Talk:Downgrading with NAND flasher: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
No edit summary
 
(39 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Downgrading with NAND Flasher =
This article is written based on firmware 3.60 (but also works on other firmwares) and Infectus for NAND bases consoles. See [[Hardware_flashing]]
== Prerequisites ==
*NAND based console : CECHA, CECHB, CECHC, CECHE or CECHG. see [[SKU_Models]]
*Infectus with <3.9.9.0 firmware (allowing dual NAND flashing)
::In case you need to downgrade the Infectus:
::*[http://www.multiupload.com/06EMHFCKN3 Infectus downgrader]
::*[http://www.multiupload.com/4L1JXGOFOF Infectus_programmer_3.8_Beta_2]
*[http://www.sendspace.com/file/qhwkm5 FlowRebuilder v.4.1.0.0]
*Hexeditor
== Accessing the NAND ==
Power the Infectus, it crashes the PS3 and leaves the NANDs in powered mode:
Use the console to power the NANDs: power it up until the PS3 crashes and halts with red flashing LED, press power again to stop the flashing, but keeps the console powered on. The NANDs are not accessed by the PS3 in this way, so it doesn't matter if the NAND content is already messed up. After that, you can read/write the NANDs.
Use the Infectus to read the 2 different NAND chips. You get 2 files this way, one for each NAND : flash0.bin & flash1.bin
Interleave the 2 previous mentioned bin files into 1 single flash dump: flashfinal.bin (256MB)
( work in progress )
----
Posted on request by author: dospiedras1973
=== Original Spanish text ===
[http://www.elotrolado.net/hilo_downgrade-3-6x-nands-256-con-infectus-y-reparacion-del-resto-de-consolas-waninbrick_1638386 Original text] :
<pre>
Hola , llevo trabajando en este proyecto cerca de dos meses y ahora mismo ya que he conseguido que funcione lo publico para que todo el mundo pueda usarlo, este tutorial es para consolas con NAND flash de 256mb , no significa que no funcione en las de 16mb , en sí se modifica casi lo mismo en las que tienen nor flash , pero debido a que aún tengo jodida mi fat 80gb de 16mb no lo he podido ni probar ni verificar.
Al turrón ( la frase se la debo a algún forero de por aquí que me gustó mucho la expresión ) :
Con infectus sacamos nuestra nand flash0.bin y flash1.bin y como en el tutorial de lukin para reparar las bad nands hacemos el mismo proceso hasta que obtenemos nuestro dump flashfinal.bin de 256mb
esta nand la abrimos con un editor simple hex editor y buscamos esta parte
"00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0"
vereis que justo debajo ay una linea muy parecida , yo estos datos los encuentro en el offset 000C0020 , puede variar segun la nand y aqui empieza la fiesta :-D
reemplazamos INCLUSO ESA LINEA con el archivo 1patchcos.bin si usais el hxd poneros en el primer 0 de esa linea ->boton derecho y pegar escribiendo , antes teneis que tener abierto el 1patchcos.bin en el hxd y copiar en hex todo su contenido para poder pegarlo..
luego vamos a buscar el segundo archivo a parchear buscamos en el hxd en nuestro dump la parte :
"00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40"
y de la misma manera que se parchea el primero se parchea este también , cojemos el archivo 2patchtrvk.bin del pack y reemplazamos todo el contenido incluso el "00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40"
luego cogemos con el flowrebuilder usamos la opcion reescramble this dump para que nos vuelva a generar nuestro flash0.ECC.bin y flash1.ECC.bin
y flasheamos el resultado , cuando termineis notareis que la ps3 ahora enciende pero tiene un bonito black screen , vale cojemos nuestro jig para ponerla en factory service mode y la ponemos en factory , luego cojemos el tipico lv2diag de marras y el pup que querais
( AVISO : el primer pup que metais se quedará en la consola como la versión minima que podeis downgradear luego , por si quereis bajar de 3.55 a 3.41 luego tendreís que meter el pup 3.41 antes de subir a 3.55 o se quedará en 3.55 por que si no os costará volver a escribir el dump de nuevo para poder downgradear mas bajo del pup que pusisteis la primera vez. )
luego poneis el lv2diag para salir del factory service y ya está ;-)
Notas : esto vale para reparar el brick de waninkoko SIN NAND DONADA incluso en las placas sem-001 ( probado ) ( y de paso downgradeas xD )
