Hardware flashing

From PS3 Developer wiki
Revision as of 04:58, 15 February 2012 by Euss (talk | contribs) (→‎Progskeet)
Jump to navigation Jump to search
Progskeet wired to NANDs of a COK-002 board (photo:idone)

Typical NOR flashing requires 16 Data wires, 23 Address wires and 3-4 control wires to the NOR pads (photo:defyboy)

Hardware Flashers

Both early launch consoles which feature NAND flash memory (block devices, that interleave their data unlike NOR flash) and later consoles which feature NOR flash memory are able to be flashed.

Different Flashers

Infectus

...

Noraliser

Marcan has made a NOR flasher / address sniffer for his PS3 slim by re-purposing a FPGA board (Xilinx Spartan3E XC3S500E) made for Wii hacking. Noraliser is a git repo that contains the HDL (verilog) and associated host computer tools for flashing/sniffing. There are ~50 signals to solder.

NORway

Work has been underway to brink a low cost AVR (Atmel 90USB1286) based NOR flasher that is capable of reading and writing on all consoles by defyboy. This was opensourced and further enhanced, now known as NORway for Teensy 2.0++ boards.

Progskeet

Other people havent been sitting idle either: uf6667 and **** have developed Progskeet, based on a Actel A3P125 MCU for NAND ánd NOR based consoles (not only PS3, but also useable for Wii and Xbox360).

PNM

"No_One" has developed PNM - The PS3 NOR Manager is a custom board based on a FPGA (Altera Cyclone3 EP3C25) and 2 flash sockets. PNM is capable to handle the basic features like read/dump/update/copy but also to swap (hot swap or cold swap) the NOR used. It also enbles features to sniff bus activities, emulate NOR flash etc.

PIC32MX

PIC32MX is an opensource PIC based NOR flasher.

E3

The E3 is a China commercial developped PS3 only 'flasher'.

Comparison

Flasher FAT SLIM Notes
CECHA
CECHB
CECHC
CECHE
CECHE CECHG CECHH CECHK CECHL
CECHM
CECHP
CECHQ
CECH-20.. CECH-21.. CECH-25.. CECH-25.. CECH-30..
COK
001
COK
002
COK
002W
SEM
001
DIA
001
DIA
002
VER
001
DYN
001
SUR
001
JTP
001
JSD
001
KTE
001
Infectus Yes Yes Yes Yes No No No No No No No No NAND only
Progskeet Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Universal NAND + NOR + SPI
Teensy 2.0++ / NORway No No No No Yes Yes Yes Yes Yes Yes Yes Yes OpenSource / OpenHardware
PNM No No No No Yes Yes Yes Yes Yes Yes Yes Yes OpenSource / OpenHardware
Noraliser No No No No Yes Yes Yes Yes Yes Yes Yes Yes Not commercially avail.
PIC32MX No No No No Yes Yes Yes Yes Yes Yes Yes Yes OpenSource / OpenHardware
E3 No No No No Yes Yes Yes Yes Yes Yes Yes Yes 1 console only
Feature Infectus PNM Progskeet Teensy 2.0++
NORway
PIC32MX E3 Remarks
Use CFI ? Yes Yes No ? ? Common Flash Memory Interface writing strategies (Progkseet can dump CFI, but doesnt use it directly for writestrategy)
PS3 NAND Support
(see above table)
Yes No Yes No No Yes E3 supports NAND with later 'to be released' edition
PS3 NOR Support
(see above table)
No Yes Yes Yes Yes Yes
Solderless No No Yes No No Yes Solderless is optional for E3 (but still requires soldering trisate).

NOR/NAND solderless clip for Progskeet are already available now. Announced for PNM near future.

OpenSource No Yes No Yes Yes No
OpenHardware No Yes No Yes Yes No
Updateable JTAG USB JTAG USB ISP microSD
Onboard Flash No Yes No No No Yes Instant-on dual firmware for PNM using a jumper // E3 uses flash on driveboard, not internal
Dual Boot solution No Yes Yes No No Yes Real quick dualboot requires dual flash (and user to swap the harddrive)
File Transfer Protocol USB X-Modem USB USB
Mass Production No No Yes No No Yes PNM V2 might be mass produced
X360 NAND Support Yes No Yes No No No
Wii NAND Support Yes No Yes No No No

Generic Warning

Generic Warning
Make sure you have several proper dumps of your flash before even trying writing to it! Use unpacking tools (e.g. Norunpack, Flowrebuilder, Norpatch etc.) and hexeditors (e.g. HxD) and use Flash page as reference.
  • CRC/MD5 is not a method to check your flash (if it is bad, you are only comparing if the other file is equally bad).
  • Also make sure you checked the content of the flash, Flowrebuilder, Norunpack only looks for image header and unpacks without warnings and without checking the content.

See also: Validating flash dumps

You cannot recover from bad flash without proper dumps (e.g. bricking the console beyond repair).

