Editing Downgrading with Hardware flasher

[[Category:Software]][[Category:Hardware]]
<div style="float:right">[[File:NAND-downgrading-steps.png|200px|thumb|left|NAND flasher downgrader steps]]<br />[[File:NOR-downgrading-steps.png|200px|thumb|left|NOR flasher downgrader steps]]<br />[[File:Downgrading-installation-steps.png|200px|thumb|left|Downgrading installation steps ]]</div>

== Dump ==
Connect your [[Hardware flashing]] device and '''[[Validating_flash_dumps|make sure you are getting 100% correct, valid, verified dumps]].'''

== Checking console capability of running 3.55 ==
Compare the values found in your dump with those in the table below
=== metldr+bootldr sizes ===
{{metbootldr}}

==Patch the dump & Reflash it to the console ==
<div style="float:right">[[File:Flowrebuilder-Autopatcher.png|200px|thumb|left|Flowrebuilder : Autopatcher]]<br />[[File:Flowrebuilder-Autopatcher-completed.png|200px|thumb|left|Flowrebuilder : Autopatcher - completed]]</div>
For patching you can use:
* Hexeditor (e.g. [http://mh-nexus.de/en/hxd/ HxD])
* [http://www.ps3devwiki.com/files/flash/Tools/Flowrebuilder/ Flowrebuilder] (both NOR + unified NAND)
* in case of Progskeet, latest Winskeet/iSkeet/YASkeet (both NOR + unified NAND)

=== NAND ===
Use [http://www.ps3devwiki.com/files/flash/patches/NAND%20downgrade/ NAND patches] only on NAND consoles, not on NOR!
{|class="wikitable"
|-
! Target area !! Patchfile !! NAND Offset !! Paste length !! Remarks
|-
| ROS0 || [http://www.ps3devwiki.com/files/flash/patches/NAND%20downgrade/NAND-patch1-0x0C0030.bin patch1&nbsp;(7&nbsp;MB)] || 0x0C0030 || 0x6FFFE0 || CoreOS (prepatched 3.55)
|-
| ROS1 || [http://www.ps3devwiki.com/files/flash/patches/NAND%20downgrade/NAND-patch1-0x0C0030.bin patch1&nbsp;(7&nbsp;MB)] || 0x7C0020 || 0x6FFFE0 || CoreOS (SAME as ros0)
|-
| trvk_prg0&nbsp;(0x91800)<br />trvk_prg1&nbsp;(0x92810)<br />trvk_pkg&nbsp;(0x93800) || [http://www.ps3devwiki.com/files/flash/patches/NAND%20downgrade/NAND-patch2-0x91800.bin patch2&nbsp;(16&nbsp;KB)] || 0x91800 || 0x4000 || one big patch overlapping several revoke area's
|-
|}
(above patches in a single package + autopatcher file: [http://www.ps3devwiki.com/files/flash/patches/NAND%20downgrade.rar NAND downgrade.rar])

=== NOR ===
Use [http://www.ps3devwiki.com/files/flash/patches/NOR%20downgrade/ NOR patches] only on NOR consoles, not on NAND!
{|class="wikitable"
|-
! Target area !! Patchfile !! NOR Offset !! Paste length !! Remarks
|-
| ROS0 || [http://www.ps3devwiki.com/files/flash/patches/NOR%20downgrade/patch1 patch1 (7 MB)] || 0x0C0010 || 0x6FFFE0 || CoreOS (prepatched 3.55)
|-
| ROS1 || [http://www.ps3devwiki.com/files/flash/patches/NOR%20downgrade/patch1 patch1 (7 MB)] || 0x7C0010 || 0x6FFFE0 || CoreOS (SAME as ros0)
|-
| trvk_prg0 (0x40000) <br />trvk_prg1 (0x60000)<br />trvk_pkg0 (0x80000) <br />trvk_pkg1 (0xA0000) || [http://www.ps3devwiki.com/files/flash/patches/NOR%20downgrade/rvk-040000 rvk-040000 (512 KB)] || 0x40000 || 0x80000 || one big patch<br />overlapping several revoke area's
|-
|}
(above patches in a single package + autopatcher file: [http://www.ps3devwiki.com/files/flash/patches/NOR%20downgrade.rar NOR downgrade.rar])