agradecimientos :
a todo el canal #darkps3 de irc-hispano por apoyarme durante tanto tiempo ;-)
a austaquio32 por donar el infectus que lograra que siguiera con mi proyecto
a Nodial2ne por la ayuda que prestó localizando archivos en la nand
a robs1 por ayudarme en todo el proceso con ideas para que esto fuera posible
y a todo el que tuvo paciencia y no me atosigó por privado xD
pack :
http://pastebin.com/7tmtcdNN
Desagradecimientos :
er_poty : post que hago , post que viene a crear peleas y a mandarme privados diciendome que le llego a la suela de los zapatos a PDNKED
pd: llevo 4 años en paro , quien quiera donar algo desinteresadamente pueden ponerse en contacto conmigo via privado ( lo siento pero tengo 2 hijos y la ps3 no me da de comer ni a mi ni a ellos xD )
o eso o dadme un trabajo leñe!
</pre>
=== Translate Google English text ===
[http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=es&tl=en&u=http%3A%2F%2Fwww.elotrolado.net%2Fhilo_downgrade-3-6x-nands-256-con-infectus-y-reparacion-del-resto-de-consolas-waninbrick_1638386 Google translate] (sorry, i'm lazy atm) :
<pre>
256 with 3.6x downgrade INFECTUS nands [and other consoles repair waninbrick]
Mensaje by dospiedras1973 36 minutes ago
Hello, I've been working on this project about two months now since I've gotten to work as public so that everyone can use, this tutorial is for consoles with 256MB NAND flash does not mean it does not work in 16MB in itself is changed almost the same in those with normal flash, but because even I have my fat fucking 16mb 80GB I have not been able to neither prove nor verified.
Nougat (the phrase I owe to some forero around here that I really liked the expression):
With INFECTUS flash0.bin and we get our nand flash1.bin as in the tutorial to repair bad lukin nands do the same process until we get our dump flashfinal.bin 256MB
nand we open this with a simple hex editor and look for this part editor
"00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0"
ay you will see that just under a very similar line, I find this data in the offset 000C0020 may vary according to the nand and the party starts here:-D
EVEN replace that line with the file if you use the hxd 1patchcos.bin get in the first 0 of the line -> right click and paste writing before you have to have an open 1patchcos.bin hxd in hex and copy its contents to can paste ..
then we find the second file to patch at hxd we dump on our part:
"00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40"
and in the same way as the first patched patched this also cojemos 2patchtrvk.bin pack the file and replace the entire contents including the "00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 "
then we take the option we use reescramble flowrebuilder this dump so we rebuild our flash0.ECC.bin and flash1.ECC.bin
and flash the result, when you finish you will notice that the PS3 now has a nice on but black screen, it cojemos our factory jig to put it into service mode and put it in factory, then the typical cojemos lv2diag of yore and the pup you please
(NOTE: the first pup that metais will stay in the console as the minimum version that you can downgrade then, if you want to lose 3.55 to 3.41 then you will have to put the pup up to 3.41 before 3.55 or 3.55 will remain in that if cost will not rewrite the dump again to downgrade to lower the pup that you put the first time.)
then you put your factory lv2diag to leave the service and you're ;-)
Note: this applies to repair the brick Waninkoko NAND NOT DONATED plates even sem-001 (tested) (and step downgrade xD)
Thanks:
all channel # irc-hispano darkps3 for supporting me for so long ;-)
to donate the INFECTUS austaquio32 to achieve to continue with my project
to Nodial2ne paid for the help locating files in the nand
to robs1 for helping throughout the process with ideas to make this possible
and everyone who was patient and not by private haunts me xD
pack:
http://pastebin.com/7tmtcdNN
Ingratitude:
er_poty: I do post, post it comes to creating private fights and telling him to send me get to the bottom of the shoes PDNKED
pd: I have 4 years unemployed, who selflessly want to donate something please contact me via private (sorry but I have 2 children and the PS3 does not give me to eat me or them xD)
