NOR patches

355checkoff.PUP

PS3 CFW Kmeaw by dospiedra - 355checkoff.PUP
('kmeaw' + lv1 nocheck (see below, V1/V2 etc)

Patches included (using PS3MFW Builder and Patches naming) :

• Patch LV1 hypervisor (lv1_function_114 mmap) lv1.self
  • Allow mapping of any memory area (Needed for LV2 Poke)

• Patch LV2 kernel (lv2 peek/lv2 poke) lv2_kernel.self
  • Patch to add Peek&Poke system calls to LV2

• Patch package installer (debug pkg/pseudo-retail pkg) nas_plugin.sprx
  • Patch to allow installation of pseudo-retail package
  • Patch to allow installation of debug packages

• Patch Application Launcher (unsigned app) vsh.self
  • Patch to allow running of unsigned applications

• Add new icons to the XMB Game category (install pkgs/app_home) category_game.xml
  • Add "Install Package Files" icon to the XMB Game Category
  • Add "/app_home" icon to the XMB Game Category

Extracting pup and comparing

to see the actual patches/changes done:

CORE_OS_PACKAGE.pkg

default.spp
emer_init.self
lv1.self
lv2_kernel.self
  
   
emer_init.elf
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0005B5A0                                      79 27 F0 82              y'ð‚
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0005B5A0                                      38 E9 FF F8              8éÿø
   
   
lv1.elf
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00093490              39 20 00 4F 7C 00 F8                     9 .O|.ø
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00093490              39 20 00 5F 7C 00 F8                     9 ._|.ø
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5A40              39 20 00 00 38 60 00                     9 ..8`.
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5A40              39 20 00 01 38 60 00                     9 ..8`.
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5EB0  41 DA 00 54                                      AÚ.T
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5EB0  60 00 00 00                                      `...
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD5C0                                      E8 1E 00 18              è...
    000FD5D0  E9 5E 00 20 E9 1E 00 28 E8 FE 00 30 EB EB 00 50  é^. é..(èþ.0ëë.P
    000FD5E0  F8 01 00                                         ø..
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD5C0                                      E8 1E 00 20              è.. 
    000FD5D0  E9 5E 00 28 E9 1E 00 30 E8 FE 00 38 EB FE 00 18  é^.(é..0èþ.8ëþ..
    000FD5E0  F8 01 00                                         ø..
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD850  E8 1E 00 18 E9 3E 00 20 E9 5E 00 28 E9 1E 00 30  è...é>. é^.(é..0
    000FD860  E8 FE 00 38 E8 DE 00 40 EB EB 00 50 90 A1 00 70  èþ.8èÞ.@ëë.P.¡.p
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD850  E8 1E 00 20 E9 3E 00 28 E9 5E 00 30 E9 1E 00 38  è.. é>.(é^.0é..8
    000FD860  E8 FE 00 40 E8 DE 00 48 EB FE 00 18 90 A1 00 70  èþ.@èÞ.Hëþ...¡.p
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0              E8 1E 00 18 E9 3E 00                     è...é>.
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0              E8 1E 00 20 E9 3E 00                     è.. é>.
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0              E8 1E 00 18 E9 3E 00 20 E9 5E 00 28      è...é>. é^.(
    000FDD00  E9 1E 00 30 E8 FE 00 38 E8 DE 00 40 EB EB 00 50  é..0èþ.8èÞ.@ëë.P
    000FDD10  90 A1 00                                         .¡.
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0              E8 1E 00 20 E9 3E 00 28 E9 5E 00 30      è.. é>.(é^.0
    000FDD00  E9 1E 00 38 E8 FE 00 40 E8 DE 00 48 EB FE 00 18  é..8èþ.@èÞ.Hëþ..
    000FDD10  90 A1 00                                         .¡.

dev_flash_010.tar.aa.2010_11_27_051337

dev_flash\vsh\module\nas_plugin.sprx

dev_flash_016.tar.aa.2010_11_27_051337

dev_flash\vsh\resource\explore\xmb\category_game.xml

V1

Tasks

MFW Task::patch_lv1.tcl with the following patches selected:

• --patch-lv1-storage-skip-acl-check
• --patch-lv1-sysmgr-disable-integrity-check

Patches

http://pastebin.com/aNehMfGi :

   Downgrade patches
          
   http://www.multiupload.com/O0TZGNP92M
          
   DIFF:
          
   -------------
   patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices
      
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340  54 63 06 3E                                      Tc.>
          
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340  38 60 00 01                                      8`..
          