==== E3 Flasher ====
Use these instead, otherwise you get into a maze of bytereversing: [[E3#Manual_E3_downgrade_v2|E3 Manual downgrade patches]]

== '''E3 Flasher Error Codes and Solutions''' ==

'''1 is for Blue LED flashing / 0 is for no LED'''
----

* 10000100 - E3 can not initialize PS3 Nor Chip
* 10001100 - Error initializing the PS3 BIOS
* 10001101 - Error while reading PS3 BIOS
* 10001111 - Error writing PS3 BIOS 

Problem: bad solder points / E3 Nor Clip does not work right with Ps3 Nor 

<span style="text-decoration: underline;">'''solution''':</span> 

- check solder points (resolder) 

- Fat PS3 only: refit the Nor Clip by smoothing it down with a little screwdriver / sandpaper  

- clean contacts on Nor and E3 Clip with Isopropylalkohol 70% -

- use pads or cardboard to press down Nor Clip                                                                                                                       

[[File:E3.jpg]] 




'''Note:''' 

- dont use to much pressure on the Nor or you can destroy the solder balls of your southbridge and damage your system .. 

- dont glue the inside of the clip to the nor chip 



----

* 10000101 - Reading error (E3 Nor)
* 10000111 - Error writing E3 Nor
* 10000110 - Error deleting data on E3 Nor
* 10001110 - Error erasing PS3 BIOS

Problem: faulty solder points / E3 Nor Clip does not work right with Ps3 Nor / E3 Nor bricked

<span style="text-decoration: underline;">'''solution''':</span> 

- check solder points 

- clean contacts on Nor and E3 Clip with Isopropylalkohol 70%

- use pads or cardboard to press down Nor Clip 

- reset E3 flasher while system is running (little red button on the upper side '''of the flasher''' / NOT little red button on front panel under Esata !!)

[[File:E3Platine.JPG]]


'''Note:''' dont use to much pressure an the Nor as you can destroy the solder balls of your southbridge and damage your system .. 



----

* 01000000 - Error initializing TF /SD card
* 01001000 - Error opening data from SD/TF card
* 01001100 - Error writing data from SD/TF card

<span style="text-decoration: underline;">'''solution''':</span> 

- check if TF/SD Card is sitting accurate 

- Format your SD/TF Card to FAT 32 

- Rename your backup '''bkpps3''' for writing to PS3 NOR / '''bkpe3''' for writing to E3 NOR 


----

* 11000000 - Wrong position of switches (the action you selected is not possible)
* 11001100 - Wrong position of switches (the action you selected is not possible)
* 11000010 - PS3 is using NOR / you cant use E3 Flasher at the same time

<span style="text-decoration: underline;">'''solution''':</span> 

- change position of switches 



----

* 11001000 - Wrong PS3 Version / Not supported PS3 Version (Nand / Metldr2)

<span style="text-decoration: underline;">'''Solution''':</span> 

- Buy a progskeet for nand :)



----

* 11000100 - corrupt backup of PS3 data

<span style="text-decoration: underline;">'''Solution''':</span> 

- check backup for errors (flowrebuilder etc) / make a new clean dump



<span style="text-decoration: underline;">'''other frequent problems and solutions'''</span>


'''1) HDD in Esata Station cant be found''' 

- restrip contacts on the backside of the E3 Flasher (they must not touch the metal casing)they have to be isolated very good .. they are very sensitive and cause a lot of errors

- check Esata cable ..


