Validating flash dumps

From PS3 Developer wiki
Revision as of 03:14, 10 February 2014 by Euss (talk | contribs)
Jump to navigation Jump to search
Dumpchecker

Why so important?

Whenever you want to mess with flash (NAND or NOR), you have to make sure you are getting 100% correct, valid, verified dumps.

Warning
If you do not validate your flash, and for some reason(s) the dump is invalid/bad, and you are rewriting to flash, you have no way of restoring the console hence making a perma-brick (unrecoverable brick).

So what can we use to prevent that, and make sure our dumps are as proper as we can check?

Visual inspection

HxD - hexeditor

Open up the flashdump (make it unified first if it is still 2 seperate NAND dumps) with a hexeditor (e.g. HxD)
and compare what you see with the Flash page.

Statistical analysis

One neat option in HxD is the analysis option. Open dump file and select Statistics in the Analysis menu. Mouse over the blue graph bars of 00 and FF

Valid dumps will have

Value NAND NOR
00's 1.43% - 2.68%
>3838627 <7194070
18.38% - 29.01%
>3083652 <4867070
FF's 18.25% - 24.54%
>48989471 <65874061
10.42% - 10.48%
>1748186 <1758252
rest below 0.5%
<1342177
below 0.5%
<83886

Note: if you get deviating statistics (since 3.60 CoreOS/ROS will deviate because of lv0 loaders encapsulation, 00's NOR statistics thus will be above/equal 18.23% and below 18.38%). Prepatch it so that both ROS and RVK areas are filled with 3.55 reference data. If still bad statistics, it means dump is bad in perconsole regions, prone to permabrick!


If you do not have HxD many other hex editors have a statistics option. If you want a standalone application that specifically informs you on the validity of the given statistical range (NOR only) use the BwE NOR Statistics application.

Bytereversed

  00 00 00 00 AC 0F FF E0 00 00 00 00 AD DE EF BE  (HEX)   and   saceru_eoldare  (Text)   RAW/PS3 readable - this is E3 default byteorder
  instead of
  00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  (HEX)   and   asecure_loader  (Text)   REV/Human readable - this is Progskeet default byteorder

You can use either the bytereverse option in the the flasher application and redump, or bytereverse the current dump with Flowrebuilder or cmdline tools (using record to swap: 2).

Only zeroes

00 00 00 00 00 00 00 00 00 where data should've been
  • Seems reading is a problem, mostly caused by bad wiring/clip seating -> check

patterned non zeroes / patterned non ff's

  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
  00 80 00 80 00 80 00 80 00 80 00 80 00 80 00 80   where zeroes should've been
  EF FF EF FF EF FF EF FF EF FF EF FF EF FF EF FF   where FF's should've been
  • Seems reading is a problem, mostly caused by bad wiring/clip seating -> check
  • Can also be caused by bad grounding, too low Vcc, interference or too long wires -> check

patterned FF's

  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF   repetive banding of FF's where data or zeroes should have been
  • Seems reading is a problem, mostly caused by bad wiring/clip seating -> check

malformed headers / filenames / regionnames

  IJI              instead of   IFI
  asecure_loaher                asecure_loader
  eIIH                          eEID
  cESH                          cISD
  cCSH                          cCSD
  trvg_prk0                     trvk_prg0
  trvg_prk1                     trvk_prg1
  trvg_pkk0                     trvk_pkg0
  trvg_pkk1                     trvk_pkg1
  cztrm                         cvtrm
  mitldr                        metldr
  • Seems reading is a problem, mostly caused by bad wiring/clip seating -> check

absent files / regions

  00FC0000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ    missing bootldr in NOR
  00000000  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ    missing bootldr in NAND
  • Seems reading is a problem, mostly caused by bad wiring/clip seating -> check

malformed files / regions

  00FC0000  28 B4 4F D2 F9 3F BC 43 28 B4 4F D2 F9 3F BC 43  (´OÒù?¼C(´OÒù?¼C    corrupted bootldr in NOR (it should always start with 00 00 there)
  • Seems reading is a problem, mostly caused by bad wiring/clip seating -> check

Repetitions

take 16 bytes of an offset that should be unique, e.g. the 0x10 offset which normaly has the DEADBEEF magic header :

