CEX2DEX Application for Any PS3 NOR / NAND Flash Dump Arrives


113w ago - Following up on the recent PS3 C2D CEX to DEX Flash Patcher and PS3Tools GUI Edition v2.6, today I have released a CEX2DEX application that will allow you to extract the METLDR from ANY (NOR / NAND) PlayStation 3 flash dump and create a valid DEX (Debug / Test) flash from the given CEX (Retail) flash.

Download: [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Required) / [Register or Login to view links] / [Register or Login to view links] (Runtime Libraries are built in, shouldn't require MS VC++)

Features:

  • Can be used to extract the METLDR from ANY (NOR/NAND) flash dump.
  • Can be used to create a valid DEX flash from any given CEX flash (NOR/NAND).

I will explain the two main options the program has.

Extract METLDR - This extracts the metldr from your flash dump so you can use it in the metldrpwn exploit and dump your root key. The dump file created by the metldrpwn exploit can then be loaded into the program (METLDR Dump).

CEX -> DEX - This creates a modified flash dump that converts your CEX into a DEX; the resulting dump can then be flashed back to your PS3.

I assume you are getting those CMAC errors because you are attempting to use the extracted metldr as the metldr dump. These are two completely different files; the METLDR Dump is the dump file produced by the metldrpwn exploit. Could you show me part of your root key so I can get a better understanding of what you're actually loading?

P.S.: Contrary to what the main post says, I flashed my FAT 256MB NAND PS3 via Preloader Advance 3.1.

Also, make it clear that the Extract METLDR function only extracts the METLDR Binary from the flash and DOES NOT dump the root key, Linux is required for this!

Also, some insight on how I dumped/flashed my NAND.

Using Preloader Advance 3.1 (JFW is NOT required) I put my PS3 into service mode, put Lv2diag.self and the advance.cfg on a memory stick and put it into USB000 (far right slot). Powered the PS3 on and let it do its work.

Dump NAND Flash

Use my program to create a modified dump, put the dump on the memory stick and name it rflash.bin, make the previous setting (#Backup "rflash" to "/dev_usb000/Backuprflash.bin") to 0 and set this (look below) setting to 1 :

Write NAND Flash

From aldostools on comparing CEX2DEX to the C2D application: If I understand it right, the major differences from this and andbey0nd's C2D.exe are that:

1- This tool supports NAND/NOR flash dumps of CEX, while C2D only supports NOR flash dump of CEX
2- This tool extracts the EID root key (per_console_key) directly from the metldrpwn. So it is not required to hex edit the metldr to extract the first 3 lines (48 bytes).
3- This tool does not require the Win32OpenSSL_Light installed

For the CEX dump, it is still necessary the glevand's dump_flash.pkg (aka USB Flash Dump.pkg; I guess that 2 dumps are recommended to compare md5/sha-1 hashes and be sure that it's valid)

For the metldr dump, it is still necessary to have an OFW (<=3.15) or a CFW with dual boot support to boot Linux (CFW355-OTHEROS++.PUP), then make and run metldrpwn to dump metldr and a flasher or a tool like JaiCrab's Preloader Advance v3.1 to flash the NOR DEX dump created by this tool. Am I right? Or am I missing something?
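
The dump validation aldostools recommends above (take two dumps and compare their md5/sha-1 hashes), written out as an added example; it is not part of the original posts or of the CEX2DEX tool. It assumes the "16mb" NOR and "256mb" NAND sizes given in the guide further down mean 16 MiB and 256 MiB, and the file names in the usage comment are hypothetical.

```python
import hashlib
import os
import sys

MIB = 1024 * 1024
# Full-dump sizes stated on the page ("16mb" / "256mb"), assumed to mean MiB.
EXPECTED_SIZES = {"NOR": 16 * MIB, "NAND": 256 * MIB}


def digests(path, chunk=MIB):
    """Return (md5, sha1, uniform); uniform means one repeated byte value,
    which is what an erased or unread flash (all 0x00 or 0xFF) looks like."""
    md5, sha1, seen = hashlib.md5(), hashlib.sha1(), set()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            if len(seen) < 2:
                seen.update(block)
    return md5.hexdigest(), sha1.hexdigest(), len(seen) < 2


def flash_type(size, sizes=EXPECTED_SIZES):
    """Map a file size to "NOR" or "NAND", or None if it matches neither."""
    return next((kind for kind, n in sizes.items() if n == size), None)


def check_dumps(first, second, sizes=EXPECTED_SIZES):
    """Compare two dumps taken from the same console; return a report."""
    problems = []
    size_a, size_b = os.path.getsize(first), os.path.getsize(second)
    kind = flash_type(size_a, sizes)
    if kind is None:
        problems.append(f"{first}: {size_a} bytes is not a full NOR/NAND dump")
    if size_a != size_b:
        problems.append(f"sizes differ: {size_a} vs {size_b} bytes")
    md5_a, sha1_a, uniform_a = digests(first)
    md5_b, sha1_b, uniform_b = digests(second)
    if uniform_a or uniform_b:
        problems.append("a dump is one repeated byte (blank read)")
    if (md5_a, sha1_a) != (md5_b, sha1_b):
        problems.append("hashes differ: at least one dump is corrupt")
    return {"type": kind, "md5": md5_a, "sha1": sha1_a,
            "ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Hypothetical usage: python check_dumps.py dump1.bin dump2.bin
    if len(sys.argv) != 3:
        sys.exit("usage: check_dumps.py DUMP1 DUMP2")
    report = check_dumps(*sys.argv[1:])
    print(report)
    sys.exit(0 if report["ok"] else 1)
```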

PS3 CEX 2 DEX Guide:

Requirements:

1) A PS3 with Firmware 3.55 or lower (if lower, you should upgrade to 3.55); you must install this CFW using Recovery Mode: gitbrew.org/~glevand/ps3/cfw/CFW355-OTHEROS++-SPECIAL.PUP
2) A USB keyboard and mouse;
3) Red Ribbon Linux on your PS3; you should download and burn this ISO: [Register or Login to view links] (Mirrors: [Register or Login to view links] or also ps3devwiki.com/files/devtools/dump-metldr/Red_Ribbon_RC5.iso)
4) CEX2DEX, downloadable from here: [Register or Login to view links]
5) metldrpwn, downloadable from here: ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip
6) (Optional) Although unlikely, a brick is possible, so I recommend you have an E3 flasher.

Installing Linux:

Download these PKGs:


And download one of these two files (if you have NOR take the first, if you have NAND take the second).
1. dtbImage.ps3.bin (NOR): [Register or Login to view links]

2. dtbImage.ps3.bin.minimal (NAND, to be renamed to dtbImage.ps3.bin): [Register or Login to view links]

Put everything in the root of a USB device and install the PKGs. Each application you start will make the console beep 3 times before returning to the XMB; if you do not hear these 3 beeps, try again.

1. Run "Setup for OtherOS FLASH", let the console return to the XMB, and restart.
2. Start "Install OtherOS" (the USB stick with the file dtbImage.ps3.bin must be inserted).

Now connect a USB keyboard and a USB stick to the console, then launch "OtherOS Boot" and "Reboot" from the XMB. You'll find yourself in "Petitboot". Using the keyboard, select "Exit to shell" and press Enter. Type the following commands:



Your NOR / NAND is now dumped to the USB stick. Turn off the console (ctrl + alt + delete or power button).

Now insert the stick into your PC and extract the folder "metldrpwn" from "metldrpwn.zip" into the root of the USB stick.
Start CEX2DEX, select your dump, click "Extract metldr", and save the file as "metldr" in the "metldrpwn" folder on your USB stick.

Go back to your PS3, plug in the USB stick and insert the CD with the ISO burned previously. From the XMB start "OtherOS Boot" and "Reboot" again. This time select "Red Ribbon OTHEROS live" from Petitboot and wait for it to load. If you do not have a USB hub, unplug the keyboard and attach the mouse, click the first icon in the upper left -> Accessories -> Terminal, then reconnect the keyboard.

Type the following commands in Terminal:


Some output will appear; if all goes well, you should see "problem status (0x00000089)" somewhere in it. Type the following commands:


The system will shut down. Go back to your PC and start CEX2DEX, select your flash dump again and the file "dump" that will be on your USB stick, and click CEX -> DEX. Name the resulting file "flashDEX.bin" and save it in the root of the USB stick.

Return to the PS3, connect the USB stick and remove the CD. Start "OtherOS Boot" and "Reboot" again, select "Exit to shell" in Petitboot and type the following commands:


WARNING: The following command will write the changes to your flash (NOR / NAND), and if you did something wrong you could brick the console. I do not take responsibility.

Now download a DEX firmware from here: [Register or Login to view links]

And place it in X:\PS3\UPDATE\PS3UPDAT.PUP (X: is your USB stick)

Turn on the console in recovery mode and select system update. Now you have a Debugging Station.

Finally, below is another PS3 CEX to DEX Guide with No Linux or Hardware Required by ChocoErased (via nextgenupdate.com/forums/playstation-3-exploits-hacks/572924-full-tutorial-cex-dex-no-linux-hardware-required.html):

This is a tutorial from start to finish on how to convert a CEX console to a DEX console. If you don't know what you're doing or need someone to explain what DEX is to you, you should probably leave now. Also, be warned - if you mess up anything in this tutorial, you risk bricking your console. Follow the instructions right and you should be fine.

Note: This conversion does not require the installation of Linux or any hardware modifications, but it is recommended you have an E3 flasher or similar device in case you do end up bricking your console.

You're going to need:

  • 3.55 PS3 (preferably running Kmeaw's custom firmware): [Register or Login to view links]
  • USB Device with around 1 gigabyte of free space
  • Jaicrab's preloader: [Register or Login to view links]
  • FactoryServiceMode Tool: [Register or Login to view links]
  • eEID_RKDumper: [Register or Login to view links]
  • CEX2DEX Tool: [Register or Login to view links]

Once you have all of the above, you're ready to get started

Tutorial

1. Install the FactoryServiceMode pkg on your PS3 and use it to boot your PS3 into Factory Service Mode. When done, confirm your console is in service mode by turning it on and seeing if the red box is there in the lower right hand corner. Power down your PS3.

2. Take all the files from Preloader.zip and extract them onto the root of your USB stick. Rename "Lv2diag.self.flash" to "Lv2diag.self".

3. Eject your USB from your PC and place it in the rightmost USB port of your PS3 (your PS3 needs to be turned off). Once it is securely in place, turn on the console. Nothing is going to come up on the screen, and eventually the PS3 power LED will start blinking. DO NOT TURN OFF THE CONSOLE, it is dumping your NAND/NOR. Wait for it to power down itself.

4. Once your console turns itself off, remove the USB from your PS3 and plug it back into your PC. There will now be a file on it named "Backuprflash.bin" (Note: You may have to enable displaying of system files in order for it to be shown). This is your dump of your NOR/NAND - if your console is NOR, the filesize should be 16mb. If your console is NAND, it will be 256mb.

5. On your USB, rename "Lv2diag.self" back to "Lv2diag.self.flash" and then rename "Lv2diag.self.exit" to "Lv2diag.self". Place the USB in the rightmost USB port of your PS3 (turned off), then turn it on. It should turn itself off after a few seconds. When it turns off, remove your USB and boot the PS3. It should now be out of factory service mode.

6. Install the eEID_RKDumper on your PS3. Run it, and it should cause your console to blackscreen. It will reboot after a few seconds, just give it its time and don't interrupt it (it is dumping your root key). Once it reboots, proceed to the next step.

7. Use a filemanager or FTP server to retrieve your root key dump from your PS3 - it is located at dev_hdd0/tmp/eid_root_key. It should be 256kb. Get it onto your USB, it should be in the same directory as your Backuprflash.bin. Rename it to "dump" (no file extension).

9. Start up CEX2DEX again on your PC. For the NOR/NAND flash dump, select your Backuprflash.bin. For the METLDR dump, select your rootkey (file named "dump"). Click on CEX -> DEX, and when it prompts you save the new file as "rflash.bin" and put it onto the root of your USB stick. Your NOR/NAND dump is now fully converted to DEX, all that is left is to flash it back onto your PS3. The filesize for rflash.bin should be 16mb for NOR consoles and 256mb for NAND consoles.

10. On your PS3, use FactoryServiceMode Tool to boot into Factory Service Mode again. On your USB, rename "Lv2diag.self" to "Lv2diag.self.exit" and rename "Lv2diag.flash.self" to "Lv2diag.self". Delete the advance.cfg file from the USB, and put this one onto the root of it: advance.cfg

11. Make sure your PS3 is fully powered off, then plug your USB into the rightmost USB port. Turn on the PS3, and it will begin writing to your NAND/NOR. DO NOT TURN OFF THE PS3!!! If you do, it is a guaranteed brick. Just leave it alone until the PS3 turns itself off, it may take 15 minutes or more. Don't worry if it's taking too long, mine took about 40 minutes to write completely. Once your PS3 has powered itself off continue to the next step.

12. On your USB, rename "Lv2diag.self" back to "Lv2diag.self.flash" and then rename "Lv2diag.self.exit" to "Lv2diag.self". Place the USB in the rightmost USB port of your PS3 (turned off), then turn it on. It should turn itself off after a few seconds. When it turns off, remove your USB and boot the PS3. It should now be out of factory service mode. Congratulations, you are now ready to install DEX firmware. I would recommend downloading and installing this debug firmware, from there you can go to 4.20 debug or whatever other version you want.

Important Notes:

  • Once you convert to DEX, your console can no longer access the PlayStation Network. Your IDPS becomes invalid.
  • You cannot data transfer from a DEX console to a CEX console.
  • If you choose to install a debug update of version 3.56 or higher, Peek & Poke will be disabled. This will make certain homebrew applications no longer work.
  • Most PKGs and homebrew applications will have to be resigned as debug files before they can be installed/run on DEX firmwares above 3.55.

I hope this makes the whole process of converting from CEX to DEX easier for some of you. Remember, this is NOT something that the average jailbroken PS3 owner should undertake. Have fun and be safe.




#8 - Night Hawk - 114w ago
I love how many devs whine that it destroyed the ps3's hacking future. Please cut the bs, everybody knows that you kept it to yourself in order to enjoy the high fw privileges. If you were going to hack your way through the l0 and the keys you would have done it a long time ago... Higher versions only have more layers of protection.

#7 - djpelle - 114w ago
By releasing this method Sony now knows how to fix it for the upcoming DEX FW. It was not without a reason that devs did not make this method public!!! For devs with converted consoles it will be a massive hit in the face in the future!!!

#6 - tiefputin1 - 114w ago
AnoRelease, what was the ID on your console before you changed it to 0x82 (Debug Target ID)?

#5 - PS3 News - 114w ago
Cheers for sharing this AnoRelease, I have now promoted the news to the main page as well.

I'm sure many PlayStation 3 developers will make good use of it, although I bet the passes included in the new PS3 SDKs (which CJPC mentioned they used to have in the 1.00 days) to access SP-INT will be watermarked per developer studio similar to the low level hardware docs that aren't included in most of the public leaks.

#4 - plangston - 114w ago
technodon, have a look here mate from Rnd: wiki.gitbrew.org/wikibrew/Metldrpwn


Metldrpwn

Dear all,

Many of you may have heard about Metldrpwn which allows to obtain Perconsole Key set.

I bet some of you have not gone for it because of many things to install and do, like linux and etc.

Well, since now, you won't have to do all that, the only thing you will need to have/install is Otheros (Petitboot) and that's it, the image of the FULL LINUX distro with glevand's kernel patches and all is in this tutorial.

So, let me tell you what you have to do in order to pwn your metldr and get your perconsole keys faster:

1. Install Petitboot

Only these steps from the original glevand's tutorial are needed:

1. Install my latest CFW (gitbrew.org/~glevand/ps3/cfw/)
2. When installation is finished, reboot in Recovery Mode (not the Backup/Restore in XMB) and choose "Restore PS3 System"
3. Now your GameOS should use only the half of your HDD (Currently working on a better approach)
4. Run setup_flash_for_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/setup_flash_for_otheros.pkg - for all PS3 models)
5. Reboot (It's important to shut down and turn on your PS3)
6. Store dtbImage.ps3.bin (gitbrew.org/~glevand/ps3/petitboot/dtbImage.ps3.bin) on USB drive, plug it in and run install_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/install_otheros.pkg - NAND owners should use dtbImage.ps3.bin.minimal, rename it to dtbImage.ps3.bin). Try different USB ports if you don't get any beeps.
7. Run boot_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/boot_otheros.pkg)
8. Run reboot.pkg (gitbrew.org/~glevand/ps3/pkgs/reboot.pkg - use the package, not manually reboot!)
9. You should be in petitboot now.

3.15 stock firmware (OFW) users:

Put petitboot on a memory stick


2. Boot Linux

1. Download my distro of Linux (gitbrew.org/~rnd/Linux-2.6.39-Rnd.iso)
2. Unpack in the root of your USB stick/or burn the image to a DVD
3. Plug in your USB/Insert the disc in your PS3 and you should see 2 different boot options, boot the first one

Login details (there are 2 of them, ps3 and root):

Username: root
Password: root

Username: ps3
Password: ps3

If you need to mount a usb stick, I made a dir for that /dev/usb

Here is the mount command:


So now you can access your USB by going here /dev/usb/

3. Metldrpwn part:

Step by Step instructions

Precompiled metldrpwn : Here (ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip)

you can do this over ssh or on console.

Note: don't forget to provide EID0 and RL_FOR_PROGRAM.img if you do manually, instead of the run.sh file where they are commented out

1. ssh into the ps3
2. download the files:


3. untar the files:


4. enter the directory and compile:


5. run the following commands now:


6. there now you have a dump check it out:



7. now copy the dump somewhere or you'll lose it:


now you have a copy in your home directory for safe keeping, congrats you've completed about < 10 mins of actual work.

there you go keys are in 0x00 to 0x20 (first 3 lines)

So now you get code execution on metldr at the best time possible because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too. (Although they are hardcoded in metldr's code anyway)

example:


the first 2 lines are erk the 3rd is riv and together they are eid0 root key

btw this does not mean you get 3.60 keys etc or newer games but it will help you get some nifty things to do some new stuff.... also please be advised that if you are on 3.60+ you will need to downgrade with a flasher to do this, also if you have a unit that shipped from the factory with the metldr.2 (new metldr) you're SOL at the moment. There's also a nifty program on the dev tools page (ps3devwiki.com/wiki/Dev_Tools) to turn your hex into key, it's called hex2key:

hexkey2bin.c: [Register or Login to view links]
hex2key.c edit: [Register or Login to view links]

If you have any further questions don't hesitate to contact me,

Sincerely,

Rnd
btw, thank you AnoRelease!! a BIG thanks to all devs behind the scenes that have spent countless hours piecing together this puzzle!

© 2014 PlayStation 3 News