Downgrading with Hardware flasher

From PS3 Developer wiki
Jump to navigation Jump to search

Dump

Connect your Hardware flashing device and make sure you are getting 100% correct, valid, verified dumps.

Checking console capability of running 3.55

Compare the values found in your dump with those in the table below

metldr+bootldr sizes

IDPS SKU - Datecode / Manufacturing date metldr offset bootldr offset Notes
0x2F077 (NOR)
0x80877 (NAND)
0x81E (NOR)
0x4081E (NAND)
0x842 (NOR)
0x40842 (NAND)
0xFC0002 (NOR)
0x0 (NAND)
0xFC0012 (NOR)
0x12 (NAND)
CECHA01 (COK-001) with 1.00 from factory ED A0 0E D6 - - incomplete dump
CECHA06 (COK-001) EE 10 0E DD 2A 3F 2A 3F OK
CECHC04 (COK-002) with 1.00 from factory EB F0 0E BB 30 44 30 44 OK
06 CECHH04 (DIA-001) E8 E0 0E 8A 2E F4 2E F4 OK
07 CECHJ (DIA-002) EA 60 0E A2 2E E3 2E E3 OK
E7 B0 0E 77 2E 8C 2E 8C unsure if valid dump
08
09
CECHL (VER-001) with 2.30 from factory - datecode unknown
CECH20.. (DYN-001)
E8 90 0E 85 2F 13 2F 13 OK
08 CECHL (VER-001) E8 D0 0E 89 2E AB 2E AB OK
08 E8 D0 0E 89 2E B3 2E B3 OK
03
0A
0B
CECHE04 (COK-002W) refurbished
?
CECH-2504B (JTP-001) with 3.40 from factory - datecode 0C
E9 20 0E 8E 2F 4B 2F 4B OK
0B CECH-250.B (JTP-001) with 3.56 from factory - datecode 1A E9 60 0E 92 2F 53 2F 53 OK
0B CECH2504A (JTP-001) with 3.56 from factory - datecode 1B E9 60 0E 92 2F 5B 2F 5B (RLOD+)poweroff @ downgrade 355
CECH2504B (JSD-001) with 3.60 from factory - datecode 1B
CECH3012A (KTE-001) with 3.65 from factory - datecode [N.A.]
F9 20 0F 8E 2F FB 2F FB "metldr.2"
(RLOD+)poweroff @ downgrade 355

See also: SKU Models: Datecode / Manufacturing Date

Patch the dump & Reflash it to the console

You can use Hexeditor for patching (e.g. HxD).

NAND

Use NAND patches only on NAND consoles, not on NOR!

Target area Patchfile NAND Offset Paste length Remarks
ROS0 patch1 (7 MB) 0x0C0030 0x6FFFE0 CoreOS (prepatched 3.55)
ROS1 patch1 (7 MB) 0x7C0020 0x6FFFE0 CoreOS (SAME as ros0)
trvk_prg0 (0x91800)
trvk_prg1 (0x92810)
trvk_pkg (0x93800)
patch2 (16 KB) 0x91800 0x4000 one big patch overlapping several revoke area's

NOR

Use NOR patches only on NOR consoles, not on NAND!

Target area Patchfile NOR Offset Paste length Remarks
ROS0 patch1 (7 MB) 0x0C0010 0x6FFFE0 CoreOS (prepatched 3.55)
ROS1 patch1 (7 MB) 0x7C0010 0x6FFFE0 CoreOS (SAME as ros0)
trvk_prg0 (0x40000)
trvk_prg1 (0x60000)
trvk_pkg0 (0x80000)
trvk_pkg1 (0xA0000)
rvk-040000 (512 KB) 0x40000 0x80000 one big patch
overlapping several revoke area's

Reinstall firmware in Factory Service Mode

  1. Use the PSGrade dongle to trigger Factory Service Mode (in the rightmost USB port).
  2. Turn PS3 on, it will trigger Factory Service Mode and turn off the console.
  3. After triggering Factory Service Mode, put the Lv2diag.self (see below) and prepatched firmware to install (named PS3UPDAT.PUP) in root of your USB Mass Storage Device and plug it in the PS3 (again, in the rightmost USB port).
  4. Turn PS3 on, it will install the firmware you had put there (even though you have no screenoutput, you can see it is busy by looking at the activity led of the harddrive and of your USB Mass Storage Device).
  5. PS3 will turn itself off after finishing the firmware installation.

See also Downgrading with PSgrade Dongle, which also contains alot of ready to use PSgrade HEX files for several dongles.

PUP to use

Rogero V2 or any firmware with prepatched lv1 (no syscon hash checks)

Different Factory Service Mode SELFs

NAND

For factory Service Mode install:

  • if using the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
  • if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP

NOR

Use the normal lv2diag and use the Rogero normal PUP

Only when having a console with a broken bluraydrive, you either:

  • use the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
  • use the jaicrab NoBD lv2diag : Use the Rogero normal PUP
Filename Size Remarks SHA1 MD5 CRC32 CRC16
Lv2diag.self (227.38 KB) 232832 jaicrab noBD patched 180823003B086D9D49BC7F83BEA9C769BF73A5EA 3615770407C0C3FA00D8CA49C8ADB362 25E85CFB EDD0
Lv2diag.self (365.5 KB) 374272 3.55 get in FSM 1ED037740D67FEBACA6449CABFF4E95400C9E2EE 099F33A7967F99E91C07E870FD78B3DB 9338ABF2 4FCC

Check the logfile

After installation of the firmware, take the created logfile in root of USB Mass Storage Device and look if it contains errors (pastie the log if you want to ask for help online on IRC)

Getting out of Factory Service Mode

If everything went fine without errors, you can take the console out of service mode and enjoy your downgraded console :)

  1. Put the Lv2diag.self (see below) in root of your USB Mass Storage Device and plug it in the PS3 (again, in the rightmost USB port).
  2. Turn PS3 on, it will trigger Factory Service Mode off and shutdown.
Filename Size Remarks SHA1 MD5 CRC32 CRC16
Lv2diag.self (201.42 KB) 206256 get out FSM 329877CBD47B994EC0AFCEA6AF98114FD9E5128B 7A20BFDAE65EEFB47A4425DB1B52DCDE 72740080 502A