  NOR: 0x0000010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF  //  NAND: 0x040010 00 00 00 00 0F AC E0 FF 00 00 00 00 DE AD BE EF

And find all instances in hexeditor
When it says found in 0x10 and 0x10010 you substract them (0x10010 - 0x10 = 0x10000)
So that means there is an error with setting 0x10000 (only one bit set!) low
because the programmer applies 0x10010 but the actual data on the address lines (received by the nor flash) is 0x10

Other semistatics: http://pastebin.com/7QMpLSBw (not all unique, but can be used to check offsetting by bad addresslines)

Checking again with other unique 16 byte sequence

  617365637572655F6C6F616465720000 (asecure_loader in hex)

Same check, found at 0x420 and 0x10420 (0x10420-0x420 = 0x10000)

OK, you've found the pattern, now how do we deduct from that the faulty line?

address is 2 bytes. 0x10 in dump with hexeditor is in reality 0x8 on the address bus because we read 2 bytes at once
so the address is no longer 0x10000 but 0x8000
0x8000 (hexadecimal = base 16) = 1000 0000 0000 0000 (binary = base 2)
which means the 16th bit = 1, we start counting at A0, so the 16th is A15

conclusion : A15 is bad


Quick lookup table

repetition addressline 'stuck'
0x2 A0
0x4 A1
0x8 A2
0x10 A3
0x20 A4
0x40 A5
0x80 A6
0x100 A7
0x200 A8
0x400 A9
0x800 A10
0x1000 A11
0x2000 A12
0x4000 A13
0x8000 A14
0x10000 A15
0x20000 A16
0x40000 A17
0x80000 A18
0x100000 A19
0x200000 A20
0x400000 A21
0x800000 A22
0x1000000 A23
0x2000000 A24
0x4000000 A25
0x8000000 A26
0x10000000 A27
0x20000000 A28
0x40000000 A29
0x80000000 A30

Check metldr+bootldr sizes

Warning
If they are even missing or bad, its a sure road to permabrick

Note: There is a program that will list some of the important information below and more - automatically! BwE NOR/NAND Dump Info

You can check metldr and bootldr sizes easily with HxD

  • either after extracting flash with Flowrebuilder and opening seperate files
  • or by looking in the unextracted Flash dump at the correct offset.

This table lists some common known values for your convenience as quick lookup:

IDPS/Product Code SKU - Datecode / Manufacturing date metldr offset bootldr Notes lowest
known
firmware
0x2F077 (NOR)
0x80877 (NAND)
0x81E (NOR)
0x4081E (NAND)
0x842 (NOR)
0x40842 (NAND)
size 0xFC0002 (NOR)
0x02 (NAND)
0xFC0012 (NOR)
0x12 (NAND)
n/a CEB-2030 (MPU-501 PROTO  n/a n/a 28C20 28 BE 28 BE Patch + FSM = OK <=0.50.003
01 DEH-Z1010 (TMU-520 SD  14 20 11 3E 2D020 2C FE 2C FE Patch + FSM = OK <=0.80.004
01 DECR-1000 (TMU-520 DECR  Every DECR manufactured before January 2009 Share the same BL/Metldr revisions EC 40 0E C0 2A840 2A 80 2A 80 Patch + FSM = OK <=0.85.010
01 ?DEH-H1001-D? (COOKIE13 CEX  EC 40 0E C0 2A830 2A 7F 2A 7F Patch + FSM = OK <=0.85.010
01 DEH-H1000A-E (COK-001 DEX  EC 70 0E C3 2A1E0 2A 1A 2A 1A Patch + FSM = OK <095.001
01
04
CECHAxx (COK-001)
CECHExx (COK-002)
EE 10 0E DD 2A430 2A 3F 2A 3F Patch + FSM = OK 1.00
1.00
01
02
03
01
CECHAxx (COK-001) with 1.00 from factory
CECHBxx (COK-001)
CECHCxx (COK-002)
DECHAxx (COK-001 DEX 
ED A0 0E D6 2A2E0 2A 2A 2A 2A Patch + FSM = OK 1.00
1.00
1.00
1.00
03 CECHCxx (COK-002) with 1.00 from factory EB F0 0E BB 30480 30 44 30 44 Patch + FSM = OK 1.00
1.00
01
02
03
CECHAxx (COK-001)
CECHBxx (COK-001)
CECHCxx (COK-002)
ED E0 0E DA 2A3B0 2A 37 2A 37 Patch + FSM = OK 1.00
1.00
1.00
04
05
Namco System 357 (COK-002 ARC 
CECHGxx (SEM-001)
E7 B0 0E 77 2E900 2E 8C 2E 8C Patch + FSM = OK ?1.90?
1.90
05
06
CECHGxx (SEM-001)
CECHHxx (DIA-001)
E7 B0 0E 77 2F200 2F 1C 2F 1C Patch + FSM = OK 2.30
2.30
05
06
CECHGxx (SEM-001)
CECHHxx (DIA-001)
E8 C0 0E 88 2EF80 2E F4 2E F4 Patch + FSM = OK 2.30
2.30
06
07
CECHHxx (DIA-001)
CECHJxx (DIA-002) with 2.30 from factory - datecode 8B
E8 E0 0E 8A 2EF80 2E F4 2E F4 Patch + FSM = OK 1.97
2.30
03
06
06
CECHExx (COK-002)
CECHHxx (DIA-001)
CECHMxx (DIA-001)
EA 60 0E A2 2EE70 2E E3 2E E3 Patch + FSM = OK
1.97
1.97
07 CECHJxx (DIA-002)
CECHKxx (DIA-002) datecode 8C
EA 60 0E A2 2EE70 2E E3 2E E3 Patch + FSM = OK
2.30
08
07
08
Namco System 357 (VER-001 ARC 
DECHJxx (DIA-002 DEX 
CECHLxx / CECHPxx (VER-001)
E8 D0 0E 89 2EAF0 2E AB 2E AB Patch + FSM = OK ?2.45?
2.16
2.45
08 CECHLxx (VER-001) E8 D0 0E 89 2EB70 2E B3 2E B3 Patch + FSM = OK 2.45
08
09
CECHLxx (VER-001) with 2.30 from factory - datecode unknown
CECH-20xx (DYN-001) with 2.76 from factory, datecode unknown
E8 90 0E 85 2F170 2F 13 2F 13 Patch + FSM = OK 2.30
2.70
09 DECR-1400 (DEB-001 DECR  with 2.60 from factory - manufacture date June 09
E8 90 0E 85 2F170 2F 13 2F 13 Patch + FSM = OK 2.60
09 CECH-20xx (DYN-001) E9 20 0E 8E 2F3F0 2F 3B 2F 3B Patch + FSM = OK 2.70
0A CECH-21xx (SUR-001) E9 20 0E 8E 2F4F0 2F 4B 2F 4B Patch + FSM = OK 3.20
03
0B
0B
CECHExx (COK-002W) refurbished
CECH-25xx (JTP-001) with 3.40 from factory - datecode 0C
CECH-25xx (JSD-001) with 3.41 from factory - datecode 0C
E9 20 0E 8E 2F4F0 2F 4B 2F 4B Patch + FSM = OK 3.40
3.40
3.40
0B
0B
CECH-25xx (JSD-001) with 3.56 from factory - datecode 0D
CECH-25xx (JTP-001) with 3.56 from factory - datecode 1A
E9 60 0E 92 2F570 2F 53 2F 53 Patch + FSM = OK 3.50
3.50
0B
0B
0B
CECH-25xx (JTP-001) with 3.56 from factory - datecode 1A (rare)
CECH-25xx (JSD-001) with 3.56 from factory - datecode 1B (common)
CECH-25xx (JTP-001) with 3.56 from factory - datecode 1B (common)
E9 60 0E 92 2F5F0 2F 5B 2F 5B (RLOD+)poweroff @ downgrade 355
(3.56+ + spkg fix + signed 3.55 priv : should work)
Patch + noFSM = OK
3.56
3.56
3.56
0B
0B
0C
CECH-25xx (JSD-001) with 3.60 from factory - datecode 1B
CECH-25xx (JTP-001) with 3.60 from factory - datecode [N.A.]
CECH-30xx (KTE-001) with 3.65 from factory - datecode [N.A.]
F9 20 0F 8E 2FFF0 2F FB 2F FB "metldr.2"
(RLOD+)poweroff @ downgrade 3.55
(RLOD+)poweroff @ Patch + noFSM
3.60
3.60
3.60
0C CECH-30xx (KTE-001) with ? from factory - datecode [?] F9 B0 0F 97 30070 30 03 30 03 "metldr.2"
(RLOD+)poweroff @ downgrade 3.55
(RLOD+)poweroff @ Patch + noFSM
?
0C CECH-30xx (KTE-001) with 3.72 from factory - datecode [1C] F9 B0 0F 97 300F0 30 0B 30 0B "metldr.2"
(RLOD+)poweroff @ downgrade 3.55
(RLOD+)poweroff @ Patch + noFSM
3.72
0D
0D
2C
CECH-40xx (MSX-001)
CECH-40xx (MPX-001)
CECH-40xx (MSX-001) '12GB'
F9 B0 0F 97 301F0 30 1B 30 1B "metldr.2"
(RLOD+)poweroff @ downgrade 3.55
(RLOD+)poweroff @ Patch + noFSM
4.20
?
4.22
12 CECH-42xx (PQX-001) '12GB' F9 B0 0F 97 301F0 30 1B 30 1B "metldr.2"
(RLOD+)poweroff @ downgrade 3.55
(RLOD+)poweroff @ Patch + noFSM
4.20
?
4.22

