Today Gunner54 has released a CEX2DEX application that will allow you to extract the METLDR from ANY (NOR / NAND) PlayStation 3 flash dump and create a valid DEX (Debug / Test) flash from the given CEX (Retail) flash.
Download: PS3 CEX2DEX Application / MSVCP100.DLL (Required) / Microsoft Visual C++ 2010 Redistributable Package (x86) / PS3 CEX2DEX Application r1 (Runtime Libraries are built in, shouldn't require MS VC++)
- Can be used to extract the METLDR from ANY (NOR/NAND) flash dump.
- Can be used to create a valid DEX flash from any given CEX flash (NOR/NAND).
I will explain the two main options the program has.
Extract METLDR - This extracts the metldr from your flash dump so you can use this in the metldrpwn exploit and dump your root key. The dump file created by the metldrpwn exploit can then be loaded into the program (METLDR Dump).
CEX -> DEX - This creates a modified flash dump to convert your CEX into a DEX. The dump created can then be flashed back to your PS3.
I assume you are getting those CMAC errors because you are attempting to use the extracted metldr as the metldr dump. These are two completely different files; the METLDR Dump is the dump file produced by the metldrpwn exploit. Could you show me part of your root key so I can get a better understanding of what you're actually loading?
P.S.: Contrary to what the main post says, I flashed my FAT 256MB NAND PS3 via Preloader Advance 3.1.
Also, make it clear that the Extract METLDR function only extracts the METLDR Binary from the flash and DOES NOT dump the root key; Linux is required for this!
Also, some insight on how I dumped/flashed my NAND.
Using Preloader Advance 3.1 (JFW is NOT required) I put my PS3 into service mode, put Lv2diag.self and the advance.cfg on a memory stick and put it into USB000 (far right slot). Powered the PS3 on and let it do its work.
Dump NAND Flash
#Backup "rflash" to "/dev_usb000/Backuprflash.bin"
# 0 = Disabled
# 1 = 16MB Nor models and first 16MB from NAND models.
# 2 = 16MB Nor models and 256MB from NAND models.
;2
Use my program to create a modified dump, put the dump on the memory stick and name it rflash.bin, set the previous setting (#Backup "rflash" to "/dev_usb000/Backuprflash.bin") to 0 and set this setting (see below) to 1:
Write NAND Flash
#Restore "rflash" Fichero origen "/dev_usb000/rflash.bin"
# 0 = Disabled
# 1 = Delete and restore all sectors.
# 2 = Check sectors and only delete/write the differents sectors.(SLOW)
;1
From aldostools on comparing CEX2DEX to the C2D application: If I understand it right, the major differences from this and andbey0nd's C2D.exe are that:
1- This tool supports NAND/NOR flash dumps of CEX, while C2D only supports NOR flash dump of CEX
2- This tool extracts the EID root key (per_console_key) directly from the metldrpwn. So it is not required to hex edit the metldr to extract the first 3 lines (48 bytes).
3- This tool does not require the Win32OpenSSL_Light installed
For the CEX dump, glevand's dump_flash.pkg is still necessary (aka USB Flash Dump.pkg). I guess that 2 dumps are recommended to compare md5/sha-1 hashes and be sure that it's valid.
For the metldr dump, it is still necessary to have an OFW (<=3.15) or a CFW with dual boot support to boot Linux (CFW355-OTHEROS++.PUP), then make and run metldrpwn to dump metldr and a flasher or a tool like JaiCrab's Preloader Advance v3.1 to flash the NOR DEX dump created by this tool. Am I right, or am I missing something?
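The two-dump comparison recommended above, as an added example (not part of the original posts and not CEX2DEX code): it hashes two backups of the same flash with MD5 and SHA-1, checks the size against the 16MB NOR / 256MB NAND figures from the backup setting, and lists the block offsets that differ when the reads disagree. The function names, the 64 KiB block size and the reading of "16MB"/"256MB" as exact MiB values are assumptions made for this example.

```python
import hashlib
import sys

# Sizes named in the backup setting above, assumed here to mean exact MiB.
EXPECTED_SIZES = {16 * 1024 * 1024: "NOR (16MB)", 256 * 1024 * 1024: "NAND (256MB)"}
BLOCK = 64 * 1024  # comparison granularity; arbitrary choice for this example


def digest(path):
    """Return (size, md5 hex, sha1 hex) of a file, read in blocks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()


def differing_blocks(path_a, path_b, block=BLOCK):
    """Offsets of blocks that differ between two dumps (unstable reads)."""
    offsets, pos = [], 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            ca, cb = a.read(block), b.read(block)
            if not ca and not cb:
                return offsets
            if ca != cb:
                offsets.append(pos)
            pos += block


def verify_dumps(path_a, path_b, block=BLOCK):
    """Compare two dumps of the same flash; report whether they agree."""
    size_a, md5_a, sha1_a = digest(path_a)
    size_b, md5_b, sha1_b = digest(path_b)
    match = (size_a, md5_a, sha1_a) == (size_b, md5_b, sha1_b)
    return {
        "match": match,
        "flash_type": EXPECTED_SIZES.get(size_a, "unexpected size"),
        "sha1": sha1_a if match else None,
        "bad_offsets": [] if match else differing_blocks(path_a, path_b, block),
    }


if __name__ == "__main__":
    print(verify_dumps(sys.argv[1], sys.argv[2]))
```

A dump pair that does not match, or whose size is reported as unexpected, should be re-read before any modified image is built from it or written back.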