Quote: PS3 Crunch
An anonymous member on PS3NEWS has recently posted up a CEX-to-DEX Conversion Guide so that everyone can now modify an ordinary retail PS3 for use with debug firmwares, which can allow you to run unsigned PKG files (and is ideal for those who use DEX PS3s for development-related reasons) and also allow any game to be played regardless of what firmware keys they are signed with (although Squarepusher stated on the PS3Hax thread that “you would need debug EBOOTs for newer games”).
Manual to get a dex (here is everything you needed) and you have a full working dex
EID0 Key Seed and EID0 Section Key Seed are hardcoded in the isoldr
EID0 Key Seed
AB CA AD 17 71 EF AB FC 2B 92 12 76 FA C2 13 0C
37 A6 BE 3F EF 82 C7 9F 3B A5 73 3F C3 5A 69 0B
08 B3 58 F9 70 FA 16 A3 D2 FF E2 29 9E 84 1E E4
D3 DB 0E 0C 9B AE B5 1B C7 DF F1 04 67 47 2F 85
EID0 Section Key Seed
2E D7 CE 8D 1D 55 45 45 85 BF 6A 32 81 CD 03 AF
If you dump they isoldr key (EID Root Key) with metldrpwn you got from 0×00 to 0x1F the EID Root Key and from 0×20 to 0x2F the EID Root IV
use AES Encrypt to Encrypt EID0 Key Seed as data with EID Root Key as Key and EID Root IV as IV
the result contains from 0×10 to 0×20 the EID0IV and contains from 0×20 to 0×40 the EID0Key
Use AES Encrypt to Encrypt the EID0 Section Key Seed as data with the EID0Key as Key and no IV
the result will be the first 0×10 bytes of the EID0 First Section Key
the second 0×10 bytes of the EID0 First Section Key are only 0×00 bytes
EID0 is located in NAND at 0×80870 and in NOR at 0x2f070
the first 0×20 bytes of EID0 are not encrypted
at the fifth byte of EID0 (NOR example 0x2f075) your target ID is located change it to 0×82 (Debug Target ID)
use AES Decrypt to decrypt the first EID0 Section (NOR example 0x2f090). The size of the first Section is 0xC0 bytes. Use the EID0 First Section Key as Key and the EID0 IV as IV
Build the CMAC (OMAC1) hash of the decrypted EID0 Section from 0×00 to 0xA8 with EID0 First Section Key as Key. The calculated hash has to be the same as the bytes in the decrypted EID0 Section from 0xA8 to 0xB8.
At 0×5 of the decrypted EID0 Section is your target id again change it to 0×82 again
0xB8-0xC0 of the decrypted EID0 Section should be just 0×00 bytes
after you changed the target ID of the decrypted EID0 Section, create the CMAC hash of the new decrypted EID0 Section and write the new hash to the decrypted EID0 Section
use AES Encrypt to encrypt the EID0 Section and write it back to the NOR (NAND).
Now install dex Firmware with the recovery menu.
HINT: Got Petitboot on emer init go to boot gameos and do emer init again to get to the recovery menu. However, you cant login to the PSN because IDPS is obviously not valid from now on.
THIS CAN BRICK YOUR CONSOLE IF NOT DONE CORRECTLY.
有志者，事竟成 Where a will, there is way 一不做二不休 You start something, you have to finish it
Additionally, zecoxao from PS3Hax has confirmed this, and here’s what he had to say:
NEWS SOURCE #1: CEX-to-DEX Conversion Method (original source) – PS3NEWS
NEWS SOURCE #2: CEX-to-DEX Conversion (confirmed by zecoxao] – PS3Hax
NEWS SOURCE #3: CEX-to-DEX Conversion Guide (news posted by tthousand) – PSX-SCENE