Sponsored Links

Sponsored Links

PS3 C2D CEX to DEX Flash Patcher, LibEEID EID0 Library Arrives


Sponsored Links
107w ago - Following up on the PS3 CEX (Retail) to DEX (Debug) Conversion Method from earlier this week, today PlayStation 3 developer andbey0nd has released an easy C2D CEX to DEX Flash Patcher conversion tool for Windows (currently only works with the 16mb NOR) alongside PS3 LibEEID (library related to EID0) source code below.

Download: [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links]

To quote: andbey0nd has released (pastie.org/4243807) another tool to us this morning. c2d is a Cex 2 Dex Flash Patcher. Currently it only works with 16mb NOR. Slowly but surely the scene seems to be coming back to life. 1 hack at time... Thanks andbey0nd and keep up the awesome work!

[andbey0nd] works for 16MB flash dumps (NOR) only
[andbey0nd] also if for some reason a WRONG EID key is provided - the program will abort and will not generate invalid DEX flash.. so no chance for bricking
[andbey0nd] if an output DEX flash file is created - it means that it is valid

c2d.exe (win32 app)

Requires:

  • OpenSSL 1.0.1 installed in c:\openssl or d:\openssl ([Register or Login to view links])
  • EID root key (per_console_key) obtained with metldrpwn
  • CEX (NOR) flash dump
  • Extract c2d.rar in a local folder (c:\c2d or d:\c2d)

Usage:

  • c2d.exe eid_key_file.bin in_cex_flash.bin out_dex_flash.bin

Output:

Enjoy!
andbey0nd

From [Register or Login to view links]: oh look what a little bird has brought us: libeeid crypto library <3 also if someone want's to get a set of cprm device keys, he should look at eid3_decrypt_buffer

messing with eid4 on your box will destroy your bd-drive pairing, so I wouldn't do that.

PS3 LibEEID Source Code

A >>PS3D<< original: libeeid (C) 2011-2012 ps3dev.net

If you can't deliver the complete stuff, you should just keep your mouth shut and not spread the EID0 algo out. This lib was meant to stay private because we didn't like the idea of every 1337 kiddo having a DEX console and annoying developers with questions about running pirated games on it. Now we decided to release it all into public although we won't provide any support or do any further work on it.

A lot of dedication, knowledge and time has gone into reversing ALL of the SPU binaries to collect the informations in this library (that's the fun part). This is as far as you will get with firmware versions <= 3.56.

Btw.: have fun reversing the SPU modules to find the required keys...

Special thanks to the people there: gitorious.ps3dev.net/+ps3dev-net

How to W/R NOR from petitboot:


After getting the tip on howto build OMAC cex/dex hash with FileHash and passing me the "batch" files to AES EN/Decrypt, then you need to check/read it a couple time to fit the puzzle together.. i recommended if you perform this, do not to rely on the 1click tools at first, c2d works perfect and makes valid dexdump, you can use it to compare it with the one u did by hand, they MUST be identical, at least do it a couple times so you'll understand proccess.

I used run.sh like this without providing eid0 as it's commented out in the script and not required, only "metldr" from original cexdump

In terminal:


outputs correct root_key

To be on the save side, pwn metldr couple times to see if you get matched ones, some are having weird "dump" or must reboot to get correct "dump" need to use either debian/ubuntu install or live disc linux2.6.39_rnd.ISO / or new prebuild petitboot image/or rc5 red ribbon a little modified.. options enough.

From dlbogdan: I've dumped NOR (and eEID) from petitboot.. for linux n00bs. It doesn't work until you remount your usb drive as RW.


then you dump with:


as written above.

From badhabit: I can confirm the cex2dex patcher method works.

  • used memdump to dump the Nor (thx an0n, you tha man !!)
  • HW Flasher output is exactly the same.. tried it
  • used Flowrebuilder to unpack the Nor Dump (btw. Flowrebuilder can also unpack 4.11 dumps where norunpack fails..)
  • had to recompile the metldrpwn as the compiled one from glevant didnt work for me ..
  • used petitboot and red ribbon for the root key
  • used cex2dex patcher (thx andbey0nd, acab, zadow) for dex.bin
  • flashed back via hw flasher / also tried petitboot works good aswell

So now i am on 3.55 dex ; gonna try E3 cex/dex dualboot.. has anyone an idea if i need to patch the dex FW "no check" for downngraded consoles ?? kudos to zecoxao and the others for helping all the people out !! that's the spirit dudes !!

