PS3 New Hack, Change any console to Dev Console

Discussion in 'PS3 - Hacking & Homebrew' started by kingcolex, Jul 9, 2012.

Jul 9, 2012
  1. kingcolex
    OP

    Member kingcolex Joe "Coop" Cooper

    Joined:
    Dec 31, 2011
    Messages:
    194
    Location:
    Oklahoma
    Country:
    United States
    Here's the original source before I put up a wall of text: http://psx-scene.com/forums/content/cex-dex-method-guide-leaked-confirmed-real-but-cautious-2404/

    This has been verified as real and working, and this may be the big hack of the time. Rumors are that dev consoles can run the newest games (with the newest dev FW) and don't need signed code.

    Hi Scene. Sorry for my bad English. I want to give you info; you please make it public. I want to be anonymous. I can only say I'm from Hong Kong. I have a way to get a DEX; it works and is complete, nothing missing.

    Manual to get a DEX (here is everything you need) and you have a fully working DEX.

    EID0 Key Seed and EID0 Section Key Seed are hardcoded in the isoldr.

    EID0 Key Seed
    AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C
    37 A6 BE 3F EF 82 C7 9F 3B A5 73 3F C3 5A 69 0B
    08 B3 58 F9 70 FA 16 A3 D2 FF E2 29 9E 84 1E E4
    D3 DB 0E 0C 9B AE B5 1B C7 DF F1 04 67 47 2F 85

    EID0 Section Key Seed
    2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF

    If you dump the isoldr key (EID Root Key) with metldrpwn, you get from 0x00 to 0x1F the EID Root Key and from 0x20 to 0x2F the EID Root IV.

    Use AES Encrypt to encrypt the EID0 Key Seed as data with the EID Root Key as key and the EID Root IV as IV.

    The result contains from 0x10 to 0x20 the EID0 IV, and from 0x20 to 0x40 the EID0 Key.

    Use AES Encrypt to encrypt the EID0 Section Key Seed as data with the EID0 Key as key and no IV.

    The result will be the first 0x10 bytes of the EID0 First Section Key. The second 0x10 bytes of the EID0 First Section Key are only 0x00 bytes.

    EID0 is located in NAND at 0x80870 and in NOR at 0x2f070.

    The first 0x20 bytes of EID0 are not encrypted.

    At the fifth byte of EID0 (NOR example: 0x2f075) your target ID is located; change it to 0x82 (Debug Target ID).

    Use AES Decrypt to decrypt the first EID0 Section (NOR example: 0x2f090). The size of the first section is 0xC0 bytes. Use the EID0 First Section Key as key and the EID0 IV as IV.

    Build the CMAC (OMAC1) hash of the decrypted EID0 Section from 0x00 to 0xA8 with the EID0 First Section Key as key. The calculated hash has to be the same as the bytes in the decrypted EID0 Section from 0xA8 to 0xB8.

    At 0x5 of the decrypted EID0 Section is your target ID again; change it to 0x82 again.

    0xB8-0xC0 of the decrypted EID0 Section should be just 0x00 bytes.

    After you have changed the target ID of the decrypted EID0 Section, create the CMAC hash of the new decrypted EID0 Section and write the new hash to the decrypted EID0 Section.

    Use AES Encrypt to encrypt the EID0 Section and write it back to the NOR (NAND).

    Now install DEX firmware with the recovery menu.

    HINT: Got Petitboot on emer init? Go to boot gameos and do emer init again to get to the recovery menu.

    You can't log in to the PSN because the IDPS is obviously not valid from now on.

    THIS CAN BRICK YOUR CONSOLE IF NOT DONE CORRECTLY.

    有志者,事竟成 "Where there is a will, there is a way"

    一不做二不休 "Once you start something, you have to finish it"
     
    1 person likes this.


  2. Clarky

    Member Clarky Don't you know who I think I am?

    Joined:
    Oct 4, 2007
    Messages:
    1,960
    Country:
    United States
    Suddenly the PS3 scene becomes very interesting again; thanks for pointing out the news.
     
    2 people like this.
  3. Qtis

    Member Qtis Grey Knight Inquisitor

    Joined:
    Feb 28, 2010
    Messages:
    3,762
    Location:
    The Forge
    Country:
    Antarctica
    Also:

    It still needs a flasher or other method.
     
    1 person likes this.
  4. daxtsu

    Member daxtsu -

    Joined:
    Jun 9, 2007
    Messages:
    5,289
    Country:
    Antarctica
    From what I understand this will enable you to have homebrew on newer firmware, but not lv1/lv2 peek/poke backups (PKG backups probably still work?). But you'll be able to run original discs with homebrew, so it's a win-win either way.
     
  5. riyaz

    Member riyaz Black Ace/Red Joker

    Joined:
    Jun 21, 2011
    Messages:
    1,128
    Location:
    everywhere
    Country:
    Netherlands
    Awesome, but there is still a brick risk and I don't have a flasher.
     