'''2) Blackscreen with no hdd activity and only hard reset possible (no brick)'''

- resolder SBCE -> A / cut A/B properly

- restrip contacts on the backside of the E3 Flasher (they must not touch the metal casing)they have to be isolated very good .. they are very sensitive and cause a lot of errors


'''3) yload behavior (3 beeps and turns off)'''

There are two possible solutions .. Always try a) first then b)

a)Dualboot only: Wrong HDD in Esata Station

After downgrading your PS3 you have to install the <span style="text-decoration: underline;">SAME</span> firmware on <span style="text-decoration: underline;">BOTH</span> hdds then upgrade one HDD to OFW .. the error will be gone than .. 

Example: downgrade to 3.55 kmeaw .. put 3.55 kmeaw on BOTH hdds via Recovery Mode .. then update your OFW HDD to 4.11 OFW .. 

b)Brickfix: 

well done .. you bricked your PS3 :)

Solder SBE to Tristate ..  use Flash Fun Mode (10000000) to reflash the valid back up of the firmware revision you bricked on .. 



'''4) TrueBlue Dongle not working with dualboot (only red light)''' 

After downgrading your PS3 you have to install the <span style="text-decoration: underline;">SAME</span> firmware on <span style="text-decoration: underline;">BOTH</span> hdds then upgrade one HDD to OFW .. the error will be gone than .. 

Example: downgrade to 3.55 TBv2 no check .. install 3.55 TBv2 no check on BOTH hdds via Recovery Mode .. then update your OFW HDD to 4.11 OFW ..



'''5) No Blue Leds (only red power led)'''

The Nor Clip is installed the wrong way .. you have to turn it 180° and reinstall it to the NOR .. 

The E3 flat cabel has to lead away from the flasher NOT in the direction of the flasher ..



'''6) Dualboot error: CFW HDD corrupted'''
After updating your OFW HDD to a higher firmware your CFW HDD gets an error message and needs to be updated too  

'''<span style="text-decoration: underline;">Solution</span>''' 

- Resolder SBCE - A again; 

- Make sure the cut between A/B is deep enough 

- First solder then cut the connection between A/B !!!



''' 7) solder points (SBE / SBCE solder points torn off E3 ribbon cable'''


'''<span style="text-decoration: underline;">Solution</span>''' 

- use alternate points on backside of E3 flasher 


[[File:Pinbelegungsdusbivehp.jpg]]

==Reinstall firmware in Factory Service Mode==
For this step it is required to have the console assembled (connected PSU, harddrive, wifi/bt board etc)

# Use the PSGrade dongle to trigger Factory Service Mode (in the rightmost USB port).
# Turn PS3 on, it will trigger Factory Service Mode and turn off the console.
# After triggering Factory Service Mode, put the Lv2diag.self (see below) and prepatched firmware to install (named PS3UPDAT.PUP) in root of your USB Mass Storage Device and plug it in the PS3 (again, in the rightmost USB port).
# Turn PS3 on, it will install the firmware you had put there (even though you have no screenoutput, you can see it is busy by looking at the activity led of the harddrive and of your USB Mass Storage Device).
# PS3 will turn itself off after finishing the firmware installation.

See also [[Downgrading with PSgrade Dongle]], which also contains alot of ready to use PSgrade HEX files for several dongles.

=== PUP to use ===
[http://www.ps3devwiki.com/files/firmware/MFW-CEX/Downgrader/Rogero-V3.1/ Rogero V3.1] or any firmware with prepatched lv1 (no syscon hash checks)

=== Different Factory Service Mode SELFs ===
==== NAND ====
For factory Service Mode install:
* if using the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
* <span style="text-decoration: line-through; background-color:#FFDDDD;">if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP -</span> see note below (and redump flash after FSM to check both ROS)

'''note:''' since V3 Rogero is only available as noBD, use that one with normal lv2diag.self

==== NOR ====
Use the normal lv2diag and use the Rogero normal PUP

Only when having a console with a broken bluraydrive, you either:
* use the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
* <span style="text-decoration: line-through; background-color:#FFDDDD;">use the jaicrab NoBD lv2diag : Use the Rogero normal PUP -</span> see note below

'''note:''' since V3 Rogero is only available as noBD, us that one with normal lv2diag.self 