either that or give me a job lene!
</pre>
----
Reposted on :
*http://www.ps3hax.net/2011/06/phat-ps3-firmware-3-6x-downgrade-via-infectus-waninkoko-brick-fix/
*http://psx-scene.com/forums/content/phat-ps3-firmware-3-6x-downgrade-via-infectus-waninkoko-brick-fix-63/
----
Addition:
*http://www.elotrolado.net/hilo_fix-instalacion-infectus-en-sem-001-funcional_1639311
<pre>
hola , este tuto es pequeñito pero lo pongo en un hilo nuevo por que va a traer miga y no quiero mezclar contenidos :
el infectus se instala de la misma manera que en las demas consolas la unica diferencia es que en esta consola tenemos una nand a un lado de la consola y otro al otro , imaginad que esa nand que cambia de sitio es la segunda nand , en la que en el esquema oficial está por encima del conector del hdd los puntos a soldar son iguales , PERO
el infectus tiene un punto de 5v , NO LO SOLDEIS DEJADLO NO HACE FALTA
hace falta colocar un diodo zener en la nand que está en la otra vuelta de la placa para darle corriente a las 2 nands directamente con el infectus aqui las fotos :
aqui el zener a utilizar para alimentar las nands
Imagen
aqui el punto a donde va el diodo soldado directamente sin cables preferiblemente :
Imagen
el GND que está al lado de los 5v del infectus porfavor soldadlo con un cable gruesín eh ...
y la parte roja del diodo con un cablecito lo conectamos aqui en el infectus :
Imagen
vale , con eso y el resto de la instalación como era , la ps3 la teneis que leer y escribir perfectamente SIN DARLE CORRIENTE a la fuente , no hace falta ya con el infectus alimentas las nands lo suficiente para leer y escribir , porsupuesto he de decir que nunca tengais conectado con este metodo la fuente a la corriente y el infectus al usb , por que podría pasar algo malo xD
gracias al que subió las fotos xD
PD: el diodo lo podeis sacar de muchas placas rotas que tengais por ahi , casi todos los aparatejos calzan un zener de esos xD
por cierto el unico programa compatible con sem-001 es el infectus nand flasher 1.03 ay que instalar otros drivers del libusb que vienen incluidos con el programa que está por ahí xD
</pre>
When downgrading from 3.66 to 3.15 on NAND:
<div style="height:750px; overflow:auto">
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;"
|- bgcolor="#cccccc"
! fail BD !! correct BD
|-
| http://pastebin.com/8xvaqDvs
<pre>manufacturing updating start
PackageName = /dev_usb000/PS3UPDAT.PUP
settle polling interval success
vflash is disabled...
boot from nand flash...
creating flash regions...
create storage region: (region id = 2)
format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
create storage region: (region id = 3)
format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
create storage region: (region id = 4)
format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
create storage region: (region id = 5)
create storage region: (region id = 6)
Initializing
taking a while...
start Updating Proccess
Initialize elapsed time = 61 msec
check UPL
Check UPL elapsed time = 33 msec
check Package Size
get package size elapsed time = 8 msec
start Updating Package
Update packages num = 29
Update packages total size = 160699026
Update Package Revoke list
read package revoke list package (576 bytes) elapsed = 7 msec
update package revoke list elapsed = 331 msec
Update Package Revoke list done(0x8002f000)
Update Core OS Package
read core os package (5193774 bytes) elapsed = 320 msec
update core os package elapsed = 1950 msec
Update Core OS Package done(0x8002f000)
Update VSH Package
sys_memory_container_create() success(id = 0xc0effffe)
Update VSH's package : 1/21
read vsh package (2070 bytes) elapsed = 8 msec
decrypt and verify vsh package elapsed = 23 msec
write vsh package elapsed = 9193 msec
compare vsh package elapsed = 0 msec
Update VSH's package : 2/21
read vsh package (5616383 bytes) elapsed = 351 msec
decrypt and verify vsh package elapsed = 340 msec
write vsh package elapsed = 1722 msec
compare vsh package elapsed = 402 msec
Update VSH's package : 3/21
read vsh package (3357780 bytes) elapsed = 212 msec
decrypt and verify vsh package elapsed = 227 msec
write vsh package elapsed = 2903 msec
compare vsh package elapsed = 312 msec