NAND Wiring

Flashers for NAND based consoles (CECHA/COK-001, CECHB/COK-001, CECHC/COK-002, CECHD/unreleased, CECHE/COK-002W, CECHF/unreleased, CECHG/SEM-001) are generaly wired directly to the pins of the NAND (you cannot use the testpoints!), plus ground and Vcc. For NAND pinouts see: Flash (Hardware) #NAND

There are 2 nands interleaved at the 512byte sectors level, giving a 1024 byte "interleaved sector". pages are 2kb on each nand.

Which NAND is low/high?

  • COK-001 :
    • IC3802 LOW (main componentside next to Starship2)
    • IC3803 HIGH (backside next to 60-pin BD ATA connector)
  • COK-002 + COK-002W :
    • IC3802 LOW (main componentside between SATA connector and South Bridge)
    • IC3803 HIGH (main componentside between SATA connector and AV Multi connector)
  • SEM-001 :
    • IC3802 LOW (backside)
    • IC3803 HIGH (main componentside)

Pinout Table

Dual NAND connection to Progskeet diagram, see http://progskeet.com/

Dual NAND connection to Infectus diagram

NAND 360Clip pinout
Chip/PIN Description Progskeet Infectus 360clip Description
NAND 0
0/1-6 NC NC NC NC No Connection
0/7 R/B 3 / gp13 A9 FRB1 Read/Busy Output
0/8 RE 98 / gp15 A15 RE Read Enable
0/9 CE 7 / gp9 A14 FCE1 Chip Enable
0/10+11 NC NC NC NC No Connection
0/12 Vcc +3.3 not used / not connected Vcc Vcc (min 2.7V-max 3.6V / typ 3.3V)
0/13 Vss GND not used / not connected GND VSS - Ground
0/14+15 NC NC NC NC No Connection
0/16 CLE 4 / gp12 A13 CLE Command Latch Enable
0/17 ALE 5 / gp11 A12 ALE Address Latch Enable
0/18 WE 2 / gp14 A11 WE Write Enable
0/19 WP 6 / gp10 A10 WP Write Protect
0/20-28 NC NC NC NC No Connection
0/29 I/O-0 90 / dq8 A0 I/O0
0/30 I/O-1 91 / dq9 A1 I/O1
0/31 I/O-2 92 / dq10 A2 I/O2
0/32 I/O-3 93 / dq11 A3 I/O3
0/33-35 NC NC NC NC No Connection
0/36 Vss GND not used / not connected GND VSS - Ground
0/37 Vcc +3.3 not used / not connected Vcc Vcc (min 2.7V-max 3.6V / typ 3.3V)
0/38-40 NC NC NC NC No Connection
0/41 I/O-4 94 / dq12 A4 I/O4
0/42 I/O-5 95 / dq13 A5 I/O5
0/43 I/O-6 96 / dq14 A6 I/O6
0/44 I/O-7 97 / dq15 A7 I/O7
0/45-48 NC NC NC NC No Connection
Chip/PIN Description Progskeet Infectus Description
NAND 1
1/1-6 NC NC NC NC No Connection
1/7 R/B 64 / rdy U FRB1 Read/Busy Output
1/8 RE 69 / oe M RE Read Enable
1/9 CE 60 / gp3 N FCE1 Chip Enable
1/10+11 NC NC NC NC No Connection
1/12 Vcc +3.3 not used / not connected Vcc Vcc (min 2.7V-max 3.6V / typ 3.3V)
1/13 Vss GND not used / not connected GND VSS - Ground
1/14+15 NC NC NC NC No Connection
1/16 CLE 63 / gp0 O CLE Command Latch Enable
1/17 ALE 62 / gp1 P ALE Address Latch Enable
1/18 WE 65 / we Q WE Write Enable
1/19 WP 61 / gp2 T WP Write Protect
1/20-28 NC NC NC NC No Connection
1/29 I/O-0 79 / dq0 D0 I/O0
1/30 I/O-1 80 / dq1 D1 I/O1
1/31 I/O-2 81 / dq2 D2 I/O2
1/32 I/O-3 82 / dq3 D3 I/O3
1/33-35 NC NC NC NC No Connection
1/36 Vss GND not used / not connected GND VSS - Ground
1/37 Vcc +3.3 not used / not connected Vcc Vcc (min 2.7V-max 3.6V / typ 3.3V)
1/38-40 NC NC NC NC No Connection
1/41 I/O-4 83 / dq4 D4 I/O4
1/42 I/O-5 84 / dq5 D5 I/O5
1/43 I/O-6 85 / dq6 D6 I/O6
1/44 I/O-7 86 / dq7 D7 I/O7
1/45-48 NC NC NC NC No Connection
Board trace
GND Vss not used / not connected GND not used / not connected VSS - Ground
+5VDC Vcc not used / not connected 5V not used / not connected Vcc from TH3401 (CECHA+CECHB/COK-001)
Vcc from TH3401 (CECHC+CECHE/COK-002)
Vcc from TH3280 (CECHG/SEM-001)

Remarks:

  • Progskeet is feeded from NAND 3.3V
  • Infectus is feeded from +5V board trace.
  • NAND's are feeded in both cases by the console itself.

