Sponsored Links

Sponsored Links

PS3 C2D CEX to DEX Flash Patcher v2, Changes Region / TargetID


Sponsored Links
110w ago - Following up on his initial release, today PlayStation 3 developer andbey0nd has updated his PS3 C2D.exe CEX to DEX Flash Patcher to version 2 which now includes Region / TargetID changing in the PS3 NOR Flash as outlined below.

Download: [Register or Login to view links] / [Register or Login to view links] (Mirror) / [Register or Login to view links] (Mirror #2) / [Register or Login to view links] (Mirror #3) / [Register or Login to view links] / [Register or Login to view links] / [Register or Login to view links] by deank

To quote from the ReadMe file (via pastie.org/4282714):

c2d.exe (win32 app)

Requires:

  • OpenSSL 1.0.1 installed in c:\openssl or d:\openssl ([Register or Login to view links])
  • EID root key (per_console_key) obtained with metldrpwn
  • PS3 (NOR) flash dump
  • Extract c2d.rar in a local folder (c:\c2d or d:\c2d)

Purpose:

  • Allows changing the Region / TargetID of your PS3 system
  • Allows "converting" any Retail PS3 into Debug unit (target_id 0x82)
  • Allows "converting" a Retail PS3 from one region to another (i.e. EUR PS3 -> JAP PS3, USA PS3 -> RUSSIAN PS3)
  • Changing a Retail PS3 region unlocks playback for region-locked DVD/Blu-ray movies and PS1/PS3 games

WARNING: For best results flash the output NOR file with a tool which rewrites *ONLY the EID0 sector* (one sector / 512 bytes @ sector #376 / 0x178; NOR file offset 0x2f000-0x2f1ff). Flashing the whole 16MB NOR is not needed and can easily brick the PS3.

TIPS:

  • Use your original NOR flash to create new files for different regions for your PS3 to have them handy later:

For example you can have (each file is 16MB):

  • my-slim-JAP.EID0.NORBIN
  • my-slim-EUR.EID0.NORBIN
  • my-slim-USA.EID0.NORBIN
  • my-slim-DEX.EID0.NORBIN

* Using a proper tool you can switch regions in one second when needed

PROTIPS:

  • The latest online debug update of multiMAN 04.04.03 handles writing to NOR in the right fashion (1 sector) from .EID0.NORBIN files.
  • To dump NOR: mmOS->Select any file->Open in HEX viewer->[SELECT]->[START]->DUMP LV2(NO)->DUMP LV1(NO)->DUMP FLASH(YES)
  • To write EID0 sector: mmOS->Double-click on a .EID0.NORBIN 16MB full NOR dump file->Follow the on-screen instructions->Reboot.

Usage:

c2d - Changes REGION/TARGET_ID in PS3 NOR flash

Usage: c2d.exe eid_key_file.bin in_flash.bin out_flash.bin [target_id]

Output:

Enjoy!
andbey0nd

Note: TargetID/RegionCode is one and the same. DEX target/region is 82. 0x84 is USA RETAIL PS3, 0x82 is Debug/DEX.

Below are a few additional guides from Sony PlayStation 3 hacker deank as follows:

DeanK's OtherOS with METLDRPWN PUP Installation / Usage Tutorial (via ps3crunch.net/forum/threads/4111-C2D?p=45668#post45668)

Ok, folks... I prepared a 218MB rar package to make things easier. It includes everything you need, except for RedRibbon (you'll have to download it yourself -> [Register or Login to view links]).

