PS3 C2D CEX to DEX Flash Patcher, LibEEID EID0 Library Arrives

44w ago - Following up on the PS3 CEX (Retail) to DEX (Debug) Conversion Method from earlier this week, today PlayStation 3 developer andbey0nd has released an easy C2D CEX to DEX Flash Patcher conversion tool for Windows (currently only works with the 16mb NOR) alongside PS3 LibEEID (library related to EID0) source code below.

Download: PS3 C2D CEX to DEX Flash Patcher (Windows) / LibEEID Source Code / GIT

To quote: andbey0nd has released (pastie.org/4243807) another tool to us this morning. c2d is a Cex 2 Dex Flash Patcher. Currently it only works with 16mb NOR. Slowly but surely the scene seems to be coming back to life. 1 hack at time... Thanks andbey0nd and keep up the awesome work!

[andbey0nd] works for 16MB flash dumps (NOR) only
[andbey0nd] also if for some reason a WRONG EID key is provided - the program will abort and will not generate invalid DEX flash.. so no chance for bricking
[andbey0nd] if an output DEX flash file is created - it means that it is valid

c2d.exe (win32 app)

Requires:

• OpenSSL 1.0.1 installed in c:\openssl or d:\openssl (http://slproweb.com/download/Win32OpenSSL_Light-1_0_1c.exe)
  
• EID root key (per_console_key) obtained with metldrpwn
  
• CEX (NOR) flash dump
  
• Extract c2d.rar in a local folder (c:\c2d or d:\c2d)
  

Usage:

• c2d.exe eid_key_file.bin in_cex_flash.bin out_dex_flash.bin
  

Output:
Enjoy!
andbey0nd

From naehrwert: oh look what a little bird has brought us: libeeid crypto library <3 also if someone want's to get a set of cprm device keys, he should look at eid3_decrypt_buffer

messing with eid4 on your box will destroy your bd-drive pairing, so I wouldn't do that.

PS3 LibEEID Source Code

A >>PS3D<< original: libeeid (C) 2011-2012 ps3dev.net

If you can't deliver the complete stuff, you should just keep your mouth shut and not spread the EID0 algo out. This lib was meant to stay private because we didn't like the idea of every 1337 kiddo having a DEX console and annoying developers with questions about running pirated games on it. Now we decided to release it all into public although we won't provide any support or do any further work on it.

A lot of dedication, knowledge and time has gone into reversing ALL of the SPU binaries to collect the informations in this library (that's the fun part). This is as far as you will get with firmware versions <= 3.56.

Btw.: have fun reversing the SPU modules to find the required keys...

Special thanks to the people there: gitorious.ps3dev.net/+ps3dev-net

How to W/R NOR from petitboot:

After getting the tip on howto build OMAC cex/dex hash with FileHash and passing me the "batch" files to AES EN/Decrypt, then you need to check/read it a couple time to fit the puzzle together.. i recommended if you perform this, do not to rely on the 1click tools at first, c2d works perfect and makes valid dexdump, you can use it to compare it with the one u did by hand, they MUST be identical, at least do it a couple times so you'll understand proccess.

I used run.sh like this without providing eid0 as it's commented out in the script and not required, only "metldr" from original cexdump

In terminal:

outputs correct root_key

To be on the save side, pwn metldr couple times to see if you get matched ones, some are having weird "dump" or must reboot to get correct "dump" need to use either debian/ubuntu install or live disc linux2.6.39_rnd.ISO / or new prebuild petitboot image/or rc5 red ribbon a little modified.. options enough.

From dlbogdan: I've dumped NOR (and eEID) from petitboot.. for linux n00bs. It doesn't work until you remount your usb drive as RW.

then you dump with:

as written above.

From badhabit: I can confirm the cex2dex patcher method works.

• used memdump to dump the Nor (thx an0n, you tha man !!)
  
• HW Flasher output is exactly the same.. tried it
  
• used Flowrebuilder to unpack the Nor Dump (btw. Flowrebuilder can also unpack 4.11 dumps where norunpack fails..)
  
• had to recompile the metldrpwn as the compiled one from glevant didnt work for me ..
  
