PS3 Validating your EID0 leaf (will be used for true CEX-DEX conversion)

zecoxao

Developer
Tools required:
Python2 (ecdsa and AES cmac dependencies)
A dump of your eeid (named eid, no extension!)
A dump of your root key (named eid_root_key, no extension)
The script attached below, which will validate your eid0 leaf0 before conversion to true DEX (this will allow you to install DEX OFW on your converted console)

Usage:
python2 verify_eid.py

make sure the folder of the script also contains eid and eid_root_key!
tool kindly provided by Zer0Tolerance :)

More to come soon...
 

What does this mean though?

Are you trying to make a new DEX CFW?

What about everything between 4.84.2 and now?

What ever happened to the OG leaker anyways?

Plus what if we are already on D-REX 4.84.2?
 
What does this mean though?

Are you trying to make a new DEX CFW?

What about everything between 4.84.2 and now?

What ever happened to the OG leaker anyways?

Plus what if we are already on D-REX 4.84.2?

It just means that if you have a DEX console and it happens to be a hackable one, you can extract the leaf from it and put it on another hackable console, making it possible to install DEX 4.xx OFW and use the native features without any resort to ugly patches.
 
You need to take into consideration just three things:
The donor leaf must be valid ONLY in the ECDSA part (if the IDPS is wrong and the CMAC is invalid they'll be fixed)
The donor leaf MUST be from a DEX console
The donor leaf MUST be called 'donor' with no extension

Meet all 3 of these requirements and your console will be a fully fledged DEX system, which you can then use to down/upgrade to any DEX OFW you own.

I'll put the minimal fw to chassis table here in the next post
 
https://www.psdevwiki.com/ps3/Motherboard_Revisions#Product_Sub_Code

This will tell you how low your new true DEX will be able to go based on the chassis ID

Contrary to popular belief, it is possible to obtain an eid0 leaf on unhackable consoles, but I won't mention how, since it's extremely dangerous and could lead to users having their systems permanently locked should they lose the root key.

Ideally you'll want a console with the same chassis as your own console; that way you can neither go too low nor have a minfw that is too high.
 
So it seems that I had already made a tutorial like this before. Thanks to Thibobo for kindly reminding me :)
I'll post it here.
The tutorial does the exact same thing the automated python script does, but it uses ps3-decrypt-tools for that instead. You can use Sorvigolova's repo (mine is permanently gone), found at https://github.com/Sorvigolova/ps3_decrypt_tools, instead of the one I usually hosted. The donor leaf is also there, but please be cautious when using it, and especially when flashing the eeid. You can brick your ps3 by doing this!
 

Same tutorial as playstationhax, just leaving it here:


Required Tools:
python2
ecdsa python module
pycryptodome module
verify_eid.py file (provided in the zip)
donor file (provided in the zip) (WARNING, contains DECH-A idps minver! Do NOT push your luck by going below the previous idps minver!)
advanced tools (provided in the zip)
eid_root_key (get this either with flatz's dumper or rebug toolbox's embedded dumper)
eid file (you can get this by running advanced tools->dump_eeid and renaming eeid.bin to eid)

Steps:

1- Place ALL of the files required in the same folder
The structure MUST BE:
folder:
--------eid
--------eid_root_key
--------donor
--------verify_eid.py

2- Run the script:
Code:
python2 verify_eid.py

3- Make sure that the ECDSA values are VALID (if the idps is INVALID and the CMAC is INVALID, they'll be VALID later)
4- rerun the script
5- Make sure that ALL 3 values are VALID
6- Install Advanced Tools
7- Place your newly modified eid in the root of usb stick. rename it to eeid.bin
8- Run Advanced Tools->Flash EEID
9- Congratulations! You're now on full DEX system! You can now go to any DEX OFW without siren beep (validation brick)
 

I've misunderstood your post it seems. I thought this was an automated tool to somehow fully calculate and convert retails to valid DEX token

btw, I was using the DECHJ leaf, which you have posted on playstationhax, on my now broken CECHL @zecoxao. It has worked pretty well and I have also noticed the advantage of installing OFW DEX. The only thing you have to keep in mind is to recalculate the qa token if set, which gets broken of course.
 
