Evilnat
Developer
After some time of research and making some patches, it seems that PS2CLASSICs games are now functional on DEX, with or without the DEX kernel.
I will try to explain in a simple and quick way what I have done.
PS2CLASSICs games use the ps2_netemu.self emulator. I researched the emulator with IDA and made several patches, but nothing seemed to work; then @Joonie (thank you, my friend) gave me the clue.
With the information from Joonie, flatz and juannadie (thank you for all the research you have done) about the PS2CLASSIC algorithm, I have been able to find out where I have to look to patch.
It's all about the CoreOS file sb_iso_spu_module.self, which is responsible for managing the meta, data and VMC keys for both CEX and DEX (they are different). For DEX the keys are final keys, meaning they are used directly, but for CEX the keys are used to create the final keys, except for VMC.
The meta and data keys are used to create the final key with cellCryptoSpuAesCbcCfb128Encrypt; in IDA it looks like this:
These functions are used when the console is CEX, but when it is DEX things change. Instead of encrypting, it directly uses the final DEX key; in IDA it looks like this:
Usually PS2CLASSICs are created with CEX keys, and when the final DEX keys are used while on DEX the PS3 cannot decrypt the game and gives a black screen.
What we need to do is force the PS3 to use the CEX keys, and this requires some patches.
The first patch is to force the use of ps2_key_cex_meta and ps2_key_cex_data; to do this we need to patch the following in sb_iso_spu_module.self from 4.91:
Code:
Patch to force the use of ps2_key_cex_meta
- Offset: 0x3B8
- Original value: 0x32000F00
- Patched value: 0x32000380
Patch to force the use of ps2_key_cex_data
- Offset: 0x3C8
- Original value: 0x32001A80
- Patched value: 0x32000F00
This is how it looks patched in IDA; the ps2_key_dex_meta and ps2_key_dex_data keys are still loaded, but with the patches we overwrite them with the final CEX keys later on:
With these patches the game now loads on DEX, but it gives an error when decrypting the VMC (0x80028F24). This happens because it is using ps2_key_dex_vmc, and since our VMCs are encrypted with ps2_key_cex_vmc we must force it to use this key. The original function looks like this:
ila r71, ps2_key_dex_vmc
The patch is the following:
Code:
Patch to force the use of ps2_key_cex_vmc
- Offset: 0x4F4
- Original value: 0x422D6047
- Patched value: 0x422D6847
Now it will look like this:
ila r71, ps2_key_cex_vmc
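As an added example (not Evilnat's code and not part of the PUP), a small Python helper that decodes the three words above using the SPU ISA encodings, showing that the first two patches only change a relative branch displacement and the third only moves the ila immediate by 16 bytes while the register field stays r71, and that applies the patches only after verifying the original words at each offset, so it refuses a module from another firmware version or one that is already patched. The offsets and words come from the post; the file it patches here is a constructed zero-filled stand-in, not a real sb_iso_spu_module.self.

```python
import struct

# The three patches from the post, as (file offset, original word, patched word).
# SPU instruction words are 32-bit big-endian.
PATCHES = [
    (0x3B8, 0x32000F00, 0x32000380),  # force ps2_key_cex_meta
    (0x3C8, 0x32001A80, 0x32000F00),  # force ps2_key_cex_data
    (0x4F4, 0x422D6047, 0x422D6847),  # force ps2_key_cex_vmc ('ila r71, key')
]

def decode_spu(word):
    """Decode the two SPU forms these patches touch: RI16 'br' (op(9)=0x064 | i16 | rt(7),
    relative branch, displacement = i16 << 2) and RI18 'ila' (op(7)=0x021 | i18 | rt(7))."""
    if word >> 23 == 0x064:
        i16 = (word >> 7) & 0xFFFF
        if i16 & 0x8000:               # the 16-bit displacement is signed
            i16 -= 0x10000
        return {"mnemonic": "br", "disp": i16 << 2, "rt": word & 0x7F}
    if word >> 25 == 0x021:
        return {"mnemonic": "ila", "imm": (word >> 7) & 0x3FFFF, "rt": word & 0x7F}
    return {"mnemonic": "unknown", "rt": word & 0x7F}

def read_word(image, off):
    return struct.unpack_from(">I", image, off)[0]

def patch_status(image):
    """'original' if every word is the pre-patch value, 'patched' if every word is
    already the patched value, otherwise 'mismatch' (wrong file or firmware version)."""
    words = [read_word(image, off) for off, _, _ in PATCHES]
    if all(w == orig for w, (_, orig, _) in zip(words, PATCHES)):
        return "original"
    if all(w == new for w, (_, _, new) in zip(words, PATCHES)):
        return "patched"
    return "mismatch"

def apply_patches(image):
    """Return a patched copy; refuse to write unless the file is an unmodified 4.91 module."""
    if patch_status(image) != "original":
        raise ValueError("original words not found at the expected offsets; not patching")
    buf = bytearray(image)
    for off, _, new in PATCHES:
        struct.pack_into(">I", buf, off, new)
    return bytes(buf)

def make_test_image(size=0x600):
    """Constructed stand-in for sb_iso_spu_module.self: zeros plus the original words."""
    buf = bytearray(size)
    for off, orig, _ in PATCHES:
        struct.pack_into(">I", buf, off, orig)
    return bytes(buf)
```

Decoding the VMC patch gives imm 0x5AC0 before and 0x5AD0 after, i.e. the address loaded into r71 moves forward by exactly one 16-byte AES key, which matches the post's "ila r71, ps2_key_dex_vmc" becoming "ila r71, ps2_key_cex_vmc".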
Now if we load the game again, the PS3 can decrypt the VMC, avoiding the error and being able to play the game; everything is complete.
The only important detail is the following: for all this to work on DEX, the PS2CLASSIC game must be encrypted with the CEX keys for meta, data and VMC; if the DEX keys are used it will give a black screen.
Again, many thanks to @Joonie, flatz, juannadie and everyone who was involved in the PS2CLASSICs algorithm; without your help this would have been much more difficult to do.
Here I leave the PUP with the patches in case anyone wants to test PS2CLASSICs games on DEX. I did the tests on PEX, so the PS3 must be in CEX to be able to install it.
If anyone tries it and reports whether it worked for them I would be very grateful; I have tested it myself and everything works perfectly.
