Downgrade BluRay Playback Issue: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
Line 368: Line 368:
  0xF60020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE  |                  as HRL grows.)
  0xF60020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE  |                  as HRL grows.)
  0xF60030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB --
  0xF60030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB --
 
...
  &
  &
 
...
  0xFA0000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34 --
  0xFA0000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34 --
  0xFA0010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  | Zero Lines out (Sometimes there are 5 lines and possibly longer
  0xFA0010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  | Zero Lines out (Sometimes there are 5 lines and possibly longer
Line 384: Line 384:
  0xEC52A0  CC 51 94 80 54 D^ 4D 9E 91 A8 66 3E 93 A5 C7 84  |
  0xEC52A0  CC 51 94 80 54 D^ 4D 9E 91 A8 66 3E 93 A5 C7 84  |
  0xEC52B0  22 BB 99 63 09 E4 63 CF 56 F3 39 6C B6 D8 75 93 --
  0xEC52B0  22 BB 99 63 09 E4 63 CF 56 F3 39 6C B6 D8 75 93 --
 
...
  0xEC52C0  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF --  Do not touch this line.
  0xEC52C0  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF --  Do not touch this line.
 
...
  &
  &
 
...
  0xEC5260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 12 --
  0xEC5260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 12 --
  0xEC5270  10 70 00 00 02 00 00 01 10 70 00 00 03 00 00 02  |
  0xEC5270  10 70 00 00 02 00 00 01 10 70 00 00 03 00 00 02  |
Line 395: Line 395:
  0xEC52A0  CC 51 94 80 54 D^ 4D 9E 91 A8 66 3E 93 A5 C7 84  |
  0xEC52A0  CC 51 94 80 54 D^ 4D 9E 91 A8 66 3E 93 A5 C7 84  |
  0xEC52B0  22 BB 99 63 09 E4 63 CF 56 F3 39 6C B6 D8 75 93 --
  0xEC52B0  22 BB 99 63 09 E4 63 CF 56 F3 39 6C B6 D8 75 93 --
 
...
  0xEE52C0  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF --  Do not touch this line
  0xEE52C0  00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF --  Do not touch this line



Revision as of 02:30, 14 December 2012

PS3 BLU-RAY PLAYBACK PROHIBITED ROOT CAUSE ANALYSIS

Introduction

Many users have experienced the loss of blu-ray playback on the PS3 after performing a system firmware downgrade to a previous version. Little was known about the cause of this prohibition early on, but this document will outline the causes and effects.


Overview

By the end of this document you will know the issue, the causes, and what is affected.


Reproducing Issue

To reproduce the issue a few pre-requisites must be met:


Pre-requisites for Issue

  1. Service JIG device
    1. PSGrade
  2. Lv2diag.self (stage 1)
    1. DGF.rar archive "File 1"
  3. Lv2diag.self (stage 2)
    1. DGF.rar archive "File 2"
  4. PS3UPDAT.PUP
    1. 3.15 version is best
    2. 3.41 modified version in the DGF.rar is not recommended but is not at issue
  5. PS3 with large NAND (fat models CECHA-CECHG)
    1. Keep in mind there are CECHG systems with small NAND non-volatile memory that rely on HDD volatile memory for dev_flash3 and are unaffected
  6. USB flash device
    1. Any freshly-formatted (BLANK) usb-based flash drive can be utilized


Steps to Reproduce Issue

Steps required to reproduce the issue is the same methodology used to downgrade.

  1. Insert service jig
    1. Use the right-most port closest to the blu-ray drive
  2. jailbreak power sequence
    1. Power then eject within 200 milliseconds
  3. power off via XMB
    1. System will boot and toggle service-mode
    2. Shutdown properly
  4. remove service jig
  5. insert flash drive
    1. Be sure the flash drive has only these 2 files
      1. Lv2diag.self
      2. PS3UPDAT.PUP
  6. power on PS3 normally
    1. No need for the jailbreak sequence
  7. once shutdown remove flash drive
    1. PS3 will load the Lv2diag.self
      1. Create non-volatile memory storage regions (partitions)
      2. Format non-volatile memory partitions
      3. Install update_files from PS3UPDAT.PUP
      4. Update blu-ray revoke list
      5. Write DRL1 and DRL2
      6. Adjust blu-ray drive firmware
      7. UPDATE_LOG.TXT is left behind outlining what was done
  8. insert flash drive with stage 2 Lv2diag.self
    1. PS3 will load the Lv2diag.self
      1. Lv2diag.self will toggle off service mode
  9. power on ps3 normally
    1. unknown additional settings in this reboot
  10. will shutdown automatically
    1. downgrade is now completed
  11. remove flash drive
  12. power on ps3 normally
    1. no jailbreak sequence or dongles
  13. setup ps3, verify firmware version
    1. As a result of the non-volatile memory being created anew, all system settings stored in flash are wiped out
  14. power off ps3 via XMB, then remove power completely
  15. insert jailbreak device
  16. power on ps3
  17. verify DRL1/DRL2
    1. Use DRLinfo (releasing for PS3 soon)


Analyzing UPDATE_LOG.TXT

An analysis of the UPDATE_LOG.TXT follows:

manufacturing updating start
PackageName = /dev_usb000/PS3UPDAT.PUP
settle polling interval success
vflash is disabled...
boot from nand flash...