Update VSH's package : 4/21
read vsh package (5240122 bytes) elapsed = 328 msec
decrypt and verify vsh package elapsed = 308 msec
write vsh package elapsed = 2757 msec
compare vsh package elapsed = 399 msec
Update VSH's package : 5/21
read vsh package (24029 bytes) elapsed = 10 msec
decrypt and verify vsh package elapsed = 24 msec
write vsh package elapsed = 1171 msec
compare vsh package elapsed = 9 msec
Update VSH's package : 6/21
read vsh package (9831317 bytes) elapsed = 597 msec
decrypt and verify vsh package elapsed = 280 msec
write vsh package elapsed = 11705 msec
compare vsh package elapsed = 466 msec
Update VSH's package : 7/21
read vsh package (8662380 bytes) elapsed = 533 msec
decrypt and verify vsh package elapsed = 272 msec
write vsh package elapsed = 16403 msec
compare vsh package elapsed = 474 msec
Update VSH's package : 8/21
read vsh package (8657372 bytes) elapsed = 542 msec
decrypt and verify vsh package elapsed = 360 msec
write vsh package elapsed = 5872 msec
compare vsh package elapsed = 448 msec
Update VSH's package : 9/21
read vsh package (10445426 bytes) elapsed = 639 msec
decrypt and verify vsh package elapsed = 254 msec
write vsh package elapsed = 5374 msec
compare vsh package elapsed = 467 msec
Update VSH's package : 10/21
read vsh package (10252830 bytes) elapsed = 642 msec
decrypt and verify vsh package elapsed = 261 msec
write vsh package elapsed = 8594 msec
compare vsh package elapsed = 476 msec
Update VSH's package : 11/21
read vsh package (9922968 bytes) elapsed = 621 msec
decrypt and verify vsh package elapsed = 253 msec
write vsh package elapsed = 6913 msec
compare vsh package elapsed = 467 msec
Update VSH's package : 12/21
read vsh package (8214459 bytes) elapsed = 514 msec
decrypt and verify vsh package elapsed = 197 msec
write vsh package elapsed = 5812 msec
compare vsh package elapsed = 387 msec
Update VSH's package : 13/21
read vsh package (9428094 bytes) elapsed = 593 msec
decrypt and verify vsh package elapsed = 245 msec
write vsh package elapsed = 5217 msec
compare vsh package elapsed = 443 msec
Update VSH's package : 14/21
read vsh package (7973335 bytes) elapsed = 483 msec
decrypt and verify vsh package elapsed = 346 msec
write vsh package elapsed = 13579 msec
compare vsh package elapsed = 456 msec
Update VSH's package : 15/21
read vsh package (9766737 bytes) elapsed = 589 msec
decrypt and verify vsh package elapsed = 359 msec
write vsh package elapsed = 17261 msec
compare vsh package elapsed = 528 msec
Update VSH's package : 16/21
read vsh package (9199234 bytes) elapsed = 583 msec
decrypt and verify vsh package elapsed = 407 msec
write vsh package elapsed = 23183 msec
compare vsh package elapsed = 689 msec
Update VSH's package : 17/21
read vsh package (7260896 bytes) elapsed = 465 msec
decrypt and verify vsh package elapsed = 284 msec
write vsh package elapsed = 14740 msec
compare vsh package elapsed = 689 msec
Update VSH's package : 18/21
read vsh package (6563380 bytes) elapsed = 423 msec
decrypt and verify vsh package elapsed = 155 msec
write vsh package elapsed = 1905 msec
compare vsh package elapsed = 357 msec
Update VSH's package : 19/21
read vsh package (6092245 bytes) elapsed = 376 msec
decrypt and verify vsh package elapsed = 226 msec
write vsh package elapsed = 1457 msec
compare vsh package elapsed = 406 msec
Update VSH's package : 20/21
read vsh package (9859067 bytes) elapsed = 592 msec
decrypt and verify vsh package elapsed = 238 msec
write vsh package elapsed = 2189 msec
compare vsh package elapsed = 498 msec
Update VSH's package : 21/21
read vsh package (6492084 bytes) elapsed = 413 msec
decrypt and verify vsh package elapsed = 321 msec
write vsh package elapsed = 17483 msec
compare vsh package elapsed = 674 msec
Update VSH Package done(0x8002f000)
Bul-ray Disc Player Revoke
read bdp revoke package (1904 bytes) elapsed = 22 msec
decrypt and verify bdp revoke package elapsed = 30 msec
write bdp revoke package elapsed = 2235 msec
compare bdprevoke package elapsed = 57 msec
Bul-ray Disc Player Revoke done(0x8002f000)
Update Program Revoke list
read program revoke list package (704 bytes) elapsed = 8 msec
update program revoke list elapsed = 330 msec
Update Program Revoke list done(0x8002f000)
