Talk:Cex2Dex

From PS3 Developer wiki
Revision as of 18:13, 17 January 2020 by CelesteBlue (talk | contribs)
Jump to navigation Jump to search

External references

CEX2DEX - pro versus con

Pro

Function 3.55 3.56 3.60+ Remarks
Using the features of a debug console Yes Yes Yes To effectively use features, need to use SDK related files, e.g. TargetManager etc
Using FSELFs Yes Yes Yes To create fselfs, you must have the decrypted binary first
Downgrading Yes Yes Yes Restricted to minver of that SKU/type (either metldr minver locked, or because of drivers - same limitations as Retail/CEX, but without hardware flasher)

Con

Function 3.55 3.56 3.60+ Remarks
Retail Functionality : Packages No
(patchable)
No
(see 3.55)
No
(Disabled for that Target ID)
Retail Functionality : BD-Movies No
(patchable)
No
(see 3.55)
No
(Disabled for that Target ID)
Retail Functionality : DVD-Movies No
(patchable)
No
(see 3.55)
No
(Disabled for that Target ID)
Retail Functionality : PS Store No
(patchable)
No
(see 3.55)
No
(Disabled for that Target ID)
PSN/SEN No
(only when patched/spoofed to Retail AND passphrase is available)
No
(see 3.55)
No
(Server Whitelisting and nondebug IDPS fail)
More Stress to the console Yes Yes Yes Using TargetManager/Debugger increases memoryload, also heats up RSX more (there are known CECHA/CECHC that gotten YLOD after few weeks of usage, and behaved normally when converted back to Retail/CEX)
Backups (via Manager) : <=3.56 keyed Yes
(same as Retail, would need lv1.self : mmap114 and lv2.self : peek/poke patches + Manager with DEX detection/payload)
Yes
(see 3.55)
No
Backups (via Manager) : >=3.60 keyed No
(same as Retail)
No
(see 3.55)
No
Backups (using ps3gen/bdemu) : <=3.56 keyed Yes Yes
(see 3.55)
Yes
Backups (using ps3gen/bdemu) : >=3.60 keyed No No Yes
OtherOS++ : Linux/BSD Yes
(same as Retail, need patches)
No
(No one ported OtherOS++ MFW tasks to 3.56 yet, if someone does, see 3.55)
No
Firmware availability Yes Yes No
(leaks always will lag behind)
Getting firmwares will always be a handicap, as they are not openly distributed/announced like Retail, only on SCEDevnet
Easily detectable and banned Yes Yes Yes
HDCP off No No No Hardware limitations in the HDMI out chip (OTP ?) prevent from switching hdcp off even by forcing the setting (see note below), HDCP would then appear off in the system settings but would actually still be on

Note:
Can use QA_Flagging#Debug_Menu_settings_not_in_Retail.2FCEX_QA QA debug (<=3.56) or setmonitor.self (ProDG Target Manager - Monitor Settings Utility). See also XRegistry.sys XRegistry.sys /setting/display/0/hdcp to enforce it to "off" setting.

Burned Master Discs No No No Hardware limitations in the Drive Id's (OTP not set to 0xFFFFFFFFFFFFFFFF) prevent from using burned ps3 and ps2 masterdiscs (they are recognized as data discs), this is a check performed by the drive's firmware.

Note about 3.56 : would need to use custom generated keys for signing, as the random fail is fixed since that version, thus no private keys can be acquired with Scekrit).

Alternative method of writing back flash (jaicrab / bad idea)

Put these, including your target NOR file, named rflash.bin on a stick

https://dl.dropbox.com/u/35197530/Lv2diag.self
https://dl.dropbox.com/u/35197530/advance.cfg

Either use PSgrade/JIG and let the lv2diag.self be executed by lv1.self automaticly, or use MultiMAN self loader
Will take a LONG time (35 minutes) until console stops blinking and shutdown with red led.