The PS3UPDAT.PUP file was found on the usb-based device, and "vflash" (virtual flash) is disabled because the device uses real "flash".

creating flash regions...
create storage region: (region id = 2)
format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
create storage region: (region id = 3)
format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
create storage region: (region id = 4)
format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
create storage region: (region id = 5)
create storage region: (region id = 6)

All non-volatile memory regions have been created, if they had previously existed with data that data is gone.

Initializing
taking a while...
start Updating Proccess
Initialize elapsed time = 58 msec
check UPL
Check UPL elapsed time = 51 msec
check Package Size
get package size elapsed time = 8 msec
start Updating Package
Update packages num = 30
Update packages total size = 162260220

30 packages included for updating in the update_files.tar archive in the PS3UPDAT.PUP

Update Package Revoke list
read package revoke list package (576 bytes) elapsed = 22 msec
update package revoke list elapsed = 107 msec
Update Package Revoke list done(0x8002f000)

Package revoke list has been updated

Update Core OS Package
read core os package (5182047 bytes) elapsed = 305 msec
update core os package elapsed = 1806 msec
Update Core OS Package done(0x8002f000)

Core OS package has been installed and compared

Update VSH Package
sys_memory_container_create() success(id = 0xc0effffe)
Update VSH's package : 1/22
read vsh package (1847 bytes) elapsed = 9 msec
decrypt and verify vsh package elapsed = 26 msec
write vsh package elapsed = 8953 msec
compare vsh package elapsed = 0 msec
...
Update VSH's package : 22/22
read vsh package (5315230 bytes) elapsed = 329 msec
decrypt and verify vsh package elapsed = 223 msec
write vsh package elapsed = 1955 msec
compare vsh package elapsed = 381 msec
Update VSH Package done(0x8002f000)

VSH packages have been installed and compared

Bul-ray Disc Player Revoke
read bdp revoke package (1905 bytes) elapsed = 24 msec
decrypt and verify bdp revoke package elapsed = 33 msec
write bdp revoke package elapsed = 2747 msec
compare bdprevoke package elapsed = 58 msec
Bul-ray Disc Player Revoke done(0x8002f000)

Bul-ray (sic) disc player revoke package installed and compared

Update Program Revoke list
read program revoke list package (736 bytes) elapsed = 23 msec
update program revoke list elapsed = 317 msec
Update Program Revoke list done(0x8002f000)

Program revoke list updated

move_2block_status_into_the_region(): region id = 3

??? unknown

rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1103 msec

DRL1 has been written

touch_1st_sector_in_block() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
touch_1st_sector() done (ret = 0x8002f000)
touch_1st_sector() elapsed time = 1422 msec

??? unknown, perhaps verification of write

rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1103 msec

DRL2 has been written

Update BD firmware
read BD firmware package (1966992 bytes) elapsed = 120 msec
update BD firmware elapsed = 186 msec
...
read BD firmware package (1639296 bytes) elapsed = 102 msec
update BD firmware elapsed = 153 msec
Update BD firmware done(0x8002f000)

Drive firmware has been updated

Update Multi-Card controller firmware
read MCC package (28636 bytes) elapsed = 24 msec
update MCC elapsed = 28 msec
Update Multi-Card controller firmware done(0x8002f000)

MC firmware has been updated

Update BlueTooth firmware
read BT package (644322 bytes) elapsed = 44 msec
update BT elapsed = 59 msec
Update BlueTooth firmware done(0x8002f000)

BT firmware has been updated

Update System controller firmware
read SC patch package (4864 bytes) elapsed = 23 msec
read SC patch package (4864 bytes) elapsed = 22 msec
read SC patch package (4864 bytes) elapsed = 22 msec
Update System controller firmware done(0x8002f000)

SC firmware has been updated

update package elapsed time = 262119 msec
post processiong...
post processiong done
cleanup update status (ret = 0)

Post processing and cleanup

os version = 03.4100
build_version = 45039,20100721
region of core os package = 0x40000000
build_target = CEX-ww
build target id = 0x83
manufacturing updating SUCCESS(0x8002f000)
set product mode (ret = 0)
Total Elapsed time = 264647 msec