move_2block_status_into_the_region(): region id = 3
rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1265 msec
touch_1st_sector_in_block() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
touch_1st_sector() done (ret = 0x8002f000)
touch_1st_sector() elapsed time = 1128 msec
rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1264 msec
Update BD firmware
read BD firmware package (1966992 bytes) elapsed = 141 msec
update BD firmware elapsed = 29828 msec
Update BD firmware done(0x8002f14e)
update package elapsed time = 238316 msec
Updating or Verifying failure 0x8002f14e
UpMng.UpdatePackage() failure
manufacturing updating FAILURE(0x8002f14e)
Total Elapsed time = 239526 msec
</pre>
| http://pastebin.com/XhcjfAjw
<pre>manufacturing updating start
PackageName = /dev_usb000/PS3UPDAT.PUP
settle polling interval success
vflash is disabled...
boot from nand flash...
creating flash regions...
create storage region: (region id = 2)
format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
create storage region: (region id = 3)
format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
create storage region: (region id = 4)
format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
create storage region: (region id = 5)
create storage region: (region id = 6)
Initializing
taking a while...
start Updating Proccess
Initialize elapsed time = 61 msec
check UPL
Check UPL elapsed time = 34 msec
check Package Size
get package size elapsed time = 8 msec
start Updating Package
Update packages num = 29
Update packages total size = 160699026
Update Package Revoke list
read package revoke list package (576 bytes) elapsed = 6 msec
update package revoke list elapsed = 331 msec
Update Package Revoke list done(0x8002f000)
Update Core OS Package
read core os package (5193774 bytes) elapsed = 324 msec
update core os package elapsed = 1965 msec
Update Core OS Package done(0x8002f000)
Update VSH Package
sys_memory_container_create() success(id = 0xc0effffe)
Update VSH's package : 1/21
read vsh package (2070 bytes) elapsed = 8 msec
decrypt and verify vsh package elapsed = 23 msec
write vsh package elapsed = 9259 msec
compare vsh package elapsed = 0 msec
Update VSH's package : 2/21
read vsh package (5616383 bytes) elapsed = 351 msec
decrypt and verify vsh package elapsed = 341 msec
write vsh package elapsed = 1725 msec
compare vsh package elapsed = 402 msec
Update VSH's package : 3/21
read vsh package (3357780 bytes) elapsed = 214 msec
decrypt and verify vsh package elapsed = 227 msec
write vsh package elapsed = 2926 msec
compare vsh package elapsed = 312 msec
Update VSH's package : 4/21
read vsh package (5240122 bytes) elapsed = 328 msec
decrypt and verify vsh package elapsed = 309 msec
write vsh package elapsed = 2776 msec
compare vsh package elapsed = 399 msec
Update VSH's package : 5/21
read vsh package (24029 bytes) elapsed = 9 msec
decrypt and verify vsh package elapsed = 24 msec
write vsh package elapsed = 1185 msec
compare vsh package elapsed = 9 msec
Update VSH's package : 6/21
read vsh package (9831317 bytes) elapsed = 599 msec
decrypt and verify vsh package elapsed = 279 msec
write vsh package elapsed = 11830 msec
compare vsh package elapsed = 466 msec
Update VSH's package : 7/21
read vsh package (8662380 bytes) elapsed = 539 msec
decrypt and verify vsh package elapsed = 272 msec
write vsh package elapsed = 16532 msec
compare vsh package elapsed = 474 msec
Update VSH's package : 8/21
read vsh package (8657372 bytes) elapsed = 541 msec
decrypt and verify vsh package elapsed = 361 msec
write vsh package elapsed = 5911 msec
compare vsh package elapsed = 448 msec
Update VSH's package : 9/21
read vsh package (10445426 bytes) elapsed = 635 msec
decrypt and verify vsh package elapsed = 255 msec
write vsh package elapsed = 5408 msec
compare vsh package elapsed = 467 msec
Update VSH's package : 10/21
read vsh package (10252830 bytes) elapsed = 641 msec
decrypt and verify vsh package elapsed = 262 msec
write vsh package elapsed = 8646 msec
compare vsh package elapsed = 476 msec
Update VSH's package : 11/21
read vsh package (9922968 bytes) elapsed = 621 msec
decrypt and verify vsh package elapsed = 252 msec
write vsh package elapsed = 6950 msec
compare vsh package elapsed = 467 msec
Update VSH's package : 12/21
