Editing Dual Firmware

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
[[Category:Hardware]]
These methods are currently theoretical and have not been tested as of yet.
= Hardware Based =
= Hardware Based =


== NOR/Nand Piggybacking ==
== NOR/Nand Piggybacking ==


This method involves physically soldering another flash chip ontop of the existing flash packages, soldering the legs pin for pin ([http://home.comcast.net/~twisted.penguin/eeprom_piggyback.JPG piggybacking]). You will lift both #CE pins and provide a switch between them to select the appropriate flash chip, of which each will have a different firmware.
This method involves physically soldering another flash chip ontop of the existing flash packages, soldering the legs pin for pin (piggybacking). You will lift both #CE pins and provide a switch between them to select the appropriate flash chip, of which each will have a different firmware.
 
E.g.: http://www.elotrolado.net/hilo_la-dual-nand-fat40g-ya-es-una-realidad_1650176 / http://www.ps3hax.net/2011/07/dual-ps3-nand-on-40gb-phat-ps3-working/


other example (non PS3) : http://electro-music.com/forum/post-85678.html#85678
E.g.: http://www.elotrolado.net/hilo_la-dual-nand-fat40g-ya-es-una-realidad_1650176


=== Reset pin for NOR ===
=== Reset pin for NOR ===
Line 13: Line 14:
After looking into this some more, Simply switching the #CE pin may not be sufficient as the chip is still operating and can interfere with the bus.
After looking into this some more, Simply switching the #CE pin may not be sufficient as the chip is still operating and can interfere with the bus.
However, it appears that whilst the #reset pin is tied low, all input/output pins on the flash are in a state of high-impedance. We should be able to simply ground this pin to disable that chip, rather than lifting the #CE pin.
However, it appears that whilst the #reset pin is tied low, all input/output pins on the flash are in a state of high-impedance. We should be able to simply ground this pin to disable that chip, rather than lifting the #CE pin.
EDIT: it seems it is sufficient to use only CE# as several tests (some on this very same page) prove.
=== more than 2 (virtually limitless) ===
Theoretical there is no limit to the amount of flashchips you can stack and CE switch (practical limit is the space to stack, length of wiring and real use for that many FW versions). Using a [http://www.electro-nc.com/m7.htm 48 step rotaryswitch] and stacking 47 Flashchips (1x47 for NOR / 2x 1x47 for NAND) parallel to the original one, its even possible to make a 48-boot system (just remember you have to have a seperate harddrive for every selected flash firmware version).


== Dual-Banking ==
== Dual-Banking ==


This method relies on the fact that SYSCON has 2 EEPROM banks, and a "recovery mode" flag that can be set to load a recovery firmware located in the ros0 region of the flash.
This method relies on the fact that SYSCON has 2 EEPROM banks, and a "recovery mode" flag that can be set to load a recovery firmware located in the ros1 region of the flash.


By pulling the backup_mode pin low or high, you can aparently switch eeprom banks in the SYSCON EEPROM. In the second bank, you would have the recovery mode flag set, thus loading firmware from the ros0 region on flash.
By pulling the backup_mode pin low or high, you can aparently switch eeprom banks in the SYSCON EEPROM. In the second bank, you would have the recovery mode flag set, thus loading firmware from the ros1 region on flash.


== Increased size NOR Flash ==
== Increased size NOR Flash ==


This method relies on entirely lifting the existing NOR flash chip and planting a 256mbit chip, you could lift Address pin 23 and have a switch to tie this low or high to switch banks. A compatable samsung k8p5615uqa chip ([http://www.bdtic.com/DataSheet/SAMSUNG/K8P5615UQA.pdf datasheet])
This method relies on entirely lifting the existing NOR flash chip and planting a 256mbit chip, you could lift Address pin 23 and have a switch to tie this low or high to switch banks. A compatable samsung chip can be found below:
http://www.samsung.com/global/system/business/semiconductor/product/2007/8/7/620430ds_k8p5615uqa_rev11.pdf


