Editing User talk:Hellsing9

== another clone ==
http://www.jb-infinity.com/infinity_usb/

[File:http://i.imgur.com/oioHO.jpg]

This clone turned out to be '''fake''' and Matrix team was not involved.
To quote:

'''Matrix Team, producer of popular products such as Matrix Infinity, Matrix Glitcher Series, Matrix Freedom PCB etc. would like to clearly state we are not involved in any way in the announced ‘Infinity Dongle’ for Playstation 3. If this product is not a fake the people behind it are clearly trying to profit from Matrix Team excellent reputation in both production quality and product support to improve their sales.'''

http://www.ps3hax.net/2012/07/infinity-dongle-beta-packaging/

added it to http://www.ps3devwiki.com/wiki/Talk:ReDRM_/_Piracy_dongles#another_clone.3F_-.3E_FAKE.21 - thanks :) [[User:Euss|Euss]]

Note: I'm not held responsible for any damage done to your PS3. So read WELL, and if you don't understand something just ASK and someone, if not me, will reply to your question/s. This is NOT a GOOGLE translated GUIDE. I did it because it can be useful as a tutorial in the tutorials section and to understand some words that were lost in translation from the Spanish guide.

-----------------------------------------------------------------

Since there are many problems with the original tutorial (in English), and there can even be problems in the c2d, I've done this guide.

Some clarifications:

In the first place, doing this you will NOT lose the BD remarry; that is false, and I'm not the only one saying it.

@naehrwert wrote:
messing with eid4 on your box will destroy your bd-drive pairing, so I wouldn’t do that
So playing with and modifying anything other than eEID0 can unmarry the BD, for example eEID4, but here we do not make any such modifications; we only use the first segment of eEID0.
 
Tricks to do in Linux and get the NOR dump and eEID(NOR)
--------------------------------------------
 
TUTORIAL (eEID0 DEX)
 
- First we need the dump of the metldr, since in its first 0x30 bytes you have the whole EID root key (erk and riv)

http://www.elotrolado.net/hilo_dump-...theros_1725034

Using HxD or any hexadecimal editor, from 0x00 to 0x1F you will get the eEID root key and from 0x20 to 0x2F the eEID root IV; you can get all of this from the dump of the metldr.
 
Once you have that, you have to install OpenSSL to deal with the crypto part.
 
http://slproweb.com/products/Win32OpenSSL.html
 
Plus you need to download the 2 files = EID0_Key_Seed and EID0_First_Section_Key_Seed.
 
Download:
http://www.mediafire.com/?azoliwucuez2dz0
 
Mirror Upload: http://mir.cr/1J5ZISSD
 
Now I will explain the basic options that we will use with OpenSSL:

-in: the input file that you need to decipher.
-out: the name of the output file that is written after ciphering.
-K: specifies that we will use a key.
-iv: used here to indicate a specific IV (riv) for our cipher.

Advice: Put all the files in the same work folder as those 2 files, so that it does not turn into a pain and you have easy access to your EID root key and EID root IV. Now we will start with the first step:

openssl aes-256-cbc -e -in EID0_Key_Seed.txt -out EID0.txt -nosalt -K <YOUR_EID_ROOT_KEY> -iv <YOUR_EID_ROOT_IV> -p -nopad

Using EID0_Key_Seed.txt as input, we cipher it with our per-console (PCK) key and the IV, as shown in the command.

Then open EID0.txt, the file generated by the command above, in a hex editor: from 0x10 to 0x1F you have your EID0 IV and from 0x20 to 0x3F you have the EID0 key.

If you want, you can save them under other names for easy access, like eid0_iv.txt and eid0_key.txt.

So far we have generated the EID0 key and EID0 IV of our PS3.

openssl aes-256-cbc -e -in EID0_Section_Key_Seed.txt -out EID0_First_Section_Key.bin -nosalt -K <YOUR_EID0_KEY> -iv 0 -p -nopad

With the command above it is normal to leave the IV at 0. Once you have run that command you will have EID0_First_Section_Key.bin, the key used to decipher the first section of the eEID, where the target ID is stored encrypted.

In the next step we will use that key to decipher the first section of the eEID0:

openssl aes-128-cbc -d -in eid0_1st_Section_CEX.bin -out eid0_1st_CEX_decrypt.bin -nosalt -K <EID0_FIRST_SECTION_KEY> -iv <YOUR_EID0_IV> -p -nopad
 
In a NOR dump, as you see in the image, we will find the first section from 0x2F090 to 0x2F14F. It's highlighted in red.

In the section marked in blue you can see what I mean by the IDPS: the first 0x20 bytes are unencrypted from the factory and are the start of eEID0, but the IDPS itself is in the first 0x10 bytes.

eid0_1st_Section_CEX.bin: the name I used, as an example, for the section of the eEID that we extract with the hex editor directly from eEID0 offsets 0x20 to 0xDF (in a NOR dump, offsets 0x2F090 to 0x2F14F); as you see, the length is 0xC0 bytes. We put CEX at the end of the name to identify it as the original section of our CEX console. This part is ciphered and contains the IDPS. This is the input we pass to openssl.

eid0_1st_CEX_decrypt.bin: the output name we give to the deciphered FIRST CEX segment, which we use to check whether it was deciphered correctly.

When we load it in the hex editor, if every step went correctly, the FIRST line will be our deciphered IDPS, the same as in the first 0x10 bytes of the eEID0 (NOR = 0x2F070 | NAND = 0x80870). For example, in my case, something like this:

00 00 00 01 00 84 00 0B 14 01 A6 AE C3 1A 80 28 (THIS IS FROM MY CONSOLE, WARNING WITH THIS)

These bytes in my case are the same ones that appear at the start of the eEID0, in the area I marked in blue in the image I posted. This is what you need to compare to check whether the deciphering went well, or if it's not in the first section.

The first 5 bytes could be the same in your case, since the rest of the data is PCK (per console). The 84 that appears in the 5th byte (offset 0x5) in my case is the target ID; it shows that my console is a North American one. In your case you have to find something similar, along with your target ID.

If you see that it was REALLY deciphered (always double and triple check), you should find the target ID easily.

Note: The FIRST 16 bytes of the FIRST deciphered section of the EID0 MUST match the first 16 bytes of eEID0, that is, the IDPS that can be found in your dumps (NOR = 0x2F070 | NAND = 0x80870). If you notice something wrong or they do not MATCH, DON'T KEEP ON GOING. HALT AND CHECK ALL THE STEPS AGAIN.
 
CMAC | TARGET ID:
 
Now we will generate the CMAC (OMAC1) hash of the first deciphered section of EID0, from 0x00 to 0xA8. That first section is the one already deciphered in the first steps, with the name "eid0_1st_CEX_decrypt.bin"; as you can see in the hex editor, this file has a length of 0xC0.

We will use the key that we already generated, the EID0 First Section Key. To keep going with this tutorial you need to download this application, which I created myself using as a base the cmac algorithm from the source leaked one week ago.
 
Download:
http://www.mediafire.com/?kdetnwgb8s8fv9a
 
Mirror upload: http://mir.cr/0ZMKO3Q6
 
cmac file_in key_file
 
In our case we will see this: cmac eid0_1st_CEX_decrypt.bin EID0_First_Section_Key.bin
 
As I have said many times, eid0_1st_CEX_decrypt.bin is the FIRST section that we already deciphered, and the key in EID0_First_Section_Key.bin was also generated in the earlier steps of this tutorial.

The objective of doing this with the program is to get the ORIGINAL CMAC of our section, without yet changing the target ID to DEX. The output of the program should be something like this:

Hash CMAC (OMAC1):f1053cc3818dd6ce2775f0273dfc212e

It's crystal clear that your numbers will be different: they are PCK, and so is the way we generate them.

Copy the HASH calculated by the program and compare it with the one in eid0_1st_CEX_decrypt.bin from 0xA8 to 0xB8 (I repeat, this is the first deciphered section that we used as input). It has to be the SAME; if it's not the same, something is wrong and you should check the steps again. If it MATCHES, you can go on to the next step.

Now, at byte 0x5 of the first section of the EID0 that we already deciphered, we have our target ID, and you have to change it to 0x82.

Once you have changed the target ID in the first deciphered section of EID0, you have to create a new valid CMAC hash for your new DEX and write this new hash into the same section at the offsets we checked before (where the old value is), from 0xA8 to 0xB8, replacing the old hash with the new one. You generate the new hash EXACTLY the same way as the earlier CMAC:

cmac eid0_1st_CEX_decrypt.bin EID0_First_Section_Key.bin

(eid0_1st_CEX_decrypt.bin is NOW DEX, because we changed the target ID.)

The hash generated in this step is written, as I said, into the FIRST deciphered section with the target ID already changed (I repeat: the same eid0_1st_CEX_decrypt.bin, with the target ID already modified, that we just used with cmac to generate this new hash), from 0xA8 to 0xB8, replacing the *old one*.

Once the modifications to the first deciphered section (eid0_1st_CEX_decrypt.bin) are done, we finally go ahead and cipher it again.

openssl aes-128-cbc -e -in eid0_1st_CEX_decrypt.bin -out eid0_1st_DEX.bin -nosalt -K <EID0_FIRST_SECTION_KEY> -iv <YOUR_EID0_IV> -p -nopad

Here the -in input is the already modified eid0_1st_CEX_decrypt.bin, and as output we generate the file eid0_1st_DEX.bin. This is the file we have to copy and insert into the DUMP, replacing the *old* CEX section.

The offsets where this section goes are the same ones we extracted it from: in NOR this segment is at 0x2F090. I'm not sure about NAND, but it should be at 0x80890; those of you who have NAND can confirm this.

Once you have the modified dump, the only thing left to do is flash it by your own means; you can choose soft or hard (hard is safer).
 
FW DEX TEST REPOSITORY:
https://web.archive.org/web/*/http://ps3devwiki.com/files/firmware/OFW-DEX/
 
Benefits of a DEBUG TEST console:
 
.- Run homebrew and ANY eboot signed as FSELF with the SDK on ANY debug FW up to the latest one, 4.11.

.- Execute the latest 3.6+ legit games on disc (even on 4.11). You can run homebrew and new games, but only with original discs, NO BACKUPS, because the eboots would have to be signed again as FSELF.

.- You can use EVERY single option from the SDK (Debug, Development, etc)

.- Execute backups up to 3.55 using PS3gen, or using debug pkgs and FSELF 0x8000 eboots (re-signed with psn_package_npdrm; any package, preparing them *geohot* type).

.- Direct downgrade from 3.6+ to 3.55 with ONE pup, a fast way to do it.

.- Improvements and many things from the latest FW (support for new devices, etc).

Cons:

.- For the moment, nothing complicated to fix: you have no BD or DVD playback because you can't do it on DEX, but on 3.55 DEX this can be fixed (easy way); on any 3.6+ you need a certain check.
 
 
1) What do you mean retail functionality? You can restore dvd playback and ps store to name a few by some sprx copying and xml editing. Just unpack a dex fw for 3.55 and a cex fw for 3.55 and note the differences in sprx. Then just add the correct xml keys. For example for ps store add the #seg_commerce_new key to category_psn.xml.
 
.- Maybe a little bit more of charge (data) for PHAT with heat problems.
 
.- NO PSN, since you have to connect to devnet; you need at least one account created (from last year) because of the passphrase issue. So NO PSN on DEX.

.- There is a chance that if you try to log in to PSN too many times with the debug console in the default sp-int environment, you can be banned for trying. When you do this you are sending your IDPS to a server, and this is the way they check. So be careful.
 
Source = Elotrolado
 
Translated by me.
 
Any typo let me know.
 
Regards
 
Hellsing9
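
The two halt-or-continue checks from the guide above (the decrypted IDPS must equal the IDPS in the dump, and the CMAC stored in the section must equal the one the cmac tool prints), as an added Python example that is not part of the original guide or of the cmac tool. It only reads data; `check_section`, `parse_cmac_line`, `LayoutError` and `build_sample` are hypothetical names, and the sample dump and hash are constructed.

```python
import hmac
import re

# Layout constants taken from the guide above (NOR dumps only).
NOR_IDPS_OFFSET = 0x2F070     # plaintext IDPS, first 0x10 bytes of eEID0
NOR_SECTION_OFFSET = 0x2F090  # encrypted first section, runs to 0x2F14F
SECTION_LEN = 0xC0
IDPS_LEN = 0x10
TARGET_ID_INDEX = 0x5
CMAC_OFFSET = 0xA8            # stored CMAC field; 16 bytes, as in the sample hash
CMAC_LEN = 0x10
# Only the two target IDs the guide names; anything else is "unknown".
TARGET_IDS = {0x84: "retail, North America", 0x82: "DEX"}


class LayoutError(ValueError):
    """A dump or section failed one of the guide's checks."""


def _slice(buf, offset, length, what):
    chunk = bytes(buf[offset:offset + length])
    if len(chunk) != length:
        raise LayoutError(f"{what}: dump too short for {length:#x} bytes at {offset:#x}")
    return chunk


def parse_cmac_line(line):
    """Extract the 16-byte hash from a 'Hash CMAC (OMAC1):<hex>' line."""
    m = re.search(r"CMAC \(OMAC1\):\s*([0-9a-fA-F]{32})\s*$", line)
    if not m:
        raise LayoutError("no 32-digit CMAC found in tool output")
    return bytes.fromhex(m.group(1))


def check_section(nor_dump, decrypted, cmac_line):
    """Run the guide's two halt-or-continue checks and return a summary."""
    if len(decrypted) != SECTION_LEN:
        raise LayoutError(f"section is {len(decrypted):#x} bytes, expected {SECTION_LEN:#x}")
    idps = _slice(nor_dump, NOR_IDPS_OFFSET, IDPS_LEN, "IDPS")
    encrypted = _slice(nor_dump, NOR_SECTION_OFFSET, SECTION_LEN, "first section")
    if bytes(decrypted) == encrypted:
        raise LayoutError("section equals the dump bytes: it was never decrypted")
    # Check 1: the first 0x10 decrypted bytes must equal the plaintext IDPS.
    if bytes(decrypted[:IDPS_LEN]) != idps:
        raise LayoutError("decrypted IDPS does not match the dump: stop here")
    # Check 2: the tool's CMAC must equal the one stored inside the section.
    stored = bytes(decrypted[CMAC_OFFSET:CMAC_OFFSET + CMAC_LEN])
    if not hmac.compare_digest(stored, parse_cmac_line(cmac_line)):
        raise LayoutError("stored CMAC differs from the computed one: stop here")
    target = decrypted[TARGET_ID_INDEX]
    return {
        "idps": idps.hex(),
        "target_id": target,
        "target_name": TARGET_IDS.get(target, "unknown"),
        "stored_cmac": stored.hex(),
    }


def build_sample():
    """Constructed test data; the 'ciphertext' is an XOR stand-in, not AES."""
    idps = bytes.fromhex("000000010084000b0102030405060708")
    cmac = bytes.fromhex("00112233445566778899aabbccddeeff")
    body = bytes((i * 7 + 3) & 0xFF for i in range(CMAC_OFFSET - IDPS_LEN))
    decrypted = idps + body + cmac + bytes(SECTION_LEN - CMAC_OFFSET - CMAC_LEN)
    dump = bytearray(NOR_SECTION_OFFSET + SECTION_LEN)
    dump[NOR_IDPS_OFFSET:NOR_IDPS_OFFSET + IDPS_LEN] = idps
    dump[NOR_SECTION_OFFSET:] = bytes(b ^ 0x5A for b in decrypted)
    return bytes(dump), decrypted, "Hash CMAC (OMAC1):" + cmac.hex()


if __name__ == "__main__":
    print(check_section(*build_sample()))
```

Any `LayoutError` corresponds to the guide's instruction to halt and recheck the earlier steps before touching the dump.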
 
Passphrase issue that i posted some days ago:
 
The NP communication passphrase and signature will be provided
within the Server Management Tools.
 
Details:
NP communication ID, passphrase, and signature, required for certain PSN
communication services, had been provided on the DevNet thread upon the
completion of the requested Playstation®Network service configurations.
From 2012/07/05 the NP Communication Passphrase and Signature will be provided
within the Server Management Tools.
 
This change affects all the communication IDs issued after 2012/07/05. It will
not be possible to access the NP communication passphrase or signature in the
support issued after that date.
 
Only those users who have initially requested the NP communication services and
was provided the files on DevNet thread will have access to the file on the
request threads.
 
Note that the NP communication passphrase and signature are required with NP
Matching 2 and Title Small Storage.
 
==  Retrieving your Console ID on OFW with sniffer: ==
 
# Download and install Wireshark and WinPcap (included with the Wireshark installer).
# Download and install the .NET runtimes.
# Download and install PS3 ProxyServer.
# Open a command prompt (start menu -> all programs -> accessories -> command prompt) and enter the command “ipconfig”. Write down the IPv4 address (should look like 192.168.0.10 or something similar).
# Open PS3 ProxyServer, copy the IPv4 address you wrote down into the IP Address field and check off PS3 mode; leave the other options alone. Hit the big start button. Keep your IPv4 number handy, you’ll need it again. Leave this program running.
# Open Wireshark. On the left side there is an option to start capture. Left click with your mouse to select the appropriate network adapter listed below the start command. If you are not sure about which adapter to use, select them all using ctrl + left mouse click. Hit the start button once you’ve highlighted the appropriate adapters. Leave this program running.
# Boot up your PS3 and navigate to Settings -> Network Settings -> Internet Connection Settings. On the first page select custom; on the second select whether you are connected wirelessly or wired. Skip all other options by hitting right on your controller until you get to the Proxy Server page, then select use for that option.
# Input the IPv4 address you wrote down earlier into the top field. Make sure that the port number on this page matches the port number on PS3 ProxyServer (should both say 8080).
# Skip to the last page of the configuration and hit x.
# Test the connection when prompted by hitting x again. As long as the top 3 fields say succeeded you can carry on to the next step. If not, review your settings in this step and steps 5 and 6 and retry.
# Sign into the PlayStation Network and log in to the PSN store.
# Go back to your PC and check Wireshark. There should be a whole bunch of information displayed on the screen; don’t worry, you don’t need to know what it means. Press [ctrl]+e to stop capturing, then press [ctrl]+f to bring up your search dialogue.
# Under “find” check off “string” and under “Search In” check off “Packet bytes”. Enter 0000000100 as your search criteria and hit enter. If the necessary packet was found, the bottom frame should show the number highlighted on the right side (plaintext view). To ensure you have the right packet, right before the highlighted text it should say “devideID”:” and then the numbers you searched for.
# Take all the numbers and letters starting with your highlighted numbers and copy everything down until you find the next quotation mark in the plaintext. You should have a total of 32 digits written down. It should look something like 000000010084 followed by a bunch of letters and numbers.

This is your console ID. Add 32 more zeros to the end of it.

P.S. Saw this method used for doing something with saved data, so tried it out and it worked. The actual tutorial for this was taken and modified by me from this: [Tutorial] Using pfdtool without cfw (Borderlands 2 specific) | PS3Hax Network

P.P.S. Use your original PSID and change the last number/letter to 1.
 
Note: Time to do some research on this one.
 
== OFW 4.40: Info and download ==
 
# US
Dest=84;CompatibleSystemSoftwareVersion=4.4000-;
Dest=84;IncrementalUpdateVersion=0000e771-0000e771;ImageVersion=0000eafc;SystemSoftwareVersion=4.4000;CDN=http://dus01.ps3.update.playstation.net/update/ps3/image/us/2013_0321_1b6a1cb5a909325a7f5ed949e8cc57cb/PS3PATCH.PUP;CDN_Timeout=30;
Dest=84;ImageVersion=0000eafc;SystemSoftwareVersion=4.4000;CDN=http://dus01.ps3.update.playstation.net/update/ps3/image/us/2013_0321_1b6a1cb5a909325a7f5ed949e8cc57cb/PS3UPDAT.PUP;CDN_Timeout=30;
 
==============================================
 
C:\Root>readself ps3swu.self
SELF header
  elf #1 offset:  00000000_00000090
  header len:    00000000_00000880
  meta offset:    00000000_000003a0
  phdr offset:    00000000_00000040
  shdr offset:    00000000_00567a30
  file size:      00000000_00b82960
  auth id:        10700003_fd000001 (Unknown)
  vendor id:      01000002
  info offset:    00000000_00000070
  sinfo offset:  00000000_00000260
  version offset: 00000000_00000340
  control info:  00000000_00000350 (00000000_00000070 bytes)
  app version:    4.64.0
  SDK type:      Retail
  app type:      application
 
Control info
  control flags:
    40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  file digest:
    72 f9 cb 71 61 57 cb 24 11 59 9c 0b c2 07 9c ad 28 fd 18 7d
 
Section header
    offset            size              compressed unk1    unk2
    00000000_00000880  00000000_001fc2c0 [YES]      00000000 00000000
    00000000_00208d10  00000000_0001511e [YES]      00000000 00000000
    00000000_0022dc70  00000000_00268d55 [YES]      00000000 00000000
    00000000_004a2150  00000000_000ba152 [YES]      00000000 00000000
    00000000_0055c2b0  00000000_00000000 [NO ]      00000000 00000000
    00000000_00000000  00000000_00000004 [NO ]      00000000 00000000
    00000000_00000000  00000000_00000020 [NO ]      00000000 00000000
 
Encrypted Metadata
  unable to decrypt metadata
 
ELF header
  type:                                Executable file
  machine:                              PowerPC64
  version:                              1
  phdr offset:                          00000000_00000040
  shdr offset:                          00000000_00b82160
  entry:                                00000000_004e8810
  flags:                                00000000
  header size:                          00000040
  program header size:                  00000038
  program headers:                      7
  section header size:                  00000040
  section headers:                      32
  section header string table index:    31
 
Program headers
    type  offset            vaddr            paddr
          memsize          filesize          PPU  SPE  RSX  align
    LOAD 00000000_00000000 00000000_00010000 00000000_00010000
          00000000_004c3e30 00000000_004c3e30 r-x  ---  ---  00000000_
    LOAD 00000000_004d0000 00000000_004e0000 00000000_004e0000
          00000000_000301c4 00000000_000301c4 rw-  ---  ---  00000000_
    LOAD 00000000_00510000 00000000_10000000 00000000_10000000
          00000000_00514880 00000000_00514880 r--  r--  ---  00000000_
    LOAD 00000000_00a30000 00000000_10520000 00000000_10520000
          00000000_00172fc8 00000000_00146950 rw-  rw-  ---  00000000_
    LOAD 00000000_00b76950 00000000_00000000 00000000_00000000
          00000000_00000000 00000000_00000000 rw-  rw-  rw-  00000000_
    ????? 00000000_005001c0 00000000_005101c0 00000000_005101c0
          00000000_000001b8 00000000_00000004 r--  ---  ---  00000000_
    ????? 00000000_004c3e10 00000000_004d3e10 00000000_004d3e10
          00000000_00000020 00000000_00000020 ---  ---  ---  00000000_
 
Section headers
  [Nr] Name            Type      Addr              ES Flg Lk Inf Al
      Off                      Size
  [00] <no-name>      NULL      00000000_00000000 00    00 000 00
      00000000_00000000        00000000_00000000
  [01] <no-name>      PROGBITS  00000000_000101c8 00 wa  00 000 04
      00000000_000001c8        00000000_0000002c
  [02] <no-name>      PROGBITS  00000000_000101f8 00 wa  00 000 08
      00000000_000001f8        00000000_004c2314
  [03] <no-name>      PROGBITS  00000000_004d250c 00 wa  00 000 04
      00000000_004c250c        00000000_00000040
  [04] <no-name>      PROGBITS  00000000_004d254c 00 wa  00 000 04
      00000000_004c254c        00000000_00000024
  [05] <no-name>      PROGBITS  00000000_004d2570 00  a  00 000 04
      00000000_004c2570        00000000_0000189c
  [06] <no-name>      PROGBITS  00000000_004d3e10 00  ae 00 000 08
      00000000_004c3e10        00000000_00000020
  [07] <no-name>      PROGBITS  00000000_004e0000 00  ae 00 000 04
      00000000_004d0000        00000000_00000178
  [08] <no-name>      PROGBITS  00000000_004e0178 00  ae 00 000 04
      00000000_004d0178        00000000_00000104
  [09] <no-name>      PROGBITS  00000000_004e027c 00  ae 00 000 04
      00000000_004d027c        00000000_00000004
  [10] <no-name>      PROGBITS  00000000_004e0280 00  ae 00 000 04
      00000000_004d0280        00000000_00004cb4
  [11] <no-name>      PROGBITS  00000000_004e4f38 00  ae 00 000 08
      00000000_004d4f38        00000000_000038c4
  [12] <no-name>      PROGBITS  00000000_004e8800 00  ae 00 000 04
      00000000_004d8800        00000000_0001d768
  [13] <no-name>      PROGBITS  00000000_00505f68 04  ae 00 000 08
      00000000_004f5f68        00000000_0000a258
  [14] <no-name>      PROGBITS  00000000_005101c0 00  ae 00 000 08
      00000000_005001c0        00000000_00000004
  [15] <no-name>      NOBITS    00000000_005101c8 00  ae 00 000 08
      00000000_005001c4        00000000_000001b0
  [16] <no-name>      PROGBITS  00000000_10000000 00  a  00 000 128
      00000000_00510000        00000000_000b6468
  [17] <no-name>      PROGBITS  00000000_100b6468 00  a  00 000 04
      00000000_005c6468        00000000_00000028
  [18] <no-name>      PROGBITS  00000000_100b6490 00  a  00 000 04
      00000000_005c6490        00000000_00000004
  [19] <no-name>      PROGBITS  00000000_100b6494 00  a  00 000 04
      00000000_005c6494        00000000_00000004
  [20] <no-name>      PROGBITS  00000000_100b6498 00  a  00 000 04
      00000000_005c6498        00000000_00000004
  [21] <no-name>      PROGBITS  00000000_100b649c 00  a  00 000 04
      00000000_005c649c        00000000_00000004
  [22] <no-name>      PROGBITS  00000000_100b64a0 00  a  00 000 04
      00000000_005c64a0        00000000_0000002c
  [23] <no-name>      PROGBITS  00000000_100b64cc 00  a  00 000 04
      00000000_005c64cc        00000000_0000001c
  [24] <no-name>      PROGBITS  00000000_100b6500 00  ae 00 000 128
      00000000_005c6500        00000000_0045e380
  [25] <no-name>      PROGBITS  00000000_10520000 00  ae 00 000 128
      00000000_00a30000        00000000_0014694c
  [26] <no-name>      PROGBITS  00000000_10666950 00  ae 00 000 08
      00000000_00b76950        00000000_00000000
  [27] <no-name>      NOBITS    00000000_10666950 00  ae 00 000 01
      00000000_00000000        00000000_00000000
  [28] <no-name>      NOBITS    00000000_10666950 00  ae 00 000 16
      00000000_00b76950        00000000_0002c678
  [29] <no-name>      PROGBITS  00000000_00000000 00    00 000 01
      00000000_00b76950        00000000_0000b6c0
  [30] <no-name>      PROGBITS  00000000_00000000 00    00 000 04
      00000000_00b82010        00000000_00000028
  [31] <no-name>      STRTAB    00000000_00000000 00    00 000 01
      00000000_00b82038        00000000_00000126
 
===========================================================