read vsh package (8214459 bytes) elapsed = 505 msec
decrypt and verify vsh package elapsed = 199 msec
write vsh package elapsed = 5843 msec
compare vsh package elapsed = 386 msec
Update VSH's package : 13/21
read vsh package (9428094 bytes) elapsed = 594 msec
decrypt and verify vsh package elapsed = 244 msec
write vsh package elapsed = 5238 msec
compare vsh package elapsed = 442 msec
Update VSH's package : 14/21
read vsh package (7973335 bytes) elapsed = 498 msec
decrypt and verify vsh package elapsed = 346 msec
write vsh package elapsed = 13617 msec
compare vsh package elapsed = 456 msec
Update VSH's package : 15/21
read vsh package (9766737 bytes) elapsed = 603 msec
decrypt and verify vsh package elapsed = 360 msec
write vsh package elapsed = 17267 msec
compare vsh package elapsed = 529 msec
Update VSH's package : 16/21
read vsh package (9199234 bytes) elapsed = 583 msec
decrypt and verify vsh package elapsed = 407 msec
write vsh package elapsed = 23189 msec
compare vsh package elapsed = 689 msec
Update VSH's package : 17/21
read vsh package (7260896 bytes) elapsed = 466 msec
decrypt and verify vsh package elapsed = 286 msec
write vsh package elapsed = 14751 msec
compare vsh package elapsed = 689 msec
Update VSH's package : 18/21
read vsh package (6563380 bytes) elapsed = 422 msec
decrypt and verify vsh package elapsed = 155 msec
write vsh package elapsed = 1906 msec
compare vsh package elapsed = 357 msec
Update VSH's package : 19/21
read vsh package (6092245 bytes) elapsed = 373 msec
decrypt and verify vsh package elapsed = 227 msec
write vsh package elapsed = 1457 msec
compare vsh package elapsed = 405 msec
Update VSH's package : 20/21
read vsh package (9859067 bytes) elapsed = 590 msec
decrypt and verify vsh package elapsed = 238 msec
write vsh package elapsed = 2187 msec
compare vsh package elapsed = 498 msec
Update VSH's package : 21/21
read vsh package (6492084 bytes) elapsed = 419 msec
decrypt and verify vsh package elapsed = 321 msec
write vsh package elapsed = 17509 msec
compare vsh package elapsed = 674 msec
Update VSH Package done(0x8002f000)
Bul-ray Disc Player Revoke
read bdp revoke package (1904 bytes) elapsed = 23 msec
decrypt and verify bdp revoke package elapsed = 29 msec
write bdp revoke package elapsed = 2240 msec
compare bdprevoke package elapsed = 57 msec
Bul-ray Disc Player Revoke done(0x8002f000)
Update Program Revoke list
read program revoke list package (704 bytes) elapsed = 7 msec
update program revoke list elapsed = 331 msec
Update Program Revoke list done(0x8002f000)
move_2block_status_into_the_region(): region id = 3
rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1262 msec
touch_1st_sector_in_block() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
touch_1st_sector() done (ret = 0x8002f000)
touch_1st_sector() elapsed time = 1121 msec
rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1262 msec
Update BD firmware
read BD firmware package (1966992 bytes) elapsed = 142 msec
update BD firmware elapsed = 184 msec
read BD firmware package (951040 bytes) elapsed = 78 msec
update BD firmware elapsed = 142 msec
read BD firmware package (951040 bytes) elapsed = 80 msec
update BD firmware elapsed = 13959 msec
Update BD firmware done(0x8002f000)
Update Multi-Card controller firmware
read MCC package (28636 bytes) elapsed = 25 msec
update MCC elapsed = 24 msec
Update Multi-Card controller firmware done(0x8002f000)
Update BlueTooth firmware
read BT package (639368 bytes) elapsed = 62 msec
update BT elapsed = 56 msec
Update BlueTooth firmware done(0x8002f000)
Update System controller firmware
read SC patch package (4864 bytes) elapsed = 24 msec
read SC patch package (4864 bytes) elapsed = 24 msec
read SC patch package (4864 bytes) elapsed = 23 msec
Update System controller firmware done(0x8002f000)
update package elapsed time = 228361 msec
post processiong...
post processiong done
cleanup update status (ret = 0)
os version = 03.1500
build_version = 38031,20091206
region of core os package = 0x40000000
build_target = CEX-ww
build target id = 0x83
manufacturing updating SUCCESS(0x8002f000)
set product mode (ret = 0)
Total Elapsed time = 230556 msec
</pre>
|-
|}
</div>
http://pastebin.com/BqW46zjY :  
http://pastebin.com/BqW46zjY :  


