're not even going to bother. (twitter.com/#!/Snowydew/status/108277307315191808)
- They're out there now, unsure if they're being worked on. Don't really care either at this point. (twitter.com/#!/Snowydew/status/108345360300261376)
Here is how to obtain your PS3 IDPS from RikuKH3 as detailed below:
That's how you can easily get your console IDPS:
1) Dump your NOR from GameOS using [Register or Login to view links]
2) Open it in hex editor and search for IDPS using this example: ps3devwiki.com/index.php?title=IDPS
The IDPS is a 16 byte value that contains console specific information. Exactly what information this stores is not completely known.
6th byte represents your Target ID
00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....ïÝÊ%Rf
8th byte represents your Motherboard_Revisions // possible sku model
- 0x1 = CECHA (60GB Full PS2) - COK-001 + Memcard Daughterboard
- 0x2 = CECHB (20GB Full PS2) - COK-001
- 0x3 = CECHC (60GB Partial PS2) - COK-002 + Memcard Daughterboard
- 0x4 = CECHE (80GB Partial PS2) - COK-002W + Memcard Daughterboard
- 0x5 = CECHG (40GB No PS2) - SEM-001
- 0x6 = CECHH (40GB No PS2) - DIA-001
- 0x7 = CECHJ / CECHK (40GB/80GB No PS2) - DIA-002
- 0x8 = CECHL / CECHM / CECHP / CECHQ (80GB/160GB No PS2) - VER-001
- 0x9 = CECH20A / CECH20B (120GB/250GB Slim) - DYN-001
- 0xA = CECH21A / CECH21B (120GB/250GB Slim) - SUR-001
- 0xB = CECH25A / CECH25B (160GB/320GB Slim) - JTP-001/JSD-001
The IDPS can be found in EID0 and EID5. Just search for first 8 bytes. For example: 00 00 00 01 00 84 00 09, where '84' is USA target ID and '09' is CECH20A slim motherboard revision). It's 16 bytes long and you find it twice. Here's example of my IDPS (below).
Also, I compiled unself2, but it throws error when I try decrypt game update eboot: 'Error decrypting metadata: No such file or directory'. But I don't have act.dat from my ps3, maybe this is issue.
Note from mallory: The IDPS file must be a raw binary file like all of the other key files. One way of creating it would be by typing your IDPS into a hex editor. Careful about posting your IDPS: Sony likely remembers who has what IDPS.
For those unaware the latest multiMAN shows the PS3 console's IDPS under Information, and below is a brief guide on Changing Your PS3's IDPS via psx-updates.blogspot.com/2011/08/changing-your-ps3s-idps.html:
Changing Your PS3's IDPS
First off you will need a NAND/NOR reader/writer. Second, you can put your PS3 into debugger mode.
You will need a dump of your flash or be able to access and read/write it in someway.
You will find section 0 EID0 which will look like...
This part you will be looking at....
00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....ïÝÊ%Rf 00000010 00 12 00 0B 81 2E 00 A9 59 75 01 CC C1 72 D5 50 .......©Yu.ÌÁrÕP
Here is your IDPS, the 6th byte in there is your Target ID, which is what kind of PS3 your's is. (Retail USA, Retail U.K., e.t.c.)
00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....ïÝÊ%R
So in this code;
The 6th byte which is 89; 89 is equal to Retail Australia/New Zeland.
00000000 00 00 00 01 00 89 00 0B 14 00 EF DD CA 25 52 66 .....‰....ïÝÊ%Rf
Now say you want to put your PS3 into Debugger mode; you would have to change the 89 (which by the way, is a hexadecimal) and the code for System Debugger is... A0. Now, when you change the code it will look something like this...
Now you will just put this back into your NAND (where the flash is located), or NOR (if you are on slim). This concludes Changing your PS3's IDPS and putting it into Debugger mode.
