Editing Dual Firmware

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
[[Category:Hardware]]
These methods are currently theoretical and have not been tested as of yet.
= Hardware Based =
= Hardware Based =


== NOR/Nand Piggybacking ==
== NOR/Nand Piggybacking ==


This method involves physically soldering another flash chip ontop of the existing flash packages, soldering the legs pin for pin ([http://home.comcast.net/~twisted.penguin/eeprom_piggyback.JPG piggybacking]). You will lift both #CE pins and provide a switch between them to select the appropriate flash chip, of which each will have a different firmware.
This method involves physically soldering another flash chip ontop of the existing flash packages, soldering the legs pin for pin (piggybacking). You will lift both #CE pins and provide a switch between them to select the appropriate flash chip, of which each will have a different firmware.


E.g.: http://www.elotrolado.net/hilo_la-dual-nand-fat40g-ya-es-una-realidad_1650176 / http://www.ps3hax.net/2011/07/dual-ps3-nand-on-40gb-phat-ps3-working/
E.g.: http://www.elotrolado.net/hilo_la-dual-nand-fat40g-ya-es-una-realidad_1650176
 
other example (non PS3) : http://electro-music.com/forum/post-85678.html#85678


=== Reset pin for NOR ===
=== Reset pin for NOR ===
Line 13: Line 14:
After looking into this some more, Simply switching the #CE pin may not be sufficient as the chip is still operating and can interfere with the bus.
After looking into this some more, Simply switching the #CE pin may not be sufficient as the chip is still operating and can interfere with the bus.
However, it appears that whilst the #reset pin is tied low, all input/output pins on the flash are in a state of high-impedance. We should be able to simply ground this pin to disable that chip, rather than lifting the #CE pin.
However, it appears that whilst the #reset pin is tied low, all input/output pins on the flash are in a state of high-impedance. We should be able to simply ground this pin to disable that chip, rather than lifting the #CE pin.
EDIT: it seems it is sufficient to use only CE# as several tests (some on this very same page) prove.
=== more than 2 (virtually limitless) ===
Theoretical there is no limit to the amount of flashchips you can stack and CE switch (practical limit is the space to stack, length of wiring and real use for that many FW versions). Using a [http://www.electro-nc.com/m7.htm 48 step rotaryswitch] and stacking 47 Flashchips (1x47 for NOR / 2x 1x47 for NAND) parallel to the original one, its even possible to make a 48-boot system (just remember you have to have a seperate harddrive for every selected flash firmware version).


== Dual-Banking ==
== Dual-Banking ==


This method relies on the fact that SYSCON has 2 EEPROM banks, and a "recovery mode" flag that can be set to load a recovery firmware located in the ros0 region of the flash.
This method relies on the fact that SYSCON has 2 EEPROM banks, and a "recovery mode" flag that can be set to load a recovery firmware located in the ros1 region of the flash.


By pulling the backup_mode pin low or high, you can aparently switch eeprom banks in the SYSCON EEPROM. In the second bank, you would have the recovery mode flag set, thus loading firmware from the ros0 region on flash.
By pulling the backup_mode pin low or high, you can aparently switch eeprom banks in the SYSCON EEPROM. In the second bank, you would have the recovery mode flag set, thus loading firmware from the ros1 region on flash.


== Increased size NOR Flash ==
== Increased size NOR Flash ==


This method relies on entirely lifting the existing NOR flash chip and planting a 256mbit chip, you could lift Address pin 23 and have a switch to tie this low or high to switch banks. A compatable samsung k8p5615uqa chip ([http://www.bdtic.com/DataSheet/SAMSUNG/K8P5615UQA.pdf datasheet])
This method relies on entirely lifting the existing NOR flash chip and planting a 256mbit chip, you could lift Address pin 23 and have a switch to tie this low or high to switch banks. A compatable samsung chip can be found below:
http://www.samsung.com/global/system/business/semiconductor/product/2007/8/7/620430ds_k8p5615uqa_rev11.pdf


This looks like it could work, as per the spansion and samsung charts, when using autoselect commands etc, it does not care about the state of pin 23. So there should not be any interference.
This looks like it could work, as per the spansion and samsung charts, when using autoselect commands etc, it does not care about the state of pin 23. So there should not be any interference.
'''Notes:'''
128mbit and 256mbit chips don't have the same ProductID.
This ID can easily checked by SONY to avoid the principle even if the VendorID is the same.
VendorID = Unique manufacturer ID
ProductID = Unique device ID
ie. :
SPANSION S29GL128P - VendorID = 0x01 & ProductID = 0x7E '''0x21''' 0x01
SPANSION S29GL256P - VendorID = 0x01 & ProductID = 0x7E '''0x22''' 0x01


== Limitations ==
== Limitations ==
=== Firmware hash checks ===
=== Firmware hash checks ===
Firmware hash checks are located on SYSCON EEPROM, aparently these checks are run within Indi info manager on LV1. These compare the hashes stored in syscon with the files stored on flash. If the checks fail, the console does not boot (RLOD). We could get around this by using dual-banking on SYSCON or by patching the checks out.
Firmware hash checks are located on SYSCON EEPROM, aparently these checks are run within Indi info manager on LV1. These compare the hashes stored in syscon with the files stored on flash. If the checks fail, the console does not boot. We could get around this by using dual-banking on SYSCON or by patching the checks out.