PS3_OTHEROS_LINUX_METLDRPWN.rar (218.21MB) [Register or Login to view links] (Original Version)

PS3_OTHEROS_LINUX_METLDRPWN.rar (217.49MB) [Register or Login to view links] (New Version - Recommended)

You can also use this smaller download if you already have OTHEROS-22GB.PUP downloaded:

PS3_OTHEROS_SETUP_METLDRPWN.rar (48.33MB) [Register or Login to view links] (Original Version)

PS3_OTHEROS_SETUP_METLDRPWN.rar (52.25MB) [Register or Login to view links] (Older Version)

PS3_OTHEROS_SETUP_METLDRPWN.rar (46.67MB) [Register or Login to view links] (Old Version)

PS3_OTHEROS_SETUP_METLDRPWN.rar (46.85MB) [Register or Login to view links] (New Version - Recommended)

You can download the OTHEROS PUP separately directly from glevand's repo and save it as \PS3\UPDATE\PS3UPDAT.PUP on your USB: [Register or Login to view links]

Download and follow the instructions. You need a USB hdd to extract this package to the root folder of the USB and also Red-Ribbon.iso extracted in the root folder of the same USB. The rar contains:

  • c2d tool / openssl installer
  • metldrpwn folder with precompiled metldrpwn.ko module for Red Ribbon
  • multiMAN (for CEX and DEX) (no backups on DEX)
  • norunpack (+cygwin1.dll)
  • PS3\UPDATE\PS3UPDAT.PUP (otheros-22GB.PUP)
  • create_hdd_region.sh
  • 4 packages needed to setup OtherOS from XMB/GameOS + flash image for NORs (dtbImage.ps3.bin)

Instructions

That's all you need.

Notes: NAND should be also supported (Refer to the PS3 NAND CEX to DEX Guide by CaptainCPS-X). While I was converting my PS3 from CEX to DEX and then back from DEX to CEX I NEVER used the POWER BUTTON to turn-off/restart the PS3. The only time I had to do that is at the beginning when you have to enter the Recovery Menu after OTHEROS PUP is installed.

All other firmware updates are performed from XMB (not from recovery menu) and all restarts/turn-offs are performed with {PS}->Turn Off in GameOS, or reboot/shutdown/restart/boot-to-game-os while in petitboot or linux.

The PS3 I used for my tests is SLIM, which came with 2.70, never downgraded and no need for special firmwares with checks-disabled, etc. If you're console is downgraded from 3.56+ following this tutorial may brick it.

You only need linux once just to obtain your key. After you have the keys you can switch to CEX/DEX/change the ps3 region from GameOS. Yes, it may be possible to obtain the key without installing linux (either from livecd or using some other method), but not at the moment.

EASIEST WAY: When you boot your PS3 in PETITBOOT you can see the paths to the kernels. Two of these (first two lines) will show the correct path to your USB HDD (look for /......../petitboot/.....).

If you see ...../sda1.... or ...../sdb1.... <--- this is your USB HDD so use the path with cd and then launch create_hdd_region.sh

You can either use:

or

You can easily find your USB HDD by trying the folders:

try to type these:

here you can type

and find your usb (sda* / sdb* / sdc*) (sda1 means Storage Device "A", partition 1, sdb1 means Storage Device "B", partition 1, etc) and then you can

(change "cd sda1" appropriately - if you use USB HDD, 1st partition is sda1, second is sda2, etc... If you use USB STICK/FLASH then sdb1/sdb2..)

Below is a PS3 Real Debug (DEX) video from gt41 who used an E3 Flasher to dump the NOR, converted NORCEX to NORDEX and reflashed it back (without risk of bricking) to play PS3 game backups including Pro Evolution Soccer (PES) 2012.





Also below is a PS3 DEX 4.11 - Pro Evolution Soccer 2012 (Italian) M109 by PS3DEX:





Finally, from PS3 developer Rogero who recently released a Rogero 3.55 DEX Downgrader CFW Peek / Poke PS3UPDAT.PUP for Custom Firmware users:

For all owners of PS3 consoles downgraded from 3.55+ using hardware flashers and Rogero_CFW_v3.x:

Before attempting to convert to DEX and to avoid Bricking the PS3, please reset the PS3 syscon hashes to eliminate the need of using CEX/DEX firmwares with Patched LV1 checks.