   -----
   patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices (continued)
          
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340                                      E8 01 00 70              è..p
          
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340                                      38 00 00 01              8...
          
   -----
   patch-lv1-sysmgr-disable-integrity-check: Disable integrity check in System Manager
          
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0021D0B0              48 00 D7 15                              H.×.
          
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0021D0B0              38 60 00 00                              8`..
          
   -------------
      
   Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware

Combining patches

There is a difference between the patches on the Talk:Downgrading with NOR flasher and Talk:Downgrading with NAND flasher

what if you combine those together? 1st try: selecting both patch tasks manually:

<keperfear> eussnl http://www.multiupload.com/6AZN5DOCM9
<keperfear> could you check if i patched everything correctly
<keperfear> anyway i really need to sleep now
<keperfear> good luck everyone
* keperfear left
<eussNL> oh dear, keperfear is already gone ...  anyhow, this was my version : patched355coreos.rar (4.84 MB) (no "Patch In product mode erase standby bank skipped" selected)

<keperfear> Eussnl try with this one

      # In product mode erase standby bank skipped
     
      log "Patch In product mode erase standby bank skipped"
     
      set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
 
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

(difference is \x41\x9E\x00\x0C\xE8\xA2\x8A\x38 instead of \x41\x9E\x00\x0C\xE8\xA2\x8A\x30)

Combined TCL

2nd try, Combined single TCL "patch-lv1checks.tcl" :

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) PsiColeO
# Copyright (C) glevand ([email protected])
# Copyright (C) Anonymous Developers (Code Monkeys)

#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#

# Priority: 300
# Description: Patch LV1 checks

# Option --patch-lv1checks: Disables many checks in lv1

# Type --patch-lv1checks: boolean

namespace eval ::patch_lv1checks {

    array set ::patch_lv1checks::options {
        --patch-lv1checks true
    }

    proc main { } {
        set self "lv1.self"

        ::modify_coreos_file $self ::patch_lv1checks::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_lv1checks::options(--patch-lv1checks)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_lv1checks::patch_elf
        }
    }

    proc patch_elf {elf} {
        if {$::patch_lv1checks::options(--patch-lv1checks)} {
            log "Patching LV1 Checks"
    
      # ss_server1
      # Patch core OS Hash check // product mode always on
      log "--------------- Patching  ss_server1.fself ----------------------------"
      log "Patch core OS Hash check // product mode always on"
      
      set search "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
      set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
      
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

      
      # Patch check_revoke_list_hash check // product mode always on
      log "Patch check_revoke_list_hash check // product mode always on"
      
      set search "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
      set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"

      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

      
      # In product mode erase standby bank skipped
      log "Patch In product mode erase standby bank skipped" 
      
      set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"

      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"  


      # Patching System Manager to disable integrity check
      log "Patching System Manager to disable integrity check"

      set search  "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\x2f\x80\x00\x00"
      set replace "\x38\x60\x00\x00"

      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"  
      
      
      # Patching LV1 to enable skipping of ACL checks for all storage devices
      log "Patching LV1 to enable skipping of ACL checks for all storage devices"

      set search  "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\xe8\x01\x00\x70\x54\x00\x07\xfe"
	  append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
      set replace "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\x38\x00\x00\x01"

      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]" 
      

        }
    }
}

download: patch_lv1checks.rar (1.29 KB) (2.88-3.42 / 3.50-3.55)

PreAlpha v1 smoketest - offsets

patch-lv1checks (Modifying CORE_OS file lv1.self - Patching LV1 Checks)

<keperfear> coreos 3.55 with above 1,2,16,23,24 combined patches: coreos355nandandnordowngradepatches.rosx (7 MB)

Status

MFW patch_lv1checks.tcl seems to work fine. Needs testing in the field by people with hardware flasher only.

Update:

   [01:43:10]	<Ryd3R>	RSOD x_x
   [01:44:41]	<Ryd3R>	i hate when it show up
   [01:45:20]	<Ryd3R>	@eussNL: are you there ?
   [01:46:41]	<eussNL> I am, but also alot of sidestuff going on, whats the problem all of the sudden 
                         and what did you do to  make it bitch like that?
   [01:47:36]	<Ryd3R>	i did the 3.70 downgrade using a teensy++
   [01:48:42]	<Ryd3R>	it works well when i revert back to 3.70
   [01:49:23]	<Ryd3R>	i think it have something to do whith the fuckin syscon
   [01:49:37]	<eussNL> ok, did you patch lv1 ?
   [01:49:43]	<Ryd3R>	yeah
   [01:50:09]	<Ryd3R>	the No hash check patch right ?
   [01:51:50]	<Ryd3R>	for some fuckin reason any version perior 3.70 gave me an rsod
   [01:52:41]	<Ryd3R>	i tried using the recovery menu to update to 3.60 from 3.55 (lv1 patched) still rsod
   [01:53:15]	<eussNL> yes and then some... Ryd3R> the No hash check patch right ?
   [01:53:46]	<eussNL> http://www.ps3devwiki.com/index.php?title=Talk:Downgrading_with_NOR_flasher#Combined_TCL
   [01:55:47]	<Ryd3R>	i'll give it a try
   