This looks like it could work, as per the spansion and samsung charts, when using autoselect commands etc, it does not care about the state of pin 23. So there should not be any interference.
This looks like it could work, as per the spansion and samsung charts, when using autoselect commands etc, it does not care about the state of pin 23. So there should not be any interference.
'''Notes:'''
128mbit and 256mbit chips don't have the same ProductID.
This ID can easily checked by SONY to avoid the principle even if the VendorID is the same.
VendorID = Unique manufacturer ID
ProductID = Unique device ID
ie. :
SPANSION S29GL128P - VendorID = 0x01 & ProductID = 0x7E '''0x21''' 0x01
SPANSION S29GL256P - VendorID = 0x01 & ProductID = 0x7E '''0x22''' 0x01


== Limitations ==
== Limitations ==
=== Firmware hash checks ===
=== Firmware hash checks ===
Firmware hash checks are located on SYSCON EEPROM, aparently these checks are run within Indi info manager on LV1. These compare the hashes stored in syscon with the files stored on flash. If the checks fail, the console does not boot (RLOD). We could get around this by using dual-banking on SYSCON or by patching the checks out.
Firmware hash checks are located on SYSCON EEPROM, aparently these checks are run within Indi info manager on LV1. These compare the hashes stored in syscon with the files stored on flash. If the checks fail, the console does not boot. We could get around this by using dual-banking on SYSCON or by patching the checks out.


=== VFlash ===
=== VFlash ===
Only a single version of VFlash is stored on flash in NAND consoles, and a single copy is stored at the beginning of the PS3 hard drive on NOR consoles. Because the firmware stored here doesn't match that stored on flash, you would have to reinstall the rest of firmware everytime you switch. We could possibly overcome this limitation by patching the storage manager to redirect vflash to another region of the hard disk.
Only a single version of VFlash is stored on flash in NAND consoles, and a single copy is stored at the beginning of the PS3 hard drive on NOR consoles. Because the firmware stored here doesn't match that stored on flash, you would have to reinstall the rest of firmware everytime you switch. We could possibly overcome this limitation by patching the storage manager to redirect vflash to another region of the hard disk.


[[Category:Software]]
= Software based =
= Software based =


== Using graf_chokolo's payload ==
== Using graf_chokolo's payload ==


In graf_chokolo payloads, there is a payload that can be used to load an alternative lv2_kernel.self
In graf_chokolo payloads, there is a payload that can be used to load an alternative lv2_kenel.self


You have to save the alternative lv2_kernel.self on flash and use the payload to make lv1 load it.
You have to save the alternative lv2_kernel.self on flash and use the payload to make lv1 load it.
Line 82: Line 64:


*Same as above and this could ONLY be used with a lv2_kernel.self compatible with you actual lv1.self
*Same as above and this could ONLY be used with a lv2_kernel.self compatible with you actual lv1.self
*You can only customize lv2_kernel.self and below
*You can only customize lv2_kernel.self and below  
 


= Bootloader =
= Bootloader =
Line 91: Line 74:




= Manual dualboot 3.55 & 4.x with 2 flashdumps and 2 harddrives =
= Manual dualboot 3.55 & 3.70 with 2 flashdumps and 2 harddrives =
(old longer guide is on talkpage)
 
==Preparation in short==
 
===Getting original and downgrade to 3.55===
# Dump the flash and make sure it is useable for downgrade to 3.55
# Patch it for downgrade
# Reinstall (Factory Service Mode) the prepatched PUP (e.g. {{RogeroFirmware}}) and reboot (normal mode) to make sure it works fine
# Redump the flash to make sure it has filled both ROS0 and ROS1 (they will differ as one will be the prepatched from the previous step, while the other will contain CoreOS from the installed PUP) and keep this as '3.55-swap.bin' together with the used harddrive '3.55.HDD'.
 
===Getting latest===
# Update (normal or recovery mode) to the latest firmware you want to use (e.g. 4.x) and reboot (normal mode) to make sure it works fine
# Dump the flash and keep this as '4.x-swap.bin' together with used different harddrive '4.x.HDD'.
 
==Swapping==
===When you want to boot to 3.55===
# Reflash '3.55-swap.bin' and insert harddrive '3.55.HDD'.
 
===When you want to boot to 4.x===
# Reflash '4.x-swap.bin' and insert harddrive '4.x.HDD'.
 
