Downgrading with Hardware flasher: Difference between revisions
mNo edit summary |
|||
| Line 73: | Line 73: | ||
==Reinstall firmware in Factory Service Mode== | ==Reinstall firmware in Factory Service Mode== | ||
Use the PSGrade dongle to trigger Factory Service Mode (in the rightmost USB port). | |||
See also [[Downgrading with PSgrade Dongle]], which also contains alot of ready to use PSgrade HEX files for several dongles. | See also [[Downgrading with PSgrade Dongle]], which also contains alot of ready to use PSgrade HEX files for several dongles. | ||
Revision as of 07:14, 16 December 2011
Dump
Connect your Hardware flashing device and make sure you are getting 100% correct, valid, verified dumps.
Checking console capability of running 3.55
Compare the values found in your dump with those in the table below
metldr+bootldr sizes
| Datecode / Manufacturing date | metldr offset | bootldr offset | Notes | ||
|---|---|---|---|---|---|
| 0x81E (NOR) 0x4081E (NAND) |
0x842 (NOR) 0x40842 (NAND) |
0xFC0002 (NOR) 0x0 (NAND) |
0xFC0012 (NOR) 0x12 (NAND) | ||
| EE 10 | 0E DD | 2A 3F | 2A 3F | OK | |
| E8 90 | 0E 85 | 2F 13 | 2F 13 | OK | |
| E8 D0 | 0E 89 | 2E AB | 2E AB | OK | |
| CECHH (DIA-001) | E8 E0 | 0E 8A | 2E F4 | 2E F4 | OK |
| CECH-2504B (JTP-001) with 3.40 from factory - datecode 0C | E9 20 | 0E 8E | 2F 4B | 2F 4B | OK |
| CECH-250.B (JTP-001) with 3.56 from factory - datecode 1A | E9 60 | 0E 92 | 2F 53 | 2F 53 | OK |
| CECH2504A (JTP-001) with 3.56 from factory - datecode 1B | E9 60 | 0E 92 | 2F 5B | 2F 5B | (RLOD+)poweroff @ downgrade 355 |
| CECHJ (DIA-002) | EA 60 | 0E A2 | 2E E3 | 2E E3 | OK |
| CECHC (COK-002) with 1.00 from factory | EB F0 | 0E BB | 30 44 | 30 44 | OK |
| CECH2504B (JSD-001), with 3.60 from factory - datecode 1B CECH3012A (KTE-001), with 3.65 from factory - datecode [N.A.] |
F9 20 | 0F 8E | 2F FB | 2F FB | "metldr.2" (RLOD+)poweroff @ downgrade 355 |
Patch the dump & Reflash it to the console
You can use Hexeditor for patching (e.g. HxD).
NAND
Use NAND patches only on NAND consoles, not on NOR!
| Target area | Patchfile | NAND Offset | Paste length | Remarks |
|---|---|---|---|---|
| ROS0 | patch1 (7 MB) | 0x0C0030 | 0x6FFFE0 | CoreOS (prepatched 3.55) |
| ROS1 | patch1 (7 MB) | 0x7C0020 | 0x6FFFE0 | CoreOS (SAME as ros0) |
| trvk_prg0 (0x91800) trvk_prg1 (0x92810) trvk_pkg (0x93800) |
patch2 (16 KB) | 0x91800 | 0x4000 | one big patch overlapping several revoke area's |
NOR
Use NOR patches only on NOR consoles, not on NAND!
| Target area | Patchfile | NOR Offset | Paste length | Remarks |
|---|---|---|---|---|
| ROS0 | patch1 (7 MB) | 0x0C0010 | 0x6FFFE0 | CoreOS (prepatched 3.55) |
| ROS1 | patch1 (7 MB) | 0x7C0010 | 0x6FFFE0 | CoreOS (SAME as ros0) |
| trvk_prg0 (0x40000) trvk_prg1 (0x60000) trvk_pkg0 (0x80000) trvk_pkg1 (0xA0000) |
rvk-040000 (512 KB) | 0x40000 | 0x80000 | one big patch overlapping several revoke area's |
Reinstall firmware in Factory Service Mode
Use the PSGrade dongle to trigger Factory Service Mode (in the rightmost USB port).
See also Downgrading with PSgrade Dongle, which also contains alot of ready to use PSgrade HEX files for several dongles.
PUP to use
Rogero V2 or any firmware with prepatched lv1 (no syscon hash checks)
Different Factory Service Mode SELFs
For factory Service Mode install:
- if using the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
- if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP
| Filename | Size | Remarks | SHA1 |
MD5 |
CRC32 |
CRC16
|
|---|---|---|---|---|---|---|
| Lv2diag.self (227.38 KB) | 232832 | jaicrab noBD patched | 180823003B086D9D49BC7F83BEA9C769BF73A5EA |
3615770407C0C3FA00D8CA49C8ADB362 |
25E85CFB |
EDD0
|
| Lv2diag.self (365.5 KB) | 374272 | 3.55 get in FSM | 1ED037740D67FEBACA6449CABFF4E95400C9E2EE |
099F33A7967F99E91C07E870FD78B3DB |
9338ABF2 |
4FCC
|
Check the logfile
After installation of the firmware, take the created logfile in root of USB Mass Storage Device and look if it contains errors (pastie the log if you want to ask for help online on IRC)
Getting out of Factory Service Mode
If everything went fine without errors, you can take the console out of service mode and enjoy your downgraded console :)
| Filename | Size | Remarks | SHA1 |
MD5 |
CRC32 |
CRC16
|
|---|---|---|---|---|---|---|
| Lv2diag.self (201.42 KB) | 206256 | get out FSM | 329877CBD47B994EC0AFCEA6AF98114FD9E5128B |
7A20BFDAE65EEFB47A4425DB1B52DCDE |
72740080 |
502A
|