{|class="wikitable"
! Filename !! Size !! Remarks !! <code>SHA1</code> !! <code>MD5</code> !! <code>CRC32</code> !! <code>CRC16</code>
|-
| style="text-align:center; background-color:#DDFFDD;" | [http://www.ps3devwiki.com/files/lv2diag/3.55%20downgrader/FILE1/Lv2diag.self Lv2diag.self&nbsp;(365.5&nbsp;KB)] || style="text-align:center; background-color:#DDFFDD;" | 374272 || style="text-align:center; background-color:#DDFFDD;" | 3.55 get in FSM * || style="text-align:center; background-color:#DDFFDD;" | <code>1ED037740D67FEBACA6449CABFF4E95400C9E2EE</code> || style="text-align:center; background-color:#DDFFDD;" | <code>099F33A7967F99E91C07E870FD78B3DB</code> || style="text-align:center; background-color:#DDFFDD;" | <code>9338ABF2</code> || style="text-align:center; background-color:#DDFFDD;" | <code>4FCC</code>
|-
<!--//
| [http://www.ps3devwiki.com/files/lv2diag/3.50%20downgrader/FILE1/Lv2diag.self Lv2diag.self&nbsp;(365.5&nbsp;KB)] || 374272 || 3.50- get in FSM || <code>1E770010A3A6EF572AF39783A04DF792670998D3</code> || <code>90168C03B217CE775A7839D87BBFF2A3</code> || <code>D1F0AAFC</code> || <code>CD8D</code>
|- //-->
| style="text-align:center; background-color:#FFDDDD;" | [http://www.ps3devwiki.com/files/lv2diag/3.55%20jaicrab%20downgrader/Lv2diag.self Lv2diag.self&nbsp;(227.38&nbsp;KB)] || style="text-align:center; background-color:#FFDDDD;" | 232832 || style="text-align:center; background-color:#FFDDDD;" | jaicrab noBD patched || style="text-align:center; background-color:#FFDDDD;" | <code>180823003B086D9D49BC7F83BEA9C769BF73A5EA</code> || style="text-align:center; background-color:#FFDDDD;" | <code>3615770407C0C3FA00D8CA49C8ADB362</code> || style="text-align:center; background-color:#FFDDDD;" | <code>25E85CFB</code> || style="text-align:center; background-color:#FFDDDD;" | <code>EDD0</code>
|-
|}
''* recommended default choice, see above notes''

=== Check the logfile ===
After installation of the firmware, take the created logfile in root of USB Mass Storage Device and look if it contains [[Error_Codes#0x8002f..._-_PUP_.2F_Update_errors|errors]] ([http://pastie.org/pastes/new pastie] the log if you want to ask for help online on IRC)

=== Getting out of Factory Service Mode ===
If everything went fine without errors, you can take the console out of service mode and enjoy your downgraded console :)

# Put the Lv2diag.self (see below) in root of your USB Mass Storage Device and plug it in the PS3 (again, in the rightmost USB port).
# Turn PS3 on, it will trigger Factory Service Mode off and shutdown.

{|class="wikitable"
! Filename !! Size !! Remarks !! <code>SHA1</code> !! <code>MD5</code> !! <code>CRC32</code> !! <code>CRC16</code>
|-
| [http://www.ps3devwiki.com/files/lv2diag/3.55%20downgrader/FILE2/Lv2diag.self Lv2diag.self&nbsp;(201.42&nbsp;KB)] || 206256 || get out FSM || <code>329877CBD47B994EC0AFCEA6AF98114FD9E5128B</code> || <code>7A20BFDAE65EEFB47A4425DB1B52DCDE</code> || <code>72740080</code> || <code>502A</code>
|-
|}

== Dehashing ==
Goal: To be able to install unpatched firmwares on consoles that where previously on 3.56+ ('''highly recomended''')

You can use either or both QA/reFSM way:

