Old 07-15-2012   #944
Simonbuck
Originally Posted by furtsiv:
cool, and it's NOR and NAND. I hope someone from "learn spanish with helssing" will make it English

There you go, @furtsiv. I'm still confused?


[GUIDE] Conversion Method PS3 DEX (TEST - DEBUG) Step by Step ...
by ing_pereira Yesterday 18:02

Since there are several problems in the original tutorial (also in English) may even have failures in this guide c2d do about it. Clarifications. First says that by doing this you lose the BD married this is false not only say I.





@ Naehrwert wrote
on messing with your box eid4 will destroy your bd-drive pairing, so I would not do that


Naehrwert: Altering the eEID4 on your console you will destroy the married bd-drive, so I would not do that.

Touch and change something else that if you could let eEID0 without BD Married eg the eEID4 but here we do not change anything that only works with the first segment of eEID0. Trick to dump on linux and get the rules and eEID (NOR)

TUTORIAL (eEID0 DEX)

First we need the dump of metldr; its first 0x30 bytes hold the whole EID root key (erk and riv).
http://www.elotrolado.net/hilo_dump-...theros_1725034

Using a hex editor on the metldr dump, from 0x00 to 0x1F you will get the eEID Root Key and from 0x20 to 0x2F the eEID Root IV.

Once you have that, you only need to have OpenSSL installed to handle the cryptography.
http://slproweb.com/products/Win32OpenSSL.html

You need to download 2 files, the EID0_Key_Seed and the EID0_First_Section_Key_Seed.
http://www.mediafire.com/?azoliwucuez2dz0

As for the OpenSSL options, at least the most basic ones we will use are:

-in : Specifies the input file to take to encrypt.
-out : Specifies the filename of the final output that we will encrypt from the first one.
-k : Specifies that we will use a specific key, placed after this option.
-iv : In this case indicates that a specific riv or iv for our encryption follows.

With everything arranged in the same working folder together with those 2 files, and with your EID Root Key and EID Root IV at hand, we begin with the 1st step.

    openssl aes-256-cbc -e -in EID0_Key_Seed.txt -out EID0.txt -nosalt -K <YOUR_EID_ROOT_KEY> -iv <YOUR_EID_ROOT_IV> -p -nopad

EID0_Key_Seed.txt : Used as input; we will encrypt it with our PCK KEY and IV as seen in the command.

Open the EID0.txt generated by the previous step in a hex editor: from 0x10 to 0x1F you have your EID0 IV and from 0x20 to 0x3F you have the EID0 KEY. For convenience you can save them in separate files for easy access, something like eid0_iv.txt and eid0_key.txt. At this point we have already generated the EID0 KEY and EID0 IV of our console.

    openssl aes-256-cbc -e -in EID0_Section_Key_Seed.txt -out EID0_First_Section_Key.bin -nosalt -K <YOUR_EID0_KEY> -iv 0 -p -nopad

Here it is normal to leave the IV at 0, and after that command the file EID0_First_Section_Key.bin will hold the key to decrypt the first section, which is where the target id is encoded in eEID.

In the next step we use that same key to decrypt the first section of eEID0 that we have talked about.

    openssl aes-128-cbc -d -in eid0_1st_Section_CEX.bin -out eid0_1st_CEX_decrypt.bin -nosalt -K <EID0_FIRST_SECTION_KEY> -iv <YOUR_EID0_IV> -p -nopad



In the NOR dump, as you see in the image, the first section we are talking about runs from 0x2F090 to 0x2F14F; it is marked with the red square.

In the part marked in blue I want you to see what I mean by PID: those first 0x20 bytes come decrypted from the factory and are the beginning of eEID0, but the PID is in the first 0x10 bytes.

eid0_1st_Section_CEX.bin : The name you give, for example, to the section of eEID that we extract directly from offset 0x20 to 0xDF of eEID0 (in a NOR dump that is from offset 0x2F090 to 0x2F14F), 0xC0 bytes in length, using the same hex editor. We put CEX at the end of its name to identify it as the original CEX section of our console. This part is encrypted and contains the PID; we pass it as input to openssl.

eid0_1st_CEX_decrypt.bin : This is the output name we give to the decrypted 1st CEX segment that we passed as input; we look at its first line to know whether it was decrypted properly. Open it in a hex editor: if everything was correct, the first line of the decrypted file should be your PID as it was in the first 0x10 bytes of eEID0 (NOR = 0x2F070 | NAND = 0x80870). An example, in my case something like this: 00 00 00 01 00 84 00 0B 14 January A6 AE C3 1A 80 28 (THIS IS MY CONSOLE, be careful with it). These same bytes in my case are the same as those at the beginning of eEID0; check the first photo with the blue square, which is what you need to compare against to see whether this first section was decrypted correctly or not.

At least the first 5 bytes may be the same, since the rest is PCK data. The 84 that comes out in the fifth byte in my case is the target id, as mine is an American console, but you should find something similar with your target ID. If you have noticed, when it was decrypted correctly you should in fact find your target id with the naked eye, as I said.

It is noteworthy that the first 16 bytes of the decrypted first section of EID0 must match the first 16 bytes of eEID0, and should also match the PID found in your dumps (NOR = 0x2F070 | NAND = 0x80870). IF THEY DO NOT, DO NOT CONTINUE WITH THIS and review the steps again.

