Downgrade BluRay Playback Issue: Difference between revisions
Revision as of 02:30, 14 December 2012
PS3 BLU-RAY PLAYBACK PROHIBITED ROOT CAUSE ANALYSIS
Introduction
Many users have experienced the loss of blu-ray playback on the PS3 after performing a system firmware downgrade to a previous version. Little was known about the cause of this prohibition early on, but this document will outline the causes and effects.
Overview
By the end of this document you will know the issue, the causes, and what is affected.
Reproducing Issue
To reproduce the issue a few pre-requisites must be met:
Pre-requisites for Issue
- Service JIG device
  - PSGrade
- Lv2diag.self (stage 1)
  - DGF.rar archive "File 1"
- Lv2diag.self (stage 2)
  - DGF.rar archive "File 2"
- PS3UPDAT.PUP
  - 3.15 version is best
  - 3.41 modified version in the DGF.rar is not recommended but is not at issue
- PS3 with large NAND (fat models CECHA-CECHG)
  - Keep in mind there are CECHG systems with small NAND non-volatile memory that rely on HDD volatile memory for dev_flash3 and are unaffected
- USB flash device
  - Any freshly-formatted (BLANK) usb-based flash drive can be utilized
Steps to Reproduce Issue
The steps required to reproduce the issue are the same as the methodology used to downgrade.
- Insert service jig
- Use the right-most port closest to the blu-ray drive
- jailbreak power sequence
- Power then eject within 200 milliseconds
- power off via XMB
- System will boot and toggle service-mode
- Shutdown properly
- remove service jig
- insert flash drive
- Be sure the flash drive has only these 2 files
  - Lv2diag.self
  - PS3UPDAT.PUP
- power on PS3 normally
- No need for the jailbreak sequence
- once shutdown remove flash drive
- PS3 will load the Lv2diag.self
  - Create non-volatile memory storage regions (partitions)
  - Format non-volatile memory partitions
  - Install update_files from PS3UPDAT.PUP
  - Update blu-ray revoke list
  - Write DRL1 and DRL2
  - Adjust blu-ray drive firmware
  - UPDATE_LOG.TXT is left behind outlining what was done
- insert flash drive with stage 2 Lv2diag.self
- PS3 will load the Lv2diag.self
  - Lv2diag.self will toggle off service mode
- power on ps3 normally
- unknown additional settings in this reboot
- will shutdown automatically
- downgrade is now completed
- remove flash drive
- power on ps3 normally
- no jailbreak sequence or dongles
- setup ps3, verify firmware version
- As a result of the non-volatile memory being created anew, all system settings stored in flash are wiped out
- power off ps3 via XMB, then remove power completely
- insert jailbreak device
- power on ps3
- verify DRL1/DRL2
- Use DRLinfo (releasing for PS3 soon)
Analyzing UPDATE_LOG.TXT
An analysis of the UPDATE_LOG.TXT follows:
    manufacturing updating start
    PackageName = /dev_usb000/PS3UPDAT.PUP
    settle polling interval success
    vflash is disabled...
    boot from nand flash...
The PS3UPDAT.PUP file was found on the usb-based device, and "vflash" (virtual flash) is disabled because the device uses real "flash".
    creating flash regions...
    create storage region: (region id = 2)
    format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
    create storage region: (region id = 3)
    format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
    create storage region: (region id = 4)
    format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
    create storage region: (region id = 5)
    create storage region: (region id = 6)
All non-volatile memory regions have been created; if they previously existed with data, that data is gone.
    Initializing
    taking a while...
    start Updating Proccess
    Initialize elapsed time = 58 msec
    check UPL
    Check UPL elapsed time = 51 msec
    check Package Size
    get package size elapsed time = 8 msec
    start Updating Package
    Update packages num = 30
    Update packages total size = 162260220
30 packages are included for updating in the update_files.tar archive in the PS3UPDAT.PUP.
    Update Package Revoke list
    read package revoke list package (576 bytes) elapsed = 22 msec
    update package revoke list elapsed = 107 msec
    Update Package Revoke list done(0x8002f000)
Package revoke list has been updated
    Update Core OS Package
    read core os package (5182047 bytes) elapsed = 305 msec
    update core os package elapsed = 1806 msec
    Update Core OS Package done(0x8002f000)
Core OS package has been installed and compared
    Update VSH Package
    sys_memory_container_create() success(id = 0xc0effffe)
    Update VSH's package : 1/22
    read vsh package (1847 bytes) elapsed = 9 msec
    decrypt and verify vsh package elapsed = 26 msec
    write vsh package elapsed = 8953 msec
    compare vsh package elapsed = 0 msec
    ...
    Update VSH's package : 22/22
    read vsh package (5315230 bytes) elapsed = 329 msec
    decrypt and verify vsh package elapsed = 223 msec
    write vsh package elapsed = 1955 msec
    compare vsh package elapsed = 381 msec
    Update VSH Package done(0x8002f000)
VSH packages have been installed and compared
    Bul-ray Disc Player Revoke
    read bdp revoke package (1905 bytes) elapsed = 24 msec
    decrypt and verify bdp revoke package elapsed = 33 msec
    write bdp revoke package elapsed = 2747 msec
    compare bdprevoke package elapsed = 58 msec
    Bul-ray Disc Player Revoke done(0x8002f000)
Bul-ray (sic) disc player revoke package installed and compared
    Update Program Revoke list
    read program revoke list package (736 bytes) elapsed = 23 msec
    update program revoke list elapsed = 317 msec
    Update Program Revoke list done(0x8002f000)
Program revoke list updated
    move_2block_status_into_the_region(): region id = 3
??? unknown
    rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
    rewrite region done (ret = 0x8002f000)
    rewrite region elapsed time = 1103 msec
DRL1 has been written
    touch_1st_sector_in_block() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
    touch_1st_sector() done (ret = 0x8002f000)
    touch_1st_sector() elapsed time = 1422 msec
??? unknown, perhaps verification of write
    rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
    rewrite region done (ret = 0x8002f000)
    rewrite region elapsed time = 1103 msec
DRL2 has been written
    Update BD firmware
    read BD firmware package (1966992 bytes) elapsed = 120 msec
    update BD firmware elapsed = 186 msec
    ...
    read BD firmware package (1639296 bytes) elapsed = 102 msec
    update BD firmware elapsed = 153 msec
    Update BD firmware done(0x8002f000)
Drive firmware has been updated
    Update Multi-Card controller firmware
    read MCC package (28636 bytes) elapsed = 24 msec
    update MCC elapsed = 28 msec
    Update Multi-Card controller firmware done(0x8002f000)
MC firmware has been updated
    Update BlueTooth firmware
    read BT package (644322 bytes) elapsed = 44 msec
    update BT elapsed = 59 msec
    Update BlueTooth firmware done(0x8002f000)
BT firmware has been updated
    Update System controller firmware
    read SC patch package (4864 bytes) elapsed = 23 msec
    read SC patch package (4864 bytes) elapsed = 22 msec
    read SC patch package (4864 bytes) elapsed = 22 msec
    Update System controller firmware done(0x8002f000)
SC firmware has been updated
    update package elapsed time = 262119 msec
    post processiong...
    post processiong done
    cleanup update status (ret = 0)
Post processing and cleanup
    os version = 03.4100
    build_version = 45039,20100721
    region of core os package = 0x40000000
    build_target = CEX-ww
    build target id = 0x83
    manufacturing updating SUCCESS(0x8002f000)
    set product mode (ret = 0)
    Total Elapsed time = 264647 msec
Details of the system downgraded
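A log like this can be checked mechanically for the two things this analysis turns on: which flash partitions were re-created and formatted, and which regions were rewritten. The parser below is an added example, not part of the original page or of any PS3 tool; its sample lines are copied from the excerpts above, and the mapping of BUILTIN_FLSH3 to dev_flash3 is an assumption.

```python
import re

# Sample input: a subset of the UPDATE_LOG.TXT lines quoted in this section.
SAMPLE_LOG = """\
create storage region: (region id = 2)
format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
create storage region: (region id = 3)
format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
create storage region: (region id = 4)
format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
create storage region: (region id = 5)
create storage region: (region id = 6)
Update Package Revoke list done(0x8002f000)
Bul-ray Disc Player Revoke done(0x8002f000)
rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
post processiong done
manufacturing updating SUCCESS(0x8002f000)
"""

CREATE = re.compile(r"create storage region: \(region id = (\d+)\)")
FORMAT = re.compile(r"format partition: \(region_id = (\d+), ([^,]+), ([^)]+)\)")
REWRITE = re.compile(r"rewrite_region\(\) region id = (0x[0-9a-f]+), "
                     r"start_lba = (0x[0-9a-f]+), end_lba = (0x[0-9a-f]+)")
DONE = re.compile(r"(.+?) done\s*\((?:ret = )?(0x[0-9a-f]+)\)")
FINAL = re.compile(r"manufacturing updating (\w+)\((0x[0-9a-f]+)\)")


def summarize(log_text):
    """Return what the updater created, formatted, rewrote and reported."""
    out = {"created": [], "formatted": {}, "rewrites": [], "stages": {},
           "result": None}
    for line in map(str.strip, log_text.splitlines()):
        if m := CREATE.fullmatch(line):
            out["created"].append(int(m.group(1)))
        elif m := FORMAT.fullmatch(line):
            out["formatted"][int(m.group(1))] = (m.group(2), m.group(3))
        elif m := REWRITE.fullmatch(line):
            # (region id, start_lba, end_lba), all parsed from hex
            out["rewrites"].append(tuple(int(g, 16) for g in m.groups()))
        elif m := DONE.fullmatch(line):
            out["stages"][m.group(1)] = int(m.group(2), 16)
        elif m := FINAL.fullmatch(line):
            out["result"] = (m.group(1), int(m.group(2), 16))
    # Assumption: BUILTIN_FLSH3 backs dev_flash3, where DRL1/DRL2 are kept.
    out["drl_store_formatted"] = any(
        dev.endswith("BUILTIN_FLSH3") for dev, _fs in out["formatted"].values())
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```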
Restoring Service
- There are two methods of restoring service from backup: a real backup and a derived backup. The two methods differ only in where the backup files come from; both ultimately use the same files.
  - Backup
    - Playback is easily restored by copying a current backup (current in this case means no new MKB has been loaded by the drive since the backup was created) of DRL1 and DRL2 to the /dev_flash3/data-revoke/drl directory.
  - Derived backup
    - When a current backup (current in this case means no new MKB has been loaded by the drive since the backup was created) is not available, it is possible to derive the DRL1 and DRL2 files from the AACS protected title that was used by the system to create the DRL1 and DRL2 files.
      - This method requires precise knowledge of the following:
        - all blu-ray titles the drive has loaded
        - the order they were loaded
        - MKB versions of each disc loaded
      - If the above conditions have been met, deriving the DRL1 and DRL2 files only requires the MKB, which is stored as /AACS/MKB_RO.inf on the AACS protected blu-ray disc.
      - Link to DRLgen instructions here.
Fixing
With the root cause of the issue understood, potential methods of fixing the issue can be brainstormed and the original source of the issue can be outright blamed.
The following fixes have been postulated:
- Fix the Lv2diag.self
  - The Lv2diag.self (stage 1) file in the DGF.rar is a manufacturing service tool, and assumes the non-volatile memory either does not exist or has been corrupted beyond repair. One of the first steps it performs is the creation and formatting of all storage regions: dev_flash, dev_flash2, and dev_flash3.
- Patch the blu-ray player to not perform the HRL <--> DRL sanity check
  - Before the AACS drive-host authentication begins (reading the MKB version to determine if it is newer), the player performs a sanity check to determine if the DRL and HRL are a matched set.
  - If the DRL and HRL are not a matched set, playback is prohibited
  - If the "drl" directory (and therefore DRL1 and DRL2) or DRL1 or DRL2 are not found, the error message (8002???) indicates playback is not possible
- Reset the HRL on the drive to match the DRL1 and DRL2 files
  - This third Lv2diag.self should have been included in the DGF.rar package by the original creators to prevent this whole issue.
- Having a BluRay Movie Title next to you
  - Enter Factory Service Mode and insert the BluRay Movie Title. It should now get recognized and you can leave FSM again.
DRL Tools
The tools in the suite are:
- DRLbackup_PS3_0.90.pkg (used to backup DRL1 / DRL2 files to a USB drive)
- DRLgen_WIN_setup_0.90.exe (Windows .net 2.0 application to derive DRL1 / DRL2 files from an MKB_RO.inf file)
- DRLcopy_PS3_0.90.pkg (to restore previously backed-up DRL1 / DRL2 files or to copy derived DRL1 / DRL2 files from DRLgen)
DRLGen Source: DRLGen.rar (4.53 MB)
How it works
Each Blu-Ray movie contains a Media Key Block (MKB) as part of its copy protection scheme. Newer movies feature higher MKBs; the latest one is MKB v20. Additionally, each BD movie has a unique encrypted title key. Both are stored inside the AACS/MKB_RO.inf file of each disc. Fixing BD playback requires exact knowledge of which was the first instance of the highest MKB played so far. DRLgen can be used to identify the Blu-Ray movie with the highest MKB, and then create replacement DRL1/2 files for your PS3, which then restore BD playback.
Requirements
- A means to access Blu-Ray title discs to gather the AACS/MKB_RO.inf file, a Blu-Ray drive in a Mac / Windows PC makes the process easiest. Alternatively, SAK v1.0 can be installed as an OtherOS on the PS3 with firmware 3.15 or lower to accomplish this task.
- Explicit knowledge of EVERY blu-ray title the blu-ray drive has played and the MKB versions of those discs. WARNING: While you can safely check every BD's MKB with DRLgen, you should limit the number of attempts of installing DRLs on the PS3, as the full details of the AACS "traitor tracking system" are not well known.
- A FAT32 USB storage device to store and retrieve MKB_RO.inf and DRL files.
Detailed instructions
Full instructions are (sic: was?) available on the Project #PS3bluray wiki http://ps3bluray.info/?title=DRLtools
About the tools
DRLgen
DRLgen is a new and SAFER utility that uses the MKB_RO.inf from a Blu-Ray disc to derive correctly formatted DRL1 and DRL2 files easily every time. No difficult hex editing or byte-counting is involved. It is important to note that DRLgen uses the AACS' specification for the MKB format and does not simply assume DRL records start at a specific position and are of a specific length. The previously leaked information makes all these assumptions and is flat out INCORRECT in many situations today, and is NOT future proof and could lead to permanently broken playback.
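The difference between walking records and assuming fixed positions can be shown on the bytes this page lists at 0xF60000, which use the same type/length record framing. This is an added example, not DRLgen's source or code from the original page; reading those bytes as MKB-format records, the field names, and the count layout of the type-0x20 record are assumptions based on the AACS record format.

```python
import struct

# Bytes shown at 0xF60000 in the flash dump on this page (64 bytes).
SAMPLE = bytes.fromhex(
    "10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34 "
    "00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2 "
    "A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE "
    "13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB"
)


def walk_records(buf):
    """Yield (offset, type, body); each record is 1 type byte plus a 3-byte
    big-endian length that counts the 4-byte header itself."""
    off = 0
    while off + 4 <= len(buf):
        rtype = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        if rtype == 0 and length == 0:      # zero fill after the last record
            return
        if length < 4 or off + length > len(buf):
            raise ValueError(f"bad length {length:#x} at offset {off:#x}")
        yield off, rtype, buf[off + 4:off + length]
        off += length


def describe(buf):
    """Locate the version record and type-0x20 records by walking, not by offset."""
    info = {"mkb_type": None, "version": None, "lists": []}
    for off, rtype, body in walk_records(buf):
        if rtype == 0x10 and len(body) >= 8:
            # Type and Version record: 4-byte MKB type, 4-byte version number.
            info["mkb_type"], info["version"] = struct.unpack(">II", body[:8])
        elif rtype == 0x20 and len(body) >= 8:
            # Assumed layout: total entry count, then count in the first block.
            total, in_block = struct.unpack(">II", body[:8])
            info["lists"].append({"offset": off, "size": len(body) + 4,
                                  "total_entries": total,
                                  "entries_in_block": in_block})
    return info


if __name__ == "__main__":
    print(describe(SAMPLE))
```

A truncated buffer raises `ValueError` instead of yielding a short record, which is the check a fixed-offset copy never makes.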
DRLbackup
DRLbackup, previously released, has been updated to work in cooperation with the other two tools. As a best practice, a backup of the DRL1 / DRL2 files should be made prior to any system downgrade. Use in conjunction with DRLcopy for a completely recreatable process to downgrade your Large NAND PS3 and restore Blu-Ray playback in the future. Note: The location of saved files has changed; users of the older version of the tool should place their saved DRL files into a 'PS3bluray' folder in the root of the USB storage device for compatibility with the new DRLcopy tool.
DRLcopy
DRLcopy is a new PS3 tool that uses the output of the new version of DRLbackup (or properly located DRL backups from the previous version) and/or the derived DRL files from DRLgen to restore your blu-ray functionality after a firmware downgrade.
fix your DRL/CRL issues on GameOS with PS3 Linux
see: Fixing DRL and CRL Hashes
rewrite DRL/CRL hashes with multiMAN
since multiMAN ver 04.11.11:
- Added option in “Settings” – Fix Broken Blu-ray Movie Playback
The function will rewrite DRL/CRL hashes if there is a mismatch and will fix “Playback Prohibited” error on 3.41/3.55/4.21/4.30 firmwares.
If all else fails - nikitis method
If like me, you have tried all of the above and still receive a "Prohibited Error" there is one last very drastic measure you may take. This requires a flasher as you are going to purposely RSOD your PS3.
WARNING: Do not try this method until you've done the DRL/CRL matching using a linux distro above using the "fix your DRL/CRL issues on GameOS with PS3 Linux" as the matching is also required. And tried the MultiMan blu-ray fix method.
Requirements:
- A Linux Distro installed, or at least a petitboot which can boot Red Ribbon OS.
- Red Ribbon Live Disc.
- Make sure your PS3 has petitboot set up in such a way you can cold boot into petitboot. If you cannot do this, then this method will fail.
First extract your NOR / NAND Data. Search twice for both entries of OCRL and delete them with a Hex editor. (HxD will work.)
Secondly, look for the HRL line somewhere on your Dump. (Should be located at F60000 and FA0000 on NOR's, find equivalent on NAND.) and 00 out the 3-5 lines there until it's all 00's. DO NOT DELETE IT, OVERWRITE WITH 00's at both spots.
    0xF60000 10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34 --
    0xF60010 00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2 |  Zero Lines out (Sometimes there are 5 lines and possibly longer
    0xF60020 A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE |  as HRL grows.)
    0xF60030 13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB --
    ...
    &
    ...
    0xFA0000 10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34 --
    0xFA0010 00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2 |  Zero Lines out (Sometimes there are 5 lines and possibly longer
    0xFA0020 A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE |  as HRL grows.)
    0xFA0030 13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB --
Third, go to addresses 0xEC52B0 and 0xEE52B0 on NOR. Here you may see one to several 6-line entries above this address. You need to zero all of that data above these lines. Example:
    0xEC5260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 12 --
    0xEC5270 10 70 00 00 02 00 00 01 10 70 00 00 03 00 00 02 |
    0xEC5280 DA 52 64 4B F1 BA A4 C8 2A 99 4F C6 70 BC 9A D6 |
    0xEC5290 86 EE 8C B6 70 10 47 40 80 18 06 1A 8C 92 51 52 |  Zero Lines (And above if there are more entries until you reach the void of 00's)
    0xEC52A0 CC 51 94 80 54 D^ 4D 9E 91 A8 66 3E 93 A5 C7 84 |
    0xEC52B0 22 BB 99 63 09 E4 63 CF 56 F3 39 6C B6 D8 75 93 --
    ...
    0xEC52C0 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF -- Do not touch this line.
    ...
    &
    ...
    0xEC5260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 12 --
    0xEC5270 10 70 00 00 02 00 00 01 10 70 00 00 03 00 00 02 |
    0xEC5280 DA 52 64 4B F1 BA A4 C8 2A 99 4F C6 70 BC 9A D6 |
    0xEC5290 86 EE 8C B6 70 10 47 40 80 18 06 1A 8C 92 51 52 |  Zero Lines (And above if there are more entries until you reach the void of 00's)
    0xEC52A0 CC 51 94 80 54 D^ 4D 9E 91 A8 66 3E 93 A5 C7 84 |
    0xEC52B0 22 BB 99 63 09 E4 63 CF 56 F3 39 6C B6 D8 75 93 --
    ...
    0xEE52C0 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF -- Do not touch this line
The cleaning part is done. Flash this back to your PS3, the HRL is blank, and so is the data in CVTRM area. This WILL RSOD your PS3.
Now the reason for having a linux distribution installed or petitboot access. After flashing it back, power off your PS3, turn on and you will get a RSOD.
Power off, then use the cold boot method to boot directly into petitboot, and load Red Ribbon Live Disc. Grab the information on how to re-initialize CVTRM using the linux method (RSOD Linux Fix). Once fixed and re-initialized, reboot into GameOS, and your blu-ray player should be able to play blu-rays again!
If this last ditch effort does not work, then you either did something wrong, forgot to do the CRL/DRL Matching method via linux as stated above, or your drive has a hardware issue.
NOTE: Again please only try this method after you have tried all the other less intrusive methods (i.e. Multiman, CRL/DRL via Linux hash matching etc) as you could ruin your PS3 permanently if you don't know what you are doing or do not do this correctly. Only attempt if you feel your PS3 is worthless without a working blu-ray drive. And I am not responsible for any damages you may inflict upon your PS3 or yourself using this method.