Dual Firmware: Difference between revisions

From PS3 Developer wiki
Older revision (minor edit, no edit summary) compared with newer revision (no edit summary), Line 17, section "== Dual-Banking ==":

Old: This method relies on the fact that SYSCON has 2 EEPROM banks, and a "recovery mode" flag that can be set to load a recovery firmware located in the ros1 region of the flash.

New: This method relies on the fact that SYSCON has 2 EEPROM banks, and a "recovery mode" flag that can be set to load a recovery firmware located in the ros0 region of the flash.

The following paragraph ("By pulling the backup_mode pin low or high, you can aparently switch eeprom banks in the SYSCON EEPROM. In the second bank, you would have the recovery mode flag set, thus loading firmware from the ros1 region on flash.") is unchanged between the two revisions.

Revision as of 02:27, 25 August 2011

These methods are currently theoretical and have not been tested as of yet.

Hardware Based

NOR/Nand Piggybacking

This method involves physically soldering another flash chip on top of the existing flash package, soldering the legs pin for pin (piggybacking). You lift both #CE pins and provide a switch between them to select the appropriate flash chip, each of which holds a different firmware.

E.g.: http://www.elotrolado.net/hilo_la-dual-nand-fat40g-ya-es-una-realidad_1650176

Reset pin for NOR

After looking into this some more, simply switching the #CE pin may not be sufficient, as the deselected chip is still operating and can interfere with the bus. However, it appears that while the #RESET pin is tied low, all input/output pins on the flash are in a high-impedance state. We should be able to simply ground this pin to disable that chip, rather than lifting the #CE pin.

Dual-Banking

This method relies on the fact that SYSCON has 2 EEPROM banks, and a "recovery mode" flag that can be set to load a recovery firmware located in the ros0 region of the flash.

By pulling the backup_mode pin low or high, you can apparently switch EEPROM banks in the SYSCON EEPROM. In the second bank, you would have the recovery mode flag set, thus loading firmware from the ros1 region on flash.

Increased size NOR Flash

This method relies on entirely lifting the existing NOR flash chip and planting a 256 Mbit chip in its place; you could then lift address pin 23 and have a switch to tie it low or high to switch banks. A compatible Samsung chip can be found here: http://www.samsung.com/global/system/business/semiconductor/product/2007/8/7/620430ds_k8p5615uqa_rev11.pdf

This looks like it could work: as per the Spansion and Samsung datasheet tables, the chip does not care about the state of pin 23 when using autoselect commands etc., so there should not be any interference.

Limitations

Firmware hash checks

Firmware hash checks are located in the SYSCON EEPROM; apparently these checks are run within Indi Info Manager on LV1. They compare the hashes stored in SYSCON with the files stored on flash. If the checks fail, the console does not boot. We could get around this by using dual-banking on SYSCON or by patching the checks out.
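The check described above, modelled as an added example (not code from the wiki or from the PS3 firmware): the SYSCON EEPROM is represented as two banks of hash tables, one per firmware version, and the boot check compares the selected bank against the CoreOS files on flash. The file names, file contents and the use of SHA-256 are constructed assumptions for illustration; the page does not name the real hash algorithm. The example shows why swapping only the flash contents fails the check while also switching the bank passes it.

```python
"""Model of the SYSCON-vs-flash CoreOS hash check (added example, not the page's code)."""
import hashlib


def digest(blob: bytes) -> str:
    # SHA-256 is an assumption for illustration; the real algorithm is not stated on the page.
    return hashlib.sha256(blob).hexdigest()


# Constructed sample CoreOS files for two firmware versions (names and contents are made up).
CORE_FILES_370 = {"lv1.self": b"lv1 3.70", "lv2_kernel.self": b"lv2 3.70"}
CORE_FILES_355 = {"lv1.self": b"lv1 3.55", "lv2_kernel.self": b"lv2 3.55"}

# Constructed SYSCON EEPROM content: bank 0 holds the hash table for 3.70,
# bank 1 the table for 3.55. backup_mode selects which bank the check reads.
SYSCON_BANKS = {
    0: {name: digest(blob) for name, blob in CORE_FILES_370.items()},
    1: {name: digest(blob) for name, blob in CORE_FILES_355.items()},
}


def boot_hash_check(bank: int, flash_files: dict[str, bytes]) -> list[str]:
    """Return the names of files whose hash does not match the selected bank.

    An empty list means every stored hash matched and the console would boot.
    """
    expected = SYSCON_BANKS[bank]
    mismatches = []
    for name, stored_hash in expected.items():
        blob = flash_files.get(name)
        if blob is None or digest(blob) != stored_hash:
            mismatches.append(name)
    return mismatches


def console_boots(bank: int, flash_files: dict[str, bytes]) -> bool:
    """True when the hash check passes for the given bank and flash contents."""
    return not boot_hash_check(bank, flash_files)


if __name__ == "__main__":
    print("3.70 files, bank 0:", console_boots(0, CORE_FILES_370))
    print("3.55 files, bank 0:", boot_hash_check(0, CORE_FILES_355))
    print("3.55 files, bank 1:", console_boots(1, CORE_FILES_355))
```

Mixing the two (3.70 files on flash with only lv2_kernel.self replaced by the 3.55 copy) reports just that one file as a mismatch, which is the situation the "NO CHECK" patch mentioned later on this page avoids by not running the comparison at all.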

VFlash

Only a single version of VFlash is stored on flash in NAND consoles, and a single copy is stored at the beginning of the PS3 hard drive on NOR consoles. Because the firmware stored there won't match the firmware stored on flash, you would have to reinstall the rest of the firmware every time you switch. We could possibly overcome this limitation by patching the storage manager to redirect VFlash to another region of the hard disk.

Software based

Using graf_chokolo's payload

Among graf_chokolo's payloads, there is one that can be used to load an alternative lv2_kernel.self.

You have to save the alternative lv2_kernel.self on flash and use the payload to make lv1 load it.

See Graf's PSGroove Payload

Quoting graf_chokolo

Guys, be careful with the store_file_on_flash.c and replace_lv2.c payloads.
With store_file_on_flash.c I'm able to store a new file on FLASH memory where CORE OS files are stored from PUP.
If you do not know what that means then don't play with this, it could brick your PS3, but it's safe to use when you know what you do.
With both of those payloads I'm able to boot a patched lv2_kernel.self from FLASH without flashing PUP, I just store a second lv2_kernel.self
on FLASH, then patch System Manager in HV which is responsible for booting GameOS and boot custom LV2 kernel from 3.41.
You don't need a NOR flasher if something goes wrong:
just reboot HV and your original lv2_kernel.self will be booted again.

The same way you could boot lv2_kernel.self from dev_flash.
Just patch the path to lv2_kernel.self in System Manager and point it to the lv2_kernel.self stored on dev_flash.

Limitations

  • Same as above, and this can ONLY be used with a lv2_kernel.self compatible with your actual lv1.self
  • You can only customize lv2_kernel.self and below


Bootloader

There is a hardware-based master key that is different for every PS3. It is said that some have managed to get hold of it. Being able to sign at a higher privilege level would give us the ability to create a bootloader that could load any firmware after patching it first.

This would be the best solution, having a BootMii-like bootloader with recovery options, but it is also the most far-fetched.


Manual dualboot 3.55 & 3.70 with 2 flash dumps and 2 hard drives

Original Italian and English guide posted by digitalangel

Today I will write a tutorial to “fast-swap” between CFW 3.55 and OFW 3.70, using 2 HDDs… at the end of the tutorial, you will be able to swap between the firmware just flashing a dump on your PS3 using Progskeet. (instead of downgrading and losing all data).

The first steps are not so easy, so take your time and go on, by the way, you must have some skill with Progskeet, and it must be 100% working on your console.

What we need:

  • PS3 Slim running with FW 3.70
  • 2 Hard Disks
  • Progskeet installed and working on your PS3 Slim
  • Downgrade.bin edited with your personal data (there are tons of tutorials for doing this)
  • 3.55 Downgrade Dongle to do the downgrade process.
  • Sony OFW 3.70 UPDATE.(DOWNLOAD)
  • CFW 3.55 KMEAW “NO CHECK” by dospiedra.(DOWNLOAD)
  • Lv2Diag By Jaicrab. (DOWNLOAD)
  • Lv2Diag “FILE 2″ to go out of Service/Factory Mode. (DOWNLOAD)

We need 2 hard drives because the firmware is partially on NOR (CoreOS) and the rest is on the hard drive. So we will need 2 HDDs, one for 3.55 and one for 3.70.

We will call those HDDs "A" (for 3.70) and "B" (for 3.55). Don't mix them up!

Starting with a PS3 Slim with OFW 3.70.

  1. Plug in HDD “B”, format and prepare it if it’s required by the PS3 and you should have your 3.70 up and running.
  2. DUMP your actual NOR and call it “original dump 3.70.bin”
  3. Now flash your “downgrade.bin” (edited with the personal data found in “original dump 3.70.bin”)
  4. Turn on your PS3 and be sure that the PS3 is asking you to press the PS button (downgrade.bin flashed correctly :D )
  5. Insert a 3.55 Downgrade dongle and enter factory/service mode.
  6. Copy Lv2Diag.self by Jaicrab and the 3.55 NO CHECK UPDATE renamed as “PS3UPDAT.PUP” in the root of your USB Stick.
  7. Plug the USB Stick into the rightmost USB port of your PS3 and wait for it to turn OFF.
  8. Leave the factory mode using the other Lv2Diag.self
  9. After the reboot, you need to configure and set up your system… now you have a fully working 3.55 CFW based on KMEAW “NO CHECK”.
  10. DUMP your actual NOR and call it “swap dump 3.55.bin”
  11. Unplug HDD B and Plug in HDD A.
  12. Turn on your PS3, plug in your USB Stick containing official 3.70 update and press start+select when asked.
  13. When the PS3 reboots, check that the system is fully working and DUMP your actual NOR and call it “swap dump 3.70.bin”.

NOW IT'S FINISHED! You should have "swap dump 3.55.bin" and "swap dump 3.70.bin" ... Now you just have to swap the HDD and flash the corresponding dump:

  • HDD A = swap dump 3.70.bin
  • HDD B = swap dump 3.55.bin

WARNING: Do not install a CFW other than the "NO CHECK" one... because it's what makes the "fast-swap" work... if you flash something different you will not be able to go between the 2 FWs. This patch disables the LV1 check of the Syscon hashes at startup... so it will not freeze or complain when the syscon hashes say "3.70" and your FW is 3.55 ;)

WARNING: In case you want to update your console with a future "3.80" or so firmware: do not update your console when you are running the 3.55 firmware! You have to go to "swap dump 3.70.bin" and then update as usual (XMB or recovery)... -By the way, the downgrade is confirmed working only on 3.70... we haven't tested it on other FWs, you could lose the possibility to go back to 3.55!-
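The guide above ends with two dumps that get flashed alternately, so flashing the wrong one, or one that was corrupted on disk, is the obvious failure mode. The following is an added example (not part of digitalangel's guide or any Progskeet tooling) of bookkeeping a practitioner would keep alongside those dumps: a JSON manifest of size and SHA-256 for each dump, a verification step to run before flashing, and a byte-range diff that shows where the two swap dumps actually differ. The dump names follow the guide; the 4 KiB sample "dumps", their contents and the choice of SHA-256 are constructed for the example.

```python
"""Manifest and diff helpers for NOR swap dumps (added example, not the guide's own tooling)."""
import hashlib
import json
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(dumps: dict[str, bytes]) -> dict[str, dict[str, object]]:
    """Record size and SHA-256 for each named dump: name -> {"size", "sha256"}."""
    return {name: {"size": len(data), "sha256": sha256_hex(data)}
            for name, data in dumps.items()}


def verify_dump(manifest: dict, name: str, data: bytes) -> bool:
    """True only if the dump called `name` still has the size and hash recorded at dump time."""
    entry = manifest.get(name)
    if entry is None:
        return False
    return entry["size"] == len(data) and entry["sha256"] == sha256_hex(data)


def diff_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Return [start, end) byte ranges where two equally sized dumps differ."""
    if len(a) != len(b):
        raise ValueError(f"dump sizes differ: {len(a)} vs {len(b)} bytes")
    ranges: list[tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


# Constructed sample "dumps" (4 KiB each) standing in for the real NOR images.
DUMP_370 = bytes(range(256)) * 16
_b = bytearray(DUMP_370)
_b[0x100:0x110] = b"\xff" * 16   # pretend region that changed between firmwares
_b[0x800:0x803] = b"ABC"         # a second changed region
DUMP_355 = bytes(_b)

SAMPLE_MANIFEST = build_manifest({
    "swap dump 3.70.bin": DUMP_370,
    "swap dump 3.55.bin": DUMP_355,
})


if __name__ == "__main__":
    for name, entry in SAMPLE_MANIFEST.items():
        print(f"{name}: {entry['size']} bytes sha256={entry['sha256']}")
    for start, end in diff_ranges(DUMP_370, DUMP_355):
        print(f"differs at 0x{start:06x}-0x{end:06x} ({end - start} bytes)")
    print("3.70 dump verifies:", verify_dump(SAMPLE_MANIFEST, "swap dump 3.70.bin", DUMP_370))
```

With real files, build the manifest right after step 13 from the two dump files read with `Path(...).read_bytes()`, save it next to them, and call `verify_dump` on the file you are about to flash each time you swap; `diff_ranges` is useful for confirming that the two dumps differ only where you expect and not, for example, in the per-console data that downgrade.bin was edited to carry.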