Flowrebuilder

Flow Rebuilder

Links to versions

http://www.ps3devwiki.com/files/flash/Tools/Flowrebuilder/

4.2.3.0 changelog
-----------------
added support to manage NAND preloader dumps
message user about the type of dump
message the user if bootloader are missing
auto-recognize if dump is normal or byte swapped and automanage them

Flowrebuilder options

  • (NAND only) UNSCRAMBLE then interleave two NAND flashes into one unified dump - (4.1.0.0 and higher) : Makes a unified dump.bin from 2 seperate NAND flash dumps.
    • In the second step it also extract the content of the unified dump. Make sure it extracts correctly (it will give no warning if it fails!) and all the needed files are there.
  • (NAND only) RE-SCRAMBLE a modified dump then de-interleave it into two new flashes - (4.1.0.0 and higher) : Splits the unified dump.bin into 2 new seperate NAND flash dumps.
  • Byte reverse and EXTRACT a NOR dump file - (4.1.0.0 and higher) : First byte reverse the single dump.bin then extract NOR content.
  • EXTRACT a Byte reversed NOR dump or an interleaved and unscrambled NAND dump - (4.1.0.0 and higher) : Extract the single dump.bin.
  • Byte reverse and PATCH a NOR dump - (4.2.1.1 and higher).
  • PATCH a Byte reversed NOR dump or an interleaved and unscrambled NAND dump - (4.2.1.1 and higher).
  • Byte reverse a dump - (4.2.1.1 and higher).

Note:

  • when getting errors with autopatcher, use Winskeet to patch the unified dump and then Flowrebuilder to Rescramble it. -> Fixed in FlowRebuilder v.4.2.1.2

Extracted flash content files

Flowrebuilder extraction no error

Flowrebuilder extraction error

(make sure they are all there, flowrebuilder will not give warning when it fails!):

  • bootloader_0
  • bootloader_1 (NAND only)
  • cCSD
  • cISD
  • creserved_0 (NAND only)
  • cvtrm
  • eEID
  • trvk_pkg
  • trvk_prg
  • \asecure_loader\metldr
  • \ros\[two seperate folders named to FW version]\CoreOS files (19 up to 25 files, depending the FW version)

Notes:

  • if it only extracted bootloader_0 + bootloader_1, check that both NANDs are dumped correct (known error with flashers that has bug with second NAND channel to read), and that high/low where selected correct.
  • Do not use spaces in the folderpath, or Flowrebuilder will not extract the files.
  • Bug workaround: delete previous extraction attempts to prevent Flowrebuilder to always error. -> bugreport -> Fixed in FlowRebuilder v.4.2.2.0

From unified to seperate low/high NAND files

If for some reason you lose the original seperate low/high NAND files and only have the unified, you need donor files to regenerate them.

extract and in Flowrebuilder select the option "RE-SCRAMBLE a modified dump then de-interleave it into two new flashes"

  • Select the NAND backup "Flash 0" (TOP) file : here drop the 1bkp.bin
  • Select the NAND backup "Flash 1" (BOTTOM) file : here drop the 2bkp.bin
  • Select the Input NAND interleaved Modified file : here drop your unified flash .bin file

and click Execute Operation

This will result in making 2 new deinterleaved files you could use for reflashing (it is recommended to alway use your own deinterleaved sourcedumps, this method is only mentioned as last resort for people that lost their backups).

