Downgrading with linux: Difference between revisions

From PS3 Developer wiki

Revision as of 17:10, 2 April 2011

You should have graf_chokolo's modules and patches installed.

This works on 3.55 without a physical dongle.

Use this method to install a lower firmware! You can also install a newer firmware (e.g. 3.60) with this method, but you will lose your homebrew.


Thanks to graf_chokolo for bringing Linux, with all these goodies, back to the PS3.

Downgrade Method - Emulating JIG with Linux

1st step – Generating a challenge


  ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_challenge

2nd step – Generating a valid response for a challenge


You need a dongle ID. The valid range for dongle IDs is 0x0000 – 0xffff. Choose one; it doesn't matter which, but some are revoked!

  ps3dm_usb_dongle_auth /dev/ps3dmproxy gen_resp 0xBABE <the 20-byte challenge from step 1, in the form 0xXX 0xXX …>

3rd step – Verifying response (Enabling “Product Mode”)


  ps3dm_usb_dongle_auth /dev/ps3dmproxy verify_resp 0xBABE <the 20-byte response from step 2, in the form 0xXX 0xXX …>

4th step – Checking if “Product Mode” is enabled


The returned value shouldn’t be 0xff.

  ps3dm_um /dev/ps3dmproxy read_eprom 0x48C07

5th step – Check that CORE_OS_PACKAGE.pkg isn't damaged


  ps3dm_um /dev/ps3dmproxy inspect_pkg 1 0x9 CORE_OS_PACKAGE.pkg

6th step – Install CORE_OS_PACKAGE.pkg


  ps3dm_um /dev/ps3dmproxy update_pkg 1 0x9 CORE_OS_PACKAGE.pkg


7th step – Disabling “Product Mode”


  ps3dm_um /dev/ps3dmproxy write_eprom 0x48C07 0xff

This step is really important: if Product Mode isn't disabled, you will need a dongle to get out of it.


ALTERNATIVE METHOD - not tested

1st step – Enabling product mode


  ps3dm_um /dev/ps3dmproxy write_eprom 0x48C07 0xfe

2nd step – Checking if “Product Mode” is enabled


The returned value shouldn’t be 0xff.

  ps3dm_um /dev/ps3dmproxy read_eprom 0x48C07

3rd step – Check that CORE_OS_PACKAGE.pkg isn't damaged


  ps3dm_um /dev/ps3dmproxy inspect_pkg 1 0x9 CORE_OS_PACKAGE.pkg

4th step – Install CORE_OS_PACKAGE.pkg


  ps3dm_um /dev/ps3dmproxy update_pkg 1 0x9 CORE_OS_PACKAGE.pkg


5th step – Disabling “Product Mode”


  ps3dm_um /dev/ps3dmproxy write_eprom 0x48C07 0xff

This step is really important: if Product Mode isn't disabled, you will need a dongle to get out of it.

Install debug firmware

High brick risk! Don't try this if you don't know what you are doing.


To install debug firmware, the proper syscon EEPROM flags should be set (see http://www.ps3devwiki.com/index.php?title=Hypervisor_Reverse_Engineering#EEPROM_Offset_Table), and EID0 should be re-signed, re-encrypted and rehashed with the proper target ID.


Debugging Station Target ID: 0x82


eEID contains

  • system model data
  • target ID
  • PS3 motherboard revision

Other target IDs (might be helpful if someone messes this up)

Target IDs

  • 81 = reference tool
  • 82 = debugging station
  • 83 = Japan
  • 84 = USA
  • 85 = Europe
  • 86 = Korea
  • 87 = UK
  • 88 = Mexico
  • 89 = Australia/New Zealand
  • 8A = South Asia (Asia except China, Japan and Taiwan)
  • 8B = Taiwan
  • 8C = Russia
  • 8D = China