Software Dumping: Difference between revisions

From PS3 Developer wiki
m (Text replacement - "http://web.archive.org/web→‎/http://ps3devwiki.com/files" to "https://web.archive.org/web/: http://ps3devwiki.com/files")
 
(30 intermediate revisions by 4 users not shown)
Line 1: Line 1:
[[Category:Software]]
== Software dumping ==
== Software dumping ==


Line 13: Line 12:
  addi    %r12, %r4, 0x200 # r4 = start sector
  addi    %r12, %r4, 0x200 # r4 = start sector


256MB NAND consoles have a hidden section of size 0x40000 (0x200 * 512 byte sector = 0x40000) hidden by the hv. The hv hides it at address 002786E8
256MB NAND consoles have a hidden section of size 0x40000 (0x200 * 512 byte sector = 0x40000) hidden by the hv. The hv hides it at address 0x2786A0 (3.41) / 0x2786E8 (3.55) / 0x27B1B4 (4.21-4.46)


To be able to dump that section, it needs to be unmasked, using poke
To be able to dump that section, it needs to be unmasked, using poke
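Review bot: the new address line ("The hv hides it at address 0x2786A0 (3.41) / 0x2786E8 (3.55) / 0x27B1B4 (4.21-4.46)") lists three firmware-specific values without saying what they are addresses of; since the `addi %r12, %r4, 0x200` line directly above is the instruction whose immediate gets rewritten, state that these are the lv1 offsets of that instruction and that the value must match the running firmware, otherwise a reader cannot tell which of the three applies to their console.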
Line 24: Line 23:


==== Memdump ====
==== Memdump ====
<div style="float:right">[[File:Memdump-main 1280.png|200px|thumb|left|Memdump - main screen]]<br />[[File:Memdump-about 1280.png|200px|thumb|left|Memdump - about screen]]<br />[[File:Memdump-help 1280.png|200px|thumb|left|Memdump - help screen]]<br />[[File:Memdump-lv1 1280.png|200px|thumb|left|Memdump - lv1 screen]]<br />[[File:Memdump-lv2 1280.png|200px|thumb|left|Memdump - lv2 screen]]</div>
<div style="float:right">[[File:Memdump-lv1 1280.png|x300px|thumb|left|Memdump - lv1 screen]]</div>
PS3 memory dumping tool that can dump lv1, lv2, NAND/NOR Flash, and eEID from GameOS.
 
PS3 memory dumping tool that can dump lv1, lv2, NAND/NOR Flash, and eEID from GameOS (e.g. stored named with the detected firmware version as : lv1_dump_35500.bin [16 MB], lv2_dump_35500.bin [8MB], flash_stor_35500.bin [16MB if NOR] and flash_eEID_35500.bin [64 KB] respectively, plus a memdump_35500.log file, if tried it on a 3.55 compatible version).


Download:  
Download:  
* http://gitorious.ps3dev.net/memdump/memdump/trees/master
* http://gitorious.ps3dev.net/memdump/memdump/trees/master -> [[Gitorious]]
* http://www.ps3devwiki.com/files/devtools/dumpers/memdump_0.01-FINAL/
* https://web.archive.org/web/*/http://ps3devwiki.com/files/devtools/dumpers/memdump_0.01-FINAL/
* http://www.mirrorcreator.com/files/0GJIQJKJ/memdump_0.01-FINAL.rar_links
 
<gallery>
File:Memdump-main 1280.png|Memdump - main screen
File:Memdump-about 1280.png|Memdump - about screen
File:Memdump-help 1280.png|Memdump - help screen
File:Memdump-lv1 1280.png|Memdump - lv1 screen
File:Memdump-lv2 1280.png|Memdump - lv2 screen
</gallery>


===== Applicable firmwares =====
===== Applicable firmwares =====
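Review bot: the rewritten Memdump description packs the output file names into one parenthesis ("e.g. stored named with the detected firmware version as : ... if tried it on a 3.55 compatible version") and is hard to read; split it into a sentence stating that files are named with the detected firmware version, followed by the five outputs with their sizes (lv1_dump_35500.bin 16 MB, lv2_dump_35500.bin 8 MB, flash_stor_35500.bin 16 MB on NOR, flash_eEID_35500.bin 64 KB, memdump_35500.log). The flash_stor size for NAND consoles is not given; add it if known.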
Line 125: Line 134:
====== NAND patch method ======
====== NAND patch method ======
# Extract the dump ("EXTRACT a NOR dump or an interleaved and unscrambled NAND dump." with FlowRebuilder v.4.2.3.0 or higher - it will warn for missing bootldr)
# Extract the dump ("EXTRACT a NOR dump or an interleaved and unscrambled NAND dump." with FlowRebuilder v.4.2.3.0 or higher - it will warn for missing bootldr)
# Open dump with HxD
# Open dump with [http://mh-nexus.de/en/downloads.php?product=HxD HxD]
# Select Block (CTRL-E), start offset 0, end offset 3FFFF
# Select Block (CTRL-E), start offset 0, end offset 3FFFF, Copy (CTRL-C) that block
# New File (CTRL-N), and paste insert (CTRL-V)
# New File (CTRL-N), and paste insert (CTRL-V)
# Save as "bootldr"
# Save (CTRL-S) as "bootldr"
# Go back to your incomplete dump to the last offset
# Go back to your incomplete dump to the last offset (use scrollbar all the way down and left click on the last "FF" byte below the 0F header)
# Insert bytes 1040000, hex value 00 (full dump ends at 0xFFFFFFF , incomplete dump ends at 0xEFBFFFF, we thus need to add 0x1040000)
# Insert bytes (under "Edit" menu option) bytecount: 1040000, hex value 00 (full dump ends at 0xFFFFFFF , incomplete dump ends at 0xEFBFFFF, we thus need to add 0x1040000)
# Goto offset (CTRL-G) F000000
# Goto offset (CTRL-G) F000000
# Open previously saved "bootldr", select all (CTRL-A), Copy (CTRL-C)
# Open previously saved "bootldr", select all (CTRL-A), Copy (CTRL-C)
# Back to the incomplete dump on offset 0xF000000 paste write (CTRL-B) the bootldr in it
# Back to the incomplete dump on offset 0xF000000 paste write (CTRL-B) the bootldr in it
# Check filesize is still ending at 0xFFFFFFF
# Check filesize is still ending at 0xFFFFFFF (use scrollbar all the way down - on the left it will note 0FFFFFF0 below "Offset (h).)"
# Save file as "fixed.bin"  
# Save file (CTRL-S) as "fixed.bin" (or whatever you find easy to notice as a fixed/cleaned-up dump)
# The file "fixed.bin" will now no longer give warnings with FlowRebuilder v.4.2.3.0 or higher.
# That file "fixed.bin" will be 262144 KBytes (256 MBytes or 268.435.456 bytes) large (0FFFFFFF in hex). It will not give warnings with FlowRebuilder v.4.2.3.0 or higher like nonfixed one you started out with at step 1.


If thus complete and valid, it can be used with hardware flasher or software methods. If you need to debrick, downgrade etc. you will need to prepatch it or convert TargetID as needed.
If thus complete and valid, it can be used with hardware flasher or software methods. If you need to debrick, downgrade etc. you will need to prepatch it or convert TargetID as needed.
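Review bot: step 13's "262144 KBytes (256 MBytes or 268.435.456 bytes) large (0FFFFFFF in hex)" mixes a size with a last offset: 268,435,456 bytes is 0x10000000, while 0x0FFFFFFF is the last byte offset that step 11 already checks; write "last offset 0x0FFFFFFF" or "0x10000000 bytes". The arithmetic in step 7 is consistent with the rest of the hunk (0xFFFFFFF - 0xEFBFFFF = 0x1040000, and 0xEFC0000 + 0x40000 = 0xF000000, so the inserted zeros end exactly where the bootldr copy of step 10 starts), which is worth stating so readers can sanity-check their own dump size.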
Line 148: Line 157:
:# Dump LV2? select no (or yes, if you want it)
:# Dump LV2? select no (or yes, if you want it)
:# Dump flash? select YES.<br />If you do it 4 times, you'll be left with 4 .norbin files on your usb drive
:# Dump flash? select YES.<br />If you do it 4 times, you'll be left with 4 .norbin files on your usb drive
Note: MultiMAN NAND dumps are 239MB, see above section about fixing.


==== Glevand' dump_flash.pkg ====
==== Glevand' dump_flash.pkg ====
[http://ps3devwiki.com/files/flash/Tools/USB%20Flash%20Dump/ USB Flash Dump]<br />
[http://www.file-upload.net/download-8491280/dump_flash_v1.0.pkg.html dump_flash.pkg] / [http://psdevwiki.com/ps3/files/flash/Tools/USB%20Flash%20Dump/ USB Flash Dump]<br />
* NAND: Make sure USB stick is FAT32 with enough free space (256MB per dump) - ''bootldr missing because of masking''
* NAND: Make sure USB stick is FAT32 with enough free space (256MB per dump) - ''bootldr missing because of masking''
* NOR: Make sure USB stick is FAT32 with enough free space (16MB per dump)
* NOR: Make sure USB stick is FAT32 with enough free space (16MB per dump)
Line 167: Line 178:




{{Hardware Flashers}}
{{Hardware Flashers}}<noinclude>[[Category:Main]]</noinclude>
 
[[Category:Hardware Flashers]]

Latest revision as of 06:11, 17 April 2023

Software dumping

Masking by hypervisor on NAND consoles

software dumps: dump size = 239 MB (251,396,096 bytes)
bootldr not at 0x000000 on NAND :

00000000   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000010   00 00 00 00 0F AC E0 FF  00 00 00 00 DE AD BE EF   .....¬à ÿ....Þ­¾ï

reason:

addi    %r12, %r4, 0x200 # r4 = start sector

256MB NAND consoles have a hidden section of size 0x40000 (0x200 * 512 byte sector = 0x40000) hidden by the hv. The hv hides it at address 0x2786A0 (3.41) / 0x2786E8 (3.55) / 0x27B1B4 (4.21-4.46)

To be able to dump that section, it needs to be unmasked, using poke

Original code : 0x39840200f8010090
Change to : 0x39840000f8010090

Note: Memdump 0.1 does the unmasking on the fly when needed.
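To make the two hex values above concrete, here is an added example (not code from this page, Memdump, or any PS3 tool) that decodes them as PowerPC instructions. It assumes the standard PowerPC D-form/DS-form field layout (6-bit opcode, 5-bit RT/RS, 5-bit RA, 16-bit immediate) and the 512-byte sector size stated above; the function and constant names are this example's own. It shows that the poke changes only the immediate of the `addi`, i.e. the 0x200-sector skip that hides the 0x40000-byte region, and leaves the following `std` untouched.

```python
"""Decode the lv1 poke values quoted on the page as PowerPC instructions (constructed example)."""

ORIGINAL_CODE = 0x39840200F8010090   # "Original code" from the page
PATCHED_CODE = 0x39840000F8010090    # "Change to" from the page
SECTOR_SIZE = 512                    # byte sector size stated on the page

OPCODE_ADDI = 14   # D-form:  addi RT, RA, SI
OPCODE_STD = 62    # DS-form: std RS, DS(RA)  (low two bits of the word are the XO, 0 for std)


def split_words(code64):
    """A 64-bit poke value covers two consecutive 32-bit big-endian PowerPC instructions."""
    return [(code64 >> 32) & 0xFFFFFFFF, code64 & 0xFFFFFFFF]


def decode_fields(insn):
    """Split a 32-bit word into opcode, RT/RS, RA and the sign-extended 16-bit immediate."""
    imm = insn & 0xFFFF
    if imm & 0x8000:
        imm -= 0x10000   # sign-extend
    return {"opcode": insn >> 26, "rt": (insn >> 21) & 0x1F,
            "ra": (insn >> 16) & 0x1F, "imm": imm}


def disassemble(insn):
    """Minimal disassembler for the two opcodes that occur in the quoted code."""
    f = decode_fields(insn)
    if f["opcode"] == OPCODE_ADDI:
        return f"addi %r{f['rt']}, %r{f['ra']}, {f['imm']:#x}"
    if f["opcode"] == OPCODE_STD and (insn & 0x3) == 0:
        return f"std %r{f['rt']}, {f['imm'] & ~0x3:#x}(%r{f['ra']})"
    return f".long {insn:#010x}"


def masked_bytes(addi_insn):
    """Bytes skipped by the 'addi %r12, %r4, SI' sector offset: SI sectors * 512 bytes."""
    return decode_fields(addi_insn)["imm"] * SECTOR_SIZE


def changed_fields(original, patched):
    """Which instruction words, and which fields within them, differ between the two poke values."""
    diff = {}
    for i, (a, b) in enumerate(zip(split_words(original), split_words(patched))):
        fa, fb = decode_fields(a), decode_fields(b)
        changed = sorted(k for k in fa if fa[k] != fb[k])
        if changed:
            diff[i] = changed
    return diff


if __name__ == "__main__":
    for label, code in (("original", ORIGINAL_CODE), ("patched", PATCHED_CODE)):
        words = split_words(code)
        print(label, [disassemble(w) for w in words],
              "hidden bytes:", hex(masked_bytes(words[0])))
    print("fields changed by the poke:", changed_fields(ORIGINAL_CODE, PATCHED_CODE))
```

Running it prints `addi %r12, %r4, 0x200` / `std %r0, 0x90(%r1)` for the original and `addi %r12, %r4, 0x0` for the patched first word, with only the immediate of word 0 reported as changed; the hidden size comes out as 0x40000, matching the "0x200 * 512 byte sector" arithmetic above.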

Dump flash from GameOS

Memdump

Memdump - lv1 screen

PS3 memory dumping tool that can dump lv1, lv2, NAND/NOR flash and eEID from GameOS. Dumps are named with the detected firmware version; on a 3.55-compatible version, for example, you get lv1_dump_35500.bin (16 MB), lv2_dump_35500.bin (8 MB), flash_stor_35500.bin (16 MB if NOR) and flash_eEID_35500.bin (64 KB), plus a memdump_35500.log file.

Download:

Applicable firmwares

Memdump 0.01 FINAL:

FW     | Type       | lv1     | lv2     | Flash   | eEID    | Logs | Notes
<=2.60 | CEX/Retail | N/A     | N/A     | N/A     | N/A     |      | Not available as target version atm
<=2.60 | DEX/Debug  | N/A     | N/A     | N/A     | N/A     |      |
2.70   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
2.70   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
2.76   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
2.76   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
2.80   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
2.80   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
3.00   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
3.00   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
3.01   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
3.01   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
3.10   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
3.10   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
3.15   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
3.15   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
3.20   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
3.21   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
3.21   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
3.30   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
3.30   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
3.40   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
3.41   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
3.41   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
3.42   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
3.50   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
3.50   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
3.55   | CEX/Retail | Yes     | Yes     | Yes     | Yes     |      |
3.55   | DEX/Debug  | Yes     | Yes     | Yes     | Yes     |      |
3.56   | CEX/Retail | Pending | Pending | Pending | Pending |      |
3.56   | DEX/Debug  | Pending | Pending | Pending | Pending |      |
=>3.60 | CEX/Retail | N/A     | N/A     | N/A     | N/A     |      | Not available as target version atm
=>3.60 | DEX/Debug  | N/A     | N/A     | N/A     | N/A     |      |
Legend
  • NA: Not Available as target version (mostly because of missing lv1:mmap114 or lv2:peek/poke patches)
  • Yes: Fully supported
  • No: Not supported
  • Partial: Some functions work, others might not be complete
  • Pending: No reports yet (help out by sending in your logs and dumps in a ZIP/RAR/7z!)
Known bugs
  • buttons do not come back up after pressing -> to be fixed in v0.02 (button handler thread)
  • exiting the app leaves a black triangle on the right of the screen -> to be fixed in v0.02 (cleanup RSX buffer)
  • when free space is 0 bytes while dumping, the application will halt -> to be fixed in v0.02 (check free space first)
Current limitations
  • Needs mmap114 + peek/poke as minimal patches
  • Can be buggy with strange spoofs
  • No reports yet on Kiosk/SEX & Tool/DECR models
  • NAND only: the second bootldr at 0xF000000 - 0xF03FFFF (the last 256KB of flash) will be missing. Just copy-paste the first bootldr from 0x0000000 - 0x003FFFF (the first 256KB of flash); they are the same. Also, a console boots fine with only the first one.
NAND patch method
  1. Extract the dump ("EXTRACT a NOR dump or an interleaved and unscrambled NAND dump." with FlowRebuilder v.4.2.3.0 or higher; it will warn about the missing bootldr)
  2. Open the dump with HxD
  3. Select Block (CTRL-E), start offset 0, end offset 3FFFF, and copy (CTRL-C) that block
  4. New File (CTRL-N), and paste insert (CTRL-V)
  5. Save (CTRL-S) as "bootldr"
  6. Go back to your incomplete dump and to its last offset (scroll all the way down and left-click the last "FF" byte below the 0F header)
  7. Insert bytes (under the "Edit" menu): byte count 1040000, hex value 00 (the full dump ends at 0xFFFFFFF, the incomplete dump ends at 0xEFBFFFF, so 0x1040000 bytes must be added)
  8. Go to offset (CTRL-G) F000000
  9. Open the previously saved "bootldr", select all (CTRL-A), copy (CTRL-C)
  10. Back in the incomplete dump at offset 0xF000000, paste write (CTRL-B) the bootldr over the inserted zeros
  11. Check that the file still ends at 0xFFFFFFF (scroll all the way down; the left column shows 0FFFFFF0 below "Offset (h)")
  12. Save the file (CTRL-S) as "fixed.bin" (or any name that makes it easy to recognize as the fixed/cleaned-up dump)
  13. That file "fixed.bin" is now 262144 KBytes (256 MBytes or 268,435,456 bytes, last offset 0FFFFFFF in hex). It will no longer give warnings with FlowRebuilder v.4.2.3.0 or higher, unlike the unfixed dump you started with in step 1.

If the dump is thus complete and valid, it can be used with a hardware flasher or with software methods. If you need to debrick, downgrade etc., you will need to prepatch it or convert the TargetID as needed.
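The thirteen HxD steps above are easy to get subtly wrong (paste insert instead of paste write in step 10 grows the file past 0xFFFFFFF, and a hex editor never tells you whether the two bootldr copies really match). The following added example, which is not code from this page, FlowRebuilder or any PS3 tool, scripts the same procedure on a 239 MB dump: it checks the header bytes shown in the hex dump at the top of the page, pads the file with 0x1040000 zero bytes, writes the first 0x40000 bytes to 0xF000000, and then verifies the result the way step 11 does, plus the checks the editor will not do. Sizes and offsets are the page's; the function names, the header check and the `make_constructed_incomplete_dump` helper (which builds a sparse sample file for testing) are this example's own.

```python
"""Scripted NAND patch method for a masked 239 MB PS3 NAND software dump (constructed example)."""
import os
import shutil
import tempfile

INCOMPLETE_SIZE = 0x0EFC0000           # 239 MB (251,396,096 bytes); last byte at 0xEFBFFFF
FULL_SIZE = 0x10000000                 # 256 MB (268,435,456 bytes); last byte at 0xFFFFFFF
PADDING = FULL_SIZE - INCOMPLETE_SIZE  # 0x1040000 zero bytes to insert (step 7)
BOOTLDR_SIZE = 0x40000                 # 256 KB; first bootldr at 0x0000000-0x003FFFF
SECOND_BOOTLDR_OFFSET = 0x0F000000     # masked second copy at 0xF000000-0xF03FFFF
# Header bytes visible in the hex dump on the page: 0F AC E0 FF at 0x14, DE AD BE EF at 0x1C
NAND_MAGIC_OFFSET, NAND_MAGIC = 0x14, bytes.fromhex("0FACE0FF")
NAND_MARKER_OFFSET, NAND_MARKER = 0x1C, bytes.fromhex("DEADBEEF")


def read_at(path, offset, length):
    with open(path, "rb") as f:
        f.seek(offset)
        return f.read(length)


def looks_like_masked_nand_dump(path):
    """True if the file carries the NAND header bytes and has the truncated 239 MB size."""
    return (os.path.getsize(path) == INCOMPLETE_SIZE
            and read_at(path, NAND_MAGIC_OFFSET, 4) == NAND_MAGIC
            and read_at(path, NAND_MARKER_OFFSET, 4) == NAND_MARKER)


def fix_nand_dump(path, out_path=None):
    """Steps 3-10: pad to 256 MB and copy the first bootldr to 0xF000000. Returns the new size."""
    if out_path is not None:            # step 12: work on a copy, keep the original dump
        shutil.copyfile(path, out_path)
        path = out_path
    size = os.path.getsize(path)
    if size == FULL_SIZE:
        return size                     # already complete, nothing to do
    if size != INCOMPLETE_SIZE:
        raise ValueError(f"unexpected dump size {size:#x}; expected {INCOMPLETE_SIZE:#x}")
    with open(path, "r+b") as f:
        bootldr = f.read(BOOTLDR_SIZE)  # step 3: the first 0x40000 bytes
        f.truncate(FULL_SIZE)           # step 7: extends the file with 0x1040000 zero bytes
        f.seek(SECOND_BOOTLDR_OFFSET)   # step 8
        f.write(bootldr)                # step 10: overwrite in place (paste write, not insert)
    return os.path.getsize(path)


def verify_fixed_dump(path):
    """Step 11 plus what the editor cannot tell you: identical bootldr copies and an all-zero gap."""
    if os.path.getsize(path) != FULL_SIZE:
        return False
    first = read_at(path, 0, BOOTLDR_SIZE)
    second = read_at(path, SECOND_BOOTLDR_OFFSET, BOOTLDR_SIZE)
    gap = read_at(path, INCOMPLETE_SIZE, SECOND_BOOTLDR_OFFSET - INCOMPLETE_SIZE)
    tail_start = SECOND_BOOTLDR_OFFSET + BOOTLDR_SIZE
    tail = read_at(path, tail_start, FULL_SIZE - tail_start)
    return (first == second
            and first[NAND_MAGIC_OFFSET:NAND_MAGIC_OFFSET + 4] == NAND_MAGIC
            and gap == bytes(len(gap)) and tail == bytes(len(tail)))


def make_constructed_incomplete_dump(path=None):
    """Write a sparse 239 MB sample with the page's header bytes (constructed test input, not a real dump)."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "nand_239mb.bin")
    with open(path, "wb") as f:
        f.write(bytes(NAND_MAGIC_OFFSET) + NAND_MAGIC + bytes(4) + NAND_MARKER)
        f.write(b"\xAB" * 16)           # constructed non-zero bootldr content so the copy check means something
        f.truncate(INCOMPLETE_SIZE)     # the rest is sparse zeros
    return path


if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else make_constructed_incomplete_dump()
    dst = sys.argv[2] if len(sys.argv) > 2 else None
    print("masked NAND dump:", looks_like_masked_nand_dump(src))
    print("size after fix:", hex(fix_nand_dump(src, dst)), "verified:", verify_fixed_dump(dst or src))
```

Usage is `python fix_nand_dump.py <239MB dump> fixed.bin`; with no arguments it fabricates a sparse sample and fixes that. `truncate()` is used for the padding because extending a file with zeros is exactly what HxD's "insert bytes, hex value 00" does, without having to hold 256 MB in memory.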

MultiMAN

mmOS->Select any file->Open in HEX viewer->[SELECT]->[START]->DUMP LV2(NO)->DUMP LV1(NO)->DUMP FLASH(YES)  :

  • navigate to mmOS (start + select)
  • open the file browser, press O on any file, then select "open with hex editor"
  • press SELECT to open the LV2 view, then press START to dump. You will be asked 3 questions:
  1. Dump LV1? select no (or yes, if you want it)
  2. Dump LV2? select no (or yes, if you want it)
  3. Dump flash? select YES.
    If you do it 4 times, you'll be left with 4 .norbin files on your USB drive

Note: MultiMAN NAND dumps are 239MB; see the section above about fixing them.

Glevand's dump_flash.pkg

dump_flash.pkg / USB Flash Dump

  • NAND: Make sure the USB stick is FAT32 with enough free space (256MB per dump) - the bootldr will be missing because of masking
  • NOR: Make sure the USB stick is FAT32 with enough free space (16MB per dump)

Dumping flash from Linux

NAND

dd if=/dev/ps3flash of=NAND.BIN bs=1024

or

dd if=/dev/ps3vflasha of=NAND.BIN bs=1024

(needs unmasking, otherwise the bootldr is missing)

NOR

dd if=/dev/ps3nflasha of=NOR.BIN bs=1024