BwE NOR Validator

Created/Started by BwE on the 14th November 2012 (Because I was too lazy to constantly check everything).

Greetz/Credit: EussNL, Judges, No0bZiLLa, Rogero, Rebug, deank, 3absiso, AFP, SCE & PS3 Dev Wiki (+ Its Contributers).

This all in one validator/patcher will interpret the byte orientation, patch for either 3.55 or 4.40 and will then output the results of 2800+ validations via HTML.

Output Example

How?

1 - Place your .bin/s in the same folder as the validator.
2 - Run the validator (in Administrator mode if using Windows Vista or higher) and press Start.
3 - A console will appear asking you to select your dump (if you have more than one in the folder).
4 - Make your selection and/or select if you want to patch it (either in its current byte orientation or the opposite).
5 - Wait patiently.
6 - Press Enter at the end to launch the output.

Explanation

After selecting your dump and choosing which patch you want it will begin to process the validation. Once it is finished it will give you a brief count of the results, after this you simply press enter to exit.

The program will then open a html output illustrating everything that has been validated. Scroll through or use the menu at the top and read each section.

If a validation says 'warning' or 'danger' investigate it yourself manually using a hex editor, or contact somebody knowledgeable. Only corruption messages will show you the exact offset to look at, everything else won't so this is where you have to read/learn about it on the ps3devwiki.

Some validations will tell you that you need to patch it (e.g. TRVK_PRG0 / TRVK_PRG1 / TRVK_PKG0 / TRVK_PKG1 / ROS0 / ROS1 errors or warnings), if this is the case then do so (don't forget to rename the patched dump e.g. bkpps3.bin_patched to bkpps3.bin_patched.bin) and re-validate the patched dump (you can move the original unpatched dump to make sure it is checking the patched one).

If your dump has any 'danger' messages in the per console sections (find them in the menu) then there is a good chance its completely ruined and unfixable. Also, if your dump has a large amount of 'danger' messages then there is a serious issue - bad wiring can be discovered if you have any repetition in the dump.

If a bkpps3_patched.bin output file is not produced, you need to run the program in Administrator Mode or turn off UAC.

Areas Of Validation

* Statistics
* First Region Header
* Flash Format
* Flash Region
* Asecure_Loader/Metldr
* Asecure_Loader/Metldr Corrupt Sequences
* Asecure_Loader/Metldr Encrypted Statistics/Entropy
* EID
* EID0
* EID1
* EID2
* EID3
* EID4
* EID5
* IDPS
* CISD
* CISD0
* CISD1
* CISD2
* CCSD
* CCSD0
* TRVK_PRG0
* TRVK_PRG1
* TRVK_PKG0
* TRVK_PKG1
* ROS0
* ROS1
* ROS0/1 AuthID's/MD5's
* Revoke/CoreOS MD5's
* CVTRM/VTRM0
* VTRM 1
* Second Region Header
* Second Region Block 0
* Second Region Block 1
* CELL_EXTNOR_AREA
* Lv0ldr/Bootldr
* Lv0ldr/Bootldr Corrupt Sequences
* Lv0ldr/Bootldr Statistics/Entropy
* Minimum Version
* File Digest Keys
* PerConsole Nonce
* Corrupt Sequences
* Repetition
* Authentication IDs

Download

BwE NOR Validator v1.31.rar https://mega.co.nz/#!9FV3TJib!FXqhSFu1jLJ6-nhb3qs3CQT5na9-h1CXPn8BpoW3y_o

Changelog

Note: 1.31 does not recognise 4.45/4.46 and later, to doublecheck ROS/RVK with norpatch (recommended) or ignore ROS/RVK you can choose to prepatch it (second best option)