• used petitboot and red ribbon for the root key
  
• used cex2dex patcher (thx andbey0nd, acab, zadow) for dex.bin
  
• flashed back via hw flasher / also tried petitboot works good aswell
  

So now i am on 3.55 dex ; gonna try E3 cex/dex dualboot.. has anyone an idea if i need to patch the dex FW "no check" for downngraded consoles ?? kudos to zecoxao and the others for helping all the people out !! that's the spirit dudes !!

From butnut: I am on 3.74 debug and playing a backup of my FF XIII-2 from a sd card formatted as bd-emu. I can go into the casino and play the games and bet on chocobo's and what not. I used psdevs gui tools to unpack the 1.06 update and then when I was still on 3.55 debug I used multiman to transfer the update to my dev/hdd0/game. then I went into recovery mode and chose rebuild database, when the system rebooted I updated to 3.74. None of my homebrew works now but I can downgrade later.

Oh yeah here is how to get those keys you want... Major thanks to everybody who helped me, without you I would still be sitting here with my thumb up my butt.

• Dump your flash name it cexnor.bin
  
• Use flow rebuilder to get metldr file
  
• Use XMB EIDX Dumper to get EID0
  
• Install petitboot and red ribbon rc5
  

Note: Do not type any words with quotes around them.

Open a terminal and type:

when that is done type:
After it has downloaded type:
and then type:
"Just press exit, when you will see the grey and blue menu."
"open a file manager and go to /etc/ and copy the kboot.config to a usb drive"

"open the kboot with a text editor and add as the last line"
"save the kboot and put it back where you found it"

"go to /boot/ and rename vmlinux-2.6.39 to vmlinux"

"restart ps3 into petitboot and boot test=/boot/vmlinux root=/dev/ps3dd1"

"open a terminal and type"
unzip metldrpwn.zip
"open the file manager and transfer your metldr file to metldrpwn"

"I think you should put the EID0 file in there too, but some people say it is not needed."

"go back to terminal window and type"
"open a file manager and transfer the file called dump to usb"

"move it to your pc and use a hex editor to copy the first three lines(48 bytes) to a new hex file. Save this file as key.bin "

"install c2d"

"put key.bin and cexnor.bin in the same folder as c2d.exe"

"open a command prompt and type"
"If you did every thing right you will see a message saying done"

"if this message gives you an error then you must reboot your ps3"

"and try again from "
"if you did not get an error then flash dexnor.bin to your ps3 and install 3.55 debug from the xmb"

From JLM (via ps3crunch.net/forum/threads/4023-Method?p=45359#post45359):

You don't need to fiddle with kboot.

The red ribbon 5 headers are here (7.03mb): http://redribbon.t15.org/apt/dists/stable/main/binary-powerpc/linux-headers-2.6.38-powerpc64-otheros_2.6.38-powerpc64-otheros-10.00.Custom_powerpc.deb

1. unpack it in a subdirectory of your home directory: /home/username/headers

2. Create a link to it in the appropriate lib/modules directory
link command syntax: ln -s target linkname
(-s means it's a symbolic link/shortcut)

for mine it is:

/lib/modules/2.6.38-powerpc64-otheros

open a terminal (as root) in that folder and create the link:

ln -s /home/username/headers/usr/src/linux-headers-2.6.38-powerpc64-otheros /lib/modules/2.6.38-powerpc64-otheros/build

that command will create a symlink (shortcut) to the header files/module.symvers, the link will be called build. If you already have a build link (in /lib/modules/directory with kernel name/) then you prolly don't need those header files or to create the link.

3. Compile the exploit(not as root):

cd metldr838exploit && make

Depending on your compiler settings you may get these two warnings(it's ok): warning label 'bad5' defined but not used or warning '/*' within comment.

4. Copy the other files you will need for running the exploit to the exploit directory:

For example, someone on rebug 3.41.3 other os with ss patches:
metldr (extracted from a flash dump of the nor, use yours)

from ofw 3.41v2 (using fail tools or ps3tools gui):
isoldr, spp-verifier.self, defaut.spp
(You may want to rename the metldr file that is already in the exploit directory so it won't be overwritten.)