Details of the system downgraded


Restoring Service

There are two different methods of restoring service as it was from backup, real backup, and derived backup. The two methods only differ in the origination of the backup files to be utilized, both methods ultimately will utilize the same files.
Backup
Playback is easily restored by copying a current backup (current in this case means no new MKB has been loaded by the drive since the backup was created) of DRL1 and DRL2 to /dev_flash3/data-revoke/drl directory.
Derived backup
When a current backup (current in this case means no new MKB has been loaded by the drive since the backup was created) is not available it is possible to derive the DRL1 and DRL2 files from the AACS protected title that was used by the system to create the DRL1 and DRL2 files.
This method requires precise knowledge of the following:
  • all blu-ray titles the drive has loaded
  • the order they were loaded
  • MKB versions of each disc loaded
If the above conditions have been met, deriving the DRL1 and DRL2 files only requires the MKB, which is stored as /AACS/MKB_RO.inf on the AACS protected blu-ray disc.
Link to DRLgen instructions here.


Fixing

With the root cause of the issue understood, potential methods of fixing the issue can be brain stormed and the original source of the issue can be outright blamed.

The following fixes have been postulated:

  1. Fix the Lv2diag.self
    1. The Lv2diag.self (stage 1) file in the DGF.rar is a manufacturing service tool, and assumes the non-volatile memory either does not exist or has been corrupted beyond repair. Of the first steps it performs is the creation and formatting of all storage regions, dev_flash, dev_flash2, and dev_flash3.
  2. Patch the blu-ray player to not perform the HRL <--> DRL sanity check
    1. Before the AACS drive-host authentication begins (reading the MKB version to determine if it is newer) the player performs a sanity check to determine if the DRL and HRL are a matched set.
    2. If the DRL and HRL are not a matched set playback is prohibited
    3. If the "drl" directory (and therefore DRL1 and DRL2) or DRL1 or DRL2 are not found the error message (8002???) indicates playback is not possible
  3. Reset the HRL on the drive to match the DRL1 and DRL2 files
    1. This third Lv2diag.self should have been included in the DGF.rar package by the original creators to prevent this whole issue.
  4. Having a BluRay Movie Title next to you
    1. Enter Factory Service Mode and insert the BluRay Movie Title. It should now get recognized and you can leave FSM again.

DRL Tools

DRLtools_0.90.rar

The tools in the suite are:

DRLGen Source: DRLGen.rar (4.53 MB)

How it works

Each Blu-Ray movie contains a Media Key Block (MKB) as part of its copy protection scheme. Newer movies feature higher MKBs; the latest one is MKB v20. Addtionally, each BD movie has a unique encrypted title key. Both are stored inside the AACS/MKB_RO.inf file of each disc. Fixing BD playback requires exact knowledge of which was the first instance of the highest MKB played so far. DRLgen can be used to identify the Blu-Ray movie with the highest MKB, and then create replacement DRL1/2 files for your PS3 which then restore BD playback.

Requirements

  1. A means to access Blu-Ray title discs to gather the AACS/MKB_RO.inf file, a Blu-Ray drive in a Mac / Windows PC makes the process easiest. Alternatively, SAK v1.0 can be installed as an OtherOS on the PS3 with firmware 3.15 or lower to accomplish this task.
  2. Explicit knowledge of EVERY blu-ray title the blu-ray drive has played and the MKB versions of those discs. WARNING: While you can safely check every BD's MKB with DRLgen, you should limit the number of attempts of installing DRLs on the PS3, as the full details of the AACS "traitor tracking system" are not well known.
  3. A FAT32 USB storage device to store and retrieve MKB_RO.inf and DRL files.

Detailed instructions

Full instructions are(sic: was?) available on the Project #PS3bluray wiki http://ps3bluray.info/?title=DRLtools

About the tools

DRLgen

DRLgen is a new and SAFER utility that uses the MKB_RO.inf from a Blu-Ray disc to derive correctly formatted DRL1 and DRL2 files easily every time. No difficult hex editing or byte-counting is involved. It is important to note that DRLgen uses the AACS' specification for the MKB format and does not simply assume DRL records start at a specific position and are of a specific length. The previously leaked information makes all these assumptions and is flat out INCORRECT in many situations today, and is NOT future proof and could lead to permanently broken playback.

DRLbackup

DRLbackup previously released, has been updated to work in cooperation with the other two tools. As a best practice, a backup of the DRL1 / DRL2 files should be made prior to any system downgrade. Use in conjunction with DRLcopy for a completely recreatable process to downgrade your Large NAND PS3 and restore Blu-Ray playback in the future. Note: The location of saved files has changed, users of the older version of the tool should place their saved DRL files into a 'PS3bluray' folder in the root of the USB storage device for compatability with the new DRLcopy tool.