Progskeet Note: Some modification is needed for Progskeet to unbrick:

  • desolder R8 from the Progskeet PCB (to disable the connection from pad R8 to left pad R7)
  • left pin of toggle switch to left lead of R7, middle pin of toggle switch to right lead of R7
  • Vcc to +3.3 // put toggle switch in "OFF" (right) postion, power on the ps3, put the toggle switch in the "ON"/left position, it will be recognized by the PC, NAND is always on now, do everything as usual.

NAND + clips

First make sure everything is correct:

  • Connect the flasher to the "Y" NAND adapterboard and from there connect the NAND clips to the "Y" NAND adapterboard.
  • Install flasher application
  • Connect flasher to PC
  • Install drivers with zadig.exe (select winusb for latest Winskeet, libusb0 is only for older versions)
  • Use the "Check for Shorts" option in the flasherapplication.

Make sure the clips are fitted correctly over the NANDs:

  • note the markerdot for pin1 (both on clip and NAND package)
  • make sure all pins make contact
  • check if it is all the way down to the PCB evenly and no components surrounding the NAND are preventing it from going down proper (might need some filing to make room).
  • You can take the topcap off the clip if you need, and can use hotglue on the outsides to further fixate it.

Preparing console further:

  • Replace the thermalcompound (e.g. Arctic Cooling MX-4) for the heatsink : CELL BE and RSX and reassemble the heatsink+fan.
  • Connect the Power Supply, Harddrive and the power/resetbutton subboard
  • For dumping/reflashing it is not needed to connect the Bluray Drive or the Bluetooth+Wifi board (ofcourse you are going to need them when installing a firmware)

Usage after all is connected:

  • First connect flasher to pc
  • Use the PS3 to power the NANDs.

Progskeet specific:

  • On NAND tab, you click NAND 1 and select 'auto'
  • On NAND tab, you click NAND 2 and select 'auto'
  • If it fails, it means it is not connected correctly

Using NAND flashers

Progskeet

put switch in "OFF" (R7 is open) position so that progskeet is not powered.
power on the ps3 and wait for 20-25 seconds,
put the switch in the "ON" (R7 closed) position, so progskeet is powered and will be recognized by the PC.
NAND is always on now, do everything as usual
    
select Big Block
select Raw
Pages per block: 64
blocks: 1024
    
That will give you 132MB (138,412,032 bytes) per NAND (dump time ~ 00:02:40 per NAND)
For normal console operation (e.g. after you dumped, flashed/downgraded it):
you need switch to "on" (R7 closed) and progskeet USB disconnected.


downloads

All current downloads are available here

Infectus

For Infectus don't use 3.9.9.0, as it removes dual NAND PS3 support :S If your board already came with this version or higher, use this: prepare_infectus_for_ps3.rar (5.53 MB) If it is done, it will show up as "2 NAND Programmer" in the bottom left. Dual NAND PS3 compatible version: Infectus_programmer_3.8_Beta_2.zip (4.02 MB)

Power the Infectus, it crashes the PS3 and leaves the NANDs in powered mode. Use the console to power the NANDs: power it up until the PS3 crashes and halts with red flashing LED, press power again to stop the flashing, but keeps the console powered on. The NANDs are not accessed by the PS3 in this way, so it doesn't matter if the NAND content is already messed up. After that, you can read/write the NANDs.

Dumping of single NAND should take about 15 minutes, 30 minutes for both.

Needed NAND tools

In case the flasher program doesnt understand dual NAND de/interleaving you'll need  : FlowRebuilder v.4.2.0.1.rar (379.34 KB)

Flowrebuilder options
  • (NAND only) Unscramble then interleave flashes into one unified dump : Makes a single dump.bin from 2 seperate NAND flash dumps.
    • In the second step it also extract the content of the unified dump. Make sure it extracts correctly (it will give no warning if it fails!) and all the needed files are there.
  • (NAND only) Re-scramble modified dump then de-interleave it into two new flashes : Splits the single dump.bin into 2 seperate NAND flash dumps.
  • Byte reverse and extract a NOR dump file : First byte reverse the single dump.bin then extract NOR content.
  • Extract a Byte reversed NOR dump or an interleaved and unscrambled NAND dump : Extract the single dump.bin
Extracted flash content files

(make sure they are all there, flowrebuilder will not give warning when it fails!):

  • bootloader_0
  • bootloader_1
  • cCSD
  • cISD
  • creserved_0
  • cvtrm
  • eEID
  • trvk_pkg
  • trvk_prg
  • \asecure_loader\metldr
  • \ros\[two seperate folders named to FW version]\CoreOS files (19 up to 25 files, depending the FW version)

Notes: if it only extracted bootloader_0 + bootloader_1, check that both NANDs are dumped correct (known error with flashers that has bug with second NAND channel to read),

Dump NAND from GameOS

dump_flash.pkg // backup/mirror: dump_flash.pkg (70.48 KB)
Make sure USB stick is FAT32 with enough free space (256MB per dump)

Dumping NAND from Linux

dd if=/dev/ps3flash of=NAND.BIN bs=1024

or

dd if=/dev/ps3vflasha of=NAND.BIN bs=1024

(needs unmasking first, see below)