CMAC | TARGET ID

It is now necessary to generate the CMAC (OMAC1) hash of the decrypted first section of EID0 from 0x00 to 0xA8. That first section is the one we decrypted in the first steps and called "eid0_1st_CEX_decrypt.bin"; as you can see in a hex editor, that file is 0xC0 long. We will also use the generated EID0 First Section Key, and to follow the tutorial you have to download this utility, programmed from the CMAC algorithm in the source leaked 1 month ago.
http://www.mediafire.com/?kdetnwgb8s8fv9a

    CMAC file_in key_file

which in our case would be:

    CMAC eid0_1st_CEX_decrypt.bin EID0_First_Section_Key.bin

Here eid0_1st_CEX_decrypt.bin, as I have said several times, is the decrypted first section, and EID0_First_Section_Key is the key, also generated in the last steps.
The purpose of doing this with the program is to obtain the original CMAC of our section without changing the target id to DEX yet. The program's output should be something like:

    Hash CMAC (OMAC1): f1053cc3818dd6ce2775f0273dfc212e

Of course the numbers will be different, since they are PCK by the way we generate them. Copy the calculated hash that the program returns and compare it with the one in eid0_1st_CEX_decrypt.bin from 0xA8 to 0xB8 (again, the first section that we decrypted and gave as input); it should be EXACTLY the SAME. If not, something is wrong, so go back over the steps again; if so, then all is well for the next step.

Now the 0x5 byte of the decrypted first section of EID0 is our target ID, and you must change it to 0x82.

After you change the Target ID of the decrypted first section of EID0, you must create a new valid CMAC hash for your new DEX, and write this new hash in the same section at the offsets where we checked the previous value of the hash before, 0xA8 to 0xB8 (that is, replace the old hash with the new one). The hash is generated once again the same way with CMAC:

    CMAC eid0_1st_CEX_decrypt.bin EID0_First_Section_Key.bin

(eid0_1st_CEX_decrypt.bin is now DEX because we changed the target id.) The hash resulting from this step is written, as I said, into the decrypted first section with the changed target id (again the same eid0_1st_CEX_decrypt.bin that we just modified and used with CMAC to generate this new hash), from 0xA8 to 0xB8, replacing the previous one.

Once you have the modified decrypted first section (eid0_1st_CEX_decrypt.bin) ready, finally proceed to encrypt it again.

    openssl aes-128-cbc -e -in eid0_1st_CEX_decrypt.bin -out eid0_1st_DEX.bin -nosalt -K <EID0_FIRST_SECTION_KEY> -iv <YOUR_EID0_IV> -p -nopad

Here with -in we use the modified eid0_1st_CEX_decrypt.bin as input and generate as output the file eid0_1st_DEX.bin, which we will have to copy and paste into the dump to replace the previous CEX one.
I repeat, the offsets where this section is are the same as where we extracted the segment: in NOR it is at 0x2F090, and for NAND I'm not sure but it should be 0x80890; anyone who has a NAND could confirm it for me. Once you are ready with the modified dump, you only have to flash it by any of your means, by soft or hard (obviously hard being the safest).

Repository DEX FW TEST: http://www.ps3devwiki.com/files/firmware/OFW-DEX/

Benefits of a DEBUG TEST console

. - Running Homebrew and any eboot signed as FSELF with the SDK on any debug fw up to the last fw 4.11.
. - Run the latest new original game disks for 3.6+ including 4.11 (that is, homebrew and new original game disks but no backups, because EBOOTs must be re-signed as FSELF).
. - Ability to use absolutely all possibilities of the SDK (debugging, development, etc).
. - Run backups up to 3.55 maximum through PS3Gen debug or using pkgs and FSELF 0x8000 EBOOTs (re-signing any pkg with psn_package_npdrm and preparing the EBOOTs geohot-style).
. - Direct downgrade to 3.6 + 3.55 with just a pup, so fast.
. - Features of the latest fw available (Support for new devices, etc).

Cons


. - Only for the moment nothing complicated to solve has not playback BD or DVD (Because in the DEX not play) but that in 3.55 dex is solved easily in any 3.6 + dex needs some check is made.

1) What do you mean retail functionality? You can restore dvd playback and ps store to name a few by copying and sprx Some xml editing. Just unpack to 3.55 dex for fw fw and to cex for 3.55 and note the Differences in sprx. Then just add the correct xml keys. For example for ps store seg_commerce_new add the # key to category_psn.xml.


. - Maybe some more burden on FAT consoles overheated.

. - No PSN that to get into the network of developers need at least an existing account last year when it could create accounts SP-INT or be in the database sony consoles and still your target Dex dex do not pass the check to enter retail PSN (alterable be changed to activate the icon of the store and enter the retail).

. - There is also the possibility that if you try to get in a lot on the debug psn in the default sp-int environment they ban you for trying, since you send the PID via the network to their server as well, so once again be careful.

As you can see the best links to have CFW and OFW and need original disks bought as OFW for games but also new 3.6 + Homebrew and also have many features of development and practice, plus you can download the fw when you want...

Greetings.

Last edited by ing_pereira on July 15, 2012 16:36, edited 29 times

Last edited by Simonbuck; 07-15-2012 at 03:52 PM.