   [02:16:19]	<Ryd3R>	thanks eussNL you'r the man, the patch works like charm
   [02:22:53]	<eussNL> good to hear, hope it stays flawless now :)

V2

http://darkconsoles.com/foro/viewtopic.php?f=7&t=16

NOR offsets used

LV1 patches used

  Downgrade patches v2
         
  http://www.multiupload.com/DVFD9AZGO5
         
  DIFF:
         
  -------------
  patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices
     
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340  54 63 06 3E                                      Tc.>
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340  38 60 00 01                                      8`..
         
  -----
  patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices (continued)
         
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340                                      E8 01 00 70              è..p
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340                                      38 00 00 01              8...
         
  -----
  ???? Patch sys_mgr integrity lv1 and lv0 integrity check ????
         
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0021D0B0              48 00 D7 15                              H.×.
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0021D0B0              38 60 00 00                              8`..
         
  -----

Combined TCL V2

Combined single TCL "patch-lv1checks.tcl" with added new patch :

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) PsiColeO
# Copyright (C) glevand ([email protected])
# Copyright (C) Anonymous Developers (Code Monkeys)

#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#

# Priority: 300
# Description: Patch LV1 checks

# Option --patch-lv1checks: Disables many checks in lv1

# Type --patch-lv1checks: boolean

namespace eval ::patch_lv1checks {

    array set ::patch_lv1checks::options {
        --patch-lv1checks true
    }

    proc main { } {
        set self "lv1.self"

        ::modify_coreos_file $self ::patch_lv1checks::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_lv1checks::options(--patch-lv1checks)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_lv1checks::patch_elf
        }
    }

    proc patch_elf {elf} {
        if {$::patch_lv1checks::options(--patch-lv1checks)} {
            log "Patching LV1 Checks"
    
      # ss_server1
      # Patch core OS Hash check // product mode always on
      log "--------------- Patching  ss_server1.fself ----------------------------"
      log "Patch core OS Hash check // product mode always on"
      
      set search "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
      set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
      
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

      
      # Patch check_revoke_list_hash check // product mode always on
      log "Patch check_revoke_list_hash check // product mode always on"
      
      set search "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
      set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"

      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

      
      # In product mode erase standby bank skipped
      log "Patch In product mode erase standby bank skipped" 
      
      set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"  
      
      
      # Patching System Manager to disable integrity check
      log "Patching System Manager to disable integrity check"
      
      set search  "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\x2f\x80\x00\x00"
      set replace "\x38\x60\x00\x00"
      
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"  
      
      
      # Patching LV1 to enable skipping of ACL checks for all storage devices
      log "Patching LV1 to enable skipping of ACL checks for all storage devices"

      set search  "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\xe8\x01\x00\x70\x54\x00\x07\xfe"
	  append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
      set replace "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\x38\x00\x00\x01"

      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]" 
      
      
      # LV1 0021D0B4@355 patch (?Patch sys_mgr integrity lv1 and lv0 integrity check?)
      log "?Patch sys_mgr integrity lv1 and lv0 integrity check?" 
      
      set search "\x48\x00\xD7\x15\x2F\x83\x00\x00\x38\x60\x00\x01"
      set replace "\x38\x60\x00\x00\x2F\x83\x00\x00\x38\x60\x00\x01"

      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

        }
    }
}

download: patch_lv1checks.rar (1.53 KB) (3.40-3.42 / 3.50-3.55)

PreAlpha v2 smoketest - offsets

patch-lv1checks (Modifying CORE_OS file lv1.self - Patching LV1 Checks)

Status

MFW patch_lv1checks.tcl seems to work fine. Needs testing in the field by people with hardware flasher only.

Rogero and VAL_ tested, no problems with games/trophy's and bluray movies

Premade MFW

Rogero MFW355_370_spoof_Internet_Blocked_LV1_Checks_Patched.PUP (170.59 MB)