Downgrading with Hardware flasher: Difference between revisions
m (→NOR) |
m (→NOR) |
||
Line 31: | Line 31: | ||
! Target area !! Patchfile !! NOR Offset !! Paste length !! Remarks | ! Target area !! Patchfile !! NOR Offset !! Paste length !! Remarks | ||
|- | |- | ||
| ROS0 || [http://www. | | ROS0 || [http://www.mirrorcreator.com/files/IFUWRKWE/patch1._links patch1 (7 MB)] || 0x0C0010 || 0x6FFFE0 || CoreOS (prepatched 3.55) | ||
|- | |- | ||
| ROS1 || [http://www. | | ROS1 || [http://www.mirrorcreator.com/files/IFUWRKWE/patch1._links patch1 (7 MB)] || 0x7C0010 || 0x6FFFE0 || CoreOS (SAME as ros0) | ||
|- | |- | ||
| trvk_prg0 (0x40000) <br />trvk_prg1 (0x60000)<br />trvk_pkg0 (0x80000) <br />trvk_pkg1 (0xA0000) || [http://www. | | trvk_prg0 (0x40000) <br />trvk_prg1 (0x60000)<br />trvk_pkg0 (0x80000) <br />trvk_pkg1 (0xA0000) || [http://www.mirrorcreator.com/files/XB1XFMMF/rvk-040000._links rvk-040000 (512 KB)] || 0x40000 || 0x80000 || one big patch<br />overlapping several revoke area's | ||
|- | |- | ||
|} | |} |
Revision as of 02:23, 16 February 2012
Dump
Connect your Hardware flashing device and make sure you are getting 100% correct, valid, verified dumps.
Checking console capability of running 3.55
Compare the values found in your dump with those in the table below
metldr+bootldr sizes
You can check metldr and bootldr sizes easily with HxD
- either after extracting flash with Flowrebuilder and opening seperate files
- or by looking in the unextracted Flash dump at the correct offset.
This table lists some common known values for your convenience as quick lookup:
IDPS/Product Code | SKU - Datecode / Manufacturing date | metldr offset | bootldr | Notes | lowest known firmware | |||
---|---|---|---|---|---|---|---|---|
0x2F077 (NOR) 0x80877 (NAND) |
0x81E (NOR) 0x4081E (NAND) |
0x842 (NOR) 0x40842 (NAND) |
size | 0xFC0002 (NOR) 0x02 (NAND) |
0xFC0012 (NOR) 0x12 (NAND) | |||
n/a | CEB-2030 (MPU-501) PROTO | n/a | n/a | 28C20 | 28 BE | 28 BE | Patch + FSM = OK | <=0.50.003 |
01 | DEH-Z1010 (TMU-520) SD | 14 20 | 11 3E | 2D020 | 2C FE | 2C FE | Patch + FSM = OK | <=0.80.004 |
01 | DECR-1000 (TMU-520) DECR Every DECR manufactured before January 2009 Share the same BL/Metldr revisions | EC 40 | 0E C0 | 2A840 | 2A 80 | 2A 80 | Patch + FSM = OK | <=0.85.010 |
01 | ?DEH-H1001-D? (COOKIE13) CEX | EC 40 | 0E C0 | 2A830 | 2A 7F | 2A 7F | Patch + FSM = OK | <=0.85.010 |
01 | DEH-H1000A-E (COK-001) DEX | EC 70 | 0E C3 | 2A1E0 | 2A 1A | 2A 1A | Patch + FSM = OK | <095.001 |
01 04 |
CECHAxx (COK-001) CECHExx (COK-002) |
EE 10 | 0E DD | 2A430 | 2A 3F | 2A 3F | Patch + FSM = OK | 1.00 1.00 |
01 02 03 01 |
CECHAxx (COK-001) with 1.00 from factory CECHBxx (COK-001) CECHCxx (COK-002) DECHAxx (COK-001) DEX |
ED A0 | 0E D6 | 2A2E0 | 2A 2A | 2A 2A | Patch + FSM = OK | 1.00 1.00 1.00 1.00 |
03 | CECHCxx (COK-002) with 1.00 from factory | EB F0 | 0E BB | 30480 | 30 44 | 30 44 | Patch + FSM = OK | 1.00 1.00 |
01 02 03 |
CECHAxx (COK-001) CECHBxx (COK-001) CECHCxx (COK-002) |
ED E0 | 0E DA | 2A3B0 | 2A 37 | 2A 37 | Patch + FSM = OK | 1.00 1.00 1.00 |
04 05 |
Namco System 357 (COK-002) ARC CECHGxx (SEM-001) |
E7 B0 | 0E 77 | 2E900 | 2E 8C | 2E 8C | Patch + FSM = OK | ?1.90? 1.90 |
05 06 |
CECHGxx (SEM-001) CECHHxx (DIA-001) |
E7 B0 | 0E 77 | 2F200 | 2F 1C | 2F 1C | Patch + FSM = OK | 2.30 2.30 |