5. run the exploit at the commandline:

sudo ./run.sh

It will ask for your password (the one for your username, not the root password). Using sudo will give you the elevated privileges necessary to run the exploit, ./ insures the script in your directory will be the command that the shell runs (if it doesn't execute, then you might need to set the permission with: chmod u+x run.sh)

A bunch of messages scroll by, then copy the output file (dump) to your home directory:

cp /proc/metldrpwn/dump /home/username/ (there is a space between /dump and /home/username/) Since you just used sudo, you shouldn't have any problem with permissions. If you do, use sudo cp.

Note: If petitboot stalls going down (to load linux), unplug your usb items. Please no controller plugged into usb port. Most keyboards are ok plugged in, some aren't. Linux doesn't need the keyboard plugged in to boot. It's okay to unplug it after making your boot selection in petitboot. I select otheros. Plug it back in after linux boots. No you don't need to be on 3.50. This is not a tutorial! I don't know how to do the conversion to dex, just the linux step.

Finally, HERE is a brief guide by Sony PlayStation 3 hacker evilsperm which uses the PS3Tools GUI Edition v2.6 with PS3 CEX to DEX support, HERE is a Pawnmetldr Using Red Ribbon guide by technodon and HERE is another PS3 DEX (Test - Debug) Conversion Method Step by Step tutorial from ing_pereira for those interested.

Also below is a related guide (via pastie.org/4262855) by bleh as follows:

Part-1 Installing Petitboot

• Prepared files you might/will need: http://www.mediafire.com/?ny2tj269h1tjrf3
  
• Extract the files and copy them into root of your USB drive. I did not include metldr but you can get it here: (ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip)
  
• Every *pkg should beep if not repeat - only reboot.pkg will not beep.
  

1. Install CFW OTHEROS++ from here: gitbrew.org/~glevand/ps3/cfw/ (I picked eight size)
2. When installation is finished, reboot into Recovery Mode and choose "Restore PS3 System"
3. Run setup_flash_for_otheros.pkg
4. Reboot your PS3 (Manual reboot)
5. Store dtbImage.ps3.bin on USB drive, plug it in and run install_otheros.pkg
6. Run boot_otheros.pkg
7. Run reboot.pkg (use the package, not manual reboot!)
8. You should be in petitboot now.
9. Exit to shell
10. cd /tmp/petitboot/mnt/sda1/
./create_hdd_region.sh
11. Reboot your PS3 and run reboot.pkg again.

If you have any problems with any steps above contact me.

Part-2 Installing Debian (Auto) requires INTERNET CONNECTION.

1. boot into petitboot
2. exit to shell
3. cd /tmp/petitboot/mnt/sda1/
sh debian-installer.sh
4. select no at partition the installer will do it for you.
6. once install is done boot into petitboot and select the first option.
7. tasksel install standard
startx

If you have any problems with any steps above contact me.

Part-3 metldrpwn

1. dump your nor in GameOS using this tool: http://www.mediafire.com/?vwe5oi7em54dwk9 (use memdump_0.01-FINAL.gnpdrm.pkg)
2. now you will need to unpack your nor, use norunpack
3. open your unpacked nor folder, copy the "metldr" from "asecure_loader" folder into "metldrpwn" folder.
4. copy "metldrpwn" folder to /home/yourusername
5. start terminal
6 cd metldrpwn
make
sudo ./run.sh
cp /proc/metldrpwn/dump /home/yourusername/

7. open "dump" in hex editor
8. copy the bytes 0x00-0x0f
9. use your hex editors search function and paste the bytes (0x00-0x0f)
10. your keys will be at 0x0000C7xx (i had different offset in 2 dumps, so use search)
11. copy your keys into a new file and save as eid_root_key.bin & rename your nor dump to "CEXFLASH.bin"
12. open "PS3Tools v2.6" run cex to dex (it will error if the keys are wrong.. so nothing to worry about)
13. copy the DEXFLASH.bin to root of your USB drive.

Part-4 write dexnor

1. boot into petitboot

2. cd /tmp/petitboot/mnt/sda1/
dd if=DEXFLASH.bin of=/dev/ps3nflasha bs=1024
reboot

Go into recovery mode and install dex fw. If you have any problems with any steps above contact me. Have fun with your DEX.. bleh

Note: you have to use a different debian-installer.sh for nand, link: nand debian installer: http://dl.dropbox.com/u/56336/PS3Linux/nikitis-PS3-Debian-Installer.zip