Difference between hardware dumps and software dumps

ps3vflasha

hardware dumps

256 MB (268,435,456 bytes) bootldr is at 0x000000 on NAND (0xFC0000 on NOR)

software dumps

dump size = 239 MB (251,396,096 bytes)
bootldr not at 0x000000 on NAND :

00000000   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00000010   00 00 00 00 0F AC E0 FF  00 00 00 00 DE AD BE EF   .....¬à ÿ....Þ­¾ï

reason:

addi    %r12, %r4, 0x200 # r4 = start sector

256MB NAND consoles have a hidden section of size 0x40000 (0x200 * 512 byte sector = 0x40000) hidden by the hv. The hv hides it at address 002786E8

Original code : 0x39840200f8010090
Change to : 0x39840000f8010090

as seen in unself'ed LV1.self (Hypervisor)
3.15:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00098D20                                      39 84 02 00              9„..
    00098D30  F8 01 00 90                                      ø...
3.41:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000986A0  39 84 02 00 F8 01 00 90                          9„..ø...
Brick warning - Peek/Poke only
#Brick warning

TCL: http://pastebin.com/Snh4ERQ6 (Don't use, BRICK RISK, see below)

Too dangerous to patch unless you peek/poke because obviously it messes with all the offsets

Guide to unbrick from above situation

Here's my guide http://www.mediafire.com/?76bw1vd1m65bkk4 . I haven't tested it yet, but it should work on COK-001

'NOR' Interface Testpoints on NAND consoles

Simular as on the NOR based consoles testpoints can be found on the back of the PCB. It seems these are from the bus between the South Bridge and the Starship2. Attempts have been made to document/trace these. Addresslines 0-17 and Datalines 0-15 as well as some controllines are documented but so far these could not be used to read/flash the console in a NOR fashion.

TriState on NAND consoles

using Starship2 to southbridge /SB_EBUS_ACK @ SB_MAIN(P30) (numbered 52 in File:SS2_NOR.JPG)

  • CECHA (COK-001): IC3801:CXD4302GB-T6 pin:C1/ ebus jl:9308 (page 20 of servicemanual)
  • CECHC + CECHE (COK-002): IC3801:CXD4302GB-T6 pin:C1/ ebus jl:9308 (page 20 of servicemanual)
  • CECHG (SEM001): IC3801:CXD9909GB pin:C1/ ebus jl:9308 (page 21 of servicemanual)

NOR Interface Testpoints

Probably to aid in factory programming, Sony provides NOR testpoints on the bottomside of the motherboard. There are 16 data lines (Word access) and generally 23 Address lines. You will also need to control Chip Enable (#CE), Write Enable (#WE), Tristate (SB_DISABLE) and for some boards Write Protect (#WP)

Tristate

Tristate, or as it is referred to in the service manuals SB_DISABLE exists solely for the purpose of placing the South Bridge pins into high-impedance (the third state) so that we can access the flash without the South Bridge interfering.

Because the tristate pin is not connected to the NOR flash TSOP package, but to the South Bridge BGA package, this makes tracing the pin quite difficult. One should be able to locate it by having the running you could ground out the unknown pins whilst checking the continuity of a known address or data line against ground. These should enter high-impedance or no-continuity when you ground out SB_DISABLE.

Connecting NOR pads to flasher

Teensy 2.0 ++ connection diagram for PS3 NOR pads))

Progskeet NAND/NOR flasher board, based on Actel MCU, see http://progskeet.com/)

Progskeet 1.1 NAND/NOR flasher board, with ZIF and dual voltage, see http://progskeet.com/)

