PS3 New Hack, Change any console to Dev Console

Discussion in 'PS3 - Hacking & Homebrew' started by kingcolex, Jul 9, 2012.

  1. kingcolex (OP), Joe "Coop" Cooper
     Member, joined Dec 31, 2011, United States, Oklahoma
    Here's the original source before I put up a wall of text: http://psx-scene.com/forums/content/cex-dex-method-guide-leaked-confirmed-real-but-cautious-2404/

    This has been verified as real and working, and this may be the big hack of the time. Rumors are that dev consoles can run the newest games (with the newest dev FW) and don't need signed code.

    Hi Scene. Sorry for my bad English. I want to give you info; please make it public. I want to be anonymous. I can only say I'm from Hong Kong. I have a way to get a DEX; it works and is complete, nothing missing.

    Manual to get a DEX (here is everything you need), and you have a fully working DEX.

    EID0 Key Seed and EID0 Section Key Seed are hardcoded in the isoldr.

    EID0 Key Seed
    AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C
    37 A6 BE 3F EF 82 C7 9F 3B A5 73 3F C3 5A 69 0B
    08 B3 58 F9 70 FA 16 A3 D2 FF E2 29 9E 84 1E E4
    D3 DB 0E 0C 9B AE B5 1B C7 DF F1 04 67 47 2F 85

    EID0 Section Key Seed
    2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF

    If you dump the isoldr key (EID Root Key) with metldrpwn, you get the EID Root Key from 0x00 to 0x1F and the EID Root IV from 0x20 to 0x2F.

    Use AES Encrypt to encrypt the EID0 Key Seed as data with the EID Root Key as key and the EID Root IV as IV.

    The result contains the EID0 IV from 0x10 to 0x20 and the EID0 Key from 0x20 to 0x40.

    Use AES Encrypt to encrypt the EID0 Section Key Seed as data with the EID0 Key as key and no IV.

    The result will be the first 0x10 bytes of the EID0 First Section Key; the second 0x10 bytes of the EID0 First Section Key are only 0x00 bytes.

    EID0 is located in NAND at 0x80870 and in NOR at 0x2f070.

    The first 0x20 bytes of EID0 are not encrypted.

    At the fifth byte of EID0 (NOR example: 0x2f075) your target ID is located; change it to 0x82 (Debug Target ID).

    Use AES Decrypt to decrypt the first EID0 Section (NOR example: 0x2f090). The size of the first section is 0xC0 bytes. Use the EID0 First Section Key as key and the EID0 IV as IV.

    Build the CMAC (OMAC1) hash of the decrypted EID0 Section from 0x00 to 0xA8 with the EID0 First Section Key as key. The calculated hash has to be the same as the bytes in the decrypted EID0 Section from 0xA8 to 0xB8.

    At 0x5 of the decrypted EID0 Section is your target ID again; change it to 0x82 again.

    0xB8-0xC0 of the decrypted EID0 Section should be just 0x00 bytes.

    After you have changed the target ID of the decrypted EID0 Section, create the CMAC hash of the new decrypted EID0 Section and write the new hash to the decrypted EID0 Section.

    Use AES Encrypt to encrypt the EID0 Section and write it back to the NOR (NAND).

    Now install DEX firmware with the recovery menu.

    HINT: If you get Petitboot on emer init, go to "boot GameOS" and do emer init again to get to the recovery menu.

    You can't log in to the PSN because the IDPS is obviously not valid from now on.

    THIS CAN BRICK YOUR CONSOLE IF NOT DONE CORRECTLY.

    有志者,事竟成 "Where there is a will, there is a way"
    一不做二不休 "Once you start something, you have to finish it"
     
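The key derivation and the decrypt, verify, patch, re-sign, re-encrypt steps of the quoted guide, written out as one added Go example. This is an editor's illustration, not the leaked guide's own tooling and not any of the automated CEX2DEX tools mentioned later in the thread. Only the two seeds, the EID0 offsets and the section layout come from the post; everything else is an assumption and is marked as such in the code: "AES Encrypt ... with IV" is read as AES-CBC and "no IV" as a single AES block under a zero IV, the root key/IV in main and the EID0 blob produced by BuildSampleEid0 are constructed placeholders (a real root key comes from a metldrpwn dump of the isoldr key), and the sample's 0x01 target ID is a placeholder rather than a real retail value. The one check worth copying is OpenSection: it verifies the CMAC and the zero tail before anything is patched, so a wrong root key or a bad dump is reported instead of being written back to flash.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Seeds quoted in the leaked guide (hardcoded in isoldr); hex copied from the post above.
var eid0KeySeed = h("ABCAAD1771EFABFC2B921276FAC2130C37A6BE3FEF82C79F3BA5733FC35A690B" +
	"08B358F970FA16A3D2FFE2299E841EE4D3DB0E0C9BAEB51BC7DFF10467472F85")
var eid0SectionKeySeed = h("2ED7CE8D1D55454585BF6A3281CD03AF")

// EID0 layout per the guide: 0x20-byte clear header (target ID at byte 5), 0xC0-byte encrypted section, CMAC over 0x00..0xA8 stored at 0xA8..0xB8, 0xB8..0xC0 zero.
const hdrLen, sec0Len, cmacEnd, targetIDOff, debugTargetID = 0x20, 0x

C0, 0xA8, 0x05, 0x82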
  2. Clarky

    Clarky Don't you know who I think I am?

    Member
    1,960
    676
    Oct 4, 2007
    United States
    suddenly the PS3 scene become very interesting again, thanks for pointing out the news
     
    2 people like this.
  3. Qtis

    Qtis Grey Knight Inquisitor

    Member
    3,797
    1,296
    Feb 28, 2010
    The Forge
    Also:

    It still needs a flasher or other method.
     
    1 person likes this.
  4. daxtsu

    daxtsu GBAtemp Guru

    Member
    5,546
    3,955
    Jun 9, 2007
    Antarctica
    From what I understand this will enable you to have homebrew on newer firmware, but not lv1/lv2 peek/poke backups(PKG backups probably still work?). But you'll be able to run original disks with homebrew, so it's a win-win either way.
     
  5. Riyaz

    Riyaz Black Ace/Red Joker

    Member
    1,277
    724
    Jun 21, 2011
    Netherlands
    everywhere
    awesome but there is still a brick risk and i dont have a flasher
     
  6. Qtis

    Qtis Grey Knight Inquisitor

    Member
    3,797
    1,296
    Feb 28, 2010
    The Forge
    A few more clarifications:

    Also:


    Better source is the original post location http://www.ps3news.com/forums/ps3-hacks-jailbreak/how-cex2dex-work-123592.html
     
  7. BrightNeko

    BrightNeko Popcorn ball

    Member
    915
    687
    Dec 11, 2010
    United States
    Texas
    so just what does this mean, what is a flasher, and all the other noob questions
     
  8. Magsor

    Magsor I am watching you

    Member
    962
    65
    Dec 1, 2010
    Canada
    Amos
    It just mean its not for noobs
     
    3 people like this.
  9. mehrab2603

    mehrab2603 GBAtemp Fan

    Member
    344
    26
    Sep 29, 2008
    Bulgaria
    Dhaka
    Converted my CEX to DEX. Can freely upgrade and downgrade firmwares now just using the normal update procedure, so I can play new games plus enjoy all the homebrew :D
    Also wanted to mention that, automated tools have been released to make the conversion much easier than the op method. Still needs a bit of work though.
    Surprised this hasn't been frontpaged as this is a huge breakthrough in the PS3 scene, possibly as big as the original jailbreak.
     
  10. TehSkull

    TehSkull Living the life

    Member
    2,700
    388
    Nov 29, 2009
    United States
    Louisiana
    Even if Sony patches this with the next firmware, I would be happy to be able to play backups of the last year or more of game releases.
     
  11. rehevkor

    rehevkor GBAtemp Fan

    Member
    453
    125
    Feb 21, 2011
    Sounds interesting.. but I think I'll stick with my 3.55 CFW for the forseeable. I managed to brick this thing once already.
     
  12. Joe88

    Joe88 [λ]

    Member
    11,646
    2,927
    Jan 6, 2008
    United States
    NYC
    backups wont work on it, its just for homebrew and no psn access on top of that
     
  13. mehrab2603

    mehrab2603 GBAtemp Fan

    Member
    344
    26
    Sep 29, 2008
    Bulgaria
    Dhaka
    Backups work on it. Do a bit of research before you post. Not with multiman, but there is a way. You're right about PSN though. But then again, CFWs don't have PSN atm either.
     
  14. Joe88

    Joe88 [λ]

    Member
    11,646
    2,927
    Jan 6, 2008
    United States
    NYC
    I dont see any proof of backups running since its missing all the stuff backup loaders need to run
    supposedly someone got a heavily modified game backup running on it
     
  15. mehrab2603

    mehrab2603 GBAtemp Fan

    Member
    344
    26
    Sep 29, 2008
    Bulgaria
    Dhaka
    lol I myself am running backup of Mass Effect 2. Don't need to mod anything either.
    And there have been people confirming other games like FF13-2, BF3 etc working.
     
    1 person likes this.
  16. matt382

    matt382 GBAtemp Regular

    Member
    132
    52
    Jan 30, 2008
    United Kingdom
    I hope this leads to more homebrew development. I probably won't hack my PS3 till there's full PS2 emulation and risk free online, although I doubt that would be anytime soon
     
  17. ichidansan

    ichidansan GBAtemp Regular

    Member
    221
    40
    Feb 10, 2010
    United States
    So, couldnt we with this convert to the dev console type, then just install the CFW for 3.41/3.55? and then just use all the homebrew with that, and just wait for the psn hacks that allow older CFW to get access?
     
  18. Magsor

    Magsor I am watching you

    Member
    962
    65
    Dec 1, 2010
    Canada
    Amos
    Do your homeworks. CFW can have PSN.
     
  19. mehrab2603

    mehrab2603 GBAtemp Fan

    Member
    344
    26
    Sep 29, 2008
    Bulgaria
    Dhaka
    Which CFW has PSN?
    afaik Sony changed the latest passphrase and made 4.21 update mandatory so the recent PSN access methods work no longer.
     
  20. BrightNeko

    BrightNeko Popcorn ball

    Member
    915
    687
    Dec 11, 2010
    United States
    Texas
    someone should make a guide for this thing. >> including downgrading.