[NEWS] CEX to DEX (retail to debug) finally available! : News - PS3-Infos


Post by Attila » Mon 9 Jul 2012 17:43

An anonymous person going by AnoRelease, from Hong Kong, has the keys that make it possible to turn your retail console (a normal, store-bought one) into a debug console.
He even provides a tutorial for doing it. Be warned: it is not easy, it is risky, and it is not necessarily useful for ordinary users.

WARNING: Although this tutorial works, it is very risky and can brick your console!
You will have only yourself to blame if you damage your console.

The EID0 key seed and the EID0 section key seed are hard-coded in the isoldr:
EID0 Key Seed
AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C
37 A6 BE 3F EF 82 C7 9F 3B A5 73 3F C3 5A 69 0B
08 B3 58 F9 70 FA 16 A3 D2 FF E2 29 9E 84 1E E4
D3 DB 0E 0C 9B AE B5 1B C7 DF F1 04 67 47 2F 85

EID0 Section Key Seed
2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF

I'll leave the rest in English, especially since it is very technical and complicated:

  • If you dump the isoldr key (EID Root Key) with metldrpwn, you get from 0x00 to 0x1F the EID Root Key and from 0x20 to 0x2F the EID Root IV
  • Use AES Encrypt to Encrypt EID0 Key Seed as data with EID Root Key as Key and EID Root IV as IV. The result contains from 0x10 to 0x20 the EID0IV and contains from 0x20 to 0x40 the EID0Key
  • Use AES Encrypt to Encrypt the EID0 Section Key Seed as data with the EID0Key as Key and no IV. The result will be the first 0x10 bytes of the EID0 First Section Key
  • The second 0x10 bytes of the EID0 First Section Key are only 0x00 bytes
  • EID0 is located in NAND at 0x80870 and in NOR at 0x2f070. The first 0x20 bytes of EID0 are not encrypted; at the fifth byte of EID0 (NOR example 0x2f075) your target ID is located, change it to 0x82 (Debug Target ID)
  • Use AES Decrypt to decrypt the first EID0 Section (NOR example 0x2f090). The size of the first Section is 0xC0 bytes. Use the EID0 First Section Key as Key and the EID0 IV as IV
  • Build the CMAC (OMAC1) hash of the decrypted EID0 Section from 0x00 to 0xA8 with EID0 First Section Key as Key. The calculated hash has to be the same as the bytes in the decrypted EID0 Section from 0xA8 to 0xB8.
  • At 0x5 of the decrypted EID0 Section is your target ID again; change it to 0x82 again. 0xB8-0xC0 of the decrypted EID0 Section should be just 0x00 bytes
  • After you changed the target ID of the decrypted EID0 Section, create the CMAC hash of the new decrypted EID0 Section and write the new hash to the decrypted EID0 Section
  • Use AES Encrypt to encrypt the EID0 Section and write it back to the NOR (NAND).
  • Now install DEX Firmware with the recovery menu.

HINT: If you get Petitboot on emer init, go to boot gameos and do emer init again to get to the recovery menu.

You can't login to the PSN because IDPS is obviously not valid from now on.


From zecoxao: The problem with this is it's easily patchable... Sony will probably patch it on the next OFW... Original retail dump, flash back retail firmware, and that's it. This is basically switching back and forth from CEX to DEX by flashing DEX dump and DEX firmware and from DEX to CEX by flashing CEX dump and CEX firmware.

You can use flasher, linux or jaicrab's preloader (basically anything that flashes the dump)

Jaicrab's Preloader only works correctly on NORs; you'll have problems with NANDs, or so I've tested (thanks to a friend of mine), in case you need to compare:

PS: If I'm not dead by the next 24 hours, you know where to find me

Note: Don't flash this, this belongs to my console, so I advise you not to flash, this is just for verifying only.

From Squarepusher2: You'll have to go digging for debug eboots though if you intend on playing anything that is not a retail game on your debug PS3. And those are not easily found. I don't think end-users will get much use out of it - for devs it's a totally different story though.

Finally, it also appears as though the newer PS3 SDKs will contain the necessary development tools and login information to access Sony's developer network (NP / SP-INT) as well:

The NP communication passphrase and signature will be provided within the Server Management Tools.

Details: NP communication ID, passphrase, and signature, required for certain PSN communication services, had been provided on the DevNet thread upon the completion of the requested PlayStation Network service configurations.

From 2012/07/05 the NP Communication Passphrase and Signature will be provided within the Server Management Tools.

This change affects all the communication IDs issued after 2012/07/05. It will not be possible to access the NP communication passphrase or signature in the support issued after that date.

Only those users who have initially requested the NP communication services and were provided the files on the DevNet thread will have access to the file on the request threads.

Note that the NP communication passphrase and signature are required with NP Matching 2 and Title Small Storage.

UPDATE: A question-and-answer session to understand what this is good for:
One thing we have to agree on: the timing for the leak is not good, not at all. This would be better suited after the E3 release; like this it gives them leverage to think, seeing their plans were potentially messed up.

The truth is that this might ruin converts, and not allow updating past 4.21, but seeing that some of the people who developed this method already have an idea of what to do next, I wouldn't worry too much. Also, seeing how Sony is caring to patch their *things* lately, I don't see them doing anything.

Can we play homebrew with this on every firmware?:
Yes, as long as the homebrew is fake signed; use the tools from the SDK to do it.

Can we play game (backups) with this?
Yes, you can play all 3.55 backups and prior.

Can we play 3.60+ game (backups) with this?
Yes IF you are able to decrypt 3.60+ selfs, so NO, only if you get your hands on the decrypted eboots (that's how tb works).

Can we play 3.60+ (originals)?
YES, just update and play.

Can we get into debugger mode, and use the debug options?

Can you connect to psn (or any other network prod-q etc)?

Can you downgrade without a flasher?
Yes, to the limit of the factory firmware.