From butnut: I am on 3.74 debug and playing a backup of my FF XIII-2 from a sd card formatted as bd-emu. I can go into the casino and play the games and bet on chocobo's and what not. I used psdevs gui tools to unpack the 1.06 update and then when I was still on 3.55 debug I used multiman to transfer the update to my dev/hdd0/game. then I went into recovery mode and chose rebuild database, when the system rebooted I updated to 3.74. None of my homebrew works now but I can downgrade later.

Oh yeah here is how to get those keys you want... Major thanks to everybody who helped me, without you I would still be sitting here with my thumb up my butt.

  • Dump your flash name it cexnor.bin
  • Use flow rebuilder to get metldr file
  • Use XMB EIDX Dumper to get EID0
  • Install petitboot and red ribbon rc5

Note: Do not type any words with quotes around them.

Open a terminal and type:


when that is done type:

After it has downloaded type:

and then type:

"Just press exit, when you will see the grey and blue menu."

"open a file manager and go to /etc/ and copy the kboot.config to a usb drive"

"open the kboot with a text editor and add as the last line"

"save the kboot and put it back where you found it"

"go to /boot/ and rename vmlinux-2.6.39 to vmlinux"

"restart ps3 into petitboot and boot test=/boot/vmlinux root=/dev/ps3dd1"

"open a terminal and type"

unzip metldrpwn.zip

"open the file manager and transfer your metldr file to metldrpwn"

"I think you should put the EID0 file in there too, but some people say it is not needed."

"go back to terminal window and type"

"open a file manager and transfer the file called dump to usb"

"move it to your pc and use a hex editor to copy the first three lines(48 bytes) to a new hex file. Save this file as key.bin "

"install c2d"

"put key.bin and cexnor.bin in the same folder as c2d.exe"

"open a command prompt and type"

"If you did every thing right you will see a message saying done"

"if this message gives you an error then you must reboot your ps3"

"and try again from "

"if you did not get an error then flash dexnor.bin to your ps3 and install 3.55 debug from the xmb"

From JLM (via ps3crunch.net/forum/threads/4023-Method?p=45359#post45359):

You don't need to fiddle with kboot.

The red ribbon 5 headers are here (7.03mb): [Register or Login to view links]

1. unpack it in a subdirectory of your home directory: /home/username/headers

2. Create a link to it in the appropriate lib/modules directory
link command syntax: ln -s target linkname
(-s means it's a symbolic link/shortcut)

for mine it is:

/lib/modules/2.6.38-powerpc64-otheros

open a terminal (as root) in that folder and create the link:

ln -s /home/username/headers/usr/src/linux-headers-2.6.38-powerpc64-otheros /lib/modules/2.6.38-powerpc64-otheros/build

that command will create a symlink (shortcut) to the header files/module.symvers, the link will be called build. If you already have a build link (in /lib/modules/directory with kernel name/) then you prolly don't need those header files or to create the link.

3. Compile the exploit(not as root):

cd metldr838exploit && make

Depending on your compiler settings you may get these two warnings(it's ok): warning label 'bad5' defined but not used or warning '/*' within comment.

4. Copy the other files you will need for running the exploit to the exploit directory:

For example, someone on rebug 3.41.3 other os with ss patches:
metldr (extracted from a flash dump of the nor, use yours)

from ofw 3.41v2 (using fail tools or ps3tools gui):
isoldr, spp-verifier.self, defaut.spp
(You may want to rename the metldr file that is already in the exploit directory so it won't be overwritten.)

5. run the exploit at the commandline:

sudo ./run.sh

It will ask for your password (the one for your username, not the root password). Using sudo will give you the elevated privileges necessary to run the exploit, ./ insures the script in your directory will be the command that the shell runs (if it doesn't execute, then you might need to set the permission with: chmod u+x run.sh)

A bunch of messages scroll by, then copy the output file (dump) to your home directory:

cp /proc/metldrpwn/dump /home/username/ (there is a space between /dump and /home/username/) Since you just used sudo, you shouldn't have any problem with permissions. If you do, use sudo cp.

