Talk:Downgrading with NAND flasher: Difference between revisions

From PS3 Developer wiki
(43 intermediate revisions by 3 users not shown)

Earlier revision:
= Downgrading with NAND Flasher =
This article is written based on firmware 3.60 (but also works on other firmwares) and the Infectus for NAND based consoles. See [[Hardware_flashing]]


== Prerequisites ==
*NAND based console : CECHA, CECHB, CECHC, CECHE or CECHG. See [[SKU_Models]]
*Infectus with <3.9.9.0 firmware (allowing dual NAND flashing)
::In case you need to downgrade the Infectus:
::*[http://www.multiupload.com/06EMHFCKN3 Infectus downgrader]
::*[http://www.multiupload.com/4L1JXGOFOF Infectus_programmer_3.8_Beta_2]
*[http://www.sendspace.com/file/qhwkm5 FlowRebuilder v.4.1.0.0]
*Hex editor


== Accessing the NAND ==
Power the Infectus; it crashes the PS3 and leaves the NANDs in powered mode:

Use the console to power the NANDs: power it up until the PS3 crashes and halts with a red flashing LED, then press power again to stop the flashing while keeping the console powered on. The PS3 does not access the NANDs in this state, so it doesn't matter if the NAND content is already corrupted. After that, you can read/write the NANDs.

Use the Infectus to read the 2 different NAND chips. You get 2 files this way, one for each NAND: flash0.bin & flash1.bin

Interleave the 2 previously mentioned bin files into 1 single flash dump: flashfinal.bin (256MB)

( work in progress )

----
Posted on request by author: dospiedras1973

=== Original text (translated from Spanish) ===
[http://www.elotrolado.net/hilo_downgrade-3-6x-nands-256-con-infectus-y-reparacion-del-resto-de-consolas-waninbrick_1638386 Original text] ([http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=es&tl=en&u=http%3A%2F%2Fwww.elotrolado.net%2Fhilo_downgrade-3-6x-nands-256-con-infectus-y-reparacion-del-resto-de-consolas-waninbrick_1638386 Google translate], sorry, i'm lazy atm) :
<pre>
Downgrade 3.6x NANDs 256 with Infectus [and repair of the rest of the waninbrick consoles]

Message by dospiedras1973, 36 minutes ago
Hi, I've been working on this project for about two months, and now that I've got it working I'm publishing it so that everyone can use it. This tutorial is for consoles with 256MB NAND flash; that doesn't mean it won't work on the 16MB ones, since almost the same things get modified on the ones with NOR flash, but because my 16MB 80GB fat is still screwed I haven't been able to test or verify it.

Let's get to it (I owe the phrase to some forum member around here; I really liked the expression):

With the Infectus we dump our NAND as flash0.bin and flash1.bin and, as in lukin's tutorial for repairing bad NANDs, we follow the same process until we get our 256MB dump, flashfinal.bin.

We open this NAND with a simple hex editor and search for this part:

"00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0"

You'll see that right below it there is a very similar line. I find this data at offset 000C0020; it can vary depending on the NAND, and here the party starts :-D

We replace it, INCLUDING THAT LINE, with the file 1patchcos.bin. If you use HxD, place yourself on the first 0 of that line -> right click and paste write; beforehand you need to have 1patchcos.bin open in HxD and copy all of its content as hex so you can paste it.

Then we go looking for the second file to patch; in HxD we search our dump for this part:

"00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40"

And in the same way the first one was patched, we patch this one too: we take the file 2patchtrvk.bin from the pack and replace all the content, including the "00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40".

Then with FlowRebuilder we use the option "rescramble this dump" so that it regenerates our flash0.ECC.bin and flash1.ECC.bin.

And we flash the result. When you finish you'll notice that the PS3 now turns on but has a nice black screen. OK, we take our jig to put it into factory service mode and put it in factory; then we take the usual lv2diag and whichever PUP you want.

(WARNING: the first PUP you put in will stay on the console as the minimum version you can downgrade to later, so if you want to go from 3.55 down to 3.41 later you'll have to put in the 3.41 PUP before going up to 3.55, or it will stay at 3.55; otherwise it will cost you rewriting the dump again to be able to downgrade lower than the PUP you put in the first time.)

Then you put in the lv2diag to exit factory service and that's it ;-)

Notes: this works to repair the waninkoko brick WITHOUT A DONOR NAND, even on sem-001 boards (tested) (and you downgrade along the way xD)

Thanks:

to the whole #darkps3 channel on irc-hispano for supporting me for so long ;-)
to austaquio32 for donating the Infectus that let me carry on with my project
to Nodial2ne for the help locating files in the NAND
to robs1 for helping me throughout the process with ideas to make this possible

and to everyone who was patient and didn't pester me by private message xD


pack :

http://pastebin.com/7tmtcdNN

No thanks to:

er_poty : every post I make, he shows up to start fights and to send me private messages saying that I don't come up to the soles of PDNKED's shoes

PS: I've been unemployed for 4 years; anyone who wants to donate something selflessly can contact me by private message (sorry, but I have 2 kids and the PS3 doesn't feed me or them xD)
either that or give me a job, dammit!
</pre>


----
Reposted on :
*http://www.ps3hax.net/2011/06/phat-ps3-firmware-3-6x-downgrade-via-infectus-waninkoko-brick-fix/
*http://psx-scene.com/forums/content/phat-ps3-firmware-3-6x-downgrade-via-infectus-waninkoko-brick-fix-63/

Latest revision as of 00:18, 14 December 2011

http://pastebin.com/BqW46zjY :

   Downgrade patches
      
   http://www.multiupload.com/JJ9U8RM8T1
      
   DIFF:
      
   -------------
   Patch core OS Hash check //product mode always on
      
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C1F40                                      41 9E 00 1C              Až..
      
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C1F40                                      60 00 00 00              `...
      
   -------------
   Patch check_revoke_list_hash check //product mode always on
      
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C2B50  41 9E 00 1C                                      Až..
      
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C2B50  60 00 00 00                                      `...
      
   -------------
   Patch In product mode erase standby bank skipped
      
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C6AD0                          41 9E 00 0C                      Až..
      
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C6AD0                          60 00 00 00                      `...
      
   -------------
      
   Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware


NAND Offsets

1patchcos.bin

CTRL-F : 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0

CECHC-04/COK-002 MFW 3.15 (Euss):

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
   000C0000  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... ....... 
   000C0010  00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00  .....à..........
   000C0020  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   000C0030  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
   007C0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0010  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   007C0020  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà


here dump from CECHA-006/COK-001 found @ 0x000C0020 (ros0) and 0x007c0010 (ros1):

   Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
          
   000C0020   00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà
   000C0030   00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0 .............oÿà
   000C0040   00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00 ................
   000C0050   63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0.....
   000C0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
   000C0070   00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08 ................
   000C0080   73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version.....
   000C0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
   000C00A0   00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8 ..............çÈ
   000C00B0   6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr..........
   000C00C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
   000C00D0   00 00 00 00 00 05 ED 00 00 00 00 00 00 01 6F F0 ......í.......oð
   000C00E0   6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr..........
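The "CTRL-F" pattern above is the first line of the CoreOS (ros) table header, and the CECHA-006 dump shows what follows it: a second line with a version word, an entry count and the bank size repeated, then 0x30-byte entries of (offset, size, 32-byte name). The script below, an added example that is not part of the wiki page or of the original post, locates that signature in a flash image and decodes the table so the two banks can be checked before anything is written. The header and entry layout is an assumption inferred from the dump above, and the 8 MiB image it runs on is constructed (the CECHA-006 header truncated to its four visible entries, placed at 0xC0020 and 0x7C0010 as the page reports).

```python
from __future__ import annotations
import struct

# First line of a CoreOS (ros) table header as it appears in the dumps above:
# thirteen zero bytes followed by the bank size 0x6FFFE0 (the "CTRL-F" pattern).
ROS_SIGNATURE = bytes(13) + bytes.fromhex("6FFFE0")
HEADER_SIZE = 0x20   # two 16-byte lines before the first entry (assumption inferred from the dump)
ENTRY_SIZE = 0x30    # per entry: u64 offset, u64 size, 32-byte NUL-padded name (assumption inferred from the dump)


def find_ros_headers(image: bytes) -> list[int]:
    """Return every offset in `image` where the ros header signature starts."""
    hits = []
    pos = image.find(ROS_SIGNATURE)
    while pos != -1:
        hits.append(pos)
        pos = image.find(ROS_SIGNATURE, pos + 1)
    return hits


def parse_ros_header(image: bytes, base: int) -> dict:
    """Decode the header at `base` plus its entry table; all fields are big-endian."""
    size = struct.unpack_from(">Q", image, base + 0x08)[0]
    version, count = struct.unpack_from(">II", image, base + 0x10)
    size_again = struct.unpack_from(">Q", image, base + 0x18)[0]
    entries = []
    for i in range(count):
        at = base + HEADER_SIZE + i * ENTRY_SIZE
        e_off, e_size = struct.unpack_from(">QQ", image, at)
        raw_name = image[at + 0x10: at + ENTRY_SIZE]
        name = raw_name.split(b"\0", 1)[0].decode("ascii", errors="replace")
        entries.append({"name": name, "offset": e_off, "size": e_size})
    return {"base": base, "size": size, "size_repeated": size_again,
            "version": version, "count": count, "entries": entries}


def check_ros_header(hdr: dict) -> list[str]:
    """Consistency checks: both size fields agree, entries are ordered, disjoint and inside the bank."""
    problems = []
    if hdr["size"] != hdr["size_repeated"]:
        problems.append("size fields disagree")
    prev_end = 0
    for e in hdr["entries"]:
        if e["offset"] < prev_end:
            problems.append(f"{e['name']} overlaps the previous entry")
        if e["offset"] + e["size"] > hdr["size"]:
            problems.append(f"{e['name']} runs past the end of the bank")
        prev_end = e["offset"] + e["size"]
    return problems


def build_sample_image() -> bytes:
    """Constructed 8 MiB stand-in for flashfinal.bin: the CECHA-006 header above, truncated to
    its four visible entries, written at 0xC0020 (ros0) and 0x7C0010 (ros1)."""
    entries = [(0x490, 0x40000, b"creserved_0"),
               (0x40490, 0x8, b"sdk_version"),
               (0x40500, 0x1E7C8, b"lv1ldr"),
               (0x5ED00, 0x16FF0, b"lv2ldr")]
    hdr = bytes(8) + struct.pack(">Q", 0x6FFFE0)
    hdr += struct.pack(">II", 1, len(entries)) + struct.pack(">Q", 0x6FFFE0)
    for off, size, name in entries:
        hdr += struct.pack(">QQ", off, size) + name.ljust(32, b"\0")
    image = bytearray(0x800000)
    for base in (0xC0020, 0x7C0010):
        image[base:base + len(hdr)] = hdr
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for base in find_ros_headers(img):
        hdr = parse_ros_header(img, base)
        print(f"ros header at 0x{base:06X}: {hdr['count']} entries, bank size 0x{hdr['size']:X}")
        for e in hdr["entries"]:
            print(f"  {e['name']:<12} offset 0x{e['offset']:06X} size 0x{e['size']:06X}")
        print("  problems:", check_ros_header(hdr) or "none")
```

On a real flashfinal.bin the count word reads 0x18 (or 0x17 on the 3.15 dump), so the loop walks all 24 entries rather than the four shown on the page; comparing the two parsed banks is a quick way to confirm that ros0 and ros1 really hold the same CoreOS before relying on either.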

2patchtrvk.bin

Note: CTRL-F : not 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 but 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40

CECHC-04/COK-002 MFW 3.15 (Euss):

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   00093800  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... ....... 
   00093810  00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00  ...... .........
   00093820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40  ...............@
   00093830  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
   00093840  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40  ...............@


CECHA-06/COK-001 datas from offset 0x00093800:

  Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     
  00093800   00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 ................
  00093810   00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 ................
  00093820   00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 ...............@
  00093830   53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE.............
  00093840   00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40 ...............@
  00093850   F6 93 38 8E C8 46 D5 FF 34 53 9D 12 91 7E C6 96 ö“8ŽÈFÕÿ4S..‘~Æ–


revoke package: for a 3.72 console it would be : 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60 http://pastie.org/3006911

revoke program: for a 3.72 console it would be : 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 http://pastie.org/3006958


Example, copy ros1 to ros0 and overwrite (HxD):

  • goto edit
  • select block (CTRL-E) : start 7C0020 - length 6FFFE0
  • copy (CTRL-C)
  • goto (CTRL-G) : C0030
  • overwrite (CTRL-B)



Simplified V2 NAND downgrade

Patches to use

{|class="wikitable"
|-
! Target area !! Patchfile !! NAND Offset !! Paste length !! Remarks
|-
| ROS0 || [http://www.multiupload.com/GB4LPBNJBY patch1&nbsp;(7&nbsp;MB)] || 0x0C0030 || 0x6FFFE0 || CoreOS (prepatched 3.55)
|-
| ROS1 || [http://www.multiupload.com/GB4LPBNJBY patch1&nbsp;(7&nbsp;MB)] || 0x7C0020 || 0x6FFFE0 || CoreOS (SAME as ros0)
|-
| trvk_prg0&nbsp;(0x91800)<br />trvk_prg1&nbsp;(0x92810)<br />trvk_pkg&nbsp;(0x93800) || [http://www.multiupload.com/RTIK2IUUCL patch2&nbsp;(16&nbsp;KB)] || 0x91800 || 0x4000 || one big patch overlapping several revoke areas
|}
Hidden comments in the wiki source (avati): "3.55 did greenlight power off, [http://www.multiupload.com/9Z5D080KLO patch2 (16 KB)] not work" and "3.15 [http://www.multiupload.com/KT6BAXH8O5 patch2 (16 KB)] not work".

PUP to use

[[Talk:Downgrading_with_NOR_flasher#Premade_CFW_Rogero_V2| Rogero V2]] or any firmware with prepatched lv1 (no syscon hash checks)

Outcomes recorded in hidden comments in the wiki source:
* downgrade and 3.41downgrader = manufacturing updating SUCCESS(0x8002f000) = YLOD http://mibpaste.com/WP3suB
* downgrade and Rogero PUP = Blu-ray Disc Player Revoke done(0x8002f057) = YLOD http://mibpaste.com/oj8EL5
* downgrade and Rogero NoBD PUP = manufacturing updating SUCCESS(0x8002f000) + autopower off = OK http://mibpaste.com/sAguEj

Different Factory Service Mode SELFs

For factory Service Mode install:

  • if using the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
  • if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP
{|class="wikitable"
|-
! Filename !! Size !! Remarks !! <code>SHA1</code> !! <code>MD5</code> !! <code>CRC32</code> !! <code>CRC16</code>
|-
| [http://www.multiupload.com/Y0Z8WNY009 Lv2diag.self&nbsp;(227.38&nbsp;KB)] || 232832 || jaicrab noBD patched || <code>180823003B086D9D49BC7F83BEA9C769BF73A5EA</code> || <code>3615770407C0C3FA00D8CA49C8ADB362</code> || <code>25E85CFB</code> || <code>EDD0</code>
|-
| [http://www.multiupload.com/V1YTTWGKH0 Lv2diag.self&nbsp;(365.5&nbsp;KB)] || 374272 || 3.55 get in FSM || <code>1ED037740D67FEBACA6449CABFF4E95400C9E2EE</code> || <code>099F33A7967F99E91C07E870FD78B3DB</code> || <code>9338ABF2</code> || <code>4FCC</code>
|-
| [http://www.multiupload.com/ZHJMPSMLYR Lv2diag.self&nbsp;(365.5&nbsp;KB)] || 374272 || 3.50- get in FSM || <code>1E770010A3A6EF572AF39783A04DF792670998D3</code> || <code>90168C03B217CE775A7839D87BBFF2A3</code> || <code>D1F0AAFC</code> || <code>CD8D</code>
|-
| [http://www.multiupload.com/VGQTFV56CO Lv2diag.self&nbsp;(201.42&nbsp;KB)] || 206256 || get out FSM || <code>329877CBD47B994EC0AFCEA6AF98114FD9E5128B</code> || <code>7A20BFDAE65EEFB47A4425DB1B52DCDE</code> || <code>72740080</code> || <code>502A</code>
|}
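All four files in the table share the name Lv2diag.self and two of them share a size, so the only way to know which one you are about to flash is to check the digests. The script below is an added example, not part of the wiki page or of any of the tool authors' releases: it computes size, SHA1, MD5 and CRC32 of a file and reports which table row, if any, it matches on every field. The expected values are copied from the table above; the CRC16 column is deliberately not checked, because the page does not say which CRC-16 variant produced it. The `identify` and `verify` function names are this example's own.

```python
import hashlib
import sys
import zlib

# Expected values copied from the Lv2diag.self table above (size in bytes, hex digests).
# CRC16 is omitted: the page does not state which CRC-16 variant the column was produced with.
EXPECTED = {
    "jaicrab noBD patched": {"size": 232832,
                             "sha1": "180823003B086D9D49BC7F83BEA9C769BF73A5EA",
                             "md5": "3615770407C0C3FA00D8CA49C8ADB362",
                             "crc32": "25E85CFB"},
    "3.55 get in FSM": {"size": 374272,
                        "sha1": "1ED037740D67FEBACA6449CABFF4E95400C9E2EE",
                        "md5": "099F33A7967F99E91C07E870FD78B3DB",
                        "crc32": "9338ABF2"},
    "3.50- get in FSM": {"size": 374272,
                         "sha1": "1E770010A3A6EF572AF39783A04DF792670998D3",
                         "md5": "90168C03B217CE775A7839D87BBFF2A3",
                         "crc32": "D1F0AAFC"},
    "get out FSM": {"size": 206256,
                    "sha1": "329877CBD47B994EC0AFCEA6AF98114FD9E5128B",
                    "md5": "7A20BFDAE65EEFB47A4425DB1B52DCDE",
                    "crc32": "72740080"},
}


def digests(data: bytes) -> dict:
    """Size plus the three checksums the table lists, in the table's upper-case hex form."""
    return {"size": len(data),
            "sha1": hashlib.sha1(data).hexdigest().upper(),
            "md5": hashlib.md5(data).hexdigest().upper(),
            "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"}


def verify(data: bytes, expected: dict) -> list:
    """Return the fields that do not match; an empty list means every checked field agrees."""
    actual = digests(data)
    return [field for field in ("size", "sha1", "md5", "crc32")
            if str(actual[field]).upper() != str(expected[field]).upper()]


def identify(data: bytes):
    """Return the remark of the table row that `data` matches on every field, or None."""
    for remark, expected in EXPECTED.items():
        if not verify(data, expected):
            return remark
    return None


if __name__ == "__main__":
    # usage: python verify_lv2diag.py Lv2diag.self
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    match = identify(blob)
    print("matches:", match or "no row in the table")
```

A file that matches on CRC32 or MD5 alone but not on SHA1 should be treated as not matching: the script therefore requires every field to agree before it names a row.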