[Pockets69]

^ still you would be changing an encrypted IDPS, what good would it do?

[playerkp420]

So has anyone tried this yet? I have read through this whole thread and am still not sure if this works.

I have a flasher and a extra nor ps3. I was thinking about trying this, but then I seen the warning about steps being missing.

I would still be willing to try. But not sure what steps are missing and how I would go about finding out. Or should I start with trying what the tutorial says and report back to you guys. And then go from there?

I'm a noob to this more technical stuff, but really want to learn. I guess I'll start by downgrading this cechl01 I have and get on otheros. Then ill check back and see what the smarter people think.

[PsDev]

Originally Posted by deroad sorry, for that, but sometimes i'm ignorant as other people.

Don't know if you read it, but there is one thing that I KNOW is part of the CEX to DEX conversion, it was failed to be mention. I would label this as most likely fake(may be wrong, not perfect.)

[pereb27]

Originally Posted by Pockets69 ^ still you would be changing an encrypted IDPS, what good would it do?

There should be a way to dump your decrypted IDPS. Multiman can even show your console's IDPS.

Now that I think about it, you can just get the second part of the IDPS from MM, the first part being easy to figure out (00 00 00 01 00 xx 00 yy, xx being your console's targetid which you change to 82, and yy being the motherboard revision whose values are on the wiki).

That said, it's very possible that you also have to change the second part of the IDPS when changing the targetid.
************* [ - Post Merged - ] *************

Originally Posted by PsDev Don't know if you read it, but there is one thing that I KNOW is part of the CEX to DEX conversion, it was failed to be mention. I would label this as most likely fake(may be wrong, not perfect.)

And of course, you won't tell us what this part that you know is, right?
************* [ - Post Merged - ] *************
Okay, I'm now pretty sure my theory is correct.
While looking things up, I found this post from rms' blog :
http://rmscrypt.wordpress.com/2011/0...is-that-thing/

Look at the IDPS from that. Now, look at the IDPS from the request_idps.txt sample I found on google : http://pastebin.com/XAUv0nFM

The IDPS shown here are the exact same, except for the targetid that has been changed from 89 to 82.
Since we all know rms and math are friends, this looks very plausible that you only need to change the targetid to 82, all we need is a good way to dump the decrypted IDPS, and a way to remarry drive on CECH-25xx after conversion.

It's funny how Google really does know everything
Although, I have mixed feelings, it really does seem nobody is interested in opening the PS3 further than it currently is. I feel this should have been figured out soon after the method with objectivesuite was leaked, since the info about IDPS/TargetID was there for months. But oh well, progress is progress :D

[kiwitothemax]

With IDPS dumped it requires an edit of two values before being re-encrypted and flashed back. If this process is successful you would have a full debug console?

Why the need for a BD remarry? could the recent PS3Devwiki fix hypothetically work?

Still trying to wrap my head around the possibility of this. Feels like the exclusive debug console party hosted by some of our very infamous developers might finally be crashed...... One can hope.

[zadow28]

any one knows why the objectsuites support r232 cable ?.
does the debug console have r232 input, or do the console uses one of the usb for simulating r232.

if thats the case, you could use putty or hyperterminalm to connect to the console via r232 cable and dump all you need.then you would need any flasher when you brick.

Edit
there have to be this option, for sony repair shop to flash peoples consoles.
Because think if worst case, they sent out bad update and bricked peoples consoles,thats why almost all electronics have the r232 option.
and normally when i use the r232 option on other devices, i connect with local network cable and also r232.
connect r232 then power on device, then use putty to type commands/dump, and i only uses the network cable to upload new firmware.

[deroad]

Originally Posted by PsDev Don't know if you read it, but there is one thing that I KNOW is part of the CEX to DEX conversion, it was failed to be mention. I would label this as most likely fake(may be wrong, not perfect.)

i never really cared about cex to dex. what i know is just the syscon related part (obviously not mentioned there).

[pereb27]

Originally Posted by kiwitothemax With IDPS dumped it requires an edit of two values before being re-encrypted and flashed back. If this process is successful you would have a full debug console? Why the need for a BD remarry? could the recent PS3Devwiki fix hypothetically work? Still trying to wrap my head around the possibility of this. Feels like the exclusive debug console party hosted by some of our very infamous developers might finally be crashed...... One can hope.

Well actually I might have confused myself. It says IDPS is stored in EID0 and EID5, and I thought EID5 is where the BD P-block and S-block are stored, so if you touch it, the console wouldn't be able to use the drive anymore without remarrying. But now that I think about it, wasn't it EID2?

I tried to look at EID on the PS3DevWiki and found something interesting :
http://www.ps3devwiki.com/wiki/Flash#EID0_-_Section_0

EID0 is supposed to be encrypted, and this doesn't look like a decrypted dump to me. Why does the IDPS appear not encrypted? Is it even actually encrypted? LOL
If it isn't, then there's nothing wrong with the nor flashing method, although I'd rather use ObjSuites myself.

That would be kind of stupid if it wasn't encrypted. Couldn't that mean you could make any console (including CECH-3000) into a DEX via a hardware flasher? Unless you can only flash a DEX firmware from a CEX firmware if you're in service mode.

Anyway, the ObjSuites tutorial says you need to remarry the drive after the conversion. Perhaps it's to activate the debug functions for the drive?
************* [ - Post Merged - ] *************

Originally Posted by deroad i never really cared about cex to dex. what i know is just the syscon related part (obviously not mentioned there).

Debug support flag is tied to EID which is supposed to be hashed and saves in SC EEPROM

Is this what you mean?
My bet is ObjSuites does it.

[just_idle]

i have changed those 6th bytes on idps and flashed it, but it is nothing useful. the only thing thats useful is qa flag, which lets you install debug firmware in fsm without this 3times beep brick.

i was even able to flash debug fw from xmb (after this fsm flash) without errors, but now i don't know if because of qa flag or edited idps.

on irc channel people told me, this 6th byte is only plaintext in idps. at least this is how i have understood it and you have to decrypt EID0/EID5 and change it values in there and not only those 6th bytes.

but on the other hand, maybe i should have done this remarry and new tests afterwards?

some other thing is, those 3.55 dech downgrade pups flash fine in fsm after downgrade, but if you have no qa, the console bricks after leaving fsm.

and btw, those linux NOR backups are the same as if made with flasher. i have compared them.

[pereb27]

Originally Posted by just_idle i have changed those 6th bytes on idps and flashed it, but it is nothing useful. the only thing thats useful is qa flag, which lets you install debug firmware in fsm without this 3times beep brick. i was even able to flash debug fw from xmb without errors, but now i don't know if because of qa flag or edited idps.

QA flag doesn't allow you to install a debug firmware. If you're going to make such claims at least show proof, unless you're just trying to make people brick consoles. I guess we don't know everything about QA flag but still that sounds hard to believe and I wouldn't recommend trying this before it's confirmed.