Note: If petitboot stalls going down (to load linux), unplug your usb items. Please no controller plugged into usb port. Most keyboards are ok plugged in, some aren't. Linux doesn't need the keyboard plugged in to boot. It's okay to unplug it after making your boot selection in petitboot. I select otheros. Plug it back in after linux boots. No you don't need to be on 3.50. This is not a tutorial! I don't know how to do the conversion to dex, just the linux step.

Finally, HERE is a brief guide by Sony PlayStation 3 hacker evilsperm which uses the PS3Tools GUI Edition v2.6 with PS3 CEX to DEX support, HERE is a Pawnmetldr Using Red Ribbon guide by technodon and HERE is another PS3 DEX (Test - Debug) Conversion Method Step by Step tutorial from ing_pereira for those interested.

Also below is a related guide (via pastie.org/4262855) by bleh as follows:

Part-1 Installing Petitboot

  • Prepared files you might/will need: [Register or Login to view links]
  • Extract the files and copy them into root of your USB drive. I did not include metldr but you can get it here: (ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip)
  • Every *pkg should beep if not repeat - only reboot.pkg will not beep.

1. Install CFW OTHEROS++ from here: gitbrew.org/~glevand/ps3/cfw/ (I picked eight size)
2. When installation is finished, reboot into Recovery Mode and choose "Restore PS3 System"
3. Run setup_flash_for_otheros.pkg
4. Reboot your PS3 (Manual reboot)
5. Store dtbImage.ps3.bin on USB drive, plug it in and run install_otheros.pkg
6. Run boot_otheros.pkg
7. Run reboot.pkg (use the package, not manual reboot!)
8. You should be in petitboot now.
9. Exit to shell
10. cd /tmp/petitboot/mnt/sda1/
./create_hdd_region.sh
11. Reboot your PS3 and run reboot.pkg again.

If you have any problems with any steps above contact me.

Part-2 Installing Debian (Auto) requires INTERNET CONNECTION.

1. boot into petitboot
2. exit to shell
3. cd /tmp/petitboot/mnt/sda1/
sh debian-installer.sh
4. select no at partition the installer will do it for you.
6. once install is done boot into petitboot and select the first option.
7. tasksel install standard
startx

If you have any problems with any steps above contact me.

Part-3 metldrpwn

1. dump your nor in GameOS using this tool: [Register or Login to view links] (use memdump_0.01-FINAL.gnpdrm.pkg)
2. now you will need to unpack your nor, use norunpack
3. open your unpacked nor folder, copy the "metldr" from "asecure_loader" folder into "metldrpwn" folder.
4. copy "metldrpwn" folder to /home/yourusername
5. start terminal
6 cd metldrpwn
make
sudo ./run.sh
cp /proc/metldrpwn/dump /home/yourusername/

7. open "dump" in hex editor
8. copy the bytes 0x00-0x0f
9. use your hex editors search function and paste the bytes (0x00-0x0f)
10. your keys will be at 0x0000C7xx (i had different offset in 2 dumps, so use search)
11. copy your keys into a new file and save as eid_root_key.bin & rename your nor dump to "CEXFLASH.bin"
12. open "PS3Tools v2.6" run cex to dex (it will error if the keys are wrong.. so nothing to worry about)
13. copy the DEXFLASH.bin to root of your USB drive.

Part-4 write dexnor

1. boot into petitboot

2. cd /tmp/petitboot/mnt/sda1/
dd if=DEXFLASH.bin of=/dev/ps3nflasha bs=1024
reboot

Go into recovery mode and install dex fw. If you have any problems with any steps above contact me. Have fun with your DEX.. bleh

Note: you have to use a different debian-installer.sh for nand, link: nand debian installer: [Register or Login to view links]




Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 618 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

Night Hawk's Avatar
#8 - Night Hawk - 107w ago
I love how many devs whine that it destroyed the ps3's hacking future. Please cut the bs, everybody knows that you kept it to yourself in order to enjoy the high fw privileges. If you were going to hack your way through the l0 and the keys you would have done it a long time ago... Higher versions only have more layers of protection.

djpelle's Avatar
#7 - djpelle - 107w ago
By releasing this method Sony now knows how to fix it for the upcoming DEX FW. That was not without a reason why devs not made public this method!!! For devs with converted consoles it will be a massive hit in the face in the future!!!

tiefputin1's Avatar
#6 - tiefputin1 - 107w ago
AnoRelease what was the ID on your console before you changed it to 0x82 (Debug Target ID) ?