05 06 |
CECHGxx (SEM-001) CECHHxx (DIA-001) |
E8 C0 | 0E 88 | 2EF80 | 2E F4 | 2E F4 | Patch + FSM = OK | 2.30 2.30 |
06 07 |
CECHHxx (DIA-001) CECHJxx (DIA-002) with 2.30 from factory - datecode 8B |
E8 E0 | 0E 8A | 2EF80 | 2E F4 | 2E F4 | Patch + FSM = OK | 1.97 2.30 |
03 06 06 |
CECHExx (COK-002) CECHHxx (DIA-001) CECHMxx (DIA-001) |
EA 60 | 0E A2 | 2EE70 | 2E E3 | 2E E3 | Patch + FSM = OK | 1.97 1.97 |
07 | CECHJxx (DIA-002) CECHKxx (DIA-002) datecode 8C |
EA 60 | 0E A2 | 2EE70 | 2E E3 | 2E E3 | Patch + FSM = OK | 2.30 |
08 07 08 |
Namco System 357 (VER-001) ARC DECHJxx (DIA-002) DEX CECHLxx / CECHPxx (VER-001) |
E8 D0 | 0E 89 | 2EAF0 | 2E AB | 2E AB | Patch + FSM = OK | ?2.45? 2.16 2.45 |
08 | CECHLxx (VER-001) | E8 D0 | 0E 89 | 2EB70 | 2E B3 | 2E B3 | Patch + FSM = OK | 2.45 |
08 09 |
CECHLxx (VER-001) with 2.30 from factory - datecode unknown CECH-20xx (DYN-001) with 2.76 from factory, datecode unknown |
E8 90 | 0E 85 | 2F170 | 2F 13 | 2F 13 | Patch + FSM = OK | 2.30 2.70 |
09 | DECR-1400 (DEB-001) DECR with 2.60 from factory - manufacture date June 09 |
E8 90 | 0E 85 | 2F170 | 2F 13 | 2F 13 | Patch + FSM = OK | 2.60 |
09 | CECH-20xx (DYN-001) | E9 20 | 0E 8E | 2F3F0 | 2F 3B | 2F 3B | Patch + FSM = OK | 2.70 |
0A | CECH-21xx (SUR-001) | E9 20 | 0E 8E | 2F4F0 | 2F 4B | 2F 4B | Patch + FSM = OK | 3.20 |
03 0B 0B |
CECHExx (COK-002W) refurbished CECH-25xx (JTP-001) with 3.40 from factory - datecode 0C CECH-25xx (JSD-001) with 3.41 from factory - datecode 0C |
E9 20 | 0E 8E | 2F4F0 | 2F 4B | 2F 4B | Patch + FSM = OK | 3.40 3.40 3.40 |
0B 0B |
CECH-25xx (JSD-001) with 3.56 from factory - datecode 0D CECH-25xx (JTP-001) with 3.56 from factory - datecode 1A |
E9 60 | 0E 92 | 2F570 | 2F 53 | 2F 53 | Patch + FSM = OK | 3.50 3.50 |
0B 0B 0B |
CECH-25xx (JTP-001) with 3.56 from factory - datecode 1A (rare) CECH-25xx (JSD-001) with 3.56 from factory - datecode 1B (common) CECH-25xx (JTP-001) with 3.56 from factory - datecode 1B (common) |
E9 60 | 0E 92 | 2F5F0 | 2F 5B | 2F 5B | (RLOD+)poweroff @ downgrade 355 (3.56+ + spkg fix + signed 3.55 priv : should work) Patch + noFSM = OK |
3.56 3.56 3.56 |
0B 0B 0C |
CECH-25xx (JSD-001) with 3.60 from factory - datecode 1B CECH-25xx (JTP-001) with 3.60 from factory - datecode [N.A.] CECH-30xx (KTE-001) with 3.65 from factory - datecode [N.A.] |
F9 20 | 0F 8E | 2FFF0 | 2F FB | 2F FB | "metldr.2" (RLOD+)poweroff @ downgrade 3.55 (RLOD+)poweroff @ Patch + noFSM |
3.60 3.60 3.60 |
0C | CECH-30xx (KTE-001) with ? from factory - datecode [?] | F9 B0 | 0F 97 | 30070 | 30 03 | 30 03 | "metldr.2" (RLOD+)poweroff @ downgrade 3.55 (RLOD+)poweroff @ Patch + noFSM |
? |
0C | CECH-30xx (KTE-001) with 3.72 from factory - datecode [1C] | F9 B0 | 0F 97 | 300F0 | 30 0B | 30 0B | "metldr.2" (RLOD+)poweroff @ downgrade 3.55 (RLOD+)poweroff @ Patch + noFSM |
3.72 |
0D 0D 2C |
CECH-40xx (MSX-001) CECH-40xx (MPX-001) CECH-40xx (MSX-001) '12GB' |
F9 B0 | 0F 97 | 301F0 | 30 1B | 30 1B | "metldr.2" (RLOD+)poweroff @ downgrade 3.55 (RLOD+)poweroff @ Patch + noFSM |
4.20 ? 4.22 |
12 | CECH-42xx (PQX-001) '12GB' | F9 B0 | 0F 97 | 301F0 | 30 1B | 30 1B | "metldr.2" (RLOD+)poweroff @ downgrade 3.55 (RLOD+)poweroff @ Patch + noFSM |
4.20 ? 4.22 |
Patch the dump & Reflash it to the console
You can use Hexeditor for patching (e.g. HxD).
