Following up on the PS3 CEX (Retail) to DEX (Debug) Conversion Method from earlier this week, today PlayStation 3 developer andbey0nd has released an easy C2D CEX to DEX Flash Patcher conversion tool for Windows (currently only works with the 16 MB NOR) alongside the PS3 LibEEID (library related to EID0) source code below.
To quote: andbey0nd has released (pastie.org/4243807) another tool to us this morning. c2d is a Cex 2 Dex Flash Patcher. Currently it only works with 16mb NOR. Slowly but surely the scene seems to be coming back to life. 1 hack at a time... Thanks andbey0nd and keep up the awesome work!
[andbey0nd] works for 16MB flash dumps (NOR) only
[andbey0nd] also if for some reason a WRONG EID key is provided - the program will abort and will not generate invalid DEX flash.. so no chance for bricking
[andbey0nd] if an output DEX flash file is created - it means that it is valid
c2d.exe (win32 app)
OpenSSL 1.0.1 installed in c:\openssl or d:\openssl (http://slproweb.com/download/Win32OpenSSL_Light-1_0_1c.exe)
EID root key (per_console_key) obtained with metldrpwn
CEX (NOR) flash dump
Extract c2d.rar in a local folder (c:\c2d or d:\c2d)
From naehrwert: oh look what a little bird has brought us: libeeid crypto library <3 also if someone wants to get a set of cprm device keys, he should look at eid3_decrypt_buffer
messing with eid4 on your box will destroy your bd-drive pairing, so I wouldn't do that.
PS3 LibEEID Source Code
A >>PS3D<< original: libeeid (C) 2011-2012 ps3dev.net
If you can't deliver the complete stuff, you should just keep your mouth shut and not spread the EID0 algo out. This lib was meant to stay private because we didn't like the idea of every 1337 kiddo having a DEX console and annoying developers with questions about running pirated games on it. Now we decided to release it all into public although we won't provide any support or do any further work on it.
A lot of dedication, knowledge and time has gone into reversing ALL of the SPU binaries to collect the information in this library (that's the fun part). This is as far as you will get with firmware versions <= 3.56.
Btw.: have fun reversing the SPU modules to find the required keys...
Special thanks to the people there: gitorious.ps3dev.net/+ps3dev-net
After getting the tip on how to build the OMAC cex/dex hash with FileHash and passing me the "batch" files to AES EN/Decrypt, then you need to check/read it a couple of times to fit the puzzle together.. I recommend that if you perform this, do not rely on the 1click tools at first; c2d works perfectly and makes a valid dexdump, you can use it to compare it with the one you did by hand, they MUST be identical, at least do it a couple of times so you'll understand the process.
I used run.sh like this without providing eid0 as it's commented out in the script and not required, only "metldr" from original cexdump
cd into mtldrpwn folder
outputs correct root_key
To be on the safe side, pwn metldr a couple of times to see if you get matching ones; some are having a weird "dump" or must reboot to get a correct "dump". You need to use either a debian/ubuntu install or live disc linux2.6.39_rnd.ISO / or new prebuilt petitboot image / or rc5 red ribbon a little modified.. options enough.
From dlbogdan: I've dumped NOR (and eEID) from petitboot.. for linux n00bs. It doesn't work until you remount your usb drive as RW.
# mount -n -o remount,rw /dev/sda1 /tmp/petitboot/mnt/sda1
From badhabit: I can confirm the cex2dex patcher method works.
used memdump to dump the Nor (thx an0n, you tha man !!)
HW Flasher output is exactly the same.. tried it
used Flowrebuilder to unpack the Nor Dump (btw. Flowrebuilder can also unpack 4.11 dumps where norunpack fails..)
had to recompile the metldrpwn as the compiled one from glevant didn't work for me ..
used petitboot and red ribbon for the root key
used cex2dex patcher (thx andbey0nd, acab, zadow) for dex.bin
flashed back via hw flasher / also tried petitboot, works good as well
So now I am on 3.55 dex; gonna try E3 cex/dex dualboot.. has anyone an idea if I need to patch the dex FW "no check" for downgraded consoles ?? kudos to zecoxao and the others for helping all the people out !! that's the spirit dudes !!
From butnut: I am on 3.74 debug and playing a backup of my FF XIII-2 from a sd card formatted as bd-emu. I can go into the casino and play the games and bet on chocobo's and what not. I used psdevs gui tools to unpack the 1.06 update and then when I was still on 3.55 debug I used multiman to transfer the update to my dev/hdd0/game. then I went into recovery mode and chose rebuild database, when the system rebooted I updated to 3.74. None of my homebrew works now but I can downgrade later.
Oh yeah here is how to get those keys you want... Major thanks to everybody who helped me, without you I would still be sitting here with my thumb up my butt.
Dump your flash name it cexnor.bin
Use flow rebuilder to get metldr file
Use XMB EIDX Dumper to get EID0
Install petitboot and red ribbon rc5
Note: Do not type any words with quotes around them.
that command will create a symlink (shortcut) to the header files/module.symvers, the link will be called build. If you already have a build link (in /lib/modules/directory with kernel name/) then you prolly don't need those header files or to create the link.
3. Compile the exploit (not as root):
cd metldr838exploit && make
Depending on your compiler settings you may get these two warnings(it's ok): warning label 'bad5' defined but not used or warning '/*' within comment.
4. Copy the other files you will need for running the exploit to the exploit directory:
For example, someone on rebug 3.41.3 other os with ss patches:
metldr (extracted from a flash dump of the nor, use yours)
from ofw 3.41v2 (using fail tools or ps3tools gui):
isoldr, spp-verifier.self, default.spp
(You may want to rename the metldr file that is already in the exploit directory so it won't be overwritten.)
5. run the exploit at the commandline:
It will ask for your password (the one for your username, not the root password). Using sudo will give you the elevated privileges necessary to run the exploit, ./ ensures the script in your directory will be the command that the shell runs (if it doesn't execute, then you might need to set the permission with: chmod u+x run.sh).
A bunch of messages scroll by, then copy the output file (dump) to your home directory:
cp /proc/metldrpwn/dump /home/username/ (there is a space between /dump and /home/username/) Since you just used sudo, you shouldn't have any problem with permissions. If you do, use sudo cp.
Note: If petitboot stalls going down (to load linux), unplug your usb items. Please no controller plugged into usb port. Most keyboards are ok plugged in, some aren't. Linux doesn't need the keyboard plugged in to boot. It's okay to unplug it after making your boot selection in petitboot. I select otheros. Plug it back in after linux boots. No you don't need to be on 3.50. This is not a tutorial! I don't know how to do the conversion to dex, just the linux step.
Finally, HERE is a brief guide by Sony PlayStation 3 hacker evilsperm which uses the PS3Tools GUI Edition v2.6 with PS3 CEX to DEX support, HERE is a Pawnmetldr Using Red Ribbon guide by technodon and HERE is another PS3 DEX (Test - Debug) Conversion Method Step by Step tutorial from ing_pereira for those interested.
Also below is a related guide (via pastie.org/4262855) by bleh as follows:
Part-1 Installing Petitboot
Prepared files you might/will need: http://www.mediafire.com/?ny2tj269h1tjrf3
Extract the files and copy them into root of your USB drive. I did not include metldr but you can get it here: (ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip)
Every *pkg should beep if not repeat - only reboot.pkg will not beep.
1. Install CFW OTHEROS++ from here: gitbrew.org/~glevand/ps3/cfw/ (I picked eight size)
2. When installation is finished, reboot into Recovery Mode and choose "Restore PS3 System"
3. Run setup_flash_for_otheros.pkg
4. Reboot your PS3 (Manual reboot)
5. Store dtbImage.ps3.bin on USB drive, plug it in and run install_otheros.pkg
6. Run boot_otheros.pkg
7. Run reboot.pkg (use the package, not manual reboot!)
8. You should be in petitboot now.
9. Exit to shell
10. cd /tmp/petitboot/mnt/sda1/
11. Reboot your PS3 and run reboot.pkg again.
If you have any problems with any steps above contact me.
Part-2 Installing Debian (Auto) requires INTERNET CONNECTION.
1. boot into petitboot
2. exit to shell
3. cd /tmp/petitboot/mnt/sda1/
4. select no at partition the installer will do it for you.
6. once install is done boot into petitboot and select the first option.
7. tasksel install standard
If you have any problems with any steps above contact me.
1. dump your nor in GameOS using this tool: http://www.mediafire.com/?vwe5oi7em54dwk9 (use memdump_0.01-FINAL.gnpdrm.pkg)
2. now you will need to unpack your nor, use norunpack
3. open your unpacked nor folder, copy the "metldr" from "asecure_loader" folder into "metldrpwn" folder.
4. copy "metldrpwn" folder to /home/yourusername
5. start terminal
6. cd metldrpwn
cp /proc/metldrpwn/dump /home/yourusername/
7. open "dump" in hex editor
8. copy the bytes 0x00-0x0f
9. use your hex editors search function and paste the bytes (0x00-0x0f)
10. your keys will be at 0x0000C7xx (i had different offset in 2 dumps, so use search)
11. copy your keys into a new file and save as eid_root_key.bin & rename your nor dump to "CEXFLASH.bin"
12. open "PS3Tools v2.6" run cex to dex (it will error if the keys are wrong.. so nothing to worry about)
13. copy the DEXFLASH.bin to root of your USB drive.
Part-4 write dexnor
1. boot into petitboot
2. cd /tmp/petitboot/mnt/sda1/
dd if=DEXFLASH.bin of=/dev/ps3nflasha bs=1024
Go into recovery mode and install dex fw. If you have any problems with any steps above contact me. Have fun with your DEX.. bleh
Note: you have to use a different debian-installer.sh for nand, link: nand debian installer: http://dl.dropbox.com/u/56336/PS3Linux/nikitis-PS3-Debian-Installer.zip
Cheers for sharing this AnoRelease, I have now promoted the news to the main page as well.
I'm sure many PlayStation 3 developers will make good use of it, although I bet the passes included in the new PS3 SDKs (which CJPC mentioned they used to have in the 1.00 days) to access SP-INT will be watermarked per developer studio similar to the low level hardware docs that aren't included in most of the public leaks.
Following up on the PS3 CEX (Retail) to DEX (Debug) console IDPS updates, DexL0ve release and MultiMAN DEX Mod comes the long-awaited "holy grail" for PlayStation 3 developers, my complete PS3 CEX to DEX conversion method!
Hi Scene, Sorry for my bad English. I want to give you info you please make public. I want be anonymous. I only can say I'm from Hong Kong. I have way to get a DEX, it works and is complete nothing missing.
Manual to get a DEX (here is everything you needed) and you have a full working DEX:
EID0 Key Seed and EID0 Section Key Seed are hardcoded in the isoldr
EID0 Key Seed
AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C
37 A6 BE 3F EF 82 C7 9F 3B A5 73 3F C3 5A 69 0B
08 B3 58 F9 70 FA 16 A3 D2 FF E2 29 9E 84 1E E4
D3 DB 0E 0C 9B AE B5 1B C7 DF F1 04 67 47 2F 85
EID0 Section Key Seed
2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF
If you dump the isoldr key (EID Root Key) with metldrpwn, you get the EID Root Key from 0x00 to 0x1F and the EID Root IV from 0x20 to 0x2F
Use AES Encrypt to Encrypt EID0 Key Seed as data with EID Root Key as Key and EID Root IV as IV. The result contains from 0x10 to 0x20 the EID0IV and contains from 0x20 to 0x40 the EID0Key
Use AES Encrypt to Encrypt the EID0 Section Key Seed as data with the EID0Key as Key and no IV. The result will be the first 0x10 bytes of the EID0 First Section Key
The second 0x10 bytes of the EID0 First Section Key are only 0x00 bytes
EID0 is located in NAND at 0x80870 and in NOR at 0x2f070, the first 0x20 bytes of EID0 are not encrypted, at the fifth byte of EID0 (NOR example 0x2f075) your target ID is located change it to 0x82 (Debug Target ID)
Use AES Decrypt to decrypt the first EID0 Section (NOR example 0x2f090). The size of the first Section is 0xC0 bytes. Use the EID0 First Section Key as Key and the EID0 IV as IV
Build the CMAC (OMAC1) hash of the decrypted EID0 Section from 0x00 to 0xA8 with EID0 First Section Key as Key. The calculated hash has to be the same as the bytes in the decrypted EID0 Section from 0xA8 to 0xB8.
At 0x5 of the decrypted EID0 Section is your target id again change it to 0x82 again, 0xB8-0xC0 of the decrypted EID0 Section should be just 0x00 bytes
After you changed the target ID of the decrypted EID0 Section, create the CMAC hash of the new decrypted EID0 Section and write the new hash to the decrypted EID0 Section
Use AES Encrypt to encrypt the EID0 Section and write it back to the NOR (NAND).
Now install DEX Firmware with the recovery menu.
HINT: Got Petitboot on emer init go to boot gameos and do emer init again to get to the recovery menu.
You can't login to the PSN because IDPS is obviously not valid from now on.
THIS CAN BRICK YOUR CONSOLE IF NOT DONE CORRECTLY.
有志者，事竟成 “Where a will, there is way”
一不做二不休 “You start something, you have to finish it”
Note: You don't need the second 0x00 eid0 first section key of all zeros. Also from an anonymous source (via bit.ly/M2Oz4Q and lnx.lu/5yD and multiupload.co.uk/TAG2B6G8ZL and multiupload.nl/TAG2B6G8ZL) comes CEX-DEX(2).7z and from the included ReadMe file, to quote:
PS: key is not static, use your own
input is not static, use your own
From deank: It just generates the EID section that you have to overwrite in your flash - that was the whole point of all this. You have to use your data and get the region to rewrite on your own console to convert your retail PS3 (CEX) to debug/test unit (DEX). This modification to the EID allows you to install the Debug firmware and get a DEX.
From zecoxao: The problem with this is it's easily patchable... Sony will probably patch it on the next OFW... Original retail dump, flash back retail firmware, and that's it. This is basically switching back and forth from CEX to DEX by flashing DEX dump and DEX firmware and from DEX to CEX by flashing CEX dump and CEX firmware.
You can use flasher, linux or jaicrab's preloader (basically anything that flashes the dump)
Jaicrab's Preloader only works correctly on NOR's, you'll have problems with NAND's, or so I've tested (thanks to a friend of mine ) in case you need to compare:
Put these two files on the root of a fat32 formatted stick.
Rename your DEX dump to rflash.bin
Execute the self with a self loader such as MultiMAN (use mmOS to go to the stick and load the self there)
Wait 35 minutes for the console to stop blinking and shutdown with steady red light (THIS ONLY WORKS ON NORS. YOU HAVE BEEN WARNED!)
Confirm if it boots (alternatively, if you have QA, DEX doesn't have QA when you do the button combo, so you can test it)
flash 3.55 DEX firmware by recovery
PS: If I'm not dead by the next 24 hours, you know where to find me
Note: Don't flash this, this belongs to my console, so I advise you not to flash, this is just for verifying only.
From Squarepusher2: You'll have to go digging for debug eboots though if you intend on playing anything that is not a retail game on your debug PS3. And those are not easily found. I don't think end-users will get much use out of it - for devs it's a totally different story though.
Below is also a video from lordv demonstrating Battlefield 3 running on the DEX BD Emulator via USB, who states that games work fine from the BD EMU or BD-R disc (using PS3Gen) without a decrypted/Debug EBOOT. However, PS3 games won't run from DVDs in the newer DEX Firmware.
A COD: MW3 on DEX PS3 (3.55 CEX to 4.11 DEX - BD Emulator HDD) video by sguerrini97 is below as well:
It also appears as though the newer PS3 SDKs will contain the necessary development tools and login information to access Sony's developer network (NP / SP-INT) as well:
The NP communication passphrase and signature will be provided within the Server Management Tools.
Details: NP communication ID, passphrase, and signature, required for certain PSN communication services, had been provided on the DevNet thread upon the completion of the requested PlayStation Network service configurations.
From 2012/07/05 the NP Communication Passphrase and Signature will be provided within the Server Management Tools.
This change affects all the communication IDs issued after 2012/07/05. It will not be possible to access the NP communication passphrase or signature in the support issued after that date.
Only those users who have initially requested the NP communication services and was provided the files on DevNet thread will have access to the file on the request threads.
Note that the NP communication passphrase and signature are required with NP Matching 2 and Title Small Storage.
From PlayStation 3: I have found a way to access SP-INT (or developer) PSN. Those who remember, this also worked a year ago until Sony had fixed it. It is now working again for existing users. Making a new account will not work, but existing users who have made SP-INT accounts last year when it had worked can sign in (for now).
Here is how to do it:
1) Install Rebug 3.55.2 CFW. Also install the latest update package (0.7)
2) Set it to Rebug mode in Rebug Selector. Set the Rebug Menu to #2.
3) Install SEN Enabler 4.21 to spoof the firmware to 4.21.
4) Go to Debug Settings and change NP environment to 'SP-INT'.
5) Reboot PS3.
6) The PS3 will attempt to sign in to your NP (retail) PSN account and it will give an error because your NP PSN will not work on developers PSN. Now you must sign in to your SP-INT account that you made last year. Making an new account will not work.
If anyone can somehow find a way to make an new account on SP-INT, please let us know. Thank you!
From PlayStation 3 developer naehrwert (via nwert.wordpress.com/2012/07/11/eeid-cryptography/) to quote:
When metldr is encrypted at factory, a special keyset is set in the binary before encryption. Later when an isolated loader is loaded by metldr, it will copy the keyset to LS offset 0x00000. It consists of eid_root_key and eid_root_iv. To avoid having to use the same key for all eEID parts, several subkeys are generated from special data called individual information seed.
These seeds are stored in the metadata header of isolated modules loaded by isoldr. When isoldr will load a module, it will call a subroutine that encrypts each seed chunk (0x40 bytes) using eid_root_key and eid_root_iv. Then the so-called individual infos are passed in registers r7 to r22 (= 0x100 bytes in total) to the loaded module where they are used further.
Usually isolated modules have a seed section of 0x100 bytes but all of them (except sb_iso_spu_module) have all zeroes but the first 0x40 bytes chunk. You can, for example, find the recently published EID0 seed in the metadata section of aim_spu_module. Appliance info manager is used to get e.g. the target ID or the PSID from EID0. This explains why the seed can also be found in isoldr directly, since that one is checking EID0 too.
As you can probably think, a fair amount of reversing time and knowledge has gone into finding this, so stop calling us *swearwords* for not releasing information that could potentially lead to more piracy, because we think that this would do more harm to the “scene” than just keeping some information in private (for now).
Also I can only encourage everyone that thinks about us this way or is greedy demanding for developers/reverse engineers to release their stuff, to fire up isoldr in IDA or disassemble it with objdump and try to reverse all this from start to end. We’ll see, who is able to pull this through on his own...
From evilsperm (via ps3crunch.net/forum/threads/4023-Method?p=45195#post45195): Here is some code if you all want to flash from petitboot: This is to R/W entire NOR or just the eEID section. Make sure to take a valid dump from gameOS as well so you can match both dumps also if you have a hardware flasher I highly advise you do, check that dump against the soft dumps to make 100% sure
How to W/R NOR from petitboot:
READ NOR : dd if=/dev/ps3nflasha of=/tmp/petitboot/mnt/sda1/cexnor.bin bs=1024
I'm not going to bother with the NAND because its a pain in the balls (and thats if you can even get it to work)
/tmp/petitboot/mnt/sda1/ is a flash drive formatted to ext4 in petitboot to make life easy when moving dumps around. You can always scp your files across also.
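The advice repeated in the posts above (dump more than once, and match software dumps against each other and against a hardware-flasher dump) can be scripted. This is an added example, not code from evilsperm or any tool named on the page; the file names are placeholders and the default size is the 16 MB NOR the page describes.

```shell
#!/bin/sh
# Added example: refuse to trust a flash dump unless repeated dumps agree.
# Assumptions: sha256sum, wc and cmp are available; file names are placeholders.

# Expected dump size in bytes. 16 MiB matches the NOR described on this page;
# override NOR_SIZE for other media.
NOR_SIZE=${NOR_SIZE:-16777216}

# Print only the hex SHA-256 digest of a file.
dump_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_dumps FILE1 FILE2 [FILE...]
# Returns 0 only if every file exists, has the expected size, and all files
# are byte-identical. Returns 1 on a mismatch, 2 on a usage/IO problem.
verify_dumps() {
    [ "$#" -ge 2 ] || { echo "need at least two dumps to compare" >&2; return 2; }
    ref=$1
    ref_hash=
    for f in "$@"; do
        [ -f "$f" ] || { echo "$f: missing" >&2; return 2; }

        # A short or oversized file means a truncated read or the wrong device.
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -ne "$NOR_SIZE" ]; then
            echo "$f: size $size, expected $NOR_SIZE" >&2
            return 1
        fi

        h=$(dump_hash "$f")
        if [ -z "$ref_hash" ]; then
            ref_hash=$h
        elif [ "$h" != "$ref_hash" ]; then
            # cmp names the first differing byte, which shows whether the
            # disagreement is a single flipped region or a shifted read.
            echo "$f differs from $ref: $(cmp "$ref" "$f" 2>&1 | head -n 1)" >&2
            return 1
        fi
    done
    echo "OK: $# dumps match, sha256=$ref_hash"
}

# Typical use (placeholder names):
#   verify_dumps cexnor_1.bin cexnor_2.bin cexnor_hwflasher.bin || echo "do not use these dumps"
```

Keep the printed digest with the backup of the original dump so the file can be re-verified before it is ever written back.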
From badhabit: For the BD playback recovery on DEX you can also use the "drivefix" lv2diag.. it can be found in the original CEX-DEX leak by youknow..
I uploaded it here if needed: http://www.share-online.biz/dl/NWHS097MF2ZA
Manual CEXDEX converted summary - what a thrill ride hehe... massive settings there... looking good haha:
What worked for me, thx everyone!!
put flashdex.bin on USB stick
chmod 777 /dev/sda
mount /dev/sda /tmp/petitboot/mnt/sda
type cd tmp/petitboot/mnt/sda
dd if=flashdex.bin of=/dev/ps3nflasha bs=1024
ENTER, blinking - for awhile... fck it broke... finally some output (in-out) and back to the prompt patience is a must
type ps3-flash-util -g to set/boot GameOS ( = emer init? not sure)
Boot GameOS option in Petitboot
Boots normal into XMB feew lol...
QA combo not working as it should
Used Service Mode for final install using cex2dexkit files
replaced the 3.30 PUP with 355DEX alongside "lv2diag.self" from "setup" folder and put on USB stick
Put PS3 into FSM using dongle (pull cable out-dongle in-cable in)
Shutdown - Replaced dongle with USB stick ( setup Lv2Diag.self/PS3UPDAT.PUP
Boot Ps3 - Ps3 shutsdown
Replaced files with step3 "drivefix" (linked above) files on USB stick
Put USB into right slot
On screen: Drive Init / Drive Init Fail - It needs a Original Blu-Ray movie like Remarry? and/or the 3.30 PUP to work? Please confirm anyone?
Pull power cable
Replaced USB files with "finalize" folder Lv2Diag.self file
Put into right slot and boot - Ps3 shuts down
PS3 boots a normal into DEX
All working except for blu-ray/dvd's = not working obvious... GAMES works fine, shame on me for not having one, need to rent one.. can someone verify it needs blu-ray and/or .30 pup thx
From svenmullet: Use mathieulh's leaked tools to get the required info, then use the new leaked algos to change it to DEX, flash back using Objsuites/FSM. You don't need a flasher or linux to do this. And don't let anyone tell you different!
Remember CrashSerious released a tool to decrypt/encrypt SIG files? Reverse what those SIG files in the math leak are doing.
Also, I recall theorizing that the serial number (yes, that sticker on the console) has something to do with PCK. All we need now is some brainiac to figure it all out (and release the info).
Actually to play PS3 3.60+ backups all you need to do is install an update for the game. Since DEX can't install retail PKG you have to downgrade to 3.55 DEX with peek and poke install the update and re upgrade.
Also ps3gen.exe will happily create image with the retail EBOOT, it just won't run because retail EBOOTs have the "run only from authenticated bd" capability flag; having installed an update for the game bypasses it.
From Lordv (via ps3devwiki.com/wiki/User_talk:Lordv) to quote:
Instead of having an edit war could we discuss it on irc? I can prove that what you write here are (un?)intentional lies.
1) What do you mean retail functionality? You can restore dvd playback and ps store to name a few by some sprx copying and xml editing. Just unpack a dex fw for 3.55 and a cex fw for 3.55 and note the differences in sprx. Then just add the correct xml keys. For example for ps store add the #seg_commerce_new key to category_psn.xml.
Answer from Mathieulh: You can't play blurays/dvds on 3.60+ DEX because you do not have the keys to craft a custom DEX firmware and the bd/dvd player app will check your console's idps target and see 0x82 and will fail one (of too many) check(s) and will issue an error code and not proceed. (not to mention 0x82 leads to an invalid region) I don't know/care about ps store but as far as I know, the DEX vsh.self will not display it
2) I did, however i can't prove it. Should you cex2dex and have latest dex fw you too will be able to sign in to PSN.
Answer from Mathieulh: You can't because your idps is NOT in sony's database, as such it will not pass PSN authentication, there is nothing you can do to fake this, you would need to use a real debug idps, end of story.
3) Can't comment on that one but would very much like a statement from whoever wrote it.
Answer from Mathieulh: This is obviously not true, however you CAN brick/ylod if you rebuild your EID wrong (the likeliness is high)
4) Do you want a video of it? Use ps3 generator tools to create a master disc or a usb image. Ever wondered what that item labeled Blu-ray Disc Access in Debug Settings did? Now you can find out.
Answer from Mathieulh: The retail selfs are signed with special capabilities that make them only able to run from original discs (Masterdiscs != Original discs, lv2 can tell the difference) That's why you need decrypted selfs/fself to run games from masterdiscs or bdemu images, forget about running your "backups" (or should I say ,warez) Because ps3gen creates masterdiscs does not mean you can magically warez on the box. You can however play originals ! (I strongly advise you to start BUYING your games, (just saying))
5) Can't comment on that one.
Answer from Mathieulh: I can comment that most of your so called affirmations are a bunch of BS. (in fact I just debunked most of them, feel free to try though and see for yourself.)
There's really no way to know if AnoRelease is really the source or a leaker, as other devs in the circle may not know of or agree with his wishes to finally release it which may be why it was done anonymously.
If he is a leaker though, it would be the same as anything that gets leaked from the Rebug PSN passphrase for CFW users to the old R:FoM exploits, it benefits some for a period of time until Sony takes action and the next hole surfaces... although those cashing in on dongles may never admit it, it's called progress and is great for real PS3 scene developers not on the Max Louarn / Paul Owen payroll.