Talk:Downgrading with NOR flasher
WARNING
this page is very old and archaic
only kept up for historic reference
NOR patches
V1
Tasks
MFW Task::patch_lv1.tcl with the following patches selected:
- --patch-lv1-storage-skip-acl-check
- --patch-lv1-sysmgr-disable-integrity-check
Patches
http://pastebin.com/aNehMfGi :

    Downgrade patches DIFF:
    -------------
    patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  54 63 06 3E  Tc.>
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  38 60 00 01  8`..
    -----
    patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices (continued)
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  E8 01 00 70  è..p
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  38 00 00 01  8...
    -----
    patch-lv1-sysmgr-disable-integrity-check: Disable integrity check in System Manager
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0  48 00 D7 15  H.×.
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0  38 60 00 00  8`..
    -------------
    Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware

Combining patches
There is a difference between the patches on Talk:Downgrading with NOR flasher and Talk:Downgrading with NAND flasher. What if you combine them?

1st try: selecting both patch tasks manually:

    <keperfear> eussnl http://www.multiupload.com/6AZN5DOCM9
    <keperfear> could you check if i patched everything correctly
    <keperfear> anyway i really need to sleep now
    <keperfear> good luck everyone
    * keperfear left
    <eussNL> oh dear, keperfear is already gone ... anyhow, this was my version : patched355coreos.rar (4.84 MB) (no "Patch In product mode erase standby bank skipped" selected)

    <keperfear> Eussnl try with this one

    # In product mode erase standby bank skipped
    log "Patch In product mode erase standby bank skipped"
    set search  "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
    set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
    catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

(difference is \x41\x9E\x00\x0C\xE8\xA2\x8A\x38 instead of \x41\x9E\x00\x0C\xE8\xA2\x8A\x30)
Combined TCL
2nd try, Combined single TCL "patch_lv1checks.tcl" :

    #!/usr/bin/tclsh
    #
    # ps3mfw -- PS3 MFW creator
    #
    # Copyright (C) PsiColeO
    # Copyright (C) glevand (geoffrey.levand@mail.ru)
    # Copyright (C) Anonymous Developers (Code Monkeys)
    #
    # This software is distributed under the terms of the GNU General Public
    # License ("GPL") version 3, as published by the Free Software Foundation.
    #

    # Priority: 300
    # Description: Patch LV1 checks

    # Option --patch-lv1checks: Disables many checks in lv1

    # Type --patch-lv1checks: boolean

    namespace eval ::patch_lv1checks {

        array set ::patch_lv1checks::options {
            --patch-lv1checks true
        }

        proc main { } {
            set self "lv1.self"

            ::modify_coreos_file $self ::patch_lv1checks::patch_self
        }

        proc patch_self {self} {
            if {!$::patch_lv1checks::options(--patch-lv1checks)} {
                log "WARNING: Enabled task has no enabled option" 1
            } else {
                ::modify_self_file $self ::patch_lv1checks::patch_elf
            }
        }

        proc patch_elf {elf} {
            if {$::patch_lv1checks::options(--patch-lv1checks)} {
                log "Patching LV1 Checks"
                # ss_server1
                # Patch core OS Hash check // product mode always on
                log "--------------- Patching ss_server1.fself ----------------------------"
                log "Patch core OS Hash check // product mode always on"
                set search  "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
                set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
                catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

                # Patch check_revoke_list_hash check // product mode always on
                log "Patch check_revoke_list_hash check // product mode always on"
                set search  "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
                set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
                catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

                # In product mode erase standby bank skipped
                log "Patch In product mode erase standby bank skipped"
                set search  "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
                set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
                catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

                # Patching System Manager to disable integrity check
                log "Patching System Manager to disable integrity check"
                set search  "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\x2f\x80\x00\x00"
                set replace "\x38\x60\x00\x00"
                catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

                # Patching LV1 to enable skipping of ACL checks for all storage devices
                log "Patching LV1 to enable skipping of ACL checks for all storage devices"
                set search    "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\xe8\x01\x00\x70\x54\x00\x07\xfe"
                append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
                set replace   "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\x38\x00\x00\x01"
                catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
            }
        }
    }

download: patch_lv1checks.rar (1.29 KB) (2.88-3.42 / 3.50-3.55)
Note: if you get error "parent namespace doesn't exist" you didn't save the file as "patch_lv1checks.tcl".
PreAlpha v1 smoketest - offsets
patch-lv1checks (Modifying CORE_OS file lv1.self - Patching LV1 Checks)
No. | Description | 2.80 | 3.00 | 3.01 | 3.10 | 3.15 | 3.20 | 3.21 | 3.30 | 3.40 | 3.41-BAD | 3.41-FIX | 3.42 | 3.50 | 3.55 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Patch core OS Hash check // product mode always on | 2958632 | 2958452 | 2958452 | 2958984 | 2958984 | 2959072 | 2891632 | 2891556 | 2891596 | 2891596 | 2891596 | 2891596 | 2891684 | 2891684 |
2 | Patch check_revoke_list_hash check // product mode always on | 2961708 | 2961528 | 2961528 | 2962060 | 2962060 | 2962148 | 2894708 | 2894632 | 2894672 | 2894672 | 2894672 | 2894672 | 2894836 | 2894836 |
16 | Patch In product mode erase standby bank skipped | 2977960 | 2977780 | 2977780 | 2978324 | 2978324 | 2978412 | 2910972 | 2910896 | 2910936 | 2910936 | 2910936 | 2910936 | 2911100 | 2911100 |
23 | Patching System Manager to disable integrity check | 2211164 | 2211424 | 2211424 | 2217608 | 2217608 | 2218192 | 2218120 | 2215760 | 2216052 | 2216052 | 2216052 | 2216052 | 2216096 | 2216096 |
24 | Patching LV1 to enable skipping of ACL checks for all storage devices | 498208 | 500212 | 500212 | 505304 | 505420 | 506032 | 506032 | 505112 | 504568 | 504568 | 504568 | 504568 | 504640 | 504640 |
<keperfear> coreos 3.55 with above 1,2,16,23,24 combined patches: coreos355nandandnordowngradepatches.rosx (7 MB)
Status
MFW patch_lv1checks.tcl seems to work fine. Needs testing in the field by people with hardware flasher only.
Update:

    [01:43:10] <Ryd3R> RSOD x_x
    [01:44:41] <Ryd3R> i hate when it show up
    [01:45:20] <Ryd3R> @eussNL: are you there ?
    [01:46:41] <eussNL> I am, but also a lot of sidestuff going on, what's the problem all of the sudden and what did you do to make it bitch like that?
    [01:47:36] <Ryd3R> i did the 3.70 downgrade using a teensy++
    [01:48:42] <Ryd3R> it works well when i revert back to 3.70
    [01:49:23] <Ryd3R> i think it have something to do with the fuckin syscon
    [01:49:37] <eussNL> ok, did you patch lv1 ?
    [01:49:43] <Ryd3R> yeah
    [01:50:09] <Ryd3R> the No hash check patch right ?
    [01:51:50] <Ryd3R> for some fuckin reason any version prior 3.70 gave me an rsod
    [01:52:41] <Ryd3R> i tried using the recovery menu to update to 3.60 from 3.55 (lv1 patched) still rsod
    [01:53:15] <eussNL> yes and then some... Ryd3R> the No hash check patch right ?
    [01:53:46] <eussNL> http://www.ps3devwiki.com/index.php?title=Talk:Downgrading_with_NOR_flasher#Combined_TCL
    [01:55:47] <Ryd3R> i'll give it a try
    [02:16:19] <Ryd3R> thanks eussNL you're the man, the patch works like charm
    [02:22:53] <eussNL> good to hear, hope it stays flawless now :)

V2
http://darkconsoles.com/foro/viewtopic.php?f=7&t=16
NOR offsets used
target area | patch no. | NOR Offset | Paste length | Remarks |
---|---|---|---|---|
ROS0 | patch1 (7 MB) | 0x0C0010 | 0x6FFFE0 | version string not changed? |
ROS1 | patch2 (7 MB) | 0x7C0010 | 0x6FFFE0 | same as patch1? |
trvk_pkg0 | patch3 (128 KB) | 0x80000 | 0x20000 | |
trvk_pkg1 | patch4 (128 KB) | 0xA0000 | 0x20000 | |
trvk_prg0 | patch5 (128 KB) | 0x40000 | 0x20000 | |
trvk_prg1 | patch6 (128 KB) | 0x60000 | 0x20000 | |
LV1 patches used
Downgrade patches v2 http://www.multiupload.com/DVFD9AZGO5

    DIFF:
    -------------
    patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  54 63 06 3E  Tc.>
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  38 60 00 01  8`..
    -----
    patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices (continued)
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  E8 01 00 70  è..p
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  38 00 00 01  8...
    -----
    ???? Patch sys_mgr integrity lv1 and lv0 integrity check ????
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0  48 00 D7 15  H.×.
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0  38 60 00 00  8`..
    -----

PPU ASM:: last ???? marked patch

    44d0ac: 2f 80 00 00   cmpwi cr7,r0,0      # Compare r0 with word immediate value 0 and place result in cr7
    44d0b0: 40 9e 00 48   bne-  cr7,0x44d0f8  # Branch to 0x44d0f8 if cr7 holds "not equal"
    44d0b4: 48 00 d7 15   bl    0x45a7c8      # Branch and link to target address 0x45a7c8
    44d0b8: 2f 83 00 00   cmpwi cr7,r3,0      # Compare r3 with word immediate value 0 and place result in cr7
    44d0bc: 38 60 00 01   li    r3,1          # Load Immediate r3 with value 1

Combined TCL V2
Combined single TCL "patch_lv1checks.tcl" with added new patch :

    #!/usr/bin/tclsh
    #
    # ps3mfw -- PS3 MFW creator
    #
    # Copyright (C) PsiColeO
    # Copyright (C) glevand (geoffrey.levand@mail.ru)
    # Copyright (C) Anonymous Developers (Code Monkeys)
    #
    # This software is distributed under the terms of the GNU General Public
    # License ("GPL") version 3, as published by the Free Software Foundation.
    #

    # Priority: 300
    # Description: Patch LV1 checks

    # Option --patch-lv1checks: Disables many checks in lv1

    # Type --patch-lv1checks: boolean

    namespace eval ::patch_lv1checks {

        array set ::patch_lv1checks::options {
            --patch-lv1checks true
        }

        proc main { } {
            set self "lv1.self"

            ::modify_coreos_file $self ::patch_lv1checks::patch_self
        }

        proc patch_self {self} {
            if {!$::patch_lv1checks::options(--patch-lv1checks)} {
                log "WARNING: Enabled task has no enabled option" 1
            } else {
                ::modify_self_file $self ::patch_lv1checks::patch_elf
            }
        }

        proc patch_elf {elf} {
            if {$::patch_lv1checks::options(--patch-lv1checks)} {
                log "Patching LV1 Checks"
                # ss_server1
                # Patch core OS Hash check // product mode always on
                log "--------------- Patching ss_server1.fself ----------------------------"
                log "Patch core OS Hash check // product mode always on"
                set search  "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
                set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
                catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

                # Patch check_revoke_list_hash check // product mode always on
                log "Patch check_revoke_list_hash check // product mode always on"
                set search  "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
                set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
                catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

                # In product mode erase standby bank skipped
                log "Patch In product mode erase standby bank skipped"
                set search  "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
                set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
                catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

                # Patching System Manager to disable integrity check
                log "Patching System Manager to disable integrity check"
                set search  "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\x2f\x80\x00\x00"
                set replace "\x38\x60\x00\x00"
                catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

                # Patching LV1 to enable skipping of ACL checks for all storage devices
                log "Patching LV1 to enable skipping of ACL checks for all storage devices"
                set search    "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\xe8\x01\x00\x70\x54\x00\x07\xfe"
                append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
                set replace   "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\x38\x00\x00\x01"
                catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

                # LV1 0021D0B4@355 patch (?Patch sys_mgr integrity lv1 and lv0 integrity check?)
                log "?Patch sys_mgr integrity lv1 and lv0 integrity check?"
                set search  "\x48\x00\xD7\x15\x2F\x83\x00\x00\x38\x60\x00\x01"
                set replace "\x38\x60\x00\x00\x2F\x83\x00\x00\x38\x60\x00\x01"
                catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
            }
        }
    }

download: patch_lv1checks.rar (1.53 KB) (3.40-3.42 / 3.50-3.55)
PreAlpha v2 smoketest - offsets
patch-lv1checks (Modifying CORE_OS file lv1.self - Patching LV1 Checks)
No. | Description | 2.80 | 3.00 | 3.01 | 3.10 | 3.15 | 3.20 | 3.21 | 3.30 | 3.40 | 3.41-BAD | 3.41-FIX | 3.42 | 3.50 | 3.55 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Patch core OS Hash check // product mode always on | 2958632 | 2958452 | 2958452 | 2958984 | 2958984 | 2959072 | 2891632 | 2891556 | 2891596 | 2891596 | 2891596 | 2891596 | 2891684 | 2891684 |
2 | Patch check_revoke_list_hash check // product mode always on | 2961708 | 2961528 | 2961528 | 2962060 | 2962060 | 2962148 | 2894708 | 2894632 | 2894672 | 2894672 | 2894672 | 2894672 | 2894836 | 2894836 |
16 | Patch In product mode erase standby bank skipped | 2977960 | 2977780 | 2977780 | 2978324 | 2978324 | 2978412 | 2910972 | 2910896 | 2910936 | 2910936 | 2910936 | 2910936 | 2911100 | 2911100 |
23 | Patching System Manager to disable integrity check | 2211164 | 2211424 | 2211424 | 2217608 | 2217608 | 2218192 | 2218120 | 2215760 | 2216052 | 2216052 | 2216052 | 2216052 | 2216096 | 2216096 |
24 | Patching LV1 to enable skipping of ACL checks for all storage devices | 498208 | 500212 | 500212 | 505304 | 505420 | 506032 | 506032 | 505112 | 504568 | 504568 | 504568 | 504568 | 504640 | 504640 |
25 | ?Patch sys_mgr integrity lv1 and lv0 integrity check? | no pattern | no pattern | no pattern | no pattern | no pattern | no pattern | no pattern | no pattern 2215780? | 2216072 | 2216072 | 2216072 | 2216072 | 2216088 | 2216116 |
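
The pattern search behind the offsets table can also be run the other way round, to tell whether a given lv1 image still carries the original checks or one of these patches. This is an added example, not part of the original page or of ps3mfw: it assumes an already decrypted lv1.elf, takes its byte patterns from the combined Tcl V2 script, and the names `PatchSig`, `scan`, `tampered_sites` and `build_sample` are hypothetical.

```python
from __future__ import annotations

import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchSig:
    number: int     # "No." column of the smoketest table
    name: str
    search: bytes   # original bytes (the Tcl "search" string)
    replace: bytes  # bytes written at the match offset (the Tcl "replace" string)

    @property
    def patched(self) -> bytes:
        # Assumption, consistent with the hex diffs on this page: only
        # len(replace) bytes change, the tail of the search pattern is kept.
        return self.replace + self.search[len(self.replace):]


def _sig(number: int, name: str, search: str, replace: str) -> PatchSig:
    return PatchSig(number, name, bytes.fromhex(search), bytes.fromhex(replace))


# Patterns copied from the combined Tcl V2 script on this page.
SIGNATURES = [
    _sig(1, "core OS hash check",
         "419E001C 7F63DB78 E8A28568 38800001",
         "60000000 7F63DB78 E8A28568 38800001"),
    _sig(2, "check_revoke_list_hash check",
         "419E001C 7FA3EB78 E8A28568 38800001",
         "60000000 7FA3EB78 E8A28568 38800001"),
    _sig(16, "erase standby bank in product mode",
         "419E000C E8A28A38 480000CC 7BFD0020",
         "60000000 E8A28A38 480000CC 7BFD0020"),
    _sig(23, "System Manager integrity check",
         "38600001 F8010090 881F0000 2F800000",
         "38600000"),
    _sig(24, "storage ACL checks",
         "5463063E 2F830000 419E0014 E8010070 540007FE 2F800000 409E0018",
         "38600001 2F830000 419E0014 38000001"),
    _sig(25, "sys_mgr lv1/lv0 integrity check (marked ???? on the page)",
         "4800D715 2F830000 38600001",
         "38600000 2F830000 38600001"),
]


def find_all(image: bytes, needle: bytes) -> list[int]:
    """Every offset at which needle occurs."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def classify(image: bytes, sig: PatchSig) -> tuple[str, list[int]]:
    """Return (state, offsets); 'no pattern' mirrors the table's wording."""
    original = find_all(image, sig.search)
    patched = find_all(image, sig.patched)
    if original and patched:
        return "mixed", sorted(original + patched)
    if patched:
        return "patched", patched
    if original:
        return "original", original
    return "no pattern", []


def scan(image: bytes) -> dict[int, tuple[str, list[int]]]:
    return {sig.number: classify(image, sig) for sig in SIGNATURES}


def tampered_sites(report: dict[int, tuple[str, list[int]]]) -> list[int]:
    """Patch numbers whose check has been altered in the image."""
    return [n for n, (state, _) in report.items() if state in ("patched", "mixed")]


# Constructed sample, not real firmware: 32 filler bytes before each site.
SAMPLE_STATES = {1: "original", 2: "patched", 16: "patched", 23: "patched", 24: "patched"}


def build_sample(states: dict[int, str]) -> bytes:
    out = bytearray()
    for sig in SIGNATURES:
        out += b"\xAA" * 32
        if states.get(sig.number) == "original":
            out += sig.search
        elif states.get(sig.number) == "patched":
            out += sig.patched
    return bytes(out)


if __name__ == "__main__":
    # Pass a decrypted lv1.elf path, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample(SAMPLE_STATES)
    report = scan(image)
    for number, (state, offsets) in report.items():
        print(f"{number:>2}  {state:<10}  {', '.join(f'{o:#x}' for o in offsets)}")
    print("altered checks:", tampered_sites(report) or "none")
```

A "mixed" result means both the original and the patched form of one pattern occur in the same image, which the table above never reports and is worth inspecting by hand.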
Status
MFW patch_lv1checks.tcl seems to work fine. Needs testing in the field by people with hardware flasher only.
Rogero and VAL_ tested: no problems with games/trophies and Blu-ray movies.
Premade MFW Rogero V1
Rogero MFW355_370_spoof_Internet_Blocked_LV1_Checks_Patched.PUP (170.59 MB) (archaic, use V2 or 3.1 instead)
(contains also the V2 TCL'ed patches - first install 355nocheck.pup in Factory Service Mode then after getting back in normal mode install Rogero MFW V1 in Recovery)
Premade CFW Rogero V2
Rogero_CFW_V2_Kmeaw_LV1_Patched_4.00_spoof_Privacy_Patch.PUP (170 MB / 178,827,264 bytes)
MD5: 61b1592cc3a5c008ffbeb151fc77653a
CRC32: B7A039FC
For some refurbished PS3s the PUP installation failed on the BD firmware update. In that case, and also when downgrading with the Blu-ray drive not attached, use this version:
Rogero_CFW_V2_Kmeaw_LV1_Patched_4.00_spoof_Privacy_Patch_NoBD_Update.PUP
MD5: 7be79e1d314869e5031a1de78f8e8b7c
CRC32: 30E25A76
Usage / Compatibility
- Can be used for Downgrade directly as a replacement of the no_check.PUP to avoid the "Trophies error".
- Can be used for normal system update like any other CFW/MFW from XMB or from Recovery Menu.
Internal Structure /changes
- Kmeaw patched Lv2 with necessary patches to allow Peek/Poke support (same games compatibility as Kmeaw CFW)
- Dospiedra's LV1 patches necessary to bypass the Syscon checks for downgraded consoles. (same as no_check.PUP)
- Built-in system version spoof to 3.70 to prevent accidental system updates (won't allow going online in any way)
- Privacy Patch was not applied like previous version to allow Game updates (can be added easily using MFW builder)
- Custom Boot Logo.
- built-in "Heavy Rain" dynamic theme.
Extracting pup and comparing
to see the actual patches/changes done:
- EULA.xml (custom licence text)
- Update_Files.tar
- CORE_OS_PACKAGE.pkg
- lv1.self
- lv2_kernel.self
- dev_flash_005.tar.aa.2010_11_27_051337
- dev_flash\vsh\etc\version.txt (spoof 03.7000:51968,20110805)
- dev_flash\vsh\etc\index.dat (spoof 03.7000:51968,20110805)
- dev_flash_010.tar.aa.2010_11_27_051337
- dev_flash\vsh\module\nas_plugin.sprx
- dev_flash_011.tar.aa.2010_11_27_051337
- dev_flash\vsh\module\vsh.self
- dev_flash_013.tar.aa.2010_11_27_051337
- dev_flash\vsh\resource\coldboot.raf (custom bootlogo)
- dev_flash_014.tar.aa.2010_11_27_051337
- dev_flash\vsh\resource\theme\01.p3t (heavy rain dynamic theme)
- dev_flash_016.tar.aa.2010_11_27_051337
- dev_flash\vsh\resource\explore\xmb\category_game.xml (add "Install Package Files" & "/app_home" icons to the XMB Game Category)
- CORE_OS_PACKAGE.pkg
- Version.txt (suffix -Rogero_V2 added)
First glance/impressions: looks a lot cleaner than 355checkoff.PUP (Euss)
lv1.elf

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  54 63 06 3E 2F 83 00 00 41 9E 00 14 E8 01 00 70  Tc.>/ƒ..Až..è..p
    ROGv2 (patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  38 60 00 01 2F 83 00 00 41 9E 00 14 38 00 00 01  8`../ƒ..Až..8...

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5A40  39 08 05 48 39 20 00 00 38 60 00 00 4B FF FC 45  9..H9 ..8`..KÿüE
    ROGv2 (flukes1):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5A40  39 08 05 48 39 20 00 01 38 60 00 00 4B FF FC 45  9..H9 ..8`..KÿüE

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00136BC0  00 72 73 78 20 64 72  .rsx dr
    ROGv2 (flukes1):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00136BC0  00 72 73 73 20 64 72  .rss dr

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00136BE0  6F 72 65 2F 63 6F 6E  ore/con
    ROGv2 (flukes1):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00136BE0  6F 72 65 20 63 6F 6E  ore con

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0A0  38 60 00 01 F8 01 00 90 88 1F 00 00 2F 80 00 00  8`..ø...ˆ.../€..
    0021D0B0  40 9E 00 48 48 00 D7 15 2F 83 00  @ž.HH.×./ƒ.
    ROGv2 (??Patch sys_mgr integrity lv1 and lv0 integrity check??):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0A0  38 60 00 00 F8 01 00 90 88 1F 00 00 2F 80 00 00  8`..ø...ˆ.../€..
    0021D0B0  40 9E 00 48 38 60 00 00 2F 83 00  @ž.H8`../ƒ.

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002C1FA0  80 00 FF 41 9E 00 1C 7F 63 DB  €.ÿAž...cÛ
    ROGv2:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002C1FA0  80 00 FF 60 00 00 00 7F 63 DB  €.ÿ`....cÛ

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002C2BF0  80 00 FF 41 9E 00 1C 7F A3 EB  €.ÿAž...£ë
    ROGv2:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002C2BF0  80 00 FF 60 00 00 00 7F A3 EB  €.ÿ`....£ë

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002C6B70  38 80 00 01 41 9E 00 0C  8€..Až..
    002C6B80  E8 A2 8A  è¢Š
    ROGv2:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002C6B70  38 80 00 01 60 00 00 00  8€..`...
    002C6B80  E8 A2 8A  è¢Š

lv2_kernel.elf

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00029330  80 00 20 3C 60 80 01  €. <`€.
    00029340  60 63 00 03 4E 80 00 20 3C 60 80 01 60 63 00 03  `c..N€. <`€.`c..
    00029350  4E 80 00  N€.
    ROGv2 (flukes1):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00029330  80 00 20 E8 63 00 00  €. èc..
    00029340  60 00 00 00 4E 80 00 20 F8 83 00 00 60 00 00 00  `...N€. øƒ..`...
    00029350  4E 80 00  N€.

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002D6E00  6E 6F 74 20 67 65 74 20 50 50 50  not get PPP
    002D6E10  6F 45 20 68 65 61 64 65 72 0A 00 00 00 00 00 00  oE header.......
    ROGv2 (flukes1):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002D6E00  6E 6F 74 20 6E 6F 74 20 6E 6F 74  not not not
    002D6E10  20 6E 6F 74 20 6E 6F 74 20 6E 6F 74 20 6E 00 00   not not not n..

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00359380  A0 40 36 6B 2D 8A 50 99 1E B3 0C 53 E5 9B 5D 6E  @6k-ŠP™.³.Så›]n
    00359390  61 2C AC B8  a,¬¸
    ROGv2 (flukes1):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00359380  5E B8 A5 00 8C F3 BC 24 08 91 19 61 E6 DB 19 CB  ^¸¥.Œó¼$.‘.aæÛ.Ë
    00359390  0D CA FD 2F  .Êý/

nas_plugin.prx

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00003250  7C 60 1B 78  |`.x
    ROGv2 (geohot):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00003250  38 00 00 00  8...

    OFW355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00037350  41 9E 00 4C 38 00 00 00  Až.L8...
    ROGv2 (waninkoko):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00037350  41 9E 00 04 38 00 00 00  Až..8...

355checkoff.PUP
PS3 CFW Kmeaw by dospiedra - 355checkoff.PUP
('kmeaw' + lv1 nocheck; see V1/V2 etc.)
Patches which should be included when it is a 'kmeaw'-based PUP (using PS3MFW Builder and Patches naming):
- Patch LV1 hypervisor (lv1_function_114 mmap) lv1.self
- Allow mapping of any memory area (Needed for LV2 Poke)
- Patch LV2 kernel (lv2 peek/lv2 poke) lv2_kernel.self
- Patch to add Peek&Poke system calls to LV2
- Patch package installer (debug pkg/pseudo-retail pkg) nas_plugin.sprx
- Patch to allow installation of pseudo-retail package
- Patch to allow installation of debug packages
- Patch Application Launcher (unsigned app) vsh.self
- Patch to allow running of unsigned applications
- Add new icons to the XMB Game category (install pkgs/app_home) category_game.xml
- Add "Install Package Files" icon to the XMB Game Category
- Add "/app_home" icon to the XMB Game Category
Extracting pup and comparing
Extracting the PUP and comparing, to see the actual patches/changes done, reveals that there is actually a lot more going on/patched and that it isn't 'kmeaw' (the flukes1 lv1.self patch at 0x00136bc0 & 0x00136be0 is missing):
CORE_OS_PACKAGE.pkg
- default.spp
- emer_init.self
- lv1.self
- lv2_kernel.self
default.spp
Patch type: OtherOS++ --patch-profile-gameos-bootmem-size

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000003F0  18  .
    Patched 355checkoff (OtherOS++ --patch-profile-gameos-bootmem-size):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000003F0  1B  .

emer_init.elf
Patch type: OtherOS++ --patch-emer-init-gameos-hdd-region-size-quarter

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0005B5A0  38 E9 FF F8  8éÿø
    Patched 355checkoff (OtherOS++ --patch-emer-init-gameos-hdd-region-size-quarter):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0005B5A0  79 27 F0 82  y'ð‚

lv1.elf

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00093490  39 20 00 4F 7C 00 F8  9 .O|.ø
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00093490  39 20 00 5F 7C 00 F8  9 ._|.ø

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5A40  39 20 00 00 38 60 00  9 ..8`.
    Patched 355checkoff (flukes1):
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5A40  39 20 00 01 38 60 00  9 ..8`.

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5EB0  41 DA 00 54  AÚ.T
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5EB0  60 00 00 00  `...

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD5C0  E8 1E 00 18  è...
    000FD5D0  E9 5E 00 20 E9 1E 00 28 E8 FE 00 30 EB EB 00 50  é^. é..(èþ.0ëë.P
    000FD5E0  F8 01 00  ø..
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD5C0  E8 1E 00 20  è..
    000FD5D0  E9 5E 00 28 E9 1E 00 30 E8 FE 00 38 EB FE 00 18  é^.(é..0èþ.8ëþ..
    000FD5E0  F8 01 00  ø..

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD850  E8 1E 00 18 E9 3E 00 20 E9 5E 00 28 E9 1E 00 30  è...é>. é^.(é..0
    000FD860  E8 FE 00 38 E8 DE 00 40 EB EB 00 50 90 A1 00 70  èþ.8èÞ.@ëë.P.¡.p
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD850  E8 1E 00 20 E9 3E 00 28 E9 5E 00 30 E9 1E 00 38  è.. é>.(é^.0é..8
    000FD860  E8 FE 00 40 E8 DE 00 48 EB FE 00 18 90 A1 00 70  èþ.@èÞ.Hëþ...¡.p

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0  E8 1E 00 18 E9 3E 00  è...é>.
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0  E8 1E 00 20 E9 3E 00  è.. é>.

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0  E8 1E 00 18 E9 3E 00 20 E9 5E 00 28  è...é>. é^.(
    000FDD00  E9 1E 00 30 E8 FE 00 38 E8 DE 00 40 EB EB 00 50  é..0èþ.8èÞ.@ëë.P
    000FDD10  90 A1 00  .¡.
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0  E8 1E 00 20 E9 3E 00 28 E9 5E 00 30  è.. é>.(é^.0
    000FDD00  E9 1E 00 38 E8 FE 00 40 E8 DE 00 48 EB FE 00 18  é..8èþ.@èÞ.Hëþ..
    000FDD10  90 A1 00  .¡.

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00103CF0  38 00 00 0B 7F E9 00  8....é.
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00103CF0  38 00 00 0F 7F E9 00  8....é.

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00112670  10 39 20 00 09 E9 43 00  .9 ..éC.
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00112670  10 39 20 FF FF E9 43 00  .9 ÿÿéC.

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    001225E0  38 00 00 00 64 00 FF FF  8...d.ÿÿ
    001225F0  60 00 FF EC F8 03 00 C0 4E 80 00 20 38 00 00 00  `.ÿìø..ÀN€. 8...
    00122600  64 00 FF FF 60 00 FF EC F8 03 00 C0 4E 80 00  d.ÿÿ`.ÿìø..ÀN€.
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    001225E0  38 00 00 00 E8 83 00 18  8...èƒ..
    001225F0  E8 84 00 00 F8 83 00 C8 4E 80 00 20 38 00 00 00  è„..øƒ.ÈN€. 8...
    00122600  E8 A3 00 20 E8 83 00 18 F8 A4 00 00 4E 80 00  è£. èƒ..ø¤..N€.

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0  9E 00 48 48 00 D7 15 2F 83 00  ž.HH.×./ƒ.
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0  9E 00 48 38 60 00 00 2F 83 00  ž.H8`../ƒ.

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D260  38 60 00 00 48 01 8E AD  8`..H.Ž
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D260  38 60 00 01 48 01 8E AD  8`..H.Ž

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00222260  60 64 00 00 3B F9 3F 01 C8 60 00 F7 EE  `d..;ù?.È`.÷î
    00222270  F8 1F 01  ø..
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00222260  60 64 00 FF FF F9 3F 01 C8 60 00 FF FE  `d.ÿÿù?.È`.ÿþ
    00222270  F8 1F 01  ø..

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002C5030  1B 00 00  ...
    002C5040  41 9D 00 A8 7B FD 00  A..¨{ý.
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002C5030  1B 00 00  ...
    002C5040  60 00 00 00 7B FD 00  `...{ý.

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002C7A20  02 B7 01 E8 18 00 08 2F A0 00  .·.è.../ .
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002C7A20  02 B7 01 38 00 00 00 2F A0 00  .·.8.../ .

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002DC410  38 00 00 09  8...
    002DC420  41 9D 00 4C 48 00 05  A..LH..
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    002DC410  38 00 00 09  8...
    002DC420  60 00 00 00 48 00 05  `...H..

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00340790  38 00 00 0D  8...
    003407A0  7C 63 00 38 4E 80 00  |c.8N€.
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00340790  38 00 00 0D  8...
    003407A0  38 60 00 00 4E 80 00  8`..N€.

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    003787E0  00 01 C0 80 00 00 00 00 00 01 C0 80 00 00 00 00  ..À€......À€....
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    003787E0  00 01 D0 00 00 00 00 00 00 01 D0 00 00 00 00 00  ..Ð.......Ð.....

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00378830  00 00 00 01 C0 80 00 00 00 01  ....À€....
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00378830  00 00 00 01 D0 00 00 00 00 01  ....Ð.....

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00378BD0  00 01 C0 80 00 00 00 00 00 01 C0 80 00 00 00 00  ..À€......À€....
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00378BD0  00 01 D0 00 00 00 00 00 00 01 D0 00 00 00 00 00  ..Ð.......Ð.....

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    003895C0  33 78  3x
    003895D0  48 00 03 E1 EB A2 80  H..áë¢€
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    003895C0  33 78  3x
    003895D0  48 01 B6 1D EB A2 80  H.¶.ë¢€

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0038EF20  83 E3 78 F8 01 00 98 48 00 50 81  ƒãxø..˜H.P.
    0038EF30  7F A4 EB 78 7F 83 E3 78 3B 81 00 78 48 00 4D 15  .¤ëx.ƒãx;..xH.M.
    0038EF40  48 00 5A 71 7F A4 EB 78 7F 85 E3 78 4B FF F0 E5  H.Zq.¤ëx.…ãxKÿðå
    0038EF50  54 63 06  Tc.
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0038EF20  83 E3 78 60 00 00 00 48 00 50 81  ƒãx`...H.P.
    0038EF30  7F A4 EB 78 7F 83 E3 78 3B 81 00 78 48 00 4D 15  .¤ëx.ƒãx;..xH.M.
    0038EF40  48 00 5A 71 7F A4 EB 78 7F 85 E3 78 38 60 00 01  H.Zq.¤ëx.…ãx8`..
    0038EF50  54 63 06  Tc.

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0038EFC0  7F 84 E3 78 38 A1 00 70 9B E1 00 70 48 00 5F A5  .„ãx8¡.p›á.pH._¥
    0038EFD0  2F 83 00 00  /ƒ..
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0038EFC0  7F 84 E3 78 3B E0 00 01 9B E1 00 70 38 60 00 00  .„ãx;à..›á.p8`..
    0038EFD0  2F 83 00 00  /ƒ..

    Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    003A4BE0  C0 00 4E 38 00 00 00 00  À.N8....
    003A4BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4C00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4C10  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4C20  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4C30  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4C40  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4C50  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4C60  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4C70  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4C80  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4C90  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4CA0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4CB0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4CC0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4CD0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4CE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4CF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4D00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4D10  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4D20  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4D30  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4D40  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4D50  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4D60  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4D70  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4D80  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4D90  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4DA0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4DB0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4DC0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4DD0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4DE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4DF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4E00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4E10  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4E20  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4E30  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4E40  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4E50  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4E60  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4E70  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4E80  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4E90  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4EA0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4EB0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4EC0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4ED0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4EE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4EF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4F00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4F10  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4F20  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4F30  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4F40  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4F50  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4F60  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4F70  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4F80  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4F90  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4FA0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4FB0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4FC0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4FD0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4FE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A4FF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A5000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A5010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A5020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A5030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A5040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A5050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A5060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A5070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A5080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A5090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A50A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A50B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A50C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A50D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A50E0  00 00 00 00 00 00 00 00 00 00  ..........
    Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    003A4BE0  C0 00 4E 38 F8 21 FF 01  À.N8ø!ÿ.
    003A4BF0  7C 08 02 A6 F8 01 01 10 FB 21 00 F8 FB 41 00 F0  |..¦ø...û!.øûA.ð
    003A4C00  FB 61 00 E8 FB 81 00 E0 FB A1 00 D8 FB C1 00 D0  ûa.èû..àû¡.ØûÁ.Ð
    003A4C10  FB E1 00 C8 F8 61 00 C0 F8 81 00 B8 F8 A1 00 B0  ûá.Èøa.Àø..¸ø¡.°
    003A4C20  48 00 00 05 7F E8 02 A6 3B FF FF C8 E8 1F 04 A0  H....è.¦;ÿÿÈè..
003A4C30 F8 01 00 88 E8 1F 04 A8 F8 01 00 90 E8 1F 04 B0 ø..ˆè..¨ø...è..° 003A4C40 F8 01 00 98 E8 1F 04 B8 F8 01 00 A0 38 00 00 00 ø..˜è..¸ø.. 8... 003A4C50 F8 01 00 78 F8 01 00 80 38 60 00 01 38 81 00 88 ø..xø..€8`..8..ˆ 003A4C60 38 A1 00 78 3B C0 00 00 67 DE 80 01 63 DE 2F D0 8¡.x;À..gÞ€.cÞ/Ð 003A4C70 7F C9 03 A6 4E 80 04 21 2F A3 00 00 40 9E 00 18 .É.¦N€.!/£..@ž.. 003A4C80 E8 01 00 78 78 00 06 20 2F 80 00 FF 3B 60 00 0F è..xx.. /€.ÿ;`.. 003A4C90 40 9E 03 54 E8 1F 04 A0 F8 01 00 88 E8 1F 04 A8 @ž.Tè.. ø..ˆè..¨ 003A4CA0 F8 01 00 90 E8 1F 04 C0 F8 01 00 98 E8 1F 04 C8 ø...è..Àø..˜è..È 003A4CB0 F8 01 00 A0 38 00 00 00 F8 01 00 78 F8 01 00 80 ø.. 8...ø..xø..€ 003A4CC0 38 60 00 01 38 81 00 88 38 A1 00 78 3B C0 00 00 8`..8..ˆ8¡.x;À.. 003A4CD0 67 DE 80 01 63 DE 2F D0 7F C9 03 A6 4E 80 04 21 gÞ€.cÞ/Ð.É.¦N€.! 003A4CE0 2F A3 00 00 40 9E 00 18 E8 01 00 78 78 00 06 20 /£..@ž..è..xx.. 003A4CF0 2F 80 00 FF 3B 60 00 0F 40 9E 02 EC E8 1F 04 A0 /€.ÿ;`..@ž.ìè.. 003A4D00 F8 01 00 88 E8 1F 04 A8 F8 01 00 90 E8 1F 04 D0 ø..ˆè..¨ø...è..Ð 003A4D10 F8 01 00 98 E8 1F 04 C8 F8 01 00 A0 38 00 00 00 ø..˜è..Èø.. 8... 003A4D20 F8 01 00 78 F8 01 00 80 38 60 00 01 38 81 00 88 ø..xø..€8`..8..ˆ 003A4D30 38 A1 00 78 3B C0 00 00 67 DE 80 01 63 DE 2F D0 8¡.x;À..gÞ€.cÞ/Ð 003A4D40 7F C9 03 A6 4E 80 04 21 2F A3 00 00 40 9E 00 18 .É.¦N€.!/£..@ž.. 003A4D50 E8 01 00 78 78 00 06 20 2F 80 00 FF 3B 60 00 0F è..xx.. /€.ÿ;`.. 003A4D60 40 9E 02 84 E8 1F 04 A0 F8 01 00 88 E8 1F 04 A8 @ž.„è.. ø..ˆè..¨ 003A4D70 F8 01 00 90 E8 1F 04 D8 F8 01 00 98 E8 1F 04 C8 ø...è..Øø..˜è..È 003A4D80 F8 01 00 A0 38 00 00 00 F8 01 00 78 F8 01 00 80 ø.. 8...ø..xø..€ 003A4D90 38 60 00 01 38 81 00 88 38 A1 00 78 3B C0 00 00 8`..8..ˆ8¡.x;À.. 003A4DA0 67 DE 80 01 63 DE 2F D0 7F C9 03 A6 4E 80 04 21 gÞ€.cÞ/Ð.É.¦N€.! 003A4DB0 2F A3 00 00 40 9E 00 18 E8 01 00 78 78 00 06 20 /£..@ž..è..xx.. 003A4DC0 2F 80 00 FF 3B 60 00 0F 40 9E 02 1C E8 61 00 B0 /€.ÿ;`..@ž..èa.° 003A4DD0 38 80 00 00 EB 5F 04 58 EB 9F 04 80 7C BA E2 14 8€..ë_.XëŸ.€|ºâ. 
003A4DE0 38 C1 00 A8 3B C0 00 00 67 DE 80 00 63 DE 26 B4 8Á.¨;À..gÞ€.cÞ&´ 003A4DF0 7F C9 03 A6 4E 80 04 21 2F 83 00 00 7C 7B 1B 78 .É.¦N€.!/ƒ..|{.x 003A4E00 40 9E 01 E4 E8 61 00 A8 38 80 00 00 7F 85 E3 78 @ž.äèa.¨8€...…ãx 003A4E10 3B C0 00 00 67 DE 80 00 63 DE 02 78 7F C9 03 A6 ;À..gÞ€.cÞ.x.É.¦ 003A4E20 4E 80 04 21 38 7F 04 88 38 80 00 00 3B 60 00 10 N€.!8..ˆ8€..;`.. 003A4E30 3B C0 00 00 67 DE 80 01 63 DE 3D 40 7F C9 03 A6 ;À..gÞ€.cÞ=@.É.¦ 003A4E40 4E 80 04 21 2F 83 00 00 7C 7D 1B 78 41 9C 01 7C N€.!/ƒ..|}.xAœ.| 003A4E50 7F A3 07 B4 E8 81 00 A8 3B 20 08 00 7F 25 CB 78 .£.´è..¨; ...%Ëx 003A4E60 3B 60 00 10 3B C0 00 00 67 DE 80 01 63 DE 3D B8 ;`..;À..gÞ€.cÞ=¸ 003A4E70 7F C9 03 A6 4E 80 04 21 7F A3 C8 00 40 9E 01 34 .É.¦N€.!.£È.@ž.4 003A4E80 3B 60 00 14 38 7F 04 60 E8 81 00 A8 38 A0 00 10 ;`..8..`è..¨8 .. 003A4E90 3B C0 00 00 67 DE 80 01 63 DE 39 E0 7F C9 03 A6 ;À..gÞ€.cÞ9à.É.¦ 003A4EA0 4E 80 04 21 2F A3 00 00 40 9E 01 08 E8 A1 00 A8 N€.!/£..@ž..è¡.¨ 003A4EB0 83 25 00 10 2F 99 00 01 40 9E 00 F8 E8 A1 00 A8 ƒ%../™..@ž.øè¡.¨ 003A4EC0 83 25 00 20 2F 99 00 00 40 9E 00 E8 E8 A1 00 A8 ƒ%. /™..@ž.èè¡.¨ 003A4ED0 83 25 02 00 2F 99 00 00 41 9E 00 D8 E8 A1 00 A8 ƒ%../™..Až.Øè¡.¨ 003A4EE0 83 25 00 24 7F B9 E0 00 41 9D 00 C8 7F A3 07 B4 ƒ%.$.¹à.A..È.£.´ 003A4EF0 E8 81 00 A8 7F 25 CB 78 3B 60 00 10 3B C0 00 00 è..¨.%Ëx;`..;À.. 003A4F00 67 DE 80 01 63 DE 3D B8 7F C9 03 A6 4E 80 04 21 gÞ€.cÞ=¸.É.¦N€.! 003A4F10 7F A3 C8 00 40 9E 00 9C E8 1F 04 E0 F8 01 00 88 .£È.@ž.œè..àø..ˆ 003A4F20 E8 1F 04 E8 F8 01 00 90 E8 1F 04 F0 F8 01 00 98 è..èø...è..ðø..˜ 003A4F30 E8 1F 04 F8 F8 01 00 A0 38 00 00 00 F8 01 00 78 è..øø.. 8...ø..x 003A4F40 F8 01 00 80 38 60 00 01 38 81 00 88 38 A1 00 78 ø..€8`..8..ˆ8¡.x 003A4F50 3B C0 00 00 67 DE 80 01 63 DE 2F 88 7F C9 03 A6 ;À..gÞ€.cÞ/ˆ.É.¦ 003A4F60 4E 80 04 21 39 20 00 00 48 00 00 14 E8 01 00 A8 N€.!9 ..H...è..¨ 003A4F70 7C 09 02 14 7C 00 00 6C 39 29 00 80 7F A9 E0 00 |...|..l9).€.©à. 003A4F80 41 9C FF EC 7C 00 04 AC 39 20 00 00 48 00 00 14 Aœÿì|..¬9 ..H... 
003A4F90 E8 01 00 A8 7C 09 02 14 7C 00 07 AC 39 29 00 80 è..¨|...|..¬9).€ 003A4FA0 7F A9 E0 00 41 9C FF EC 4C 00 01 2C 3B 60 00 00 .©à.AœÿìL..,;`.. 003A4FB0 7F A3 07 B4 3B C0 00 00 67 DE 80 01 63 DE 3D 7C .£.´;À..gÞ€.cÞ=| 003A4FC0 7F C9 03 A6 4E 80 04 21 E8 61 00 A8 7C 9A E2 14 .É.¦N€.!èa.¨|šâ. 003A4FD0 3B C0 00 00 67 DE 80 01 63 DE 3E B8 7F C9 03 A6 ;À..gÞ€.cÞ>¸.É.¦ 003A4FE0 4E 80 04 21 7B 63 00 20 E8 01 01 10 EB 21 00 F8 N€.!{c. è...ë!.ø 003A4FF0 EB 41 00 F0 EB 61 00 E8 EB 81 00 E0 EB A1 00 D8 ëA.ðëa.èë..àë¡.Ø 003A5000 EB C1 00 D0 EB E1 00 C8 2F 83 00 00 41 9E 00 2C ëÁ.Ðëá.È/ƒ..Až., 003A5010 E8 61 00 C0 E8 81 00 B8 E8 A1 00 B0 38 21 01 00 èa.Àè..¸è¡.°8!.. 003A5020 7C 08 03 A6 38 C0 00 00 64 C6 80 00 60 C6 0E 44 |..¦8À..dÆ€.`Æ.D 003A5030 7C C9 03 A6 4E 80 04 20 38 21 01 00 7C 08 03 A6 |É.¦N€. 8!..|..¦ 003A5040 4E 80 00 20 00 00 00 00 00 00 00 00 63 65 6C 6C N€. ........cell 003A5050 5F 65 78 74 5F 6F 73 5F 61 72 65 61 00 00 00 00 _ext_os_area.... 003A5060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 003A5070 01 80 00 00 2F 64 65 76 2F 72 66 6C 61 73 68 5F .€../dev/rflash_ 003A5080 6C 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 lx.............. 003A5090 73 73 00 00 70 61 72 61 6D 00 00 00 75 70 64 61 ss..param...upda 003A50A0 74 65 00 00 73 74 61 74 75 73 00 00 70 72 6F 64 te..status..prod 003A50B0 75 63 74 00 6D 6F 64 65 00 00 00 00 72 65 63 6F uct.mode....reco 003A50C0 76 65 72 00 68 64 64 63 6F 70 79 00 00 00 00 00 ver.hddcopy..... 003A50D0 69 6F 73 00 61 74 61 00 00 00 00 00 72 65 67 69 ios.ata.....regi 003A50E0 6F 6E 30 00 61 63 63 65 73 73 on0.access Original ofw355: Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 003B1420 00 00 0C F0 00 00 ...ð.. Patched 355checkoff: Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 003B1420 00 00 1C 70 00 00 ...p..
lv2_kernel.elf
Original ofw355:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00011700 7C 71 43 A6 7C 92 43 A6 48 00 00 00 00 00 00 00 |qC¦|’C¦H.......
00011710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00011720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00011730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00011740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00011750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00011760 00 00 00 00 00 00 00 00 ........

Patched 355checkoff:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00011700 7C 71 43 A6 7C 92 43 A6 48 00 00 00 7C 08 02 A6 |qC¦|’C¦H...|..¦
00011710 F8 01 00 10 39 60 00 B6 44 00 00 22 7C 83 23 78 ø...9`.¶D.."|ƒ#x
00011720 E8 01 00 10 7C 08 03 A6 4E 80 00 20 7C 08 02 A6 è...|..¦N€. |..¦
00011730 F8 01 00 10 39 60 00 B7 44 00 00 22 38 60 00 00 ø...9`.·D.."8`..
00011740 E8 01 00 10 7C 08 03 A6 4E 80 00 20 7C 08 02 A6 è...|..¦N€. |..¦
00011750 F8 01 00 10 7D 4B 53 78 44 00 00 22 E8 01 00 10 ø...}KSxD.."è...
00011760 7C 08 03 A6 4E 80 00 20 |..¦N€.

Original ofw355:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00029330 3C 60 80 01 <`€.
00029340 60 63 00 03 4E 80 00 20 3C 60 80 01 60 63 00 03 `c..N€. <`€.`c..
00029350 4E 80 00 20 3C 60 80 01 60 63 00 03 4E 80 00 20 N€. <`€.`c..N€.
00029360 3C 60 80 01 60 63 00 03 4E 80 00 20 3C 60 80 01 <`€.`c..N€. <`€.
00029370 60 63 00 03 4E 80 00 20 3C 60 80 01 60 `c..N€. <`€.`

Patched 355checkoff (flukes1):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00029330 E8 63 00 00 èc..
00029340 60 00 00 00 4E 80 00 20 F8 83 00 00 60 00 00 00 `...N€. øƒ..`...
00029350 4E 80 00 20 4B FE 83 B8 60 00 00 00 60 00 00 00 N€. Kþƒ¸`...`...
00029360 4B FE 83 CC 60 00 00 00 60 00 00 00 4B FE 83 E0 KþƒÌ`...`...Kþƒà
00029370 60 00 00 00 60 00 00 00 3C 60 80 01 60 `...`...<`€.`

Original ofw355:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003591D0 E8 CF èÏ

Patched 355checkoff:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003591D0 D6 94 Ö”

Original ofw355:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003592F0 E8 CF èÏ

Patched 355checkoff:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
003592F0 D6 94 Ö”

Original ofw355:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00359380 A0 40 36 6B 2D 8A 50 99 1E B3 0C 53 E5 9B 5D 6E @6k-ŠP™.³.Så›]n
00359390 61 2C AC B8 a,¬¸

Patched 355checkoff:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00359380 F3 9F FB 9D 2E 7F B5 EE 64 8B 3A 43 13 81 1E E9 óŸû...µîd‹:C...é
00359390 AD 15 50 5C .P\
dev_flash_010.tar.aa.2010_11_27_051337
Patch type: OtherOS++ --allow-pseudoretail-pkg and --allow-debug-pkg
dev_flash\vsh\module\nas_plugin.sprx
nas_plugin.prx
Original ofw355:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00003250 7C 60 1B 78 |`.x

Patched 355checkoff (OtherOS++ --allow-pseudoretail-pkg):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00003250 38 00 00 00 8...

Original ofw355:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00037350 41 9E 00 4C Až.L

Patched 355checkoff (OtherOS++ --allow-debug-pkg):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00037350 60 00 00 00 `...
dev_flash_016.tar.aa.2010_11_27_051337
Patch type: OtherOS++ --patch-package-files and --patch-app-home
dev_flash\vsh\resource\explore\xmb\category_game.xml
category_game.xml
Original ofw355: ofw355-category_game.xml (23.74 KB)
Patched 355checkoff (OtherOS++ --patch-package-files and --patch-app-home): 355checkoff-category_game.xml (31.54 KB)
Known Issues
"Registration of the trophy information could not be completed. The game will quit. (80010505)"
3.56v1/v2 HDD exchange issue
option 1
<blakcat> i had one 3.56v1 with bucle error
<blakcat> i used patchcoreos355 to solve
<blakcat> patchcoreos355 is the same thing that if you take all coreos from other 3.55 cfw dump
<blakcat> and patch with your console specific files metldr, vtrm, bootloader, EID etc ....
<blakcat> http://www.multiupload.com/HA1TLN9HSK
<blakcat> for people asking 3.56v1 error
<blakcat> you only need to use patchv2 from dospiedras and you get your ps3 unbricked with 3.55
<blakcat> or take another dump 3.55 cfw and patch with your data
option 2
1. Use the built-in patcher of ProgSkeet to patch your image: downgrade v2 ProgSkeet.rar (19.62 MB)
NOR offsets used
target area | patch no. | NOR Offset | Paste length | Remarks |
---|---|---|---|---|
ROS0 | patch1 | 0x0C0010 | 0x6FFFE0 | |
ROS1 | patch2 | 0x7C0010 | 0x6FFFE0 | |
trvk_pkg0 | patch3 | 0x80000 | 0x20000 | |
trvk_pkg1 | patch4 | 0xA0000 | 0x20000 | |
trvk_prg0 | patch5 | 0x40000 | 0x20000 | |
trvk_prg1 | patch6 | 0x60000 | 0x20000 |
2. After flashing, install the prepatched PUP (e.g. Rogero v2)
option 3
- Dump flash and patch with downgrader (insert 3.55 CoreOS in ROS'), reflash
- Put lv2diag.self and 3.7x PUP on USB stick (make sure no discs are in drive) to upgrade to 3.7x in service mode (normally a sin to do UPdate in service mode!)
- Once on 3.7x, redo the downgrade steps to get back to 3.55 and use the second lv2diag.self file to get out of service mode.
option 4
note: Not tried+tested
- Dump flash and patch with downgrader (insert 3.55 CoreOS in ROS'), reflash
- Put lv2diag.self and 3.55 Dex Downgrader PUP on USB stick (make sure no discs are in drive) to crossgrade to 3.55 DEX in service mode (normally a sin to do crossgrade without EID change in service mode!)
- Once on 3.55 DEX downgrader, don't leave service mode or you'll brick. Redo the downgrade steps to flash NAND/NOR to 3.55 prepatched Retail/CEX.
- Reinstall 3.55 Retail/CEX PUP in service mode
- Use the second lv2diag.self file to get out of service mode.
Hashing
CELL_EXTNOR_AREA
magic "CELL_EXTNOR_AREA" @ offset 0, size 0x10:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00F20000 43 45 4C 4C 5F 45 58 54 4E 4F 52 5F 41 52 45 41 CELL_EXTNOR_AREA
version @ offset 0x10, 4 bytes:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00F20010 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................
data offset field @ offset 0x20 (02 meaning second sector) / datasize @ offset 0x24, 4 bytes (0x44 bytes):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00F20020 00 00 02 00 00 00 00 44 00 00 00 00 .......D....
Calculate SHA1 over whole data and compare with data @ offset 0x2C:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00F20020 A9 C8 06 D0 ©È.Ð
00F20030 C0 17 8D 34 55 A7 62 73 DD 16 A6 FB 75 A0 D2 10 À..4U§bsÝ.¦ûu Ò.
Harddrive model:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00F20200 00 00 00 07 46 55 4A 49 54 53 55 20 4D 48 5A 32 ....FUJITSU MHZ2
00F20210 30 38 30 42 48 20 47 31 20 20 20 20 20 20 20 20 080BH G1
00F20220 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Harddrive serial:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00F20230 20 20 20 20 4B 36 33 52 54 38 42 34 48 59 42 4B K63RT8B4HYBK
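The header check described above, as an added example (not code from the original page or from any tool it mentions): a Python parser that reads the CELL_EXTNOR_AREA fields at the stated offsets and compares the stored SHA1 with one computed over the data. Assumptions: fields are big-endian, the data offset is a byte offset from the start of the area (0x200 in the dump above), `area_len` is an arbitrary bound, and the function names and sample payload are constructed for illustration.

```python
import hashlib
import hmac
import struct

MAGIC = b"CELL_EXTNOR_AREA"
# Big-endian header, offsets as listed on this page:
# 0x00 magic[16], 0x10 version, 0x20 data offset, 0x24 data size, 0x2C SHA-1[20]
HEADER = struct.Struct(">16sI12xII4x20s")  # 0x40 bytes in total


class ExtNorError(ValueError):
    """Raised when the area header is malformed."""


def parse_extnor_area(dump: bytes, base: int = 0, area_len: int = 0x400) -> dict:
    """Parse the header at `base` and check the stored SHA-1 against the data.

    `base` would be 0xF20000 for the dump shown above; `area_len` is an
    assumed upper bound for the area, not a value taken from the page.
    """
    area = dump[base:base + area_len]
    if len(area) < HEADER.size:
        raise ExtNorError("area shorter than header")
    magic, version, data_off, data_size, stored = HEADER.unpack_from(area)
    if magic != MAGIC:
        raise ExtNorError("bad magic")
    # Reject a data range that overlaps the header or runs past the area.
    if data_off < HEADER.size or data_off + data_size > len(area):
        raise ExtNorError("data range outside area")
    data = area[data_off:data_off + data_size]
    computed = hashlib.sha1(data).digest()
    return {
        "version": version,
        "data_offset": data_off,
        "data_size": data_size,
        "stored_sha1": stored.hex(),
        "computed_sha1": computed.hex(),
        "hash_ok": hmac.compare_digest(stored, computed),
    }


def build_sample_area(payload: bytes, data_off: int = 0x200) -> bytes:
    """Constructed test input: header plus payload, laid out like the dump above."""
    area = bytearray(0x400)
    HEADER.pack_into(area, 0, MAGIC, 1, data_off, len(payload),
                     hashlib.sha1(payload).digest())
    area[data_off:data_off + len(payload)] = payload
    return bytes(area)


# Constructed 0x44-byte payload (not taken from any real console dump).
SAMPLE_PAYLOAD = (struct.pack(">I", 7) + b"EXAMPLE MODEL".ljust(40)
                  + b"SERIAL0001".rjust(20) + bytes(4))
SAMPLE_AREA = build_sample_area(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(parse_extnor_area(SAMPLE_AREA))
    tampered = bytearray(SAMPLE_AREA)
    tampered[0x204] ^= 0x01  # flip one bit inside the payload
    print(parse_extnor_area(bytes(tampered))["hash_ok"])
```

A `hash_ok` of `False` on a real dump means the data at the stored offset no longer matches the digest at 0x2C, which is the mismatch this section describes checking for.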
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[...]
00F60000-00F60040 (differs in other version/console dump) is the same as 00FA0000-00FA0040:
00F60000 10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34 ............ ..4
00F60010 00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2 ........[?s´š†Ç²
00F60020 A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE Ñ.¯§›—âzË.+Ma&®
00F60030 13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB .Ê)„.“.áJÛ,·|.äë
00F60000-00F60040 (differs in other version/console dump) is the same as 00F60000-00F60040:
00FA0000 10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34 ............ ..4
00FA0010 00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2 ........[?s´š†Ç²
00FA0020 A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE Ñ.¯§›—âzË.+Ma&®
00FA0030 13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB .Ê)„.“.áJÛ,·|.äë