  • 1.31 - 27/05/2013 : added eid4 + fixed bug in entropy (note: possibly final version, unless adding firmware revisions/new consoles)
  • 1.30 - 21/05/2013 : completely rewritten eid, cisd, ccsd + added more validations to it, upgraded other minor validations. all due to upcoming nand validator
  • 1.28 - 15/05/2013 : completely rewritten cvtrm validation + added more validations to it, upgraded/perfected entropy
  • 1.25 - 13/05/2013 : added entropy check for metldr/bootldr
  • 1.24 - 06/05/2013 : added more information to suit newly discovered ps3 data, improved validation, added a tip for bad md5's, removed version forcing
  • 1.23 - 29/04/2013 : improved validation, added 4.41 ofw information
  • 1.22 - 16/04/2013 : added 115 more validations + changed statistic range for bootldr + other small boring changes
  • 1.21 - 11/04/2013 : patch3 error fix.
  • 1.20 - 10/04/2013 : added new console data, removed 3.56 patch (replaced with 4.40), added protection against using old validator, changed corruption check (again!), added quick info for console.
  • 1.19 - 09/04/2013 : changed metldr statistic range, minver check (to suit refurbished ps3s), corruption changes
  • 1.18 - 08/04/2013 : upgraded cisd/cell_ext_nor_area/metldr validations to suit unique metldr.2 revision, changed corruption output (again).
  • 1.17 - 08/04/2013 : changed repetition check, changed corruption output, bugfix
  • 1.16 - 02/04/2013 : added rogero's 4.40 patch, changed options, added 25+ md5's, changed stats range and id check
  • 1.15 - 25/03/2013 : added 4.40 ofw information and optimised some code
  • 1.14 - 19/03/2013 : improved validation of the flash-region table
  • 1.13 - 18/03/2013 : better handling for metldr.2, more id detections and md5s, added byte reversal option for experimenting with E3.
  • 1.12 - 16/03/2013 : md5 bug fix, changed id detections and general improvements
  • 1.11 - 08/03/2013 : improved patching structure, added 3 musketeers patch (3.56 patching), code optimisation
  • 1.10 - 04/03/2013 : added 25+ validations + changed results & outputs + bugfix
  • 1.09 - 02/03/2013 : improved corruption checks for metldr/bootldr + more validations + old coreos bug fix (again) + changed some results
  • 1.08 - 29/02/2013 : added timeout for version check + added 16bit corrupt sequence check + fixed long outputs + fixed metldr ident bug + changed some warning/danger results + changed 00/ff results
  • 1.06 - 27/02/2013 : fixed bug when handling old coreos versions + fixed .self md5 list
  • 1.05 - 25/02/2013 : added approx 220 more validations + changed statistic ranges + latest version check + fixes to metldr/bootldr
  • 1.02 - 22/02/2013 : more md5's & authid checks + changed some results.
  • 1.01 - 16/02/2013 : authid check bugfix
  • 1.00 - 15/02/2013 : first public release

Warning

Warning
Using this program is NOT a 100% way of validating your dumps (because nothing is), but it is a good way of quickly seeing if it is worth checking further. This program will NOT work with NAND and will not check anything other than what is stated. ALWAYS CHECK MANUALLY!

Use at own risk! Valid dumps may be invalid - Invalid dumps may be valid.
There are almost infinite variations of each dump! Have fun and good luck!

If you do not validate your flash, and for some reason(s) the dump is invalid/bad, and you are rewriting to flash, you have no way of restoring the console hence making a perma-brick (unrecoverable brick).


Notes

Report any bugs or issues to [email protected] or directly to BwE @ irc.efnet.org #ps3downgrade or irc.ps3sanctuary.com #ps3hax

Give credit if you are using this for other people!

Made in Australia!

LT 4 AM <3


Gallery

BwE NAND Validator

Created/Started by BwE on the 3rd March 2013 (Because I was pressured to).

Greetz/Credit: EussNL, Judges, No0bZiLLa, Rogero, Rebug, deank, 3absiso, AFP, SCE & PS3 Dev Wiki (+ Its Contributers).

This all in one validator/patcher will patch for 3.55 and will output the results of 2799+ validations via HTML.

Output Example

How?

1 - Place your .bin/s in the same folder as the validator.
2 - Run the validator and press Start.
3 - A console will appear asking you to select your dump (if you have more than one in the folder).
4 - Make your selection and or select if you watch to patch it.
5 - Wait patiently.
6 - Press Enter at the end to launch the output.

Explanation

After selecting your dump and choosing which patch you want it will begin to process the validation. Once it is finished it will give you a brief count of the results, after this you simply press enter to exit.