PS3 News's Avatar
#5 - PS3 News - 107w ago
Cheers for sharing this AnoRelease, I have now promoted the news to the main page as well.

I'm sure many PlayStation 3 developers will make good use of it, although I bet the passes included in the new PS3 SDKs (which CJPC mentioned they used to have in the 1.00 days) to access SP-INT will be watermarked per developer studio similar to the low level hardware docs that aren't included in most of the public leaks.

plangston's Avatar
#4 - plangston - 107w ago
technodon, have a look here mate from Rnd: wiki.gitbrew.org/wikibrew/Metldrpwn


Metldrpwn

Dear all,

Many of you may have heard about Metldrpwn which allows to obtain Perconsole Key set.

I bet some of you have not gone for it because of many things to install and do, like linux and etc.

Well, since now, you won't have to do all that, the only thing you will need to have/install is Otheros (Petitboot) and that's it, the image of the FULL LINUX distro with glevand's kernel patches and all is in this tutorial.

So, let me tell what you have to do in order to pwn your metldr and get you perconsole keys faster:

1. Install Petitboot

Only these steps from the orginial glevand's tutorial are needed:

1. Install my latest CFW (gitbrew.org/~glevand/ps3/cfw/)
2. When installation is finished, reboot in Recovery Mode (not the Backup/Restore in XMB) and choose "Restore PS3 System"
3. Now your GameOS should use only the half of your HDD (Currently working on a better approach)
4. Run setup_flash_for_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/setup_flash_for_otheros.pkg - for all PS3 models)
5. Reboot (It's important to shut down and turn on your PS3)
6. Store dtbImage.ps3.bin (gitbrew.org/~glevand/ps3/petitboot/dtbImage.ps3.bin) on USB drive, plug it in and run install_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/install_otheros.pkg - NAND owners should use dtbImage.ps3.bin.minimal, rename it to dtbImage.ps3.bin). Try different USB ports if you don't get any beeps.
7. Run boot_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/boot_otheros.pkg)
8. Run reboot.pkg (gitbrew.org/~glevand/ps3/pkgs/reboot.pkg - use the package, not manually reboot!)
9. You should be in petitboot now.

3.15 stock firmware (OFW) users:

Put petitboot on a memory stick


2. Boot Linux

1. Download my distro of Linux (gitbrew.org/~rnd/Linux-2.6.39-Rnd.iso)
2. Unpack in the root of your USB stick/or burn the image to a DVD
3. Plug in your USB/Insert the disc in your PS3 and you should see 2 different boot options, boot the first one

Login details (there are 2 of them, ps3 and root):

Username: root
Password: root

Username: ps3
Password: ps3

If you need to mount a usb stick, I made a dir for that /dev/usb

Here is the mount command:


So now you can access your USB by going here /dev/usb/

3. Metldrpwn part:

Step by Step instuctions

Precompiled metldrpwn : Here (ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip)

you can do this over ssh or on console.

Note: don't forget to provide EID0 and RL_FOR_PROGRAM.img if you do manually, instead of the run.sh file where they are commented out

1. ssh into the ps3
2. download the files:


3. untar the files:


4. enter the directory and compile:


5. run the following commands now:


6. there now you have a dump check it out:



7. now copy the dump somewhere or youll lose it:


now you have a copy in your home directory for safe keeping, congrats you've completed about < 10 mins of actual work.

there you go keys are in 0x00 to 0x20 (first 3 lines)

So now you get code execution on metldr at the best time possible because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too. (Although they are hardcoded in metldr's code anyway)

example:


the first 2 lines are erk the 3rd is riv and together they are eid0 root key

btw this does not mean you get 3.60 keys etc or newer games but it will help you get some nifty things to do some new stuff.... also please be advised that if you are on 3.60+ you will need to downgrade with a flasher to do this, also if you have a unit that shipped from the factory with the metldr.2 (new metldr) your sol at the moment theres also a nifty program on the dev tools page (ps3devwiki.com/wiki/Dev_Tools) to turn your hex into key its called hex2key:

hexkey2bin.c: [Register or Login to view links]
hex2key.c edit: [Register or Login to view links]

If you have any further questions don't hesitate to contact me,

Sincerely,

Rnd
btw, thank you AnoRelease!! a BIG thanks to all devs behind the scenes that have spent countless hours piecing together this puzzle!

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News