00000000 00 00 00 01 00 A0 00 0B 14 00 EF DD CA 25 52 66 .....*....ïÝÊ%R
Finally, we have received an e-mail from anonym0us (who appears to be LuckLuka ) stating the following:
Hello PS3 Scene, this is another anonymous leak! I would like to be called: anon0 to prevent confusion with all the other 'anonymous' members. 2 months ago, a CEX-to-DEX came out which needed the request-idps.txt
It was all accomplished by .SIG files and ObjectiveSuites, they are encrypted files which carry out specific commands to the PS3
We are now bringing THREE new .SIG files which can be used with 3.73 FW to carry out certain 'tasks' Figure what it can do by yourself... And samples of many files can be found there which can aid in 3.73 getting hacked... To use ObjSuites: Put PS3 in service mode, connect PS3 to PC by ethernet cable, IP Address to 192.168.0.100
- Copy files from objcon to root of your usb drive
- Start ObjectiveSuites, then power the PS3
- All info necessary will be in the temp folder in objectivesuites...
This is a part-of-the-equation of hacking the 3.73
Some notes: I can guarantee something: There are many exploits present when ObjSuites connects to PS3, it forms a trusting bond... ObjSuites gets LV0/LV1 access. Use this with care...
Link: os3sig.zip (removed) / Clean PS3 files: [Register or Login to view links]
And a bonus, Here is some software: ps2_mecha_adj.zip (removed)
10:44 anonym0us – Okay
10:44 anonym0us – let me explain
10:44 anonym0us – ObjectiveSuites is used in combination with a jig
10:45 anonym0us – It allows more things to be done while PS3 is in service mode
10:45 anonym0us – something like 2 months ago
10:45 anonym0us – There was a leak
10:45 anonym0us – that allowed Retail->Debug
10:45 anonym0us – but it required a person getting request_idps.txt
10:45 anonym0us – from Sony
10:45 anonym0us – It was accomplished by a .SIG file
10:46 anonym0us – .SIG files carry out commands to the PS3
10:46 anonym0us – So
10:46 anonym0us – I got hands on 3 more .SIG files
10:46 anonym0us – Which report all kinds of things about the PS3
10:46 anonym0us – But, there is another thing
10:46 anonym0us – When ObjSuites is used with the PS3 in service mode
10:46 anonym0us – We can exploit the PS3
10:47 anonym0us – Sony never bothered fixing bugs between the ObjSuites-PS3 connection
10:47 anonym0us – Reason?
10:47 anonym0us – The original ObjSuites required a membership to SCEDevNet
10:48 anonym0us – this is cracked
10:48 anonym0us – So
10:48 anonym0us – yeha
10:48 anonym0us – yeah
10:48 anonym0us – thats pretty much it
10:48 anonym0us – When PS3 connects to ObjSuites
10:48 anonym0us – you get LV0/LV1 access
10:48 anonym0us – you get LV0/LV1 access
10:48 anonym0us – So with a bit of tinkering
10:48 anonym0us – You can be sure that you can get the PS3 to do what you want ot
10:48 anonym0us – to*
10:48 anonym0us – And thats pretty much it
From eussNL: My thoughts:
- First: objsuites is just the old 2.43 leaked stuff + incomplete CEXDEX - meh, old news is so exciting :/
- Second: just someone wanting his minute wall of fame
- Third: ObjectiveSuites is not even related to decryption of files - especially 3.73
- objectivesuites is used in service mode, just as downgrader and remarry
- only os3sig\ObjectiveSuites\xml seems deviant from cexdex
- afaik objectivesuites runs in lv2 and uses lv1 functions. that is why I don?t see the access to lv0 for it and certainly not the 3.73 part
- there is still the matter of servicemode - afterall, we don?t have a way to enter/exit it on 3.73
All in all: I still have much doubts about it, both because of service mode, using objectivesuit and the source/person.
Shortly following, butnut (ps3crunch.net/forum/threads/1731-ObjectiveSuite?p=17938#post17938) converted the request_idps.txt back to hex code.
Download: [Register or Login to view links]
To quote: This is the request_idps.txt from the leak converted back to hex. It appears to be an eEID from a CECHC that was released in Mexico, but it is smaller than the eEID's from the two slims I looked at, so I don't yet know if it is complete or partial.
The numerical string at the beginning of the file is the pd_label and the same string can also be found in the CONSOLE_FINALIZE.CONF file.
More PlayStation 3 News...