Old 07-20-2012   #1371
CyberDuck
Originally Posted by james28909 View Post
i got past my first problem, after trying to install debian 40 million times it finally installed.

but now i am having problems here.

copy "metldrpwn" folder to /home/yourusername
5. start terminal
6 cd metldrpwn
make
sudo ./run.sh
cp /proc/metldrpwn/dump /home/yourusername/


the bits in red i am a little confused....

when you copy the metldrpwn folder to /home/yourusername... do i just mkdir "home" then cd home then mkdir "user" ???

and when i try to copy metldrpwn to /home/user/ it dont work

and when i try to do:
cd metldrpwn
make <-------- it says bash: make: command not found


any help would sure be appreciated, or at least an explanation or kick in the right direction. im a good windows user, but linux has got me sort of confused :P
The "/home/yourusername" folder should be already created from the debian installer so yourusername is the name you put when the installer asked it.
Old 07-20-2012   #1372
james28909
ok so i navigate to /tmp/petitboot/mnt/sda1/metldrpwn

then i type:
"cp -s metldrpwn /home/user/........ or
"cp -l metldrpwn /home/user/

also... i had to do mkdir to have "home/user"

i did it by doing "mkdir home" then "cd home" then "mkdir user"
("user" is my user name)

and it tells me "too many levels of symbolic links"
:0

no matter if i change directories to home/user and try to copy from there, or if i am in /tmp/petitboot/mnt/sda1/metldrpwn... i cant copy the file to the hdd no matter what i try to do.

but i didnt think you had to copy it to the hdd... can you not just "make" and "run.sh" from the usb device?


i admit it, i am not a linux guru, i have been trying now for 3 days to get this going. i have an e3 flasher and have downgraded many ps3's, but i just cant wrap my head around linux.. it will take a while to learn. tho the more i use it the more i understand it. i can navigate directories now :D and make directories. i just need a little help to get this going.

i have a valid dump from my e3 flasher in the metldrpwn folder, i just need to dump the root key so i can run it through the converter program

Last edited by james28909; 07-20-2012 at 04:35 AM.
Old 07-20-2012   #1373
haz367
@svenmullet
wow that sucks balls, wtf happened there
hopefully u'll get it fix'd!
Old 07-20-2012   #1374
CyberDuck
Originally Posted by james28909 View Post
ok so i navigate to /tmp/petitboot/mnt/sda1/metldrpwn

then i type:
"cp -s metldrpwn /home/user/........ or
"cp -l metldrpwn /home/user/

also... i had to do mkdir to have "home/user"

i did it by doing "mkdir home" then "cd home" then "mkdir user"
("user" is my user name)

and it tells me "too many levels of symbolic links"
:0

no matter if i change directories to home/user and try to copy from there, or if i am in /tmp/petitboot/mnt/sda1/metldrpwn... i cant copy the file to the hdd no matter what i try to do.

but i didnt think you had to copy it to the hdd... can you not just "make" and "run.sh" from the usb device?


i admit it, i am not a linux guru, i have been trying now for 3 days to get this going. i have an e3 flasher and have downgraded many ps3's, but i just cant wrap my head around linux.. it will take a while to learn. tho the more i use it the more i understand it. i can navigate directories now :D and make directories. i just need a little help to get this going.

i have a valid dump from my e3 flasher in the metldrpwn folder, i just need to dump the root key so i can run it through the converter program
Try :
cp -r metldrpwn /home/user

Then type cd /home/user and type ls , you will see the files in the folder, if metldrpwn is there it worked.

Then cd metldrpwn and after that :
make
sudo sh ./run.sh
Old 07-20-2012   #1375
Nextis
Yo CaptainCPS-X so what happened? haven't heard anything from you in 16hrs, are you done yet? cos.. I'm not gonna flash mine until I hear back from you, svenmullet's brick got me worried xD.

Last edited by Nextis; 07-20-2012 at 01:34 PM.
Old 07-20-2012   #1376
svenmullet
Originally Posted by Nextis View Post
Yo CaptainCPS-X so what happened? haven't heard anything from you in 16hrs, are you done yet? cos.. I'm not gonna flash mine until I hear back from you, svenmullet's brick got me worried xD.
I bricked trying to go back to CEX. Going to DEX gave me no problems, but it was a NOR PS3, so...
Old 07-20-2012   #1377
CaptainCPS-X
Sorry I haven't posted any updates but I'm still stuck at the following step...

(btw, I switched back to Red Ribbon RC5, the other Debian method consumed too much time and was very complex)

13) Boot up Linux on your PS3, plug your USB stick in

14) Copy the “metldrpwn” folder to your “Home” folder

15) Open up Terminal and type “cd metldrpwn” (without quotes)

16) Type “sudo ./run.sh” (without quotes) If it fails, type “sudo chmod +x ./run.sh” (without quotes) Then re-type “sudo ./run.sh” (without quotes)
When I write that command in the terminal, I get an error about 'metldrpwn.ko Cannot allocate memory' or something like that, so obviously the upcoming commands from the SH script fail as well, since the process did not execute well.

I found a guy who posted some steps to successfully compile metldrpwn on Red Ribbon RC5 so maybe that will help with my problem.

If anyone knows what is wrong with metldrpwn.ko and the memory allocation error, I will appreciate some information, thanks in advance

SeeYa!
__________________
gamePKG / FB Alpha RL - [ https://github.com/CaptainCPS ]
FB ALPHA DEV TEAM - [ http://neosource.1emu.net ] [ http://www.barryharris.me.uk/ ]
PS3 - [CECH-2501A][NOR][160GB HDD][REBUG CFW 4.41.2 LITE]
Old 07-20-2012   #1378
butnut
@CaptainCPS-X
you could try closing any open windows (filemanager, terminal, etc)

and at the desktop press ctrl+alt+F1

cd to metldrpwn and type “sudo ./run.sh” (without quotes)

Exploit should work now, if not then I don't know how else to help.

Either way press ctrl+alt+F7 to get back to desktop.
Likes: (1)
Old 07-20-2012   #1379
CaptainCPS-X
Originally Posted by butnut View Post
@CaptainCPS-X
you could try closing any open windows (filemanager, terminal, etc)

and at the desktop press ctrl+alt+F1

cd to metldrpwn and type “sudo ./run.sh” (without quotes)

Exploit should work now, if not then I don't know how else to help.

Either way press ctrl+alt+F7 to get back to desktop.
At last I can continue LOL!, thanks for the information, it worked now! I will definitely include it in my guide!

Thanks man! I will continue now and report back how it goes asap

SeeYa!

************* [ - Post Merged - ] *************
I backed up all my files now:

- flash_stor_35500.bin (original NAND CEX flash dump by: memdump v0.01)
- metldr (metldr from original flash dump by: CEX2DEX / Gunner54 application)
- dump_eid0.bin (obtained from 'metldrpwn' using: Red Ribbon RC5 Live)
- flashDEX_NAND.bin (obtained from CEX2DEX / Gunner54 application)

Here is the log from CEX2DEX / Gunner54 application:

Note: I renamed 'dump_eid0.bin' to 'dump' so I could load it on CEX2DEX.



PHP Code:
Loading Flash Dump...
EID0 Address 0x00080860
CMAC PASS!
CMAC [DEX] : PASS!

FLASH CREATED SUCCESSFULLY
I will now do it all over again but obtaining the Flash dump using mmCM (multiMAN in debug mode) so I can compare all files and make sure I get a proper flash dump, so I don't brick my PS3 xD

More information soon, my guide is progressing as I do everything myself

PS: Here you have a few pictures from my 'dump_eid0.bin' and a separate file I made for the keys only 'ps3_keys.bin'...





SeeYa!

************* [ - Post Merged - ] *************
Finished doing the flash dump using mmCM (multiMAN in debug mode) and I got:

- 20120720-182639-FLASH-NAND-FW3.55.NANDBIN

I compared it to the dump made by "memdump v0.01" and it is "different", doesn't have the same hashes, and after looking at it via HxD (hex editor) I noticed that, from what it seems, multiMAN dumps a cleaner flash.

Now here comes the good part, after opening "20120720-182639-FLASH-NAND-FW3.55.NANDBIN" with CEX2DEX / Gunner54 application (had to rename extension as '.BIN' to open it) and extracting the "metldr", I compared it to the "metldr" obtained from the flash dump made by "memdump v0.01", and it is 'identical' (verified via hash + hex editor).

So I guess that CEX2DEX / Gunner54 application can handle both dump types and extract the 'metldr' as needed.

More info soon!

SeeYa!
Last edited by CaptainCPS-X; 07-20-2012 at 06:19 PM.
Likes: (4)
Old 07-20-2012   #1380
CaptainCPS-X
New important information regarding NAND flash dump! Please read!

I have done the NAND dump by these 3 methods:

1) Using "Linux terminal" (CEX2DEX says it's NOT VALID)
2) Using "memdump v0.01"
3) Using "mmCM" in Debug Mode

All of these dumps are 239MB, they have missing data on them, they should be 256MB!

The final method to obtain the NAND flash dump was:

4) Using "Jaicrab Preloader Advance v3.1"

This dump is 256MB (as it should be!) and the "metldr" obtained from it is exactly as the "metldr" obtained from my previous flash dumps (except the Linux dump, that one is not good).

To use "Jaicrab Preloader Advance v3.1" the PS3 should be in "Factory Service Mode" (not to be confused with PS3 Recovery Mode).

Usually the only method to put your PS3 on FSM was using a dongle, BUT!, there is this nice application called "Factory Service Mode Tool v2" here:

http://www.ps3hax.net/2012/02/releas...ode-tool-v0-2/

That will make things easier, I just installed the proper PKG file and launched the application on my PS3 and voila! I was on Factory Service Mode.

I will explain all this in my upcoming NAND guide, and I will provide an All-In-One package with everything you will need to go from CEX-to-DEX.

More information soon! xD I'm almost at the point of no return! LOL let's hope I don't brick!! haha!

EDIT: Used "Jaicrab Preloader Advance v3.1" to restore the final DEX NAND flash, here are the results:

*******************************
* JaiCraB 2012 *
* http://jaicrab.blogspot.com *
* jaicrab @gmail.com *
*******************************
Main: Version 3.1
Main: Running main base!
Main: Opening config file...OK
Main: Analyzing configuration...
Restore rflash: Opening device for backup... Nand model. OK!
Restore rflash: Opening /dev_usb000/rflash.bin file backup...OK
Restore rflash: Dump size 256MB
Restore rflash: Starting full rflash restore ...COMPLETED!
Main: Shutdowning!
Now, I still haven't turned my PS3 back on, LMAO! xD... Let's hope I did not brick! (fingers crossed)

Be back with my result in a moment xD

EPIC EDIT!!: RE-FLASHING WAS A SUCCESS!, PREPARING TO INSTALL DEX FW 3.55 NOW!

SeeYa!
Last edited by CaptainCPS-X; 07-20-2012 at 09:05 PM.
Likes: (8)
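
The checks done by hand in posts #1379 and #1380 (comparing dumps from different tools by size and hash, then looking for where they differ in a hex editor) can be scripted. This is an added example, not code from the thread or from any tool named in it; the function names are hypothetical, and reading "256MB" as 256 MiB is an assumption.

```python
import hashlib
import os

# Assumption: the "256MB" full NAND dump size quoted in the post means 256 MiB.
EXPECTED_NAND_SIZE = 256 * 1024 * 1024


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so a large dump never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def diff_regions(path_a, path_b, block=4096):
    """Return merged (start, end) byte ranges where two dumps differ.

    Only the common length is compared; a size mismatch shows up in the
    'sizes' and 'complete' fields of compare_dumps().
    """
    regions = []
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(block), fb.read(block)
            n = min(len(a), len(b))
            if n == 0:
                break
            if a[:n] != b[:n]:
                if regions and regions[-1][1] == offset:
                    # Adjacent differing block: extend the previous range.
                    regions[-1] = (regions[-1][0], offset + n)
                else:
                    regions.append((offset, offset + n))
            offset += n
    return regions


def compare_dumps(path_a, path_b, expected_size=EXPECTED_NAND_SIZE):
    """Summarise size, hash and differing regions for two dumps of one flash."""
    sizes = [os.path.getsize(p) for p in (path_a, path_b)]
    hashes = [sha256_file(p) for p in (path_a, path_b)]
    return {
        "sizes": sizes,
        "complete": [s == expected_size for s in sizes],
        "identical": sizes[0] == sizes[1] and hashes[0] == hashes[1],
        "sha256": hashes,
        "diff_regions": diff_regions(path_a, path_b),
    }
```

A dump whose `complete` entry is false, or two dumps from different tools that are not `identical`, should be resolved before anything is written back to flash.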