Tested working on CECHG fat(256mb nand), I suspect the reason for people bricking was they were flashing dumps of different lenghts and offsets(such as from memdump) and not the one provided by dumping with this -sk1080



Cex2Dex NOR Guide

Prerequisites

NOR guide

  1. Put above mentioned 3 packages in root of USB stick and install them on the PS3 using *Install Packages*
  2. With the USB stick still inserted, run Memdump v 0.01 and select the option "Dump Flash Storage"
  3. Run eEID_RKDumper. It should give 5-10 seconds black screen, beep and shutdown the console.
  4. Reboot the console, start MultiMan and use the filemanager to navigate to /dev_hdd0/tmp/eid_root_key and copy this file to the root of your USB stick.
  5. Now you should have the PCK1 (eid_root_key) and complete flash dump (flash_stor_35500.bin) of that console. Backup these 2 files for safe keeping/debricking. If you have multiple consoles, mark them as needed (e.g. serial from white sticker) to avoid confusion.


conversion diff

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
0002F070  00 00 00 XX 00 XX 00 XX XX XX XX XX XX XX XX XX
0002F080  00 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F090  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F0A0  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F0B0  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F0C0  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F0D0  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F0E0  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F0F0  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F100  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F110  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F120  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F130  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
0002F140  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX




Trophy errors

If you are getting trophy errors preventing you to play backups then make sure you perform the following steps:

  1. Go to recovery menu and restore default settings.
  2. Rebuild ps3 database from recovery menu.
  3. If you had a playstation id then add the playstation id/password in the playstation network settings. Try to connect once, it will ask you to upgrade your console. DONOT upgrade! Keep the playstation id/password saved in the psn settings.

Trivia

Neither the SC_EEPROM#EEPROM_Offset_Table_-_Flags_and_Tokens FSELF Control Flag nor the SC_EEPROM#EEPROM_Offset_Table_-_Flags_and_Tokens Debug Support Flag is changed, nevertheless, no functions of the DEX firmware are restricted, it behaves like a original one. Sony could just add checks in the upcoming DEX firmwares and patch this CEX -> DEX conversion method. Also this isn't a full cex-dex conversion, seeing as only the IDPS is changed only in EID0 and not also in EID5.

DEX2CEX safe way / debricking

  1. take that console DEX dump and convert it to the Target ID of that CEX console region (with targetID changer and that console eidrootkey)
      or
    take that console CEX dump.

the next steps are same as Downgrading_with_Hardware_flasher#Patch_the_dump_.26_Reflash_it_to_the_console Downgrading with Hardware flasher, see there for more in depth information.

  1. make sure byteorder is correct, if needed use Flowrebuilder to bytereverse
  2. take Rogero NOR patcher or Flowrebuilder+downgraderpatches and prepatch that CEX converted dump with downgrader. Flash it.
  3. use Recover or Factory Service Mode to install Rogero 3.55 V7 PUP (the basic downgrader that is always used to downgrade consoles)
  4. on install success, activate QA and do buttoncombo to check QA-debug menu comes up. then goto Recovery and install OFW 3.55 CEX /twice/ in a row, to make sure both banks are dehashed


An Italian indepth guide : http://www.nextrl.it/forum/topic/86174-guida-downgrade-e-%E2%80%9Cdex-to-cex%E2%80%9D

Debrick DEX back to DEX

Flash must already contain valid DEX Target ID in EID!

Use NOR patches only on NOR consoles, not on NAND!

Target area Patchfile NOR Offset Paste length Remarks
ROS0 coreos_355_dex_checkoff (7 MB) 0x0C0010 0x6FFFE0 CoreOS (prepatched DEX 3.55)
ROS1 coreos_355_dex_checkoff (7 MB) 0x7C0010 0x6FFFE0 CoreOS (SAME as ros0)
trvk_prg0 trvk_prg0 (128 KB) 0x040000 0x2000 trvk_prg0
trvk_prg1 trvk_prg0 (128 KB) 0x060000 0x2000 trvk_prg1 (same as trvk_prg0)
trvk_pkg0 trvk_pkg0 (128 KB) 0x080000 0x2000 trvk_pkg0
trvk_pkg1 trvk_pkg0 (128 KB) 0x0A0000 0x2000 trvk_pkg1 (same as trvk_pkg0)

(above patches in a single package + autopatcher file: 3.55_DEX_checkoff.rar)