To Reset the syscon and have the PS3 back to normal safer mode like any original (non Downgraded ) PS3, here are the steps:

1- After completing the downgrade process and having Rogero CFW 3.x up and running, make sure you have the Blu-Ray drive attached or the QA Toggle package won't work.
2- Download the Rebug QA_Toggle package from here (ps3devwiki.com/files/flash/Tools/toggle-qa/toggle_qa.pkg) ---> toggle_qa.pkg
3- Put the "toggle_qa.pkg" on USB and Install it on the PS3.
4- Run the "Rebug Toggle QA" from XMB, the screen will go Black and you will see HDD Led activity then if all went fine you will hear one Beep and the PS3 will Restart back to XMB.
5- If you want to make sure QA flag was set, go to "Network Settings" then apply the following key combo (all at the same time):

L1 + L2 + L3 (press left stick) + R1 + R2 + dpad_down

You should see Edy Viewer, Debug Settings, and Install Package Files if done correctly.

6- Now that you have QA flag set, Turn Off your PS3 and Turn it back on but into "Recovery Menu"

This Step is very important, it have to be from "Recovery Menu" and not a normal Update from XMB or the PS3 will Brick.

Here is how to access it:

a. Turn off PlayStation 3.
b. Hold The power button down; The system will turn on and turn off once again.
c. Once the System has been shutdown, re-press you finger until you hear 2 consecutive beeps
d. When you hear the 2 beeps take finger off power button.
e. You will be prompted to plug in your controller via usb and then hit the PS button
f. The Recovery menu will pop up.

Alternatively you can simply use CondorStrike's Updater package to enter Recovery Menu directly from XMB without going through the boot sequences. --> Condor Updater v2.0 (ps3devwiki.com/files/flash/Tools/Condor%20Updater/Condor%20Updater%20v2.0.pkg)

7- Now you must have any 3.55 OFW or CFW with original (non Patched) LV1, here's a link to 3.55-Kmeaw --> kmeaw355.PUP (ps3devwiki.com/files/firmware/MFW-CEX/Kmeaw/kmeaw355.PUP)

8- Select the last option of the Recovery Menu --> System Update, then when prompted press "Start+Select" to start the update.

Once finished the PS3 will restart into XMB with the Syscon hashes reset back to 3.55 in both "ros0" and "ros1" and your PS3 is back like any original/non Downgraded PS3 that can use any CEX/DEX Fw without having to worry about disabling LV1 checks.

You can proceed now with converting from CEX to DEX by following Deank's tutorial normally.




Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 618 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

Night Hawk's Avatar
#8 - Night Hawk - 111w ago
I love how many devs whine that it destroyed the ps3's hacking future. Please cut the bs, everybody knows that you kept it to yourself in order to enjoy the high fw privileges. If you were going to hack your way through the l0 and the keys you would have done it a long time ago... Higher versions only have more layers of protection.

djpelle's Avatar
#7 - djpelle - 111w ago
By releasing this method Sony now knows how to fix it for the upcoming DEX FW. That was not without a reason why devs not made public this method!!! For devs with converted consoles it will be a massive hit in the face in the future!!!

tiefputin1's Avatar
#6 - tiefputin1 - 111w ago
AnoRelease what was the ID on your console before you changed it to 0x82 (Debug Target ID) ?

PS3 News's Avatar
#5 - PS3 News - 111w ago
Cheers for sharing this AnoRelease, I have now promoted the news to the main page as well.

I'm sure many PlayStation 3 developers will make good use of it, although I bet the passes included in the new PS3 SDKs (which CJPC mentioned they used to have in the 1.00 days) to access SP-INT will be watermarked per developer studio similar to the low level hardware docs that aren't included in most of the public leaks.

plangston's Avatar
#4 - plangston - 111w ago
technodon, have a look here mate from Rnd: wiki.gitbrew.org/wikibrew/Metldrpwn


Metldrpwn

Dear all,

Many of you may have heard about Metldrpwn which allows to obtain Perconsole Key set.

