Editing Downgrading with linux
Latest revision | Your text | ||
Line 1: | Line 1: | ||
'''You should have grafchokolos modules, and patches installed''' | |||
'''This works on 3.55 without a physical dongle''' | |||
'''Use this method to install lower firmware! You can install a newer firmware ex 3.60 with this method but you will be loosing your homebrew''' | |||
== Thanks to graf_chokolo for bringing linux, with all this goodies back to the PS3 == | |||
= Downgrade Method - Emulating JIG with Linux = | = Downgrade Method - Emulating JIG with Linux = | ||
'''1st step''' – Generating a challenge | '''1st step''' – Generating a challenge | ||
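Review bot: On the line beginning "Use this method to install lower firmware!", "loosing" should be "losing" and "ex 3.60" reads better as "e.g. 3.60". The first line, "You should have grafchokolos modules, and patches installed", does not say which modules or patches are meant; name them or link to the page that lists them, since the later steps all run tools against /dev/ps3dmproxy.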
Line 14: | Line 22: | ||
---- | ---- | ||
You need a dongle | You need a dongle id. | ||
Valid range for dongle IDs is 0×0000 – 0xffff. So choose one, | Valid range for dongle IDs is 0×0000 – 0xffff. So choose one, doesn’t matter which one, but some are revoked !!! | ||
# ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_resp 0xBABE “here is a challenge like this 0xXX 0xXX … of size 20 bytes” | # ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_resp 0xBABE “here is a challenge like this 0xXX 0xXX … of size 20 bytes” | ||
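Review bot: The lower bound on the "Valid range for dongle IDs" line is written 0×0000 with a multiplication sign (×) instead of the letter x, unlike 0xffff beside it; change it to 0x0000. The gen_resp line wraps its placeholder in typographic quotes (“ ”), which a shell does not treat as quoting, so mark the 20-byte challenge as a placeholder (for example in angle brackets) instead of presenting it as a quoted argument.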
Line 28: | Line 36: | ||
---- | ---- | ||
The returned value | The returned value shouldn’t be 0xff. | ||
# ps3dm_um /dev/ps3dmproxy read_eprom 0x48C07 | # ps3dm_um /dev/ps3dmproxy read_eprom 0x48C07 | ||
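Review bot: "The returned value shouldn’t be 0xff." gives the failing value but not what it means. The "Disabling Product Mode" step writes 0xff to the same offset (write_eprom 0x48C07 0xff), so state here that 0xff means Product Mode is off. The same sentence recurs in the alternative method and needs the same fix.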
Line 41: | Line 49: | ||
ps3dm_um /dev/ps3dmproxy update_pkg 1 0x9 CORE_OS_PACKAGE.pkg | ps3dm_um /dev/ps3dmproxy update_pkg 1 0x9 CORE_OS_PACKAGE.pkg | ||
'''7th step''' – Disabling “Product Mode” | '''7th step''' – Disabling “Product Mode” | ||
Line 47: | Line 56: | ||
# ps3dm_um /dev/ps3dmproxy write_eprom 0x48C07 0xff | # ps3dm_um /dev/ps3dmproxy write_eprom 0x48C07 0xff | ||
'''This step is really important, if Product Mode | '''This step is really important, if Product Mode isn't disabled you will need a dongle to get out of it''' | ||
= | = '''ALTERNATIVE METHOD - not tested''' = | ||
'''1st step''' – Enabling product mode | '''1st step''' – Enabling product mode | ||
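Review bot: The heading "= '''ALTERNATIVE METHOD - not tested''' =" puts bold markup inside a level-1 heading and uses all caps, unlike "= Downgrade Method - Emulating JIG with Linux ="; drop the bold and match the casing. The "not tested" status appears only in this heading, so repeat it as a sentence under the heading, where a reader who lands on the steps will see it. The warning "This step is really important, if Product Mode isn't disabled ..." is a comma splice; split it into two sentences.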
Line 59: | Line 70: | ||
---- | ---- | ||
The returned value | The returned value shouldn’t be 0xff. | ||
# ps3dm_um /dev/ps3dmproxy read_eprom 0x48C07 | # ps3dm_um /dev/ps3dmproxy read_eprom 0x48C07 | ||
Line 70: | Line 81: | ||
'''4th step''' - Install CORE_OS_PACKAGE.pkg | '''4th step''' - Install CORE_OS_PACKAGE.pkg | ||
---- | ---- | ||
ps3dm_um /dev/ps3dmproxy update_pkg 1 0x9 CORE_OS_PACKAGE.pkg | ps3dm_um /dev/ps3dmproxy update_pkg 1 0x9 CORE_OS_PACKAGE.pkg | ||
'''5th step''' – Disabling “Product Mode” | '''5th step''' – Disabling “Product Mode” | ||
Line 78: | Line 91: | ||
# ps3dm_um /dev/ps3dmproxy write_eprom 0x48C07 0xff | # ps3dm_um /dev/ps3dmproxy write_eprom 0x48C07 0xff | ||
'''This step is really important, if Product Mode | '''This step is really important, if Product Mode isn´t disabled you will need a dongle to get out of it''' | ||
=Install debug firmware= | |||
'''High brick risk! Don´t try this if you don´t know what you are doing''' | |||
'''If you brick with this the only way to recover is with a nor flasher and a proper backup''' | |||
'''To install debug firmware, EID0 should be reencrypted and rehashed with the proper target and device ids/type''' | |||
Debugging Station Target ID: 0x82 | |||
eEID contains | |||
*system model data | |||
*target ID | |||
*PS3 motherboard revision | |||
*Per ps3 values (console id, psid...) | |||
Other target IDs (might be helpful if someone messes this up) | |||
==Targets IDs == | |||
* A0 = system debugger | |||
* 81 = reference tool | |||
* 82 = debugging station | |||
* 83 = japan | |||
* 84 = USA | |||
* 85 = Europe | |||
* 86 = Korea | |||
* 87 = UK | |||
* 88 = Mexico | |||
* 89 = Australia/New Zealand | |||
* 8A = South Asia (Asia except China, Japan and Taiwan), | |||
* 8B = Taiwan | |||
* 8C = Russia | |||
* 8D = China | |||
"The kernel and most of the loaders check the target id as well as the device id/type to see if your unit is debug or not and if not they disable all the fancy things such as running unsigned code (in the case of appldr). | |||
* a good read about SC http://rms.grafchokolo.com/?p=16 |
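Review bot: The quotation beginning "The kernel and most of the loaders check the target id ..." opens with a quotation mark that is never closed and carries no attribution; close it and name the source. In the same section, "==Targets IDs ==" should read "== Target IDs ==", the list gives bare hex values (A0, 81, 82) while the line above it writes 0x82, and A0 is listed ahead of 81, out of numeric order. "Don´t" and "isn´t" use an acute accent (´) where the earlier warning uses a plain apostrophe.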