PNM, based on Altera FPGA and 2x NOR sockets

NOR TSOP56 ZIF 360clip and solderboard
NORpin PAD Progskeet Teensy 2.0++
NORway
PNM E3 NOR56 360clip Remark
31 A0 adr0 F0 A0 clip FA0
26 A1 adr1 F1 A1 clip FA1
25 A2 adr2 F2 A2 clip FA2
24 A3 adr3 F3 A3 clip FA3
23 A4 adr4 F4 A4 clip FA4
22 A5 adr5 F5 A5 clip FA5
21 A6 adr6 F6 A6 clip FA6
20 A7 adr7 F7 A7 clip FA7
10 A8 adr8 PA0 A8 clip FA8
9 A9 adr9 PA1 A9 clip FA9
8 A10 adr10 PA2 A10 clip FA10
7 A11 adr11 PA3 A11 clip FA11
6 A12 adr12 PA4 A12 clip FA12
5 A13 adr13 PA5 A13 clip FA13
4 A14 adr14 PA6 A14 clip FA14
3 A15 adr15 PA7 A15 clip FA15
54 A16 adr16 B0 A16 clip FA16
19 A17 adr17 B1 A17 clip FA17
18 A18 adr18 B2 A18 clip FA18
11 A19 adr19 B3 A19 clip FA19
12 A20 adr20 B4 A20 clip FA20
15 A21 adr21 B5 A21 clip FA21
1 A23 Not Used Not Used Not Used clip FA23 pin unused for 128mbit and below
56 A24 Not Used Not Used Not Used clip FA24 pin unused for 256mbit and below
2 A22 adr22 B6 A22 clip FA22
35 DQ0 dq0 D0 DQ0 clip AD0
37 DQ1 dq1 D1 DQ1 clip AD1
39 DQ2 dq2 D2 DQ2 clip AD2
41 DQ3 dq3 D3 DQ3 clip AD3
44 DQ4 dq4 D4 DQ4 clip AD4
46 DQ5 dq5 D5 DQ5 clip AD5
48 DQ6 dq6 D6 DQ6 clip AD6
50 DQ7 dq7 D7 DQ7 clip AD7
36 DQ8 dq8 C0 DQ8 clip AD8
38 DQ9 dq9 C1 DQ9 clip AD9
40 DQ10 dq10 C2 DQ10 clip AD10
42 DQ11 dq11 C3 DQ11 clip AD11
45 DQ12 dq12 C4 DQ12 clip AD12
47 DQ13 dq13 C5 DQ13 clip AD13
49 DQ14 dq14 C6 DQ14 clip AD14
51 DQ15 dq15 C7 DQ15 clip AD15
13 #WE we E5 NWE clip WE
32 CE# gp0 E0 NCE clip CE#
14 RESET gp1 E4 NRESET clip RESET
N/A TRISTATE gp2 E7 GPIO0 SBE N/A
16 WP# gp3 Not Used NWPACC clip WP# Is tied to Vcc by mobo
53 BYTE# Not Used Not used Not used clip ? Is tied to Vcc by mobo
34 OE# oe E1 NOE clip OE
17 RY/BY# rdy (ánd gp4 for old bitstream) E6 RYNBY clip RDY JTAG updated progskeet can do without the progskeet:gp4 to progskeet:rdy bridge and use the PS3:RY/BY# to progskeet:rdy alone.
33, 52 VSS GND GND GND clip GND
29, 43 VCC Not Used Not used Not used clip ?
27, 28, 30, 55 NC Not Used Not Used Not Used clip Not Used pins unused / Not Connected

Progskeet notes

Some modification is needed for Progskeet to unbrick:

  • desolder R8 from the Progskeet PCB
  • left pin of switch to left lead of R7, middle pin of switch to right lead of R7
  • Vcc to +3.3 // put switch in "OFF" (right) postion, power on the ps3, put the switch in the "ON"/left position, it will be recognized by the PC, NOR is always on now, do everything as usual.

PNM notes

  • PNM requires a +5V_EVER from the PS3 motherboard in "PS3 mode"
  • PNM requires a +5V from a USB port in "standalone mode". It then provides a +3.3V to the embedded NOR.

Teensy notes

E3 debricking notes

  • Requires soldering wire from SBE (solderpad on NOR flatcable) to TRISTATE (NORpoint on PS3 motherboard)
  • Make sure you have correct firmware on SD/TF card
  • E3 switches set as 1:Flash fun, 2: OFW, 3: Prog, 4: microSD, 5: PS3 Flash, 6: Lock with the console power disconnected.
  • Turn on console to restore (progress LEDs will light up one by one and blink if successfully).
  • Unplug powercable and set 1:Flash fun down to PS3 Mode and turn on the PS3, if everything went fine, it will now be debricked (remember: in case syscon has 3.56+ hashes, you need prepatched LV1, see downgrader guides).

English-E3 FLASHER repair method if console bricked.pdf (424.95 KB)

Speed comparison NOR flashers

Speed comparison NOR flashers
Teensy 2.0++
(NORway 0.1)
Teensy 2.0++
(NORway 0.3)
Progskeet PNM
(X-Modem - 460800 baud)
 time (h:mm:ss)   speed (KB/sec)   time (h:mm:ss)   speed (KB/sec)   time (h:mm:ss)   speed (KB/sec)   time (h:mm:ss)   speed (KB/sec) 
Full dump/read (16 MB)    0:05:11   52,68 KB/s   0:00:45   364,08 KB/s   0:00:16   1024 KB/s   0:45:43   6,1 KB/s 
Per sector write(128 KB)    0:01:35   1,35 KB/s   0:00:05.351   23,92 KB/s   0:00:00.365   350,69 KB/s   0:00:16.12   7,90 KB/s 
Full dump/write (16 MB)    2:08:19   2,12 KB/s   0:08:19   32,83 KB/s   0:00:46.811   350,00 KB/s   0:34:56   7,90 KB/s 
Full CRC32 (16 MB)    0:01:30   182,04 KB/s 
Full copy NOR-NOR (16 MB)    0:04:59   54,61 KB/s 

Using NOR flashers

Progskeet

Method 1 (with R7 switch and R8 closed):

1. Unplug the PS3 powercable from the back
2. Set the R7 switch to "off"
3. Plug the PS3 powercable back in and Power on the PS3
5. Wait 10 seconds and set the R7 switch to "on" to power progskeet
  
dump:
- Spansion S29GL128N90TFIR2 : 128KB sector, 128 sectors
- Spansion S29GL128P90TFIR2 : 128KB sector, 128 sectors
- Samsung K8Q2815UQB-PI4B : 4KB sector, 4096 sectors
- Samsung K8P2716UZC-QI4D : 128KB sector, 128 sectors
- Macronix MX29GL128ELT2I-90G : 128KB sector, 128 sectors
For normal console operation (e.g. after you dumped, flashed/downgraded it):
you need switch to "on" (R7 closed) and progskeet USB disconnected.