  6. Qtis

    Member Qtis Grey Knight Inquisitor

    Joined:
    Feb 28, 2010
    Messages:
    3,762
    Location:
    The Forge
    Country:
    Antarctica
    A few more clarifications:

    Also:


    A better source is the original post location: http://www.ps3news.com/forums/ps3-hacks-jailbreak/how-cex2dex-work-123592.html
     
  7. BrightNeko

    Member BrightNeko Popcorn ball

    Joined:
    Dec 11, 2010
    Messages:
    911
    Location:
    Texas
    Country:
    United States
    So just what does this mean, what is a flasher, and all the other noob questions?
     
  8. Magsor

    Member Magsor I am watching you

    Joined:
    Dec 1, 2010
    Messages:
    959
    Location:
    Amos
    Country:
    Canada
    It just means it's not for noobs.
     
    3 people like this.
  9. mehrab2603

    Member mehrab2603 GBAtemp Fan

    Joined:
    Sep 29, 2008
    Messages:
    335
    Location:
    Dhaka
    Country:
    Bangladesh
    Converted my CEX to DEX. I can freely upgrade and downgrade firmwares now just using the normal update procedure, so I can play new games plus enjoy all the homebrew :D
    Also wanted to mention that automated tools have been released to make the conversion much easier than the OP's method. Still needs a bit of work though.
    Surprised this hasn't been frontpaged, as this is a huge breakthrough in the PS3 scene, possibly as big as the original jailbreak.
     
  10. TehSkull

    Member TehSkull Living the life

    Joined:
    Nov 29, 2009
    Messages:
    2,700
    Location:
    Louisiana
    Country:
    United States
    Even if Sony patches this with the next firmware, I would be happy to be able to play backups of the last year or more of game releases.
     
  11. rehevkor

    Member rehevkor GBAtemp Fan

    Joined:
    Feb 21, 2011
    Messages:
    420
    Country:
    United Kingdom
    Sounds interesting, but I think I'll stick with my 3.55 CFW for the foreseeable future. I managed to brick this thing once already.
     
  12. Joe88

    Member Joe88 [λ]

    Joined:
    Jan 6, 2008
    Messages:
    11,188
    Location:
    NYC
    Country:
    United States
    Backups won't work on it; it's just for homebrew, and no PSN access on top of that.
     
  13. mehrab2603

    Member mehrab2603 GBAtemp Fan

    Joined:
    Sep 29, 2008
    Messages:
    335
    Location:
    Dhaka
    Country:
    Bangladesh
    Backups work on it. Do a bit of research before you post. Not with multiman, but there is a way. You're right about PSN though. But then again, CFWs don't have PSN atm either.
     
  14. Joe88

    Member Joe88 [λ]

    Joined:
    Jan 6, 2008
    Messages:
    11,188
    Location:
    NYC
    Country:
    United States
    I don't see any proof of backups running, since it's missing all the stuff backup loaders need to run.
    Supposedly someone got a heavily modified game backup running on it.
     
  15. mehrab2603

    Member mehrab2603 GBAtemp Fan

    Joined:
    Sep 29, 2008
    Messages:
    335
    Location:
    Dhaka
    Country:
    Bangladesh
    lol, I myself am running a backup of Mass Effect 2. Don't need to mod anything either.
    And there have been people confirming other games like FF13-2, BF3 etc. working.
     
    1 person likes this.
  16. matt382

    Member matt382 GBAtemp Regular

    Joined:
    Jan 30, 2008
    Messages:
    132
    Location:
    United Kingdom
    Country:
    United Kingdom
    I hope this leads to more homebrew development. I probably won't hack my PS3 till there's full PS2 emulation and risk-free online, although I doubt that will be anytime soon.
     
  17. ichidansan

    Member ichidansan GBAtemp Regular

    Joined:
    Feb 10, 2010
    Messages:
    215
    Country:
    United States
    So, couldn't we use this to convert to the dev console type, then just install the CFW for 3.41/3.55, then just use all the homebrew with that, and just wait for the PSN hacks that allow older CFW to get access?
     
  18. Magsor

    Member Magsor I am watching you

    Joined:
    Dec 1, 2010
    Messages:
    959
    Location:
    Amos
    Country:
    Canada
    Do your homework. CFW can have PSN.
     
  19. mehrab2603

    Member mehrab2603 GBAtemp Fan

    Joined:
    Sep 29, 2008
    Messages:
    335
    Location:
    Dhaka
    Country:
    Bangladesh
    Which CFW has PSN?
    AFAIK Sony changed the latest passphrase and made the 4.21 update mandatory, so the recent PSN access methods no longer work.
     
  20. BrightNeko

    Member BrightNeko Popcorn ball

    Joined:
    Dec 11, 2010
    Messages:
    911
    Location:
    Texas
    Country:
    United States
    Someone should make a guide for this thing, including downgrading.
     
