Talk:Patches: Difference between revisions

From PS3 Developer wiki
m (Text replacement - "http://web.archive.org/web/*/http://ps3devwiki.com/files" to "https://web.archive.org/web/*/http://ps3devwiki.com/files")
 
(65 intermediate revisions by 11 users not shown)

Latest revision as of 06:14, 17 April 2023

Patches Sandbox

There is a wiki page for patch tests that is not indexed by the wiki search engine; it is reachable through the link below, and feel free to use it for any experiments:

See: patches sandbox (http://www.psdevwiki.com/ps3/Patches/sandbox)

Shop firmware on Retail console

<patote> i used the same shop.tcl : http://pastie.org/1979531 :

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#
    
# Priority: 2300
# Description: Patch firmware for installation shop/promo unit

# Option --patch-promo-flags: Patch promo_flags file
# Option --patch-update-flags: Patch update_flags file
# Option --patch-version: Append string to build version

# Type --patch-promo-flags: boolean
# Type --patch-update-flags: boolean
# Type --patch-version: string 
    
namespace eval ::patch_shop {

    array set ::patch_shop::options {
        --patch-promo-flags true
        --patch-update-flags true
        --patch-version "Promotional-to-Retail"
    }

    proc main {} {
        if {$::patch_shop::options(--patch-promo-flags)} {
          debug "Patching [file tail $::CUSTOM_PROMO_FLAGS_TXT]"

        }
        if {$::patch_shop::options(--patch-update-flags)} {
          debug "Patching [file tail $::CUSTOM_UPDATE_FLAGS_TXT]"
          set fd [open $::CUSTOM_UPDATE_FLAGS_TXT w]
          puts -nonewline $fd "0000"
          close $fd
        }
        if {$::patch_shop::options(--patch-version) != ""} {
          append ::options(--build-suffix) "($::patch_shop::options(--patch-version))"
        }
    }
}

patote successfully installed the resulting 3.55 PUP on a Retail console. The console is in locked mode after installation of the firmware.

 patote	8294 does nothing
 patote	0168 does nothing
 patote	5138 does nothing
 patote	1739 worked fine
 patote	or not ; it didnt said wrong password ; but all is still locked
 patote	2297 nothing
 patote	the code is................. 0000
 patote	and now the install package files and app_home are back in game menu
 patote	ohhh ; and in system too ; all the way down
 patote	if you go to security settings and do l1+r1+select+square it goes back to demo without turn the unit off
 patote	thats system settings install packages option only does blind installations
 patote	you cant browse the thumbdrive ; it just starts installing all the pkgs in the drive
 patote	it works ; but fails in geohot signed ones ; the regular ones installs without problems
 patote	theres another extra option
 patote	automatic update
 patote	"sets wheter to update the system software automatically via internet when the ps3 system is turned on"




FSELF patch appldr

MFW does not seem to have (proper) support for fselfs.

Mathieulh	why do all those emu devs actually use geohot's tool on their selfs, I wonder xD
Mathieulh	the proper format to use is fself
Mathieulh	there are existing patches for fself on 3.41
Mathieulh	but those guys who make those so called cfw didn't port many patches at all
Mathieulh	if not any
Mathieulh	and the memory patcher one for fself isn't there
eussNL	ehm, including MFW Mathieulh ?
Mathieulh	you should just patch appldr
Mathieulh	and make the function that detects the model return true for debug
Mathieulh	and you get native fself + edata
Mathieulh	it's an easy patch
Mathieulh	you can also patch the sign check along with it
Mathieulh	4 bytes to patch
eussNL	I dont see a mention of appldr patch in MFW or I am overlooking it
Mathieulh	yeah MFW doesn't do that
Mathieulh	but there is a lv2 patch for fself too
Mathieulh	(memory patcher)
Mathieulh	at least in 3.41 there is
Mathieulh	it's in psgroove
Mathieulh	but it doesn't work for compressed fself
Mathieulh	it's better to patch appldr
Mathieulh	besides I use compressed fself on all my shit now xD
Mathieulh	saves some room :P
Mathieulh	people should just use fself anyway
Mathieulh	that way you don't need to sign or encrypt
Mathieulh	and it's future proof
Mathieulh	the geohot signed shit doesn't work with 3.56+ cause of the whitelistù
Mathieulh	so you have to patch the whitelist check in the ldr to get them to run
eussNL	some people are having trouble with ps3load/ps3loadx with launching it fselfs on CFWs
eussNL	and with makeself for the same reason I suppose
irssi_	devs won't support it if the CFW doesn't run it
Mathieulh	if the cfw doesn't run fself, it's not complete
Mathieulh	at least not to me
Mathieulh	all my personal cfw all run fself natively
eussNL	hmmm, seems a thing to add to MFW then... appldr patch for fselfs - if it isnt working now


The 4-byte patch he speaks of is:
< 00001360 40 80 0e 0c 20 00 57 83 32 00 04 80 32 80 80 8e |@... .W.2...2...|
---
> 00001360 40 80 0e 0c 20 00 57 83 32 11 73 00 32 80 80 8e |@... .W.2.s.2...|


Experimental

Patch Appldr task

patch_appldr.tcl

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#

# Priority: 300
# Description: Patch Appldr

# Option --patch-appldr-fself: Patch Appldr to allow Fself (set debug true)

# Type --patch-appldr-fself: boolean

namespace eval ::patch_appldr {

    array set ::patch_appldr::options {
        --patch-appldr-fself true
    }

    proc main { } {
        set self "appldr"

        ::modify_coreos_file $self ::patch_appldr::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_appldr::options(--patch-appldr-fself)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_appldr::patch_elf
        }
    }

    proc patch_elf {elf} {
        if {$::patch_appldr::options(--patch-appldr-fself)} {
            log "Patching Appldr to allow Fself"

            # 15-byte context around the 4-byte patch shown above:
            # 32 00 04 80 -> 32 11 73 00, starting 8 bytes into the pattern.
            set search  "\x40\x80\x0e\x0c\x20\x00\x57\x83\x32\x00\x04\x80\x32\x80\x80"
            set replace "\x40\x80\x0e\x0c\x20\x00\x57\x83\x32\x11\x73\x00\x32\x80\x80"

            # ::patch_elf writes $replace at (match offset + the given offset).
            # $replace covers the whole pattern, so the offset is 0; an offset
            # of 7 would write the 15 bytes 7 bytes into the match and corrupt it.
            catch_die {::patch_elf $elf $search 0 $replace} \
                "Unable to patch self [file tail $elf]"
        }
    }
}

Errorlog

Patching Appldr to allow Fself
Executing command ::patch_elf $elf $search 7 $replace
offset: 4967
Rebuilding self file appldr.self
Executing command makeself $in $out $original
Executing shell self_rebuilder {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr.elf} {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr.self} {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr}
FATAL ERROR: Could not rebuild file appldr.self : child process exited abnormally
See Temp/PS3MFW/ps3mfw.log for more info
Last lines of log : 
*****************
  auth id:        1ff000000c000001 
  vendor id:      00000000ff000000
  app version:    3.55.0
  version suffix: 355 
  SDK type:       Retail (Type 0)
  app type:       secure loader
  file suffix:    355 (rev 0x0a)
  key file:   ps3keys\/ldr-key-355 (ERROR)
key_get failed
FATAL ERROR: Could not rebuild file appldr.self : child process exited abnormally
Error running script: Could not rebuild file appldr.self : child process exited abnormally

Available ldr keys in ps3keys: ldr-pub-retail, ldr-priv-retail, ldr-key-retail, ldr-iv-retail, ldr-ctype-retail

Just add those keys to the ps3keys folder to make the task work (ps3keys in RAR sfx, 107.37 KB).

Offsets

3.55: offset 4967
3.50: offset 3459
3.42: offset 3395
3.41: offset 3395
3.40: offset 3395
3.30 or lower, with the search pattern from the task: FATAL ERROR: Unable to patch self appldr.elf : Could not find pattern to patch. These versions match the pattern below instead:
3.30: offset 2299, pattern "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80"
3.21: offset 3064, pattern "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80"
3.20 DEBUG: offset 3064, pattern "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80"
3.15: offset 3071, pattern "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80"
3.10: offset 3071, pattern "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80"

Conclusion / Status

Although it is possible to add as a task, it is not recommended in general. There is brick risk (on 3.55 reported blackscreen brick -> seems to be related to self_rebuilder bug).

  <mall0ry> eussNL, that appldr fself patch is risky because it is patching a branch target

JFW MA-1 3.56 "bad idea"

http://www.multiupload.com/WO4UYJIJ6T

  SHA1: 9FDC74F0BB4244EF37DEFD20E7CF9E5B08BD4DD3  MD5: EFE066E4836393C8BF60A5CC6804DDC3  CRC32: 735B21DC  CRC16: 4766  HMAC_SHA1: 1D4382A5EB811859192DF75BB3284E284EF70601

Patches (compared to OFW 3.56): http://pastie.org/private/z0evad6frsdlbntk2suqa
Shortlist of changed files:

  • lv1ldr
  • lv1.self
  • lv2ldr
  • lv2_kernel.self
  • appldr
  • nas_plugin.sprx
  • vsh.self
  • explore_category_game.sprx
  • explore_plugin.sprx

Request for anyone that installed this FW: lv1 and lv2 dump (can be done e.g. with glevand's PKGs).

JFW-DH added custom keys

lv1-iv:    148E7A251EC03A2FA88EFCC13D882D4B
lv1-key:   962E952E25236322FE415F6EAC9DEC6BB2AD93CA1FE6B4B82C9A21510BE4B76D
lv1-pub:   625D1DF4C3264BBA9FC17A4437BA42591585A5ECCC6F3042DB3A80CBBC0426DAF33549C537AA7782
lv2-iv:    7E90800265795153BAB81C5E74623639
lv2-key:   0829876E2B9BAB777F5710DABB9AFC86510FA598AC98056DCD4F7A17E68CC479
lv2-pub:   625D1DF4C3264BBA9FC17A4437BA42591585A5ECCC6F3042DB3A80CBBC0426DAF33549C537AA7782
app-iv:    20CF5F16EC9ABBD5ECEE9A957B4CD543
app-key:   6DEC0F32E7403B6302122678A8DB1B41EEAB9A8449CFBD241C7FEAFEFD609094
app-pub:   71F46AC33FF89DF589A100A7FB64CEAC244C9A0CBBC1FDCE80FB4BF8A0D2E66293309CB8EE8CFA95
app-priv:  0010818ED8A666051C6198662C3D6DDE2CA4901DDC
app-ctype: 0x12

Preloader Advance : Another bad idea?

http://jaicrab.blogspot.com/2011/12/ps3-preloader-advance.html

Backuprflash.bin

As usual, the NAND dumps are missing parts because lv1 masks the first section:

NAND: missing bootldr at offset 0x0 and 0xF000000

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000010  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  .....¬àÿ....Þ­¾ï
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 00  ..............v.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0F000000  8C A5 FA 66 E4 E1 F4 05 ED 79 5B 90 2D 1B FE C6  Œ¥úfäáô.íy[.-.þÆ
0F000010  23 C8 CD 66 8D 6C F4 76 21 E3 D7 FD 9C 2D FA 37  #ÈÍf.lôv!ã×ýœ-ú7
0F000020  21 3C C7 74 D9 57 B1 AA 97 74 4F F6 0E 73 B6 79  !<ÇtÙW±ª—tOö.s¶y

NAND: missing any bootldr header

00 00 2A 3F 
00 00 2A 2A 
00 00 30 44 
00 00 2A 37 
00 00 2E 8C 
00 00 2F 1C 
00 00 2E F4 
00 00 2E E3 
00 00 2E AB 
00 00 2E B3 
00 00 2F 13 
00 00 2F 3B 
00 00 2F 4B 
00 00 2F 53 
00 00 2F 5B 
00 00 2F FB  

NOR: missing second region at offset 0xF00000

On NOR dumps, the second region is missing:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00F00000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F00010  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F00020  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
  ....
00F1FFF0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00F20000  43 45 4C 4C 5F 45 58 54 4E 4F 52 5F 41 52 45 41  CELL_EXTNOR_AREA

Conclusion

Not suitable as a debrick dump with a hardware flasher.

Option:
  NAND: use a flasher with the option to start writing at offset 0x40000 (where Backuprflash.bin 0x0 begins) and thus skip overwriting the first bootldr section.
  NOR: use the flasher to stop writing after offset 0xEFFFFF.
NAND - Partial extraction:
  1. Add 0x40000 of 00 bytes at offset 0x0.
  2. After that, use flowrebuilder to extract part of the data inside the dump (missing bootldr!):
     asecure_loader\metldr
     ros\[versionstring-ROS0 $]\[coreosfiles $]
     ros\[versionstring-ROS1 $]\[coreosfiles $]
     cCSD
     cISD
     creserved_0
     cvtrm
     eEID
     trvk_pkg
     trvk_prg
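The two gaps described above (masked bootldr in NAND dumps, blanked second region in NOR dumps) and the NAND padding step, as an added Python check that is not part of the wiki page or of any flasher or flowrebuilder tool; the header bytes and offsets are the ones quoted above, the function names and the synthetic dumps are this example's own.

```python
"""Check a PS3 flash dump for the two gaps described above before flashing it.

Added example, not part of the wiki page or of any flasher/flowrebuilder tool.
It encodes the page's observations: a lv1-made NAND dump (Backuprflash.bin)
starts at the flash header, i.e. at real NAND offset 0x40000, with the bootldr
missing in front of it; a NOR dump has the second region 0xF00000-0xF1FFFF
blanked to 0xFF right before the CELL_EXTNOR_AREA marker at 0xF20000. Header
bytes and region offsets are those quoted on the page; the synthetic dump in
main() is constructed for the demo.
"""
import sys

# First 0x20 bytes of the masked NAND dump quoted on the page (flash header).
FLASH_HEADER = bytes(0x14) + bytes.fromhex("0FACE0FF") + bytes(4) + bytes.fromhex("DEADBEEF")
NAND_BOOTLDR_LEN = 0x40000      # real NAND bytes missing in front of Backuprflash.bin
NOR_SECOND_REGION = 0xF00000    # first offset that must not be written from the dump
NOR_EXTNOR_AREA = 0xF20000      # offset of the marker that follows the blank region
EXTNOR_MARKER = b"CELL_EXTNOR_AREA"


def nand_bootldr_missing(dump: bytes) -> bool:
    """True when the dump starts with the flash header instead of the bootldr,
    which is what lv1 masking of the first section produces."""
    return dump[:len(FLASH_HEADER)] == FLASH_HEADER


def pad_nand_dump(dump: bytes) -> bytes:
    """Partial-extraction step 1: prepend 0x40000 zero bytes so every offset
    lines up with the real NAND layout. The bootldr is still absent, so the
    result is input for flowrebuilder, not something to write to the chip."""
    if not nand_bootldr_missing(dump):
        raise ValueError("no flash header at offset 0: not a lv1-masked NAND dump")
    return bytes(NAND_BOOTLDR_LEN) + dump


def nor_second_region_missing(dump: bytes) -> bool:
    """True when 0xF00000-0xF1FFFF is all 0xFF and CELL_EXTNOR_AREA follows."""
    if len(dump) < NOR_EXTNOR_AREA + len(EXTNOR_MARKER):
        return False
    region = dump[NOR_SECOND_REGION:NOR_EXTNOR_AREA]
    marker = dump[NOR_EXTNOR_AREA:NOR_EXTNOR_AREA + len(EXTNOR_MARKER)]
    return region.count(0xFF) == len(region) and marker == EXTNOR_MARKER


def nor_writable_part(dump: bytes) -> bytes:
    """The page's NOR option: stop writing after 0xEFFFFF, so keep 0x0-0xEFFFFF."""
    return dump[:NOR_SECOND_REGION]


def report(dump: bytes) -> list:
    """Human-readable findings; an empty list means neither gap was detected."""
    findings = []
    if nand_bootldr_missing(dump):
        findings.append("NAND: bootldr missing, dump offset 0x0 is real offset 0x40000; "
                        "flash from 0x40000 or pad with 0x40000 zero bytes first")
    if nor_second_region_missing(dump):
        findings.append("NOR: second region at 0xF00000 is blank; write only up to 0xEFFFFF")
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            dump = f.read()
    else:
        # Constructed demo NOR dump: zeros everywhere, blank second region, marker.
        dump = bytearray(0x1000000)
        dump[NOR_SECOND_REGION:NOR_EXTNOR_AREA] = b"\xff" * (NOR_EXTNOR_AREA - NOR_SECOND_REGION)
        dump[NOR_EXTNOR_AREA:NOR_EXTNOR_AREA + len(EXTNOR_MARKER)] = EXTNOR_MARKER
        dump = bytes(dump)
    for line in report(dump) or ["no masked region detected"]:
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```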

OtherOS patches

3.55 LV1 patches

http://pastie.org/private/zvohgrd80htu7s47zqu0yg

3.55 LV2 patches

http://pastie.org/private/qrirgh0qjsoo4acbuiag

3.15 LV1 patches

http://pastie.org/private/imxnatxezislsxjmsci6gg (including 'in hvdump' offsets)

dexl0ve

dexl0ve lv2_kernel

http://pastie.org/private/zbhkmnldresx3cdxfufqkg


Rebug spoofer

Index.dat and Version.txt used to spoof firmware (the .dat always uses a static key, so no resigning is needed)

vsh.self patches: http://pastie.org/3495642 (CEX 3.55 OFW vs Rebug Spoofer 4.00)

PSN enabled spoofer

vsh.self patches: http://pastie.org/private/94i2skcva5qvkypdtx4g6w (CEX 3.55 OFW vs Rebug Spoofer 4.11)

PSoN!/PS3ITA rebug based variant

http://www.ps3hax.net/showthread.php?t=39462
vsh.self patches: http://pastie.org/private/lugpsiiaww1upltdlebr5w (CEX 3.55 OFW vs PS3ITA and Rebug Spoofer 4.11)

PS2 on non BC enabler

game_ext_plugin
 set search  "\x88\x1f\x00\x06\x3b\x80\x00\x01"
 set replace "\x88\x1f\x00\x02\x3b\x80\x00\x01"
    
sysconf_plugin
 set search  "\x88\x1c\x00\x06\x54\x00\x07\xfe"
 set replace "\x88\x1c\x00\x02\x54\x00\x07\xfe"

premo_game_plugin
 set search  "\x41\x9e\x00\x4c\xe8\x01\x00\xa0\x38\x60\x00\x00"
 set replace "\x41\x9e\x00\x4c\xe8\x01\x00\xa0\x38\x60\x00\x01"

premo_plugin
 set search  "\x41\x9e\x00\x4c\xe8\x01\x00\xa0\x38\x60\x00\x00"
 set replace "\x41\x9e\x00\x4c\xe8\x01\x00\xa0\x38\x60\x00\x01"

http://pastie.org/4392598

appldr 3.55 add 3.56/3.60 keys

As used in mfw\tasks\add_360keys_to_appldr355.tcl and Rogero V3.5

appldr.elf 3.55 patches : http://pastie.org/4458799


Install Packages on 4.xx

REBUG style IPF patches for CEX/LITE

explore_plugin.sprx

http://www.mediafire.com/convkey/e04d/2iar0so3dszczxfzg.jpg

Example: 4.75/4.76
Search  4817487D 5460073E3C800025
Replace 38600001 5460073E3C800025
Search  4807464D 5460073E7FA4EB78
Replace 38600001 5460073E7FA4EB78

Note: this doesn't require an extra patch on explore_category_game. If you use this file from DEX FW, you won't need this patch as it's enabled by default. Reversed by Cyberskunk.

Install Packages on 4.3x

explore_category_game.prx

set search  "\xF8\x21\xFE\xD1\x7C\x08\x02\xA6\xFB\x81\x01\x10\x3B\x81\x00\x70"
set replace "\x38\x60\x00\x01\x4E\x80\x00\x20\xFB\x81\x01\x10\x3B\x81\x00\x70"

explore_plugin.sprx

set search  "\xF8\x21\xFE\xD1\x7C\x08\x02\xA6\xFB\x81\x01\x10\x3B\x81\x00\x70"
set replace "\x38\x60\x00\x01\x4E\x80\x00\x20\xFB\x81\x01\x10\x3B\x81\x00\x70"
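To see what the search/replace pairs in this section, in the 4.xx section and in the PS2-on-non-BC section actually change, here is an added Python decoder for the PowerPC instruction forms those patches use (example code, not from the wiki page or any CFW/MFW tooling; the patch bytes are copied from the page, the decoder and its names are this example's own). It shows, for instance, that the 4.3x pair swaps the function prologue stdu/mflr for li r3,1 / blr so the patched function returns 1 immediately.

```python
"""Decode the PowerPC search/replace pairs on this page (PS2-on-non-BC enabler,
Install Packages on 4.xx and 4.3x) so the effect of each patch is visible
before it is applied. Added example, not part of the wiki page or of any
CFW/MFW tooling; it handles only the instruction forms those patches use.
The patch bytes in PAGE_PATCHES are copied from the page; everything else is
this example's own code."""
import struct


def _sext(v, bits):
    """Sign-extend the low `bits` bits of v."""
    return v - (1 << bits) if v & (1 << (bits - 1)) else v


def _imm(v):
    """Small immediates decimal, larger ones hex, sign preserved."""
    if -10 < v < 10:
        return str(v)
    return ("-0x%x" % -v) if v < 0 else ("0x%x" % v)


def disasm(w):
    """Mnemonic for one 32-bit big-endian PowerPC instruction word."""
    op = w >> 26
    rd, ra, rb = (w >> 21) & 31, (w >> 16) & 31, (w >> 11) & 31
    simm = _sext(w & 0xFFFF, 16)
    ds = _sext(w & 0xFFFC, 16)            # DS-form displacement (ld/std/stdu, bc)
    if w == 0x7C0802A6:
        return "mflr r0"
    if w == 0x4E800020:
        return "blr"
    if op == 14:                           # addi; rA=0 is the li idiom
        return "li r%d,%s" % (rd, _imm(simm)) if ra == 0 else "addi r%d,r%d,%s" % (rd, ra, _imm(simm))
    if op == 15:                           # addis; rA=0 is lis
        return "lis r%d,%s" % (rd, _imm(simm)) if ra == 0 else "addis r%d,r%d,%s" % (rd, ra, _imm(simm))
    if op == 16:                           # bc; BO=12 on an EQ bit is beq
        if rd == 12 and ra % 4 == 2:
            return "beq cr%d,%+#x" % (ra // 4, ds)
        return "bc %d,%d,%+#x" % (rd, ra, ds)
    if op == 18:                           # b / bl with 26-bit displacement
        return "%s %+#x" % ("bl" if w & 1 else "b", _sext(w & 0x03FFFFFC, 26))
    if op == 21:                           # rlwinm rA,rS,SH,MB,ME
        return "rlwinm r%d,r%d,%d,%d,%d" % (ra, rd, rb, (w >> 6) & 31, (w >> 1) & 31)
    if op == 31 and ((w >> 1) & 0x3FF) == 444 and rd == rb:   # or rA,rS,rS == mr
        return "mr r%d,r%d" % (ra, rd)
    if op == 34:
        return "lbz r%d,%s(r%d)" % (rd, _imm(simm), ra)
    if op == 58 and (w & 3) == 0:
        return "ld r%d,%s(r%d)" % (rd, _imm(ds), ra)
    if op == 62 and (w & 3) in (0, 1):
        return "%s r%d,%s(r%d)" % ("stdu" if w & 1 else "std", rd, _imm(ds), ra)
    return ".long 0x%08x" % w


def decode_patch(search, replace):
    """Word-by-word diff of two equal-length patterns: a list of
    (byte offset, old mnemonic, new mnemonic) for every changed word."""
    if len(search) != len(replace) or len(search) % 4:
        raise ValueError("patterns must be equal length and word aligned")
    changes = []
    for off in range(0, len(search), 4):
        a = struct.unpack(">I", search[off:off + 4])[0]
        b = struct.unpack(">I", replace[off:off + 4])[0]
        if a != b:
            changes.append((off, disasm(a), disasm(b)))
    return changes


# (search, replace) pairs as given on the page.
PAGE_PATCHES = {
    "PS2 enabler game_ext_plugin": ("881F00063B800001", "881F00023B800001"),
    "PS2 enabler sysconf_plugin": ("881C0006540007FE", "881C0002540007FE"),
    "PS2 enabler premo_(game_)plugin": ("419E004CE80100A038600000", "419E004CE80100A038600001"),
    "4.75/4.76 explore_plugin.sprx #1": ("4817487D5460073E3C800025", "386000015460073E3C800025"),
    "4.75/4.76 explore_plugin.sprx #2": ("4807464D5460073E7FA4EB78", "386000015460073E7FA4EB78"),
    "4.3x explore_category_game.prx / explore_plugin.sprx":
        ("F821FED17C0802A6FB8101103B810070", "386000014E800020FB8101103B810070"),
}


def decode_page_patches():
    """Decode every pair in PAGE_PATCHES; returns {name: changes}."""
    return {name: decode_patch(bytes.fromhex(s), bytes.fromhex(r))
            for name, (s, r) in PAGE_PATCHES.items()}


if __name__ == "__main__":
    for name, changes in decode_page_patches().items():
        print(name)
        for off, old, new in changes:
            print("  +0x%x: %-22s -> %s" % (off, old, new))
```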

category_game.xml

Add to end like always:

   <View id="seg_gamedebug">
      <Attributes>
         <Table key="game_debug">
            <Pair key="icon_rsc"><String>tex_album_icon</String></Pair>
            <Pair key="title_rsc"><String>msg_tool_app_home_ps3_game</String></Pair>
            <Pair key="child"><String>segment</String></Pair>
         </Table>
      </Attributes>
      <Items>
         <Query class="type:x-xcb/game-debug" key="game_debug"  attr="game_debug" />
      </Items>
   </View>

   <View id="seg_package_files">
      <Attributes>
         <Table key="host_device">
            <Pair key="icon_rsc"><String>tex_album_icon</String></Pair>
            <Pair key="title_rsc"><String>msg_tool_install_file</String></Pair>
            <Pair key="child"><String>segment</String></Pair>
            <Pair key="ingame"><String>disable</String></Pair>
         </Table>
      </Attributes>
      <Items>
         <Query
            class="type:x-xmb/xmlpackagefolder"
            key="host_device" attr="host_device"
            src="#seg_packages"
         />
      </Items>
   </View>

   <View id="seg_packages">
      <Items>
         <Query class="type:x-xmb/xmlpackagefolder" key="host_provider_host" src="host://localhost/q?path=/app_home/&suffix=.pkg&subclass=x-host/package" />
         <Query class="type:x-xmb/xmlpackagefolder" key="host_provider_bdvd" src="host://localhost/q?path=/dev_bdvd&suffix=.pkg&subclass=x-host/package" />
         <Query class="type:x-xmb/xmlpackagefolder" key="host_provider_ms" src="host://localhost/q?path=/dev_ms&suffix=.pkg&subclass=x-host/package" />
         <Query class="type:x-xmb/xmlpackagefolder" key="host_provider_usb0" src="host://localhost/q?path=/dev_usb000&suffix=.pkg&subclass=x-host/package" />
         <Query class="type:x-xmb/xmlpackagefolder" key="host_provider_usb1" src="host://localhost/q?path=/dev_usb001&suffix=.pkg&subclass=x-host/package" />
         <Query class="type:x-xmb/xmlpackagefolder" key="host_provider_usb2" src="host://localhost/q?path=/dev_usb002&suffix=.pkg&subclass=x-host/package" />
         <Query class="type:x-xmb/xmlpackagefolder" key="host_provider_usb3" src="host://localhost/q?path=/dev_usb003&suffix=.pkg&subclass=x-host/package" />
         <Query class="type:x-xmb/xmlpackagefolder" key="host_provider_usb4" src="host://localhost/q?path=/dev_usb004&suffix=.pkg&subclass=x-host/package" />
         <Query class="type:x-xmb/xmlpackagefolder" key="host_provider_usb5" src="host://localhost/q?path=/dev_usb005&suffix=.pkg&subclass=x-host/package" />
         <Query class="type:x-xmb/xmlpackagefolder" key="host_provider_usb6" src="host://localhost/q?path=/dev_usb006&suffix=.pkg&subclass=x-host/package" />
         <Query class="type:x-xmb/xmlpackagefolder" key="host_provider_usb7" src="host://localhost/q?path=/dev_usb007&suffix=.pkg&subclass=x-host/package" />
      </Items>
   </View>

Add into place where you want app_home and install package to show up:

         <Query
            class="type:x-xmb/folder-pixmap"
            key="seg_gamedebug"
            src="#seg_gamedebug"
            />
         <Query
            class="type:x-xmb/folder-pixmap"
            key="seg_package_files"
            src="#seg_package_files"
            />

PS3 Turbo load + gameboot + Removal singstar in action

Video: https://www.youtube.com/watch?v=0jgj1ju0bjE

Running fself on CEX CFW 4.20+

http://www.psx-place.com/forum/mfw/running-fself-cex-cfw-2598.html