The program will then open a html output illustrating everything that has been validated. Scroll through or use the menu at the top and read each section.

If a validation says 'warning' or 'danger' investigate it yourself manually using a hex editor, or contact somebody knowledgeable. Only corruption messages will show you the exact offset to look at, everything else won't so this is where you have to read/learn about it on the ps3devwiki.

Some validations will tell you that you need to patch it (e.g. ROS0 / ROS1 errors or warnings), if this is the case then do so (don't forget to rename the patched dump) and re-validate the patched dump (you can move the original unpatched dump to make sure it is checking the patched one).

If your dump has any 'danger' messages in the per console sections (find them in the menu) then there is a good chance its completely ruined and unfixable. Also, if your dump has a large amount of 'danger' messages then there is a serious issue - bad wiring can be discovered if you have any repetition in the dump.

Areas Of Validation

* Lv0ldr/Bootldr
* Lv0ldr/Bootldr Corrupt Sequences
* Lv0ldr/Bootldr Statistics/Entropy
* First Region Header
* Flash Format
* Flash Region
* Asecure_Loader/Metldr
* Asecure_Loader/Metldr Corrupt Sequences
* Asecure_Loader/Metldr Encrypted Statistics/Entropy
* EID
* EID0
* EID1
* EID2
* EID3
* EID4
* EID5
* IDPS
* CISD
* CISD0
* CISD1
* CISD2
* CCSD
* CCSD0
* TRVK_PRG0
* TRVK_PRG1
* TRVK_PKG0
* TRVK_PKG1
* ROS0
* ROS1
* ROS0/1 AuthID's/MD5's
* CoreOS MD5's
* CVTRM/VTRM0
* VTRM 1
* CELL_EXT_OS_AREA
* OtherOS
* Lv0ldr/Bootldr
* Lv0ldr/Bootldr Corrupt Sequences
* Lv0ldr/Bootldr Statistics/Entropy
* Minimum Version
* File Digest Keys
* PerConsole Nonce
* Corrupt Sequences
* Repetition
* Authenticiation IDs

Download

BwE NAND Validator v1.02

Application MD5: F874983FABA32EA520A4A06057A3691C

Changelog

  • 1.02 - 09/06/2013 : bugfix for patcher (did not fix enough) + added some more MD5's (CFW)
  • 1.01 - 28/05/2013 : bugfix for patcher (mistake from using old nor code)
  • 1.00 - 27/05/2013 : first proper/public release (because I am lazy there will be no loader!)

Bugreport

1.01:

  • Minver is not detected correct (on rare version) - it gives a warning, even when metldr/lv0ldr revision is correct and console was downgraded fine.

Warning

Warning
Using this program is NOT a 100% way of validating your dumps (because nothing is), but it is a good way of quickly seeing if it is worth checking further. This program will NOT work with NAND and will not check anything other than what is stated. ALWAYS CHECK MANUALLY!

Use at own risk! Valid dumps may be invalid - Invalid dumps may be valid.
There are almost infinite variations of each dump! Have fun and good luck!

If you do not validate your flash, and for some reason(s) the dump is invalid/bad, and you are rewriting to flash, you have no way of restoring the console hence making a perma-brick (unrecoverable brick).

Notes

As this is the first release, give extra care to each alert and use at your own risk! This program will only as good as the NOR validator after tedious updates ;)

Report any bugs or issues to [email protected] or directly to BwE @ irc.efnet.org #ps3downgrade or irc.ps3sanctuary.com #ps3hax

Give credit if you are using this for other people!

Made in Australia!

LT 4 AM <3

Nor Inspector

Another Tool for validating your NOR Dump is "Nor Inspector".

It will display most common information about your dump and the console.

How-to use

1) start
2) drag'n'drop your dump into the app
3) on errors check out status-tab

Features

Other Features:

* Drag'n'drop CoreOS / Revokation Package to replace
* Hex-Region Viewer
* Byte reverse dumps supported
* Error Logging in Status-Tab (OK/ERR) 
  "The Tab is green, the dump is clean!"
  ...

Download

Nor Inspector 0.0.1 (Requires .NET Framework 2.0)

Notes/Warning

Warning
Using this program is NOT a 100% way of validating your dumps (because nothing is), but it is a good way of quickly seeing if it is worth checking further. This program will NOT work with NAND and will not check anything other than what is stated. ALWAYS CHECK MANUALLY!