I bet some of you have not gone for it because of many things to install and do, like linux and etc.

Well, since now, you won't have to do all that, the only thing you will need to have/install is Otheros (Petitboot) and that's it, the image of the FULL LINUX distro with glevand's kernel patches and all is in this tutorial.

So, let me tell what you have to do in order to pwn your metldr and get you perconsole keys faster:

1. Install Petitboot

Only these steps from the orginial glevand's tutorial are needed:

1. Install my latest CFW (gitbrew.org/~glevand/ps3/cfw/)
2. When installation is finished, reboot in Recovery Mode (not the Backup/Restore in XMB) and choose "Restore PS3 System"
3. Now your GameOS should use only the half of your HDD (Currently working on a better approach)
4. Run setup_flash_for_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/setup_flash_for_otheros.pkg - for all PS3 models)
5. Reboot (It's important to shut down and turn on your PS3)
6. Store dtbImage.ps3.bin (gitbrew.org/~glevand/ps3/petitboot/dtbImage.ps3.bin) on USB drive, plug it in and run install_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/install_otheros.pkg - NAND owners should use dtbImage.ps3.bin.minimal, rename it to dtbImage.ps3.bin). Try different USB ports if you don't get any beeps.
7. Run boot_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/boot_otheros.pkg)
8. Run reboot.pkg (gitbrew.org/~glevand/ps3/pkgs/reboot.pkg - use the package, not manually reboot!)
9. You should be in petitboot now.

3.15 stock firmware (OFW) users:

Put petitboot on a memory stick


2. Boot Linux

1. Download my distro of Linux (gitbrew.org/~rnd/Linux-2.6.39-Rnd.iso)
2. Unpack in the root of your USB stick/or burn the image to a DVD
3. Plug in your USB/Insert the disc in your PS3 and you should see 2 different boot options, boot the first one

Login details (there are 2 of them, ps3 and root):

Username: root
Password: root

Username: ps3
Password: ps3

If you need to mount a usb stick, I made a dir for that /dev/usb

Here is the mount command:


So now you can access your USB by going here /dev/usb/

3. Metldrpwn part:

Step by Step instuctions

Precompiled metldrpwn : Here (ps3devwiki.com/files/devtools/dump-metldr/metldrpwn.zip)

you can do this over ssh or on console.

Note: don't forget to provide EID0 and RL_FOR_PROGRAM.img if you do manually, instead of the run.sh file where they are commented out

1. ssh into the ps3
2. download the files:


3. untar the files:


4. enter the directory and compile:


5. run the following commands now:


6. there now you have a dump check it out:



7. now copy the dump somewhere or youll lose it:


now you have a copy in your home directory for safe keeping, congrats you've completed about < 10 mins of actual work.

there you go keys are in 0x00 to 0x20 (first 3 lines)

So now you get code execution on metldr at the best time possible because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too. (Although they are hardcoded in metldr's code anyway)

example:


the first 2 lines are erk the 3rd is riv and together they are eid0 root key

btw this does not mean you get 3.60 keys etc or newer games but it will help you get some nifty things to do some new stuff.... also please be advised that if you are on 3.60+ you will need to downgrade with a flasher to do this, also if you have a unit that shipped from the factory with the metldr.2 (new metldr) your sol at the moment theres also a nifty program on the dev tools page (ps3devwiki.com/wiki/Dev_Tools) to turn your hex into key its called hex2key:

hexkey2bin.c: [Register or Login to view links]
hex2key.c edit: [Register or Login to view links]

If you have any further questions don't hesitate to contact me,

Sincerely,

Rnd
btw, thank you AnoRelease!! a BIG thanks to all devs behind the scenes that have spent countless hours piecing together this puzzle!

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News