Method 2 (with R7 open / R8 closed):

1. Remove USB cable from your PC
2. Open up progskeet flashing software (use latest) + load flash type presets
3. Power on PS3 and wait 20 seconds
4. Plug in the USB cable to your PC
5. Progskeet will be recognised and you can now go ahead and dump
For normal console operation (e.g. after you dumped, flashed/downgraded it):
you need to disconnect the USB cable to your PC

NORway

Usage: %s serialport [command] [filename] [address]
    
serialport  Name of serial port to open (eg. COM1, COM2, /dev/ttyACM0, etc)
command     dump       Reads entire NOR to [filename]
            erase      Erases one sector (128KB) at [address]
            write      Flashes (read-erase-modify-write-verify) [filename]
                       at [address] to NOR
            writeimg   Same as write, but prepend a 16-byte length header
                       [address] is required
            program    Flashes (erase-write-verify) [filename]
                       at [address] to NOR
            release    Releases NOR interface, so the PS3 can boot
filename    Filename for [dump|write|writeimg|program]
address     Address for [erase|write|writeimg|program]
            Default is 0x0, address must be aligned (multiple of 0x20000)

PNM

serialport  (COM1, COM2, etc) - 460800 baud - 8N1
X-Modem protocol for file transfers
 
            copy_memory             Copies entire NOR to another NOR
            read_memory             Reads 0x80 bytes from a specified offset
            dump_memory             Reads entire NOR to a file (byte swap "on the fly")
            update_memory           Flashes entire NOR from a file (byte swap "on the fly")
            display_memory_crc      Displays NOR CRC32
            display_memory_details  Displays NOR details (size, firmware version, etc) 
 
PNM uses the Common Flash Interface standard (almost all current flash can be dumped/updated)

Needed NOR tools

If your dump starts like this: http://pastebin.com/sS69Vhvf you'll need to use the option "¨Byte reverse and extract a NOR dump file" of Flowrebuilder, which will output a inputfile.REV file

Dump NOR from GameOS

dump_flash.pkg // backup/mirror: dump_flash.pkg (70.48 KB)
Make sure USB stick is FAT32 with enough free space (16MB per dump)

Dumping NOR from Linux

dd if=/dev/ps3nflasha of=NOR.BIN bs=1024

Board Revisions

COK-001, COK-002, COK-002W, SEM-001

These are the earliest revisions of the PS3 motherboard (CECHA, CECHB, CECHC, CECHE, CECHG) and contain 2 x Samsung K9F1G08U0A-PIB0 128MB NAND Chips for a total of 256MB. These chips are interleaved which is controlled by a proprietary controller chip codenamed "Starship2" or SS2. This chip handles the interleaving and presents the NAND Chips to the South Bridge as a single large coherent flash.
Wiring: direct to NAND flash or using boardtraces to NANDs - don't use the testpoints.

DIA-001, DIA-002

These boards were the first to get the NOR flash memory from the middle revisions of the PS3 (CECHH, CECHJ, CECHK). Only a single Spansion S29GL128N90TFIR2 16MB NOR flash chip is used and the Starship2 chip has been completely removed. The 128N is JEDEC CFI compliant and organized as 8,388,608 words or 16,777,216 bytes, addressable as 16-bit words (PS3 modus operandi) and 8-bit / 1 byte when the BYTE# signal is logic zero.

DIA-002: the pinout is same as DIA-001, the only difference is that DIA-002 doesnt have a WP# testpoint but since it's connected to VCC its not needed.

VER-001

Used in the last revisions of the fatter model PS3 (CECHL, CECHM, CECHP, CECHQ), again with the single Spansion S29GL128N90TFIR2 16MB NOR flash with the exception of some CECHL which used a Samsung K8Q2815UQB-P14B 16MB NOR flash.

DYN-001

Used in CECH-20xx. The progskeet and teensy pinouts match the teensy picture provided on this page even though it states it's the pinout for progskeet. Contains mostly dual-banked Samsung NOR's, some Spansion "P" and some Macronix.

