Why so important?

Whenever you want to mess with flash (NAND or NOR), you have to make sure you are getting 100% correct, valid, verified dumps.

When you don't, and for some reason(s) the dump is invalid/bad, and you are rewriting to flash, you have no way of restoring the console hence making a perma-brick (unrecoverable brick).

So what can we use to prevent that, and make sure our dumps are as proper as we can check?

Visual inspection

HxD - hexeditor

Open up the flashdump (make it unified first if it is still 2 seperate NAND dumps) with a hexeditor (e.g. HxD)
and compare what you see with the Flash page.

Statistical analysis

One neat option in HxD is the analysis option. Open dump file and select Statistics in the Analysis menu.

Valid dumps will have

Bytereversed

  00 00 00 00 AC 0F FF E0 00 00 00 00 AD DE EF BE  (HEX)   and   saceru_eoldare  (Text)
  instead of
  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  (HEX)   and   asecure_loader  (Text)

You can use either the bytereverse option in the the flasher application and redump, or bytereverse the current dump with Flowrebuilder.

Only zeroes

00 00 00 00 00 00 00 00 00 where data should've been

• Seems reading is a problem, mostly caused by bad wiring/clip seating -> check

patterned non zeroes / patterned non ff's

  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
  00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80   where zeroes should've been

  EF FF EF FF EF FF EF FF EF FF EF FF EF FF EF FF   where FF's should've been

• Seems reading is a problem, mostly caused by bad wiring/clip seating -> check
• Can also be caused by bad grounding, too low Vcc, interference or too long wires -> check

Repetitions

take 16 bytes of an offset that should be unique, e.g. the 0x10 offset which normaly has the DEADBEEF magic header :

  NOR: 0x0000010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  //  NAND: 0x040010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF

And find all instances in hexeditor
When it says found in 0x10 and 0x10010 you substract them (0x10010 - 0x10 = 0x10000)
So that means there is an error with setting 0x10000 (only one bit set!) low
because the programmer applies 0x10010 but the actual data on the address lines (received by the nor flash) is 0x10

Checking again with other unique 16 byte sequence

  617365637572655F6C6F616465720000 (asecure_loader in hex)

Same check, found at 0x420 and 0x10420 (0x10420-0x420 = 0x10000)

OK, you've found the pattern, now how do we deduct from that the faulty line?

address is 2 bytes. 0x10 in dump with hexeditor is in reality 0x8 on the address bus because we read 2 bytes at once
so the address is no longer 0x10000 but 0x8000
0x8000 (hexadecimal = base 16) = 1000 0000 0000 0000 (binary = base 2)
which means the 16th bit = 1, we start counting at A0, so the 16th is A15

conclusion : A15 is bad

Quick lookup table

Flowrebuilder

Flow Rebuilder

Links to versions

• FlowRebuilder v.4.2.1.1.exe (473.57 KB)
• FlowRebuilder v.4.2.0.1.exe (474.01 KB)
• FlowRebuilder v.4.1.3.2.exe (459.95 KB)
• FlowRebuilder v.4.1.0.0.exe (454.85 KB)

Flowrebuilder options

• (NAND only) Unscramble then interleave flashes into one unified dump : Makes a single dump.bin from 2 seperate NAND flash dumps.
  • In the second step it also extract the content of the unified dump. Make sure it extracts correctly (it will give no warning if it fails!) and all the needed files are there.
• (NAND only) Re-scramble modified dump then de-interleave it into two new flashes : Splits the single dump.bin into 2 seperate NAND flash dumps.
• Byte reverse and extract a NOR dump file : First byte reverse the single dump.bin then extract NOR content.
• Extract a Byte reversed NOR dump or an interleaved and unscrambled NAND dump : Extract the single dump.bin

Extracted flash content files

(make sure they are all there, flowrebuilder will not give warning when it fails!):

• bootloader_0
• bootloader_1
• cCSD
• cISD
• creserved_0
• cvtrm
• eEID
• trvk_pkg
• trvk_prg
• \asecure_loader\metldr
• \ros\[two seperate folders named to FW version]\CoreOS files (19 up to 25 files, depending the FW version)

Notes: if it only extracted bootloader_0 + bootloader_1, check that both NANDs are dumped correct (known error with flashers that has bug with second NAND channel to read),

From unified to seperate low/high NAND files

If for some reason you loose the original seperate low/high NAND files, you need donor files to regenerate them.

• NAND0-1.rar (209.83 MB)

extract and in Flowrebuilder select the option "Re-scramble a modified dump then de-interleave it into two new flashes"

• Select the NAND backup "Flash 0" (TOP) file : here drop the 1bkp.bin
• Select the NAND backup "Flash 0" (TOP) file : here drop the 2bkp.bin
• Select the Input NAND interleaved Modified file : here drop your unified flash .bin file

and click Execute Operation

This will result in making 2 new deinterleaved files you could use for reflashing (it is recommended to alway use your own deinterleaved sourcedumps, this method is only mentioned as last resort for people that lost their backups).

Online help

Upload your dump to a fileshare host (e.g. http://www.multiupload.com/) and join IRC ef.net in channel #ps3downgrade

Please use this method only after you first tried the above options first (so you have learned from it as well) :)