= Swap Solutions =
 
== Solutions for swapping/connecting the flash ==
 
=== NAND ===
 
==== Ghetto rigs ====
* http://www.uchobby.com/index.php/2007/05/05/read-embedded-flash-chips/
 
==== TSOP Clip/Probe ====
* http://www.360-clip.com/
 
==== TSOP sockets ====
* http://www.primedistributing.com/Enplas_OTS_Series_PDC_p/ots-series-pdc.htm
* https://www.emulation.com/cgi-cfm/insert_quantity.cfm?part_number=S-TSO-SM-048-A%2C%2048-TSO1
* https://www.emulation.com/cgi-cfm/insert_quantity.cfm?part_number=S-TSO-SM-048-A1%2C
* http://www.ebay.com/itm/TSOP48-to-DIP-48-Pin-IC-socket-Adapter-Converter-B-m-/320660655179
 
===== Adaptors =====
* http://uk.farnell.com/roth-elektronik/re900-02/adaptor-smd-0-5mm-28-48pin/dp/1426156


=== NOR ===
[http://www.digitalangel.it/2011/08/tutorial-fast-swap-su-ps3-slim-cfw-3-55-3-70-con-2-hard-disk-e-progskeet/ original italian and english guide posted by digitalangel]
==== TSOP Clip/Probe ====
* http://www.adapt-plus.com/products/test_clips_probes/pdf/DP_FOR_SOP_TSOP_1.pdf


==== TSOP sockets ====
Today I will write a tutorial to “fast-swap” between CFW 3.55 and OFW 3.70, using 2 HDDs… at the end of the tutorial, you will be able to swap between the firmware just flashing a dump on your PS3 using Progskeet. (instead of downgrading and losing all data).
* http://www.primedistributing.com/Enplas_OTS_Series_PDC_p/ots-series-pdc.htm


== Solutions for swapping / externalise the harddrive ==
The first steps are not so easy, so take your time and go on, by the way, you must have some skill with Progskeet, and it must be 100% working on your console.


=== Internal tray with eSATA connector ===
What we need:
<gallery>
* PS3 Slim running with FW 3.70
File:Xecuter HDD Xtender.jpg|Xecuter HDD Xtender - nothing special there, just a means to externalise the SATA port and securing it inside the HDD tray
* 2 Hard Disks
File:Ezflash ps3slim hdd expander.jpg|ezflash ps3slim hdd expander - nothing special there, just a means to externalise the SATA port and securing it inside the HDD tray - Notice the false claims of 16TB and SATA300 (the ps3 maximum supports 1TB / SATA-I/150)
* Progskeet installed and working on your PS3 Slim
File:3-in-1 PS3 HD PLUS PHE-02 - pic1.jpg|3-in-1 PS3 HD PLUS PHE-02 - pic1
* Downgrade.bin edited with your personal data (there are tons of tutorials for do this)
File:3-in-1 PS3 HD PLUS PHE-02 - pic2.jpg|3-in-1 PS3 HD PLUS PHE-02 - pic2
* 3.55 Downgrade Dongle to do the downgrade process.
</gallery>
* Sony OFW 3.70 UPDATE.([http://playstation-3.logic-sunrise.com/telechargement-331678-ofw-ps3-370.html DOWNLOAD])
* http://www.ezflash.cn/ps3-hdd-expander/ (ps3 slim)
* CFW 3.55 KMEAW “NO CHECK” by dospiedra.([http://www.multiupload.com/4S6NGO13H4 DOWNLOAD])
* http://www.joystiq.com/2009/02/03/mysterious-ps3-esata-adapter-promises-massive-hdd-storage/ (ps3 fat)
* Lv2Diag By Jaicrab. ([http://playstation-3.logic-sunrise.com/telechargement-225750-lv2diag-patche-par-jaicrab.html DOWNLOAD])
* http://www.destructoid.com/adding-300gb-esata-to-a-ps3-in-pictures-30024.phtml (ps3 fat)
* Lv2Diag “FILE 2″ to go out of Service/Factory Mode. ([http://www.mediafire.com/?b07qrb96iz99ibb DOWNLOAD])


=== External cradle with SATA uplink ===
We need 2 harddrives because the firmware is partial on NOR (CoreOS) and the rest is on the harddrive. so we will need 2 HDDs, one for 3.55, and one for 3.70..
Remember: You still need an eSATA (cradle) to SATA (PS3) cable
* http://www.dealextreme.com/p/all-in-1-dual-hdd-docking-station-with-one-touch-backup-for-2-5-3-5-sata-hdd-71509?item=18
* http://www.dealextreme.com/p/all-in-1-dual-hdd-docking-station-with-one-touch-backup-for-2-5-3-5-sata-hdd-31574?item=10


