Talk:Downgrading with NAND flasher: Difference between revisions
http://pastebin.com/BqW46zjY :
<pre>
Downgrade patches

http://www.multiupload.com/JJ9U8RM8T1

DIFF:
-------------
Patch core OS Hash check //product mode always on

ORIGINAL
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
002C1F40 41 9E 00 1C Až..

PATCHED
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
002C1F40 60 00 00 00 `...

-------------
Patch check_revoke_list_hash check //product mode always on

ORIGINAL
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
002C2B50 41 9E 00 1C Až..

PATCHED
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
002C2B50 60 00 00 00 `...

-------------
Patch In product mode erase standby bank skipped

ORIGINAL
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
002C6AD0 41 9E 00 0C Až..

PATCHED
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
002C6AD0 60 00 00 00 `...

-------------
</pre>

Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware
== NAND Offsets ==
===1patchcos.bin===
CTRL-F : <code>00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0</code>
CECHC-04/COK-002 MFW 3.15 ([[User:Euss|Euss]]):
<pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000C0000 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 ....... .......
000C0010 00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00 .....à..........
000C0020 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà
000C0030 00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 .............oÿà</pre>
<pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
007C0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007C0010 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà
007C0020 00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 .............oÿà</pre>
Dump from CECHA-006/COK-001, found @ 0x000C0020 (ros0) and 0x007c0010 (ros1):<!--//bluemimmo//-->
<pre> Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000C0020 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà
000C0030 00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0 .............oÿà
000C0040 00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00 ................
000C0050 63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0.....
000C0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000C0070 00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08 ................
000C0080 73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version.....
000C0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000C00A0 00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8 ..............çÈ
000C00B0 6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr..........
000C00C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000C00D0 00 00 00 00 00 05 ED 00 00 00 00 00 00 01 6F F0 ......í.......oð
000C00E0 6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr..........</pre>
===2patchtrvk.bin===
Note: CTRL-F : not <code>00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40</code> but <code>00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40</code>
CECHC-04/COK-002 MFW 3.15 ([[User:Euss|Euss]]):
<pre> Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00093800 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 ....... .......
00093810 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 ...... .........
00093820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 ...............@
00093830 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE.............
00093840 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40 ...............@</pre>
CECHA-06/COK-001 data from offset 0x00093800:<!--//bluemimmo//-->
<pre> Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00093800 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 ................
00093810 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 ................
00093820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 ...............@
00093830 53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE.............
00093840 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40 ...............@
00093850 F6 93 38 8E C8 46 D5 FF 34 53 9D 12 91 7E C6 96 ö“8ŽÈFÕÿ4S..‘~Æ–</pre>
'''revoke package:'''
for a 3.72 console it would be : 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60
http://pastie.org/3006911
'''revoke program:'''
for a 3.72 console it would be : 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0
http://pastie.org/3006958
----
Example, copy ros1 to ros0 and overwrite (HxD):
* goto edit
* select block (CTRL-E) : start 7C0020 - length 6FFFE0
* copy (CTRL-C)
* goto (CTRL-G) : C0030
* overwrite (CTRL-B)
----
=== Simplified V2 NAND downgrade ===
====Patches to use====
{|class="wikitable"
|-
! Target area !! Patchfile !! NAND Offset !! Paste length !! Remarks
|-
| ROS0 || [http://www.multiupload.com/GB4LPBNJBY patch1 (7 MB)] || 0x0C0030 || 0x6FFFE0 || CoreOS (prepatched 3.55)
|-
| ROS1 || [http://www.multiupload.com/GB4LPBNJBY patch1 (7 MB)] || 0x7C0020 || 0x6FFFE0 || CoreOS (SAME as ros0)
|-
| trvk_prg0 (0x91800)<br />trvk_prg1 (0x92810)<br />trvk_pkg (0x93800) || [http://www.multiupload.com/RTIK2IUUCL patch2 (16 KB)] || 0x91800 || 0x4000 || one big patch overlapping several revoke areas
|-
|}
<!--// 3.55 did greenlight power off [http://www.multiupload.com/9Z5D080KLO patch2 (16 KB)] not work:avati//-->
<!--// 3.15 [http://www.multiupload.com/KT6BAXH8O5 patch2 (16 KB)] not work:avati//-->
==== PUP to use ====
[[Talk:Downgrading_with_NOR_flasher#Premade_CFW_Rogero_V2| Rogero V2]] or any firmware with prepatched lv1 (no syscon hash checks)
<!--//
downgrade and 3.41downgrader = manufacturing updating SUCCESS(0x8002f000) = YLOD http://mibpaste.com/WP3suB
downgrade and Rogero PUP = Bul-ray Disc Player Revoke done(0x8002f057) = YLOD http://mibpaste.com/oj8EL5
downgrade and Rogero NoBD PUP = manufacturing updating SUCCESS(0x8002f000) + autopower off = OK http://mibpaste.com/sAguEj
//-->
====Different Factory Service Mode SELFs====
For factory Service Mode install:
* if using the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
* if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP
{|class="wikitable"
! Filename !! Size !! Remarks !! <code>SHA1</code> !! <code>MD5</code> !! <code>CRC32</code> !! <code>CRC16</code>
|-
| [http://www.multiupload.com/Y0Z8WNY009 Lv2diag.self (227.38 KB)] || 232832 || jaicrab noBD patched || <code>180823003B086D9D49BC7F83BEA9C769BF73A5EA</code> || <code>3615770407C0C3FA00D8CA49C8ADB362</code> || <code>25E85CFB</code> || <code>EDD0</code>
|-
| [http://www.multiupload.com/V1YTTWGKH0 Lv2diag.self (365.5 KB)] || 374272 || 3.55 get in FSM || <code>1ED037740D67FEBACA6449CABFF4E95400C9E2EE</code> || <code>099F33A7967F99E91C07E870FD78B3DB</code> || <code>9338ABF2</code> || <code>4FCC</code>
|-
| [http://www.multiupload.com/ZHJMPSMLYR Lv2diag.self (365.5 KB)] || 374272 || 3.50- get in FSM || <code>1E770010A3A6EF572AF39783A04DF792670998D3</code> || <code>90168C03B217CE775A7839D87BBFF2A3</code> || <code>D1F0AAFC</code> || <code>CD8D</code>
|-
| [http://www.multiupload.com/VGQTFV56CO Lv2diag.self (201.42 KB)] || 206256 || get out FSM || <code>329877CBD47B994EC0AFCEA6AF98114FD9E5128B</code> || <code>7A20BFDAE65EEFB47A4425DB1B52DCDE</code> || <code>72740080</code> || <code>502A</code>
|-
|}
Latest revision as of 00:18, 14 December 2011