Line 611: Line 43:
  &nbsp;     
  &nbsp;     
     Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware
     Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware
== NAND Offsets ==
===1patchcos.bin===
CTRL-F : <code>00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0</code>
CECHC-04/COK-002 MFW 3.15 ([[User:Euss|Euss]]):
<pre>  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
  000C0000  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... .......
  000C0010  00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00  .....à..........
  000C0020  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
  000C0030  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà</pre>
<pre>  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
  007C0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  007C0010  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
  007C0020  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà</pre>
here dump from CECHA-006/COK-001 found @ 0x000C0020 (ros0) and 0x007c0010 (ros1):<!--//bluemimmo//-->
<pre>  Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
         
  000C0020  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà
  000C0030  00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0 .............oÿà
  000C0040  00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00 ................
  000C0050  63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0.....
  000C0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000C0070  00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08 ................
  000C0080  73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version.....
  000C0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000C00A0  00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8 ..............çÈ
  000C00B0  6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr..........
  000COOC0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  000C00D0  00 00 00 00 00 05 ED 00 00 00 00 00 00 01 6F F0 ......í.......oð
  000C00E0  6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr..........</pre>
===2patchtrvk.bin===
Note: CTRL-F : not <code>00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40</code> but <code>00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40</code>
CECHC-04/COK-002 MFW 3.15 ([[User:Euss|Euss]]):
<pre>  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 
  00093800  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... .......
  00093810  00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00  ...... .........
  00093820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40  ...............@
  00093830  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
  00093840  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40  ...............@</pre>
CECHA-06/COK-001 datas from offset 0x00093800:<!--//bluemimmo//-->
  Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     
  00093800  00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 ................
  00093810  00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 ................
  00093820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 ...............@
  00093830  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE.............
  00093840  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40 ...............@
  00093850  F6 93 38 8E C8 46 D5 FF 34 53 9D 12 91 7E C6 96 ö“8ŽÈFÕÿ4S..‘~Æ–
'''revoke package:'''
for a 3.72 console it would be : 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60
http://pastie.org/3006911
'''revoke program:'''
for a 3.72 console it would be : 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0
http://pastie.org/3006958
----
Example, copy ros1 to ros0 and overwrite (HxD):
* goto edit
* select block (CTRL-E) : start 7C0020 - length 6FFFE0
* copy (CTRL-C)
* goto (CTRL-G) : C0030
* overwrite (CTRL-B)
----
=== Simplyfied V2 NAND downgrade ===
====Patches to use====
{|class="wikitable"
|-
! Target area !! Patchfile !! NAND Offset !! Paste length !! Remarks
|-
| ROS0 || [http://www.multiupload.com/GB4LPBNJBY patch1&nbsp;(7&nbsp;MB)] || 0x0C0030 || 0x6FFFE0 || CoreOS (prepatched 3.55)
|-
| ROS1 || [http://www.multiupload.com/GB4LPBNJBY patch1&nbsp;(7&nbsp;MB)] || 0x7C0020 || 0x6FFFE0 || CoreOS (SAME as ros0)
|-
| trvk_prg0&nbsp;(0x91800)<br />trvk_prg1&nbsp;(0x92810)<br />trvk_pkg&nbsp;(0x93800) || [http://www.multiupload.com/RTIK2IUUCL patch2&nbsp;(16&nbsp;KB)] || 0x91800 || 0x4000 || one big patch overlapping several revoke area's
|-
|}
<!--// 3.55 did greenlight power off [http://www.multiupload.com/9Z5D080KLO patch2 (16 KB)] not work:avati//-->
<!--// 3.15 [http://www.multiupload.com/KT6BAXH8O5 patch2 (16 KB)] not work:avati//-->
==== PUP to use ====
[[Talk:Downgrading_with_NOR_flasher#Premade_CFW_Rogero_V2| Rogero V2]] or any firmware with prepatched lv1 (no syscon hash checks)
<!--//
downgrade and 3.41downgrader = manufacturing updating SUCCESS(0x8002f000) = YLOD http://mibpaste.com/WP3suB
downgrade and Rogero PUP = Bul-ray Disc Player Revoke done(0x8002f057) = YLOD http://mibpaste.com/oj8EL5
downgrade and Rogero NoBD PUP = manufacturing updating SUCCESS(0x8002f000) + autopower off = OK  http://mibpaste.com/sAguEj
//-->
====Different Factory Service Mode SELFs====
For factory Service Mode install:
* if using the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
* if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP
{|class="wikitable"
! Filename !! Size !! Remarks !! <code>SHA1</code> !! <code>MD5</code> !! <code>CRC32</code> !! <code>CRC16</code>
|-
| [http://www.multiupload.com/Y0Z8WNY009 Lv2diag.self&nbsp;(227.38&nbsp;KB)] || 232832 || jaicrab noBD patched || <code>180823003B086D9D49BC7F83BEA9C769BF73A5EA</code> || <code>3615770407C0C3FA00D8CA49C8ADB362</code> || <code>25E85CFB</code> || <code>EDD0</code>
|-
| [http://www.multiupload.com/V1YTTWGKH0 Lv2diag.self&nbsp;(365.5&nbsp;KB)] || 374272 || 3.55 get in FSM || <code>1ED037740D67FEBACA6449CABFF4E95400C9E2EE</code> || <code>099F33A7967F99E91C07E870FD78B3DB</code> || <code>9338ABF2</code> || <code>4FCC</code>
|-
| [http://www.multiupload.com/ZHJMPSMLYR Lv2diag.self&nbsp;(365.5&nbsp;KB)] || 374272 || 3.50- get in FSM || <code>1E770010A3A6EF572AF39783A04DF792670998D3</code> || <code>90168C03B217CE775A7839D87BBFF2A3</code> || <code>D1F0AAFC</code> || <code>CD8D</code>
|-
| [http://www.multiupload.com/VGQTFV56CO Lv2diag.self&nbsp;(201.42&nbsp;KB)] || 206256 || get out FSM || <code>329877CBD47B994EC0AFCEA6AF98114FD9E5128B</code> || <code>7A20BFDAE65EEFB47A4425DB1B52DCDE</code> || <code>72740080</code> || <code>502A</code>
|-
|}