SUR-001

Used in CECH-21xx. Contains mostly Spansion "P" and some Macronix NOR. Some difference in components but the testpoints are the same for SUR-001/JSD-001/JTP-001/KTE-001

JTP-001

Used in CECH-210x. Some difference in components but the testpoints are the same for SUR-001/JSD-001/JTP-001/KTE-001

JSD-001

This is the pinout originally supplied by Marcan for a CECH-2504A. Some difference in components but the testpoints are the same for SUR-001/JSD-001/JTP-001/KTE-001

KTE-001

Used in CECH-30xx. Some difference in components but the testpoints are the same for SUR-001/JSD-001/JTP-001/KTE-001

Pinout Gallery

Missing / requested :

  • COK-001 (NAND) boardtraces
  • COK-002W (NAND) anypic
  • SUR-001 (NOR) mapped NOR Testpoints - some difference in components of JSD-001 but the testpoints are the same as JSD-001
  • JTP-001 (NOR) mapped NOR Testpoints - visually the same as JSD-001, confirmed working with JSD-001 layout
  • KTE-001 (NOR) - mapped NOR Testpoints - visually the same as JSD-001/JTP-001/SUR-001

Generic reference

Soldering Guide(s)


Soldering Irons/Stations

Soldering tips

  • Don't use >40W iron (we are not soldering copper pipes!)
  • Don't use leadfree solder
  • Don't use silverbased solder
  • Don't use high tin alloy (e.g. 90/10: 300'C @ 97Sn 3Pb and 250'C @ 65Sn 35Pb)
  • Use 60/40 (374'F / 190'C) or 63/37 (364'F / 183'C) both have nice low melting point for PCBs


Wire reference

Wire thickness AWG/mm :

   18 AWG - 0.0403" / 1.024mm
   19 AWG - 0.0359" / 0.912mm
   20 AWG - 0.0320" / 0.812mm
   21 AWG - 0.0285" / 0.723mm
   22 AWG - 0.0253" / 0.644mm
   23 AWG - 0.0226" / 0.573mm
   24 AWG - 0.0201" / 0.511mm
   25 AWG - 0.0179" / 0.455mm
   26 AWG - 0.0159" / 0.405mm
   27 AWG - 0.0142" / 0.361mm
   28 AWG - 0.0126" / 0.321mm
   29 AWG - 0.0113" / 0.286mm
   30 AWG - 0.0100" / 0.255mm
   31 AWG - 0.00893" / 0.227mm
   32 AWG - 0.00795" / 0.202mm
   33 AWG - 0.00708" / 0.180mm
   34 AWG - 0.00631" / 0.160mm
   35 AWG - 0.00562" / 0.143mm
   36 AWG - 0.00500" / 0.127mm
   37 AWG - 0.00445" / 0.113mm
   38 AWG - 0.00397" / 0.101mm7
   39 AWG - 0.00353" / 0.0897mm
   40 AWG - 0.00314" / 0.0799mm
  
   PATA/floppy 40-conductor cable - AWG28 (0.0126" / 0.321mm) with 0.0333" pitch +/- 0.002"
   PATA/floppy 40-conductor cable - AWG30 (0.0100" / 0.255mm) with 0.0333" pitch +/- 0.002"
  
   PATA 80-conductor cable - AWG30 (0.0100" / 0.255mm) with 0.025" pitch +/- 0.0016"
   PATA 80-conductor cable - AWG30 (0.0100" / 0.255mm) with 0.025" pitch +/- 0.002"
   PATA 80-conductor cable - AWG31 (0.00893" / 0.227mm) with 0.025" pitch +/- 0.002"
   PATA 80-conductor cable - AWG32 (0.00795" / 0.202mm) with 0.025" pitch +/- 0.002"
  
   Category 6 (ANSI/TIA-568-B.2-1) network cable: 4 twisted pairs of 22AWG (0.0253" / 0.644mm)
   Category 6 (ANSI/TIA-568-B.2-1) network cable: 4 twisted pairs of 23AWG (0.0226" / 0.573mm)
   Category 6 (ANSI/TIA-568-B.2-1) network cable: 4 twisted pairs of 24AWG (0.0201" / 0.511mm)
  
   Category 5/5e (TIA/EIA 568-5-A) network cable: 4 twisted pairs of 24AWG (0.0201" / 0.511mm)
  
   Category 5e patch (TIA/EIA 568-5-A) network cable: 4 twisted pairs of 26AWG (0.0159" / 0.405mm)
  
   SATA : solid 26 AWG - 0.0159" / 0.405mm
   SATA : solid 28 AWG - 0.0126" / 0.321mm
   SATA : solid 30 AWG - 0.0100" / 0.255mm


For wiring, use 20-26 AWG. 18 can be too stiff while 28 is too fragile. 24-26 AWG works fine in most cases. The Grounds and VCC wires may ofcourse be thicker than the signal wires. Keep wires short (~20cm).