=== VFlash ===
=== VFlash ===
Only a single version of VFlash is stored on flash in NAND consoles, and a single copy is stored at the beginning of the PS3 hard drive on NOR consoles. Because the firmware stored here doesn't match that stored on flash, you would have to reinstall the rest of firmware everytime you switch. We could possibly overcome this limitation by patching the storage manager to redirect vflash to another region of the hard disk.
Only a single version of VFlash is stored on flash in NAND consoles, and a single copy is stored at the beginning of the PS3 hard drive on NOR consoles. Because the firmware stored here doesn't match that stored on flash, you would have to reinstall the rest of firmware everytime you switch. We could possibly overcome this limitation by patching the storage manager to redirect vflash to another region of the hard disk.


[[Category:Software]]
= Software based =
= Software based =


== Using graf_chokolo's payload ==
== Using graf_chokolo's payload ==


In graf_chokolo payloads, there is a payload that can be used to load an alternative lv2_kernel.self
In graf_chokolo payloads, there is a payload that can be used to load an alternative lv2_kenel.self


You have to save the alternative lv2_kernel.self on flash and use the payload to make lv1 load it.
You have to save the alternative lv2_kernel.self on flash and use the payload to make lv1 load it.
Line 72: Line 54:
With both of those payloads i’m able to boot a patched lv2_kernel.self from FLASH without flashing PUP, i just store a second lv2_lernel.self
With both of those payloads i’m able to boot a patched lv2_kernel.self from FLASH without flashing PUP, i just store a second lv2_lernel.self
on FLASH, then patch System Manager in HV which is reponsible for booting GameOS and boot custom LV2 kernel from 3.41.  
on FLASH, then patch System Manager in HV which is reponsible for booting GameOS and boot custom LV2 kernel from 3.41.  
You don’t need NOR flasher if something goes wrong:
You don’t need NOR flasher if something goes wrong, just reboot HV and your original lv2_kernel.self will be booted again
just reboot HV and your original lv2_kernel.self will be booted again


The same way you could boot lv2_kernel.self from dev_flash.  
The same way you could boot lv2_kernel.self from dev_flash. Just patch path to lv2_kernel.self in System Manager and point it to lv2_kernel.self stored on dev_flash
Just patch path to lv2_kernel.self in System Manager and point it to lv2_kernel.self stored on dev_flash
</pre>
</pre>


Line 82: Line 62:


*Same as above and this could ONLY be used with a lv2_kernel.self compatible with you actual lv1.self
*Same as above and this could ONLY be used with a lv2_kernel.self compatible with you actual lv1.self
*You can only customize lv2_kernel.self and below
*You can only customize lv2_kernel.self and below  


= Bootloader =
= Bootloader =
Line 89: Line 69:


This would be the best solution, having a bootmii like bootloader with recovery options, but it is also the most farfetched.
This would be the best solution, having a bootmii like bootloader with recovery options, but it is also the most farfetched.
= Manual dualboot 3.55 & 4.x with 2 flashdumps and 2 harddrives =
(old longer guide is on talkpage)
==Preparation in short==
===Getting original and downgrade to 3.55===
# Dump the flash and make sure it is useable for downgrade to 3.55
# Patch it for downgrade
# Reinstall (Factory Service Mode) the prepatched PUP (e.g. {{RogeroFirmware}}) and reboot (normal mode) to make sure it works fine
# Redump the flash to make sure it has filled both ROS0 and ROS1 (they will differ as one will be the prepatched from the previous step, while the other will contain CoreOS from the installed PUP) and keep this as '3.55-swap.bin' together with the used harddrive '3.55.HDD'.
===Getting latest===
# Update (normal or recovery mode) to the latest firmware you want to use (e.g. 4.x) and reboot (normal mode) to make sure it works fine
# Dump the flash and keep this as '4.x-swap.bin' together with used different harddrive '4.x.HDD'.
==Swapping==
===When you want to boot to 3.55===
# Reflash '3.55-swap.bin' and insert harddrive '3.55.HDD'.
===When you want to boot to 4.x===
# Reflash '4.x-swap.bin' and insert harddrive '4.x.HDD'.
= Swap Solutions =
== Solutions for swapping/connecting the flash ==
=== NAND ===
==== Ghetto rigs ====
* http://www.uchobby.com/index.php/2007/05/05/read-embedded-flash-chips/
==== TSOP Clip/Probe ====
* http://www.360-clip.com/
==== TSOP sockets ====
* http://www.primedistributing.com/Enplas_OTS_Series_PDC_p/ots-series-pdc.htm
* https://www.emulation.com/cgi-cfm/insert_quantity.cfm?part_number=S-TSO-SM-048-A%2C%2048-TSO1
* https://www.emulation.com/cgi-cfm/insert_quantity.cfm?part_number=S-TSO-SM-048-A1%2C
* http://www.ebay.com/itm/TSOP48-to-DIP-48-Pin-IC-socket-Adapter-Converter-B-m-/320660655179
===== Adaptors =====
* http://uk.farnell.com/roth-elektronik/re900-02/adaptor-smd-0-5mm-28-48pin/dp/1426156
=== NOR ===
==== TSOP Clip/Probe ====
* http://www.adapt-plus.com/products/test_clips_probes/pdf/DP_FOR_SOP_TSOP_1.pdf
==== TSOP sockets ====
* http://www.primedistributing.com/Enplas_OTS_Series_PDC_p/ots-series-pdc.htm
== Solutions for swapping / externalise the harddrive ==
=== Internal tray with eSATA connector ===
<gallery>
File:Xecuter HDD Xtender.jpg|Xecuter HDD Xtender - nothing special there, just a means to externalise the SATA port and securing it inside the HDD tray
File:Ezflash ps3slim hdd expander.jpg|ezflash ps3slim hdd expander - nothing special there, just a means to externalise the SATA port and securing it inside the HDD tray - Notice the false claims of 16TB and SATA300 (the ps3 maximum supports 1TB / SATA-I/150)
File:3-in-1 PS3 HD PLUS PHE-02 - pic1.jpg|3-in-1 PS3 HD PLUS PHE-02 - pic1
File:3-in-1 PS3 HD PLUS PHE-02 - pic2.jpg|3-in-1 PS3 HD PLUS PHE-02 - pic2
</gallery>
* http://www.ezflash.cn/ps3-hdd-expander/ (ps3 slim)
* http://www.joystiq.com/2009/02/03/mysterious-ps3-esata-adapter-promises-massive-hdd-storage/ (ps3 fat)
* http://www.destructoid.com/adding-300gb-esata-to-a-ps3-in-pictures-30024.phtml (ps3 fat)
=== External cradle with SATA uplink ===
Remember: You still need an eSATA (cradle) to SATA (PS3) cable
* http://www.dealextreme.com/p/all-in-1-dual-hdd-docking-station-with-one-touch-backup-for-2-5-3-5-sata-hdd-71509?item=18
* http://www.dealextreme.com/p/all-in-1-dual-hdd-docking-station-with-one-touch-backup-for-2-5-3-5-sata-hdd-31574?item=10
=== DIY / cheap solutions ===
Alot of the above mentioned solutions can be made DIY.
* http://www.aliexpress.com/fm-store/601043/210118527-417040433/SATA-7-pin-Male-to-ESATA-Female-cable-30cm-for-ps3.html (only US $5.99 !)
* http://www.amazon.com/eSATA-Female-Extension-Cable-Bracket/dp/B00IU8Y9AG
* http://maxict.nl/product/3507535/delock-82855-cable-sata-extension-serial-ata-verl-ngerungskabel-serial-ata-150-300-600-serial-ata-7-polig
=== SATA Switches ===
Switching SATA harddrives:
* http://jivebay.com/2008/12/08/sata-switches-hdd-hard-disk-drive-selectors-part-6/
* http://www.cooldrives.com/4posaiisw3ba.html
=== RAID enclosures with eSATA port ===
they must serve the storage as uniform storage device on a single port (not software RAID, relying on host)
* http://akiba-pc.watch.impress.co.jp/hotline/20070120/etc_ps3hd.html
=== Not useable devices ===
Devices that state that host must support Port Multiplier (PM) specifications won't work, e.g.
* http://www.vantecusa.com/gl/product/view_detail/372
= Publications based on this article page =
* PS3 Dual-Firmware – Hardware Hacking Guide – Ed. 2 - Author: No_One - [https://web.archive.org/web/*/http://ps3devwiki.com/files/documents/PS3_Ed2_dualnand.pdf PS3_Ed2_dualnand.pdf] // (mirror: [http://www.mediafire.com/?crkryrb5qdc4n0j PS3_Ed2_dualnand.pdf (128 KB)])
{{Hardware Flashers}}<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Templates used on this page:

Retrieved from "http://www.psdevwiki.com/ps3/Dual_Firmware"