73w ago - Following up on the PS3 CEX (Retail) to DEX (Debug) Conversion Method from earlier this week, today PlayStation 3 developer andbey0nd has released an easy C2D CEX to DEX Flash Patcher conversion tool for Windows (currently only works with the 16mb NOR) alongside PS3 LibEEID (library related to EID0) source code below.
To quote: andbey0nd has released (pastie.org/4243807) another tool to us this morning. c2d is a Cex 2 Dex Flash Patcher. Currently it only works with 16mb NOR. Slowly but surely the scene seems to be coming back to life. 1 hack at time... Thanks andbey0nd and keep up the awesome work!
[andbey0nd] works for 16MB flash dumps (NOR) only
[andbey0nd] also if for some reason a WRONG EID key is provided - the program will abort and will not generate invalid DEX flash.. so no chance for bricking
[andbey0nd] if an output DEX flash file is created - it means that it is valid
c2d.exe (win32 app)
OpenSSL 1.0.1 installed in c:\openssl or d:\openssl (http://slproweb.com/download/Win32OpenSSL_Light-1_0_1c.exe)
EID root key (per_console_key) obtained with metldrpwn
CEX (NOR) flash dump
Extract c2d.rar in a local folder (c:\c2d or d:\c2d)
From naehrwert: oh look what a little bird has brought us: libeeid crypto library <3 also if someone want's to get a set of cprm device keys, he should look at eid3_decrypt_buffer
messing with eid4 on your box will destroy your bd-drive pairing, so I wouldn't do that.
PS3 LibEEID Source Code
A >>PS3D<< original: libeeid (C) 2011-2012 ps3dev.net
If you can't deliver the complete stuff, you should just keep your mouth shut and not spread the EID0 algo out. This lib was meant to stay private because we didn't like the idea of every 1337 kiddo having a DEX console and annoying developers with questions about running pirated games on it. Now we decided to release it all into public although we won't provide any support or do any further work on it.
A lot of dedication, knowledge and time has gone into reversing ALL of the SPU binaries to collect the informations in this library (that's the fun part). This is as far as you will get with firmware versions <= 3.56.
Btw.: have fun reversing the SPU modules to find the required keys...
Special thanks to the people there: gitorious.ps3dev.net/+ps3dev-net
After getting the tip on howto build OMAC cex/dex hash with FileHash and passing me the "batch" files to AES EN/Decrypt, then you need to check/read it a couple time to fit the puzzle together.. i recommended if you perform this, do not to rely on the 1click tools at first, c2d works perfect and makes valid dexdump, you can use it to compare it with the one u did by hand, they MUST be identical, at least do it a couple times so you'll understand proccess.
I used run.sh like this without providing eid0 as it's commented out in the script and not required, only "metldr" from original cexdump
cd into mtldrpwn folder
outputs correct root_key
To be on the save side, pwn metldr couple times to see if you get matched ones, some are having weird "dump" or must reboot to get correct "dump" need to use either debian/ubuntu install or live disc linux2.6.39_rnd.ISO / or new prebuild petitboot image/or rc5 red ribbon a little modified.. options enough.
From dlbogdan: I've dumped NOR (and eEID) from petitboot.. for linux n00bs. It doesn't work until you remount your usb drive as RW.
# mount -n -o remount,rw /dev/sda1 /tmp/petitboot/mnt/sda1
From badhabit: I can confirm the cex2dex patcher method works.
used memdump to dump the Nor (thx an0n, you tha man !!)
HW Flasher output is exactly the same.. tried it
used Flowrebuilder to unpack the Nor Dump (btw. Flowrebuilder can also unpack 4.11 dumps where norunpack fails..)
had to recompile the metldrpwn as the compiled one from glevant didnt work for me ..
used petitboot and red ribbon for the root key
used cex2dex patcher (thx andbey0nd, acab, zadow) for dex.bin
flashed back via hw flasher / also tried petitboot works good aswell
So now i am on 3.55 dex ; gonna try E3 cex/dex dualboot.. has anyone an idea if i need to patch the dex FW "no check" for downngraded consoles ?? kudos to zecoxao and the others for helping all the people out !! that's the spirit dudes !!
From butnut: I am on 3.74 debug and playing a backup of my FF XIII-2 from a sd card formatted as bd-emu. I can go into the casino and play the games and bet on chocobo's and what not. I used psdevs gui tools to unpack the 1.06 update and then when I was still on 3.55 debug I used multiman to transfer the update to my dev/hdd0/game. then I went into recovery mode and chose rebuild database, when the system rebooted I updated to 3.74. None of my homebrew works now but I can downgrade later.
Oh yeah here is how to get those keys you want... Major thanks to everybody who helped me, without you I would still be sitting here with my thumb up my butt.
Dump your flash name it cexnor.bin
Use flow rebuilder to get metldr file
Use XMB EIDX Dumper to get EID0
Install petitboot and red ribbon rc5
Note: Do not type any words with quotes around them.
that command will create a symlink (shortcut) to the header files/module.symvers, the link will be called build. If you already have a build link (in /lib/modules/directory with kernel name/) then you prolly don't need those header files or to create the link.
3. Compile the exploit(not as root):
cd metldr838exploit && make
Depending on your compiler settings you may get these two warnings(it's ok): warning label 'bad5' defined but not used or warning '/*' within comment.
