Cex2Dex
Jump to navigation
Jump to search
Files
http://www.ps3devwiki.com/files/devtools/Cex2Dex/
LibeEID
c2d
cex2dex
GUI for the console handicapped
http://www.ps3hax.net/2012/07/ps3tools-gui-edition-v2-6-released-cex-2-dex-added/
dump_rootkey
alternative for the 'acquire PCK1' step, without need for OtherOS/Linux.
(needs 3.41, the 341-downgrader.pup works fine).
gameos method
#include <ppu-types.h>
#include <ppu-lv2.h>
/*! IIM interface syscall. */
#define SYSCALL_IIM_IF 868
/*! IIM interface. */
#define IIM_IF(cmd, a1, a2, a3, a4) \
do{ lv2syscall5(SYSCALL_IIM_IF, (u64)(cmd), (u64)(a1), (u64)(a2), (u64)(a3), (u64)(a4)); }while(0)
/*! IIM_GET_DATA. */
#define IIM_GET_DATA 0x17002
/*! EID0 index. */
#define EID0_IDX 0
int main(int argc, const char **argv)
{
u8 eid0[0x1000];
u64 size;
FILE *fp;
//Get EID0.
IIM_IF(IIM_GET_DATA, EID0_IDX, eid0, sizeof(eid0), &size);
//Dump to usb or wherever you like...
return 0;
}
Source: http://pastie.org/4365689 by naehrwert
Guide(s)
In short: changing Target ID of console inside decrypted eEID0
Semi Guide / Shortlist
- dump metldr -> Dumping Metldr
- acquire PCK1 -> EID root key
- dump flash -> Dev_Tools#Memdump Memdump 0.1 or (NOR only) on linux : dd if=/dev/ps3nflasha of=nor.bin
- Check flashdump -> Validating flash dumps
- extract EID0 section -> eidsplitter, manual extract or on linux : ps3dm_iim /dev/ps3dmproxy get_data 0x0 > EID0.bin
- decrypt EID0 using proper LibeEID (or any other proper eEID crypto tool)
- edit Target ID
- encrypt/rehash EID0 using proper LibeEID (or any other proper eEID crypto tool)
- paste inside flash dump -> [HxD] or any Hexeditor / binairy copy method
- If needed, because console is now on 3.56+, don't forget to patch CoreOS and Revoke too -> Downgrading patches
- write back to flash -> Hardware flashing or on linux : dd if=nor.bin of=/dev/ps3nflasha bs=1024
- PSgrade/JIG toggle -> [files/PSGrade]
- service mode reinstall Firmware belonging to that Target ID -> Downgrading with PSgrade Dongle
- remarry BDdrive -> [files/lv2diag/remarry]
- QA-toggle + combo button -> QA Flagging
- leave service mode -> [lv2diag.self FILE2]
- either enjoy XMB or a new brick