Talk:Downgrading with NAND flasher: Difference between revisions
Jump to navigation
Jump to search
| Line 147: | Line 147: | ||
downgrade and 3.41downgrader = manufacturing updating SUCCESS(0x8002f000) = YLOD http://mibpaste.com/WP3suB | downgrade and 3.41downgrader = manufacturing updating SUCCESS(0x8002f000) = YLOD http://mibpaste.com/WP3suB | ||
downgrade and Rogero PUP = Bul-ray Disc Player Revoke done(0x8002f057) = YLOD http://mibpaste.com/oj8EL5 | downgrade and Rogero PUP = Bul-ray Disc Player Revoke done(0x8002f057) = YLOD http://mibpaste.com/oj8EL5 | ||
downgrade and Rogero NoBD PUP = | downgrade and Rogero NoBD PUP = manufacturing updating SUCCESS(0x8002f000) + autopower off = http://mibpaste.com/sAguEj | ||
//--> | //--> | ||
Revision as of 22:20, 13 December 2011
http://pastebin.com/BqW46zjY :
Downgrade patches http://www.multiupload.com/JJ9U8RM8T1 DIFF: ------------- Patch core OS Hash check //product mode always on ORIGINAL Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 002C1F40 41 9E 00 1C Až.. PATCHED Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 002C1F40 60 00 00 00 `... ------------- Patch check_revoke_list_hash check //product mode always on ORIGINAL Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 002C2B50 41 9E 00 1C Až.. PATCHED Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 002C2B50 60 00 00 00 `... ------------- Patch In product mode erase standby bank skipped ORIGINAL Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 002C6AD0 41 9E 00 0C Až.. PATCHED Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 002C6AD0 60 00 00 00 `... ------------- Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware
NAND Offsets
1patchcos.bin
CTRL-F : 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0
CECHC-04/COK-002 MFW 3.15 (Euss):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000C0000 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 ....... .......
000C0010 00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00 .....à..........
000C0020 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà
000C0030 00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 .............oÿà
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
007C0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007C0010 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà
007C0020 00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 .............oÿà
here dump from CECHA-006/COK-001 found @ 0x000C0020 (ros0) and 0x007c0010 (ros1):
Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000C0020 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà
000C0030 00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0 .............oÿà
000C0040 00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00 ................
000C0050 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0.....
000C0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000C0070 00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08 ................
000C0080 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version.....
000C0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000C00A0 00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8 ..............çÈ
000C00B0 6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr..........
000COOC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000C00D0 00 00 00 00 00 05 ED 00 00 00 00 00 00 01 6F F0 ......í.......oð
000C00E0 6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr..........
2patchtrvk.bin
Note: CTRL-F : not 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 but 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40
CECHC-04/COK-002 MFW 3.15 (Euss):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00093800 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 ....... ....... 00093810 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 ...... ......... 00093820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 ...............@ 00093830 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE............. 00093840 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40 ...............@
CECHA-06/COK-001 datas from offset 0x00093800:
Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00093800 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 ................
00093810 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 ................
00093820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 ...............@
00093830 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE.............
00093840 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40 ...............@
00093850 F6 93 38 8E C8 46 D5 FF 34 53 9D 12 91 7E C6 96 ö“8ŽÈFÕÿ4S..‘~Æ–
revoke package:
for a 3.72 console it would be : 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60
http://pastie.org/3006911
revoke program: for a 3.72 console it would be : 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 http://pastie.org/3006958
Example, copy ros1 to ros0 and overwrite (HxD):
- goto edit
- select block (CTRL-E) : start 7C0020 - length 6FFFE0
- copy (CTRL-C)
- goto (CTRL-G) : C0030
- overwrite (CTRL-B)
Simplyfied V2 NAND downgrade
| Target area | Patchfile | NAND Offset | Paste length | Remarks |
|---|---|---|---|---|
| ROS0 | patch1 (7 MB) | 0x0C0030 | 0x6FFFE0 | CoreOS (prepatched 3.55) |
| ROS1 | patch1 (7 MB) | 0x7C0020 | 0x6FFFE0 | CoreOS (SAME as ros0) |
| trvk_prg0 (0x91800) trvk_prg1 (0x92810) trvk_pkg (0x93800) |
patch2 (16 KB) | 0x91800 | 0x4000 | one big patch overlapping several revoke area's |