If you do not validate your flash, and for some reason(s) the dump is invalid/bad, and you are rewriting to flash, you have no way of restoring the console hence making a perma-brick (unrecoverable brick).

Gallery


PS3 NOR/NAND Statistic

Features

  • NOR/NAND statistics
  • NOR/NAND patching
  • NOR/NAND byte swapping
  • NOR/NAND infos
  • NOR/NAND validation
  • NOR/NAND extraction
  • DATECODE check

How-to use

This tool works different than other validators. Instead of outputing a full log, it will output an error.log, if validate is checked. But see for yourself.

Always patching 3.55 is recommended to see if the patched statistic is right/green

ckp_management_ID values have to be equal as well as per_console_nonce. (should be stated in error.log if not)

There is one easy rule! If the error.log contains an entry, your dump is definetly broken!

Ros section is excluded from validation. Why? It´s easy to repair, the hole section gets patched anyway and it leads to the rule above.

For NAND all known sections gets checked. But a big part is not or only rarely documented. So the hole part after cvtrm, cell_ext_os_area, OtherOS and unreferenced area at the end won´t be checked. It´s very important that you have look at the statistics and the "corrupt block count" of flowrebuilder when interleaving.

It´s always recommended to check dumps manually with an hexeditor, and using other tools for validation, to be as save as possible! As long as it is not possible to decrypt the full dump, it`s impossible to validate it to 100%.

Keep in mind this is only beta. :)

http://www.ps3hax.net/showthread.php?t=55019

Download

Notes/Warning

Warning
Using this program is NOT a 100% way of validating your dumps (because nothing is), but it is a good way of quickly seeing if it is worth checking further. This program will not check anything other than what is stated. ALWAYS CHECK MANUALLY!


If you do not validate your flash, and for some reason(s) the dump is invalid/bad, and you are rewriting to flash, you have no way of restoring the console hence making a perma-brick (unrecoverable brick).

Gallery

Known bad guides (with obvious faults in them that lead to permanent bricks)

E3 FLASHER INSTALLATION and DOWNGRADE TUTORIAL (Khalkedon)

What is wrong / could be better ?

  1. cutting knife VS plastic to remove the bolt protectors
  2. cellophane 3M tape in hot environment
  3. ribbon flat cable not at 90 degrees position
  4. no fixating of clip (coin/foam filler to keep the clip more pressed)
  5. no tristate wire soldered
  6. not checking clip connection, before closing console
  7. no repasting of RSX and CellBE
  8. not using torc moment screwdriver, but electric drill
  9. uneven pressure when mounting frontboard
  10. greasy fingerprints all over the motherboard (bonus fingerprint: under cellophane tape)
  11. dual sata adaptor is used (not recommended, as ps3 host does not support SATA Port Multiplier)
  12. E3 is ´wobbly´ because no cardboard filler was used to prevent movement (bracket design error)
  13. not using the 'Samsung' multiconsole update for E3 and no proper SHA1 identification of the correctness of file
  14. using 001000 for dumping, not using flashfun, thus risking busy flashbus on a multithreaded system
  15. not validate content of dumps, only size
  16. doing a restore (will permabrick console if clipped bad)
  17. when unpluging the power cord at 19:09, insuficient time to dischargue capacitors of power supply (a real reset needs more time)
  18. using e3_downgrader.bin (nicknamed e3_bricker for obvious reasons) instead of prepatching
  19. misnaming ¨2nd usb port¨ -> it's usb00000 because we count from right to left in ps3 (rightmost, closest to BD)
  20. no proper identification of lv2diag.self (there exist many!) and PS3UPDAT.PUP to be used (SHA1)
  21. after FSM reinstall, no boot to XMB to check it booting proper with FSM active
  22. not setting proper time, corrupting node database unneeded
  23. fix permission errors (archaic, not needed)

biggest error : not reading the (E3) downgrade guide on wiki

challenge: can you name another error?

Progskeets official downgrade guides

Word of Warning

When using validators and bricking your console as result, there are only 2 people to blame :

  • the one making the validator (for not properly validating, warning users and telling what is wrong and/or how it could be solved);
  • the enduser for flying blind and getting lazy/dumb with it.