DRLcopy

DRLcopy is a new PS3 tool that uses the output of the new version of DRLbackup (or properly located DRL backups from the previous version) and/or the derived DRL files from DRLgen to restore your blu-ray functionality after a firmware downgrade.


fix your DRL/CRL issues on GameOS with PS3 Linux

see: Fixing DRL and CRL Hashes

rewrite DRL/CRL hashes with multiMAN

since multiMAN ver 04.11.11:

  • Added option in “Settings” – Fix Broken Blu-ray Movie Playback

The function will rewrite DRL/CRL hashes if there is a mismatch and will fix “Playback Prohibited” error on 3.41/3.55/4.21/4.30 firmwares.

If all else fails - nikitis method

If like me, you have tried all of the above and still receive a "Prohibited Error" there is one last very drastic measure you may take. This requires a flasher as you are going to purposely RSOD your PS3.

WARNING: Do not try this method until you've done the DRL/CRL matching using a linux distro above using the "fix your DRL/CRL issues on GameOS with PS3 Linux" as the matching is also required. And tried the MultiMan blu-ray fix method.

Requirements:

- A Linux Distro installed, or at least a petitboot which can boot Red Ribbon OS.
- Red Ribbon Live Disc.
- Make sure your PS3 is has petitboot setup in such a way you can cold boot into petitboot.  If you cannot do this, then this method will fail.

First extract your NOR / NAND Data. Search twice for both entries of OCRL and delete them with a Hex editor. (HxD will work.)

Secondly, look for the HRL line somewhere on your Dump. (Should be located at F60000 and FA0000 on NOR's, find equivalent on NAND.) and 00 out the 3-5 lines there until it's all 00's. DO NOT DELETE IT, OVERWRITE WITH 00's at both spots.

0xF60000   10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34 --
0xF60010   00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2   | Zero Lines out (Sometimes there are 5 lines and possibly longer
0xF60020   A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   |                  as HRL grows.)
0xF60030   13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB --
...
&
...
0xFA0000   10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34 --
0xFA0010   00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2   | Zero Lines out (Sometimes there are 5 lines and possibly longer
0xFA0020   A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE   |                  as HRL grows.)
0xFA0030   13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB --

Third, Go to Address's on NOR: 0xEC52B0 and 0xEE52B0. Here you may see 1 to several, 6 line entries above this address. You need to Zero all of that data above these lines. Example:

0xEC5260   00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 12 --
0xEC5270   10 70 00 00 02 00 00 01 10 70 00 00 03 00 00 02   |
0xEC5280   DA 52 64 4B F1 BA A4 C8 2A 99 4F C6 70 BC 9A D6   |
0xEC5290   86 EE 8C B6 70 10 47 40 80 18 06 1A 8C 92 51 52   | Zero Lines (And above if there are more entries until you reach the void of 00's)
0xEC52A0   CC 51 94 80 54 D^ 4D 9E 91 A8 66 3E 93 A5 C7 84   |
0xEC52B0   22 BB 99 63 09 E4 63 CF 56 F3 39 6C B6 D8 75 93 --
...
0xEC52C0   00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF --  Do not touch this line.
...
&
...
0xEC5260   00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 12 --
0xEC5270   10 70 00 00 02 00 00 01 10 70 00 00 03 00 00 02   |
0xEC5280   DA 52 64 4B F1 BA A4 C8 2A 99 4F C6 70 BC 9A D6   |
0xEC5290   86 EE 8C B6 70 10 47 40 80 18 06 1A 8C 92 51 52   | Zero Lines (And above if there are more entries until you reach the void of 00's)
0xEC52A0   CC 51 94 80 54 D^ 4D 9E 91 A8 66 3E 93 A5 C7 84   |
0xEC52B0   22 BB 99 63 09 E4 63 CF 56 F3 39 6C B6 D8 75 93 --
...
0xEE52C0   00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF --  Do not touch this line

The cleaning part is done. Flash this back to your PS3, the HRL is blank, and so is the data in CVTRM area. This WILL RSOD your PS3.

Now the reason for having a linux distibution installed or petitboot access. After flashing it back, power off your PS3, turn on and you will get a RSOD.

Power off, then use the cold boot method to boot directly into petitboot, and load Red Ribbon Live Disc. Grab the information on how to re-initialize CVTRM using the linux method (RSOD Linux Fix). Once fixed and re-initialized, reboot into GameOS, and your blu-ray player should be able to play blu-rays again!

If this last ditch effort does not work, then you either did something wrong, forgot to do the CRL/DRL Matching method via linux as stated above, or your drive has a hardware issue.

NOTE: Again please only try this method after you have tried all the other less intrusive methods (i.e. Multiman, CRL/DRL via Linux hash matching etc) as you could ruin your PS3 permanantly if you don't know what you are doing or do not do this correctly. Only attempt if you feel your PS3 is worthless without a working blu-ray drive. And I am not responsible for any damages you may inflict upon your PS3 or yourself using this method.