I've misunderstood your post it seems. I thought this was an automated tool to somehow fully calculate and convert retails to valid DEX token

btw, I was using the DECHJ leaf, which you have posted on playstationhax, on my now broken CECHL @zecoxao. It has worked pretty well and I have also noticed the advantage of installing OFW DEX. The only thing you have to keep in mind is to recalculate the qa token if set, which gets broken of course.

I wish that was a possibility in the future, but unfortunately, besides rifs and npdrm pkgs, we are not able to calculate the private key from the idstorage on ps3, as there seems to be no flaw there.
 
Besides installing DEX OFW, given there isn't a newer DEX, what's the benefit over REX or going CEX to DEX using Rebug?

Thanks
 
If this allows us to use OFW DEX past 4.21 without a brick, then is it possible to:
  1. get ERK,
  2. then convert CEX to DEX by this method,
  3. retrieve the DEX update from network update,
  4. turn off the console by force during updating, while unpacking the PUP but before updating flash,
  5. retrieve the latest OFW DEX PUP from dev_hdd1 on PC by connecting the HDD with the update package before the PS3 deletes it.
If yes, then we could again have Rebug REX/D-REX past 4.84.
 
Well, I don't remember how it works. I only had contact with DEX versions at work ages ago, and not from the IT side. I was thinking that Sony, before letting a fw package be pulled, validates it somehow (like e.g. by the SN written on the scedevnet account or something like that, or some link obfuscation so it's not a direct one). If the fw is not retrieved by the console, then that complicates our situation. ^^"
 
Besides installing DEX OFW, given there isn't a newer DEX, what's the benefit over REX or going CEX to DEX using Rebug?

Thanks

To start, the sdk tools work a lot better with these kinds of leaves.
You can also upgrade and downgrade at will with no restrictions (with the exception of minver).
But the thing that pushes me more is the ability to test exploits on a complete DEX environment, but also on OFW. It is possible that, in the future, someone develops an lv1 exploit or a ldr exploit from what we have on lv2 already thanks to this, because testing bugs is a lot easier if you can:

a) Run apps
b) Trace them
c) Run them on a native official firmware environment with NO modifications except our own on idstorage
d) Run them on 4.XX OFW DEX (latest = more shit patched by sony)

This is gold for interacting with a system and developing something that can be used to obtain an exploit. One day that lv1 or ldr exploit could be used to obtain e.g. the root key on CECH-3000 (which is something that I'd like to see one day) or maybe even what many Linux fans want, an unhackable system with Linux (HEN is fun and all, but we are humans, we want more :) )

Anyway, these are my thoughts about this method.
 
Correct me if I'm wrong, but I think DEX has a whitelist, which is the reason you need the "leaf"? I think this is after we gained access to DEX back on 3.55, Sony did something to prevent official firmware from being installed again. If you don't have the "leaf," the system will brick?
 
Correct me if I'm wrong, but I think DEX has a whitelist, which is the reason you need the "leaf"? I think this is after we gained access to DEX back on 3.55, Sony did something to prevent official firmware from being installed again. If you don't have the "leaf," the system will brick?

The section 0 leaf exists in what on PSP is known as idstorage, but on PS3 we simply call it eid. It's located at 0x90 of eid and has size 0xC0 bytes (it is encrypted with the root key, of course).

Inside it you can find the idps (the console knows which pup to install because of this idps and this idps alone).

What Rebug Toolbox does is change the target id in the IDPS to 0x82, effectively turning it into a testkit. However, since the data is changed, the ecdsa validation fails, so if you try to get out of CFW to OFW DEX, you brick. To counter this, you need a donor leaf from a true DECH system. This keeps the ECDSA check intact while also keeping the target id at 0x82. So you get the best of both worlds. You can then downgrade to 3.55 DEX and upgrade to 4.84 DEX Rebug, or you can go to 4.81 DEX OFW and use it as a normal debug machine (minus HW functionalities like HDCP).
 