=== QA way ===
# Patch as normal downgrader (ROS 0/1 + RVK prg/pkg)
# install prepatched firmware in service mode
Above is already done if you just downgraded

# Install and run [http://www.ps3devwiki.com/files/flash/Tools/toggle-qa/ QA-toggle] and make sure it beeps as written in that readme
::* Note: for above to work, you need a BD drive connected and married to the console.
# Poweroff console
# Put unpatched official firmware (e.g. [http://www.ps3devwiki.com/wiki/3.55_CEX 3.55]) on USB Mass Storage device as /PS3/UPDATE/PS3UPDAT.PUP and insert in PS3
#  Boot into [http://www.ps3devwiki.com/wiki/Talk:Playstation_Update_Package_%28PUP%29#PS3_Recovery_Menu Recovery Menu], select "''6. System Update''" to reinstall firmware.
# If installation finishes without error (there will be no logs you can check!) and boots XMB OK, then dehashing was successful. Congrats, you now finished downgrading and dehashing. Console runs 3.55 and any firmware of choice can be installed, no longer needing to be patched for downgrader.


=== reFSM way ===
# Patch as normal downgrader (ROS 0/1 + RVK prg/pkg)
# install prepatched firmware in service mode
Above is already done if you just downgraded

# Put console in service mode with JIG (in case you left service mode and ran the prepatched firmware in normal mode)
# Use normal lv2diag.self and unpatched official firmware (e.g. [http://www.ps3devwiki.com/wiki/3.55_CEX 3.55]) on USB Mass Storage device in root and let the system reinstall that in factory service mode (FSM).
# After installation is finished console will turn off. Check UPDATER_LOG.TXT in root of USB Mass Storage device (it should have "''manufacturing updating SUCCESS(0x8002f000)''" in end section).
# If everything is OK, then reinsert USB Mass Storage device and let it install again.
# After installation is finished console will turn off. Check UPDATER_LOG.TXT in root of USB Mass Storage device (it should have "''manufacturing updating SUCCESS(0x8002f000)''" in end section).
# If everything is OK, then console should now be dehashed and no longer brick with any unpatched firmwares.
# Replace lv2diag.self for he one getting out of service mode and put in root.
# Power on console, it should turn off and not boot XMB.
# Remove USB Mass Storage device and boot console normally. If all went well it should load to XMB now. Congrats, you now finished downgrading and dehashing. Console runs 3.55 and any firmware of choice can be installed, no longer needing to be patched for downgrader.

==== Remarks ====
  <domelec> dehash procedure: fsm install ofw
            after console turns off take out usb stick and look at log file, 
            if log is ok then reinsert usb stick and turn on console,
            ofw will then reinstall, after console turns off again 
            take out usb stick and check log, if ok then exit fsm 

  <eussNL> do double FSM OFW, then get out of service mode.
  <eussNL> check everything is working
  <eussNL> THEN and only THEN, you can install whatever you want, in recovery.
  <eussNL> there is no need for factory mode after dehashing complete
  <eussNL> in fact, if everything works on OFW 3.55 after dehashing, 
  <eussNL> you can install Rogero V3.1 in recovery and [http://www.ps3devwiki.com/files/flash/Tools/toggle-qa/ QA-extra] flag it  
  <eussNL> if OFW 3.55 works then you proven that you dehashed
  <eussNL> so after that you can install whatever MFW 3.55 you want

  <eussNL> If for some reason you cannot dehash because of BD or BT errors
           then you can use PS3MFW Builder and the broken Blueray / broken Bluetooth
           tasks. Do not select downgrader patches, or you will not dehash!

  <eussNL> BD error can be persistant if flasher is still attached, 
           see: http://www.ps3devwiki.com/wiki/Talk:Hardware_flashing#BD_drive_not_found_problem
  <eussNL> 3 options: 1. open R7/R8  /  2. remove flasher control lines / 3. remove all flasher wiring

  <playonlcd> i  think you can update on wiki "dehashing with jaicrab is not recomended
              and will not dehash as needed and thus semibrick by syscon hash panic