Latest revision as of 00:18, 14 December 2011

http://pastebin.com/BqW46zjY : 

   Downgrade patches
      
   http://www.multiupload.com/JJ9U8RM8T1
      
   DIFF:
      
   -------------
   Patch core OS Hash check //product mode always on
      
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C1F40                                      41 9E 00 1C              Až..
      
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C1F40                                      60 00 00 00              `...
      
   -------------
   Patch check_revoke_list_hash check //product mode always on
      
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C2B50  41 9E 00 1C                                      Až..
      
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C2B50  60 00 00 00                                      `...
      
   -------------
   Patch In product mode erase standby bank skipped
      
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C6AD0                          41 9E 00 0C                      Až..
      
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   002C6AD0                          60 00 00 00                      `...
      
   -------------
      
   Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware


NAND Offsets[edit source]

1patchcos.bin[edit source]

CTRL-F : 00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0

CECHC-04/COK-002 MFW 3.15 (Euss): 

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
   000C0000  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... ....... 
   000C0010  00 00 00 00 00 E0 00 00 00 00 00 00 00 00 00 00  .....à..........
   000C0020  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   000C0030  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    
   007C0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   007C0010  00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0  .............oÿà
   007C0020  00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0  .............oÿà


here dump from CECHA-006/COK-001 found @ 0x000C0020 (ros0) and 0x007c0010 (ros1): 

   Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
          
   000C0020   00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 .............oÿà
   000C0030   00 00 00 01 00 00 00 18 00 00 00 00 00 6F FF E0 .............oÿà
   000C0040   00 00 00 00 00 00 04 90 00 00 00 00 00 04 00 00 ................
   000C0050   63 72 65 73 65 72 76 65 64 5F 30 00 00 00 00 00 creserved_0.....
   000C0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
   000C0070   00 00 00 00 00 04 04 90 00 00 00 00 00 00 00 08 ................
   000C0080   73 64 6B 5F 76 65 72 73 69 6F 6E 00 00 00 00 00 sdk_version.....
   000C0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
   000C00A0   00 00 00 00 00 04 05 00 00 00 00 00 00 01 E7 C8 ..............çÈ
   000C00B0   6C 76 31 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv1ldr..........
   000COOC0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
   000C00D0   00 00 00 00 00 05 ED 00 00 00 00 00 00 01 6F F0 ......í.......oð
   000C00E0   6C 76 32 6C 64 72 00 00 00 00 00 00 00 00 00 00 lv2ldr..........

2patchtrvk.bin[edit source]

Note: CTRL-F : not 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 but 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40

CECHC-04/COK-002 MFW 3.15 (Euss): 

  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
   00093800  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20  ....... ....... 
   00093810  00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00  ...... .........
   00093820  00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40  ...............@
   00093830  53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00  SCE.............
   00093840  00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40  ...............@


CECHA-06/COK-001 datas from offset 0x00093800: 

  Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     
  00093800   00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 ................
  00093810   00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 ................
  00093820   00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40 ...............@
  00093830   53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE.............
  00093840   00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 40 ...............@
  00093850   F6 93 38 8E C8 46 D5 FF 34 53 9D 12 91 7E C6 96 ö“8ŽÈFÕÿ4S..‘~Æ–


revoke package: for a 3.72 console it would be : 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60 http://pastie.org/3006911

revoke program: for a 3.72 console it would be : 00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 http://pastie.org/3006958

Example, copy ros1 to ros0 and overwrite (HxD):

  • goto edit
  • select block (CTRL-E) : start 7C0020 - length 6FFFE0
  • copy (CTRL-C)
  • goto (CTRL-G) : C0030
  • overwrite (CTRL-B)


Simplyfied V2 NAND downgrade[edit source]

Patches to use[edit source]

Target area Patchfile NAND Offset Paste length Remarks
ROS0 patch1 (7 MB) 0x0C0030 0x6FFFE0 CoreOS (prepatched 3.55)
ROS1 patch1 (7 MB) 0x7C0020 0x6FFFE0 CoreOS (SAME as ros0)
trvk_prg0 (0x91800)
trvk_prg1 (0x92810)
trvk_pkg (0x93800)		 patch2 (16 KB) 0x91800 0x4000 one big patch overlapping several revoke area's

PUP to use[edit source]

Rogero V2 or any firmware with prepatched lv1 (no syscon hash checks)

Different Factory Service Mode SELFs[edit source]

For factory Service Mode install:

  • if using the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
  • if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP
Filename Size Remarks SHA1 MD5 CRC32 CRC16
Lv2diag.self (227.38 KB) 232832 jaicrab noBD patched 180823003B086D9D49BC7F83BEA9C769BF73A5EA 3615770407C0C3FA00D8CA49C8ADB362 25E85CFB EDD0
Lv2diag.self (365.5 KB) 374272 3.55 get in FSM 1ED037740D67FEBACA6449CABFF4E95400C9E2EE 099F33A7967F99E91C07E870FD78B3DB 9338ABF2 4FCC
Lv2diag.self (365.5 KB) 374272 3.50- get in FSM 1E770010A3A6EF572AF39783A04DF792670998D3 90168C03B217CE775A7839D87BBFF2A3 D1F0AAFC CD8D
Lv2diag.self (201.42 KB) 206256 get out FSM 329877CBD47B994EC0AFCEA6AF98114FD9E5128B 7A20BFDAE65EEFB47A4425DB1B52DCDE 72740080 502A
Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=Talk:Downgrading_with_NAND_flasher&oldid=7497"