NAND
Use NAND patches only on NAND consoles, not on NOR!
Target area | Patchfile | NAND Offset | Paste length | Remarks |
---|---|---|---|---|
ROS0 | patch1 (7 MB) | 0x0C0030 | 0x6FFFE0 | CoreOS (prepatched 3.55) |
ROS1 | patch1 (7 MB) | 0x7C0020 | 0x6FFFE0 | CoreOS (SAME as ros0) |
trvk_prg0 (0x91800) trvk_prg1 (0x92810) trvk_pkg (0x93800) |
patch2 (16 KB) | 0x91800 | 0x4000 | one big patch overlapping several revoke area's |
NOR
Use NOR patches only on NOR consoles, not on NAND!
http://www.mirrorcreator.com/files/ZAU6Y65L/NOR-downgradepatches.rar_links
Target area | Patchfile | NOR Offset | Paste length | Remarks |
---|---|---|---|---|
ROS0 | patch1 (7 MB) | 0x0C0010 | 0x6FFFE0 | CoreOS (prepatched 3.55) |
ROS1 | patch1 (7 MB) | 0x7C0010 | 0x6FFFE0 | CoreOS (SAME as ros0) |
trvk_prg0 (0x40000) trvk_prg1 (0x60000) trvk_pkg0 (0x80000) trvk_pkg1 (0xA0000) |
rvk-040000 (512 KB) | 0x40000 | 0x80000 | one big patch overlapping several revoke area's |
Reinstall firmware in Factory Service Mode
- Use the PSGrade dongle to trigger Factory Service Mode (in the rightmost USB port).
- Turn PS3 on, it will trigger Factory Service Mode and turn off the console.
- After triggering Factory Service Mode, put the Lv2diag.self (see below) and prepatched firmware to install (named PS3UPDAT.PUP) in root of your USB Mass Storage Device and plug it in the PS3 (again, in the rightmost USB port).
- Turn PS3 on, it will install the firmware you had put there (even though you have no screenoutput, you can see it is busy by looking at the activity led of the harddrive and of your USB Mass Storage Device).
- PS3 will turn itself off after finishing the firmware installation.
See also Downgrading with PSgrade Dongle, which also contains alot of ready to use PSgrade HEX files for several dongles.
PUP to use
Rogero V2 or any firmware with prepatched lv1 (no syscon hash checks)
Different Factory Service Mode SELFs
NAND
For factory Service Mode install:
- if using the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
- if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP (and redump flash after FSM to check both ROS)
NOR
Use the normal lv2diag and use the Rogero normal PUP
Only when having a console with a broken bluraydrive, you either:
- use the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
- use the jaicrab NoBD lv2diag : Use the Rogero normal PUP
Filename | Size | Remarks | SHA1 |
MD5 |
CRC32 |
CRC16
|
---|---|---|---|---|---|---|
Lv2diag.self (227.38 KB) | 232832 | jaicrab noBD patched | 180823003B086D9D49BC7F83BEA9C769BF73A5EA |
3615770407C0C3FA00D8CA49C8ADB362 |
25E85CFB |
EDD0
|
Lv2diag.self (365.5 KB) | 374272 | 3.55 get in FSM | 1ED037740D67FEBACA6449CABFF4E95400C9E2EE |
099F33A7967F99E91C07E870FD78B3DB |
9338ABF2 |
4FCC
|
Check the logfile
After installation of the firmware, take the created logfile in root of USB Mass Storage Device and look if it contains errors (pastie the log if you want to ask for help online on IRC)
Getting out of Factory Service Mode
If everything went fine without errors, you can take the console out of service mode and enjoy your downgraded console :)
- Put the Lv2diag.self (see below) in root of your USB Mass Storage Device and plug it in the PS3 (again, in the rightmost USB port).
- Turn PS3 on, it will trigger Factory Service Mode off and shutdown.
Filename | Size | Remarks | SHA1 |
MD5 |
CRC32 |
CRC16
|
---|---|---|---|---|---|---|
Lv2diag.self (201.42 KB) | 206256 | get out FSM | 329877CBD47B994EC0AFCEA6AF98114FD9E5128B |
7A20BFDAE65EEFB47A4425DB1B52DCDE |
72740080 |
502A
|