For NOR wiring the solderarea (the NORpoints) is 10x larger than the solderarea used with NAND (pitch 0.5mm, just as NOR chips btw), so for NOR you have much more headroom (and also need!) to use thicker wires (for NAND you most likely want to use 28 AWG and cannot use much thicker)

Generic unresolved issues

There is a table made on the talk page to chart dump/flashing issues (and sucesses). See: Testreport_table

Progskeet QA/problem solving

Generic advice

Updating Progskeet with Injectus

  1. connect injectus to progskeet with very short wires (see File:Injectus_jtag_pinout.jpg File:Injectus-jtag-bottompads.png)
  2. power injectus with usb
  3. power progskeet with its own usb too (do NOT power the progskeet with the injectus!)
  4. run injectus programmer software
    1. click tools
    2. open infectus (at bottom of pulldown)
    3. load dat file
    4. click program

See also Programming the Bitstream

R7 / R8 explaination

R7 / R8 explaination in a sketch: File:Progskeet-R7-R8 explaination-sketch4.jpg

Be up to date

Always make sure you used the latest diagrams, drivers and flasher software from progskeet.com

Archive of old versions

Diagrams:

Driver:

Bitstream:

Flasher:

No shorts

Before doing anything, make 100% sure you wired up everything correct (no address/data IO lines mixed? all controllines hooked up? power/ground in order? etc.) and no shorts are made where there should not.

Error : libusb0.dll or libusb0.sys not found

The libusb-win32 Kernel Driver needed for the the flasher to get access to the USB port was not installed. Make sure you unpacked the drivers_xxxxxx file and installed the Progskeet driver (VendorID:1988 / ProductID:0001 in case you need it).

If problems with installing the driver, use manual mode from Device Manager and select the folder with ProgSkeet.inf ("ProgSkeet Install Disk") : http://windows.microsoft.com/en-US/windows-vista/Update-a-driver-for-hardware-that-isnt-working-properly

Error : side-by-side configuration is incorrect

In case of "the application has failed to start because its side-by-side configuration is incorrect" make sure Microsoft Visual C 9.0 runtime is installed and "Windows Installer" is not disabled (set to manual or automatic) in Services.msc

Error : incorrect parameter

Make sure you selected the correct values for your NOR/NAND device. If there is a preset, use it.

If not, e.g. :

  • NOR
    • Spansion S29GL128N90TFIR2 : 128KB sector, 128 sectors
    • Spansion S29GL128P90TFIR2 : 128KB sector, 128 sectors
    • Samsung K8Q2815UQB-PI4B : 4KB sector, 4096 sectors
    • Samsung K8P2716UZC-QI4D : 128KB sector, 128 sectors
    • Macronix MX29GL128ELT2I-90G : 128KB sector, 128 sectors
  • NAND: select Big Block, select Raw, Pages per block: 64, blocks: 1024

The application failed to initalize properly (0xc0000135)

You are missing either of these:

Error/crash on Windows 7

  • Disable Aero (known to crash on Win7 Ultimate)
    • set display color to 256 colors will enforce Aero to disable too
  • Make sure you have enough (admin) rights
  • Consider disabling UAC (or re-educate it proper)
  • Try "Compatibility Mode" (e.g. Windows 2000 or Windows XP SP2)

A/B Trick

The A/B trick is a solution found by DiGiTaLAnGeL to write his Macronix NOR (but can be tried on other NORs as well 1).
Some Sectors of his flash were "slow to write" and using the normal flashing procedure was resulting in a fail or in a freeze of the ProgSkeet Flasher.

Needed tools:

Step by step guide:

  • Shut Down your PS3 if not and be sure that the Progskeet's USB Cable is not plugged in.
  • Put your R7 Switch in OFF Position.
  • Power on your PS3.
  • Wait 20 seconds.
  • Put your R7 Switch in ON Position (now Proskeet is recognized by Windows).
  • Open Flasher "A" and flash your file (remember to set up the NOR size/sectors!)
  • When it reaches 100% , check C:\Proskeet.log, if you found some sectors failed to write... continue to the next step.
  • Without powering off your PS3, unplug Progskeet's USB Cable and Close Flasher "A"
  • Open Flasher "B" and replug your USB Cable.
  • Flash your file (remember to set up the NOR size/sectors!)
  • The Flasher will freeze on those "slow" sectors, just wait!
  • If after 1 minute your flasher is still stuck on that sector close the flasher.
  • Check again your log for sectors failed to write.

If you still have sectors that have failed to write, start again until they successfully write (Rember to check the Progskeet.log because reaching 100% doesn't mean that the sectors have successfully been written)

note: 1)
<DiGiAnGeL> if you successfully write at least one of the sectors you are having problem with, this trick work for you!
<DiGiAnGeL> (some sectors require even 5 minutes of trying before successfully writing them)

Irregular device disappering when reading/writing

<MrGBNC> I've had good dumps but sometimes when I click read progskeet disappears from the Device Manager
<eussNL> hmm, sounds like voltage drop or usb connection fail
<MrGBNC> and last week was progskeet no longer recognized by windows
<MrGBNC> unknown device
<Abkarino> you may have gnd problem
<eussNL> did you try manual removing the driver in safemode?
<Abkarino> try to remove r4 then try again
<Abkarino> i had the same problem before
<Abkarino> but uf6667 and ago told me to remove r4 and try again
<Abkarino> now ProgSkeet work fine every time i plug it to my PC
<MrGBNC> I've also talked to Ago, he said that the resistance between GND and VCC is too small for my progskeet
<Ago> well, you had voltage drops
<Ago> and a cap might be bad
<MrGBNC> that is why I try to exchange/warranty. I also couldn´t read a socket´ed NAND, only 30 in dump ;)