=== DIY / cheap solutions ===
We will call those HDD “A” (for 3.70) and “B” (for 3.55) dont mix them up!
Alot of the above mentioned solutions can be made DIY.
* http://www.aliexpress.com/fm-store/601043/210118527-417040433/SATA-7-pin-Male-to-ESATA-Female-cable-30cm-for-ps3.html (only US $5.99 !)
* http://www.amazon.com/eSATA-Female-Extension-Cable-Bracket/dp/B00IU8Y9AG
* http://maxict.nl/product/3507535/delock-82855-cable-sata-extension-serial-ata-verl-ngerungskabel-serial-ata-150-300-600-serial-ata-7-polig


=== SATA Switches ===
Starting with a PS3 Slim with OFW 3.70.
Switching SATA harddrives:
* http://jivebay.com/2008/12/08/sata-switches-hdd-hard-disk-drive-selectors-part-6/
* http://www.cooldrives.com/4posaiisw3ba.html


=== RAID enclosures with eSATA port ===
# Plug in HDD “B”, format and prepare it if it’s required by the PS3 and you should have your 3.70 up and running.
they must serve the storage as uniform storage device on a single port (not software RAID, relying on host)
# DUMP your actual NOR and call it “original dump 3.70.bin”
* http://akiba-pc.watch.impress.co.jp/hotline/20070120/etc_ps3hd.html
# Now flash your “downgrade.bin” (edited with the personal data found in “original dump 3.70.bin”)
# Turn on your PS3 and be sure that the PS3 is asking you to press the PS button (downgrade.bin flashed correctly :D )
=== Not useable devices ===
# Insert a 3.55 Downgrade dongle and enter factory/service mode.
Devices that state that host must support Port Multiplier (PM) specifications won't work, e.g.
# Copy Lv2Diag.self by Jaicrab and the 3.55 NO CHECK UPDATE renamed as “PS3UPDAT.PUP” in the root of your USB Stick.
* http://www.vantecusa.com/gl/product/view_detail/372
# Plug in the USB Stick in the most-right USB port of your PS3 and wait for it to turn OFF.
# Leave the factory mode using the other Lv2Diag.self
# After the reboot, you need to configure and set up your system… now you have a fully working 3.55 CFW based on KMEAW “NO CHECK”.
# DUMP your actual NOR and call it “swap dump 3.55.bin”
# Unplug HDD B and Plug in HDD A.
# Turn on your PS3, plug in your USB Stick containing official 3.70 update and press start+select when asked.
# When the PS3 reboots, check that the system is fully working and DUMP your actual NOR and call it “swap dump 3.70.bin”.


= Publications based on this article page =
NOW IT’S FINISHED! You should have “swap dump 3.55.bin” and “swap dump 3.70.bin” … Now you just have to swap HDD and flash the correspondening dump:
* PS3 Dual-Firmware – Hardware Hacking Guide – Ed. 2 - Author: No_One - [https://web.archive.org/web/*/http://ps3devwiki.com/files/documents/PS3_Ed2_dualnand.pdf PS3_Ed2_dualnand.pdf] // (mirror: [http://www.mediafire.com/?crkryrb5qdc4n0j PS3_Ed2_dualnand.pdf (128 KB)])
* HDD A = swap dump 3.70.bin
* HDD B = swap dump 3.55.bin


WARNING: Do not install other CFW than the “NO CHECK” one… because it’s used to make the “fast-swap” working… if you flash something different you will not be able to go between the 2 FWs. This patch disables the LV1 for checking the Syscon hashes at startup… so it will not freeze or complain when the syscon hashes says “3.70″ and your FW is 3.55 ;)


{{Hardware Flashers}}<noinclude>[[Category:Main]]</noinclude>
WARNING: In case you wanna update your console with a future “3.80″ or-so firmware. Do not update your console when you are running 3.55 firmware! You have to go to “swap dump 3.70.bin” and then update as usual (XMB or recovery)… -By the way, the downgrade is confirmed working only on 3.70… we haven’t tested it on other FWs, you could loose the possibility to go back to 3.55!-
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)