4. Copy the other files you will need for running the exploit to the exploit directory:
For example, someone on rebug 3.41.3 other os with ss patches:
metldr (extracted from a flash dump of the nor, use yours)
from ofw 3.41v2 (using fail tools or ps3tools gui):
isoldr, spp-verifier.self, defaut.spp
(You may want to rename the metldr file that is already in the exploit directory so it won't be overwritten.)
5. run the exploit at the commandline:
It will ask for your password (the one for your username, not the root password). Using sudo will give you the elevated privileges necessary to run the exploit, ./ insures the script in your directory will be the command that the shell runs (if it doesn't execute, then you might need to set the permission with: chmod u+x run.sh)
A bunch of messages scroll by, then copy the output file (dump) to your home directory:
cp /proc/metldrpwn/dump /home/username/ (there is a space between /dump and /home/username/) Since you just used sudo, you shouldn't have any problem with permissions. If you do, use sudo cp.
Note: If petitboot stalls going down (to load linux), unplug your usb items. Please no controller plugged into usb port. Most keyboards are ok plugged in, some aren't. Linux doesn't need the keyboard plugged in to boot. It's okay to unplug it after making your boot selection in petitboot. I select otheros. Plug it back in after linux boots. No you don't need to be on 3.50. This is not a tutorial! I don't know how to do the conversion to dex, just the linux step.
Finally, HERE is a brief guide by Sony PlayStation 3 hacker evilsperm which uses the PS3Tools GUI Edition v2.6 with PS3 CEX to DEX support, HERE is a Pawnmetldr Using Red Ribbon guide by technodon and HERE is another PS3 DEX (Test - Debug) Conversion Method Step by Step tutorial from ing_pereira for those interested.
Also below is a related guide (via pastie.org/4262855) by bleh as follows:
Part-1 Installing Petitboot
Prepared files you might/will need: http://www.mediafire.com/?ny2tj269h1tjrf3
Extract the files and copy them into root of your USB drive. I did not include metldr but you can get it here: (ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip)
Every *pkg should beep if not repeat - only reboot.pkg will not beep.
1. Install CFW OTHEROS++ from here: gitbrew.org/~glevand/ps3/cfw/ (I picked eight size)
2. When installation is finished, reboot into Recovery Mode and choose "Restore PS3 System"
3. Run setup_flash_for_otheros.pkg
4. Reboot your PS3 (Manual reboot)
5. Store dtbImage.ps3.bin on USB drive, plug it in and run install_otheros.pkg
6. Run boot_otheros.pkg
7. Run reboot.pkg (use the package, not manual reboot!)
8. You should be in petitboot now.
9. Exit to shell
10. cd /tmp/petitboot/mnt/sda1/
11. Reboot your PS3 and run reboot.pkg again.
If you have any problems with any steps above contact me.
Part-2 Installing Debian (Auto) requires INTERNET CONNECTION.
1. boot into petitboot
2. exit to shell
3. cd /tmp/petitboot/mnt/sda1/
4. select no at partition the installer will do it for you.
6. once install is done boot into petitboot and select the first option.
7. tasksel install standard
If you have any problems with any steps above contact me.
1. dump your nor in GameOS using this tool: http://www.mediafire.com/?vwe5oi7em54dwk9 (use memdump_0.01-FINAL.gnpdrm.pkg)
2. now you will need to unpack your nor, use norunpack
3. open your unpacked nor folder, copy the "metldr" from "asecure_loader" folder into "metldrpwn" folder.
4. copy "metldrpwn" folder to /home/yourusername
5. start terminal
6 cd metldrpwn
cp /proc/metldrpwn/dump /home/yourusername/
7. open "dump" in hex editor
8. copy the bytes 0x00-0x0f
9. use your hex editors search function and paste the bytes (0x00-0x0f)
10. your keys will be at 0x0000C7xx (i had different offset in 2 dumps, so use search)
11. copy your keys into a new file and save as eid_root_key.bin & rename your nor dump to "CEXFLASH.bin"
12. open "PS3Tools v2.6" run cex to dex (it will error if the keys are wrong.. so nothing to worry about)
13. copy the DEXFLASH.bin to root of your USB drive.
Part-4 write dexnor
1. boot into petitboot
2. cd /tmp/petitboot/mnt/sda1/
dd if=DEXFLASH.bin of=/dev/ps3nflasha bs=1024
Go into recovery mode and install dex fw. If you have any problems with any steps above contact me. Have fun with your DEX.. bleh
Note: you have to use a different debian-installer.sh for nand, link: nand debian installer: http://dl.dropbox.com/u/56336/PS3Linux/nikitis-PS3-Debian-Installer.zip
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
I have a question regarding my PS3 CEX to DEX console.
The console's Blu Ray drive died, so, many months ago, I converted to DEX. I believe I have xaxaxaaxa patched DEX FW (I'm sure I installed this). I converted from a CEX CFW as running games discless was a bit hit and miss. The DEX firmware has served me well, that is until games requiring 4.40 FW started to appear.
Would I be correct in thinking that games patched to run on firmware < 4.40 would not run on DEX, as any update PKG for the game would (potentially) necessitate 4.40 FW? Of course this would only be the case for the very latest games.
Is there any way I can run these new games on my console as it is now? Or should I try to convert back to CEX and keep my fingers crossed that discless compatibility is a bit better now? Or should I lay out 20 quid on a new Blu Ray drive (and then convert back to CEX anyway)? Or... something else?
Thanks in advance
Er... I meant MiralaTijera 4.30 patched DEX FW - no idea how I screwed that bit up!