Talk:Dual Firmware
Manual dualboot 3.55 & 3.70 with 2 flashdumps and 2 harddrives
Old Guide
original italian and english guide posted by digitalangel
Today I will write a tutorial to “fast-swap” between CFW 3.55 and OFW 3.70, using 2 HDDs… at the end of the tutorial, you will be able to swap between the firmware just flashing a dump on your PS3 using Progskeet. (instead of downgrading and losing all data).
The first steps are not so easy, so take your time and go on, by the way, you must have some skill with Progskeet, and it must be 100% working on your console.
What we need:
- PS3 Slim running with FW 3.70
- 2 Hard Disks
- Progskeet installed and working on your PS3 Slim
- Downgrade.bin edited with your personal data (there are tons of tutorials for do this)
- 3.55 Downgrade Dongle to do the downgrade process.
- Sony OFW 3.70 UPDATE.(DOWNLOAD)
- CFW 3.55 KMEAW “NO CHECK” by dospiedra.(DOWNLOAD)
- Lv2Diag By Jaicrab. (DOWNLOAD)
- Lv2Diag “FILE 2″ to go out of Service/Factory Mode. (DOWNLOAD)
We need 2 harddrives because the firmware is partial on NOR (CoreOS) and the rest is on the harddrive. so we will need 2 HDDs, one for 3.55, and one for 3.70..
We will call those HDD “A” (for 3.70) and “B” (for 3.55) dont mix them up!
Starting with a PS3 Slim with OFW 3.70.
- Plug in HDD “B”, format and prepare it if it’s required by the PS3 and you should have your 3.70 up and running.
- DUMP your actual NOR and call it “original dump 3.70.bin”
- Now flash your “downgrade.bin” (edited with the personal data found in “original dump 3.70.bin”)
- Turn on your PS3 and be sure that the PS3 is asking you to press the PS button (downgrade.bin flashed correctly :D )
- Insert a 3.55 Downgrade dongle and enter factory/service mode.
- Copy Lv2Diag.self by Jaicrab and the 3.55 NO CHECK UPDATE renamed as “PS3UPDAT.PUP” in the root of your USB Stick.
- Plug in the USB Stick in the most-right USB port of your PS3 and wait for it to turn OFF.
- Leave the factory mode using the other Lv2Diag.self
- After the reboot, you need to configure and set up your system… now you have a fully working 3.55 CFW based on KMEAW “NO CHECK”.
- DUMP your actual NOR and call it “swap dump 3.55.bin”
- Unplug HDD B and Plug in HDD A.
- Turn on your PS3, plug in your USB Stick containing official 3.70 update and press start+select when asked.
- When the PS3 reboots, check that the system is fully working and DUMP your actual NOR and call it “swap dump 3.70.bin”.
NOW IT’S FINISHED! You should have “swap dump 3.55.bin” and “swap dump 3.70.bin” … Now you just have to swap HDD and flash the correspondening dump:
- HDD A = swap dump 3.70.bin
- HDD B = swap dump 3.55.bin
WARNING: Do not install other CFW than the “NO CHECK” one… because it’s used to make the “fast-swap” working… if you flash something different you will not be able to go between the 2 FWs. This patch disables the LV1 for checking the Syscon hashes at startup… so it will not freeze or complain when the syscon hashes says “3.70″ and your FW is 3.55 ;)
WARNING: In case you wanna update your console with a future “3.80″ or-so firmware. Do not update your console when you are running 3.55 firmware! You have to go to “swap dump 3.70.bin” and then update as usual (XMB or recovery)… -By the way, the downgrade is confirmed working only on 3.70… we haven’t tested it on other FWs, you could loose the possibility to go back to 3.55!-
Editoral warning: The "NoCheck.pup" is known to cause trophy errors, use the RogeroV2.pup instead or build one yourself with PS3MFW Builder and the TCL from the NOR downgrader talkpage.
Patches 3.41
Once this patches are tested and confirmed to be safe, they will be commited to the MFW project
Debug info patch tlc - patch_lv1debinfo
Warning try these patches only if you have nor/nand flasher to recover These patches allow the output of the debug printfs on startup, the main problem right now is that the buffer is only 0xFE0 bytes long so it gets overwritten. If anyone figures out how to solve this feel free to improve it
- To see the debug console one should read 0xFEO bytes starting from these offsets
'Debug Console'
| Type | Address | Console type |
|---|---|---|
| ra | 0x655040 | fat |
| ra | 0x66EF00 | slim |
Please inform your success or failure using these scripts
Basic Hash checks patches - patch_lv1bscheck
Warning try these patches only if you have nor/nand flasher to recover
Please inform your success or failure using these scripts
Basic Hash checks patches for linux ENABLE/DISABLE/FORCE hash checks
http://pastie.org/2070649
These have already been tested
PreAlpha v3 smoketest - offsets
patch_lv1sccheck (Modifying CORE_OS file lv1.self - Patching LV1 Checks)
| a | ss_server1.fself | 2.80 | 3.00 | 3.01 | 3.10 | 3.15 | 3.20 | 3.21 | 3.30 | 3.40 | 3.41-BAD | 3.41-FIX | 3.42 | 3.50 | 3.55 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Patch core OS Hash check //product mode always on | 2958632 | 2958452 | 2958452 | 2958984 | 2958984 | 2959072 | 2891632 | 2891556 | 2891596 | 2891596 | 2891596 | 2891596 | 2891684 | 2891684 |
| 2 | Patch check_revoke_list_hash check //product mode always on | 2961708 | 2961528 | 2961528 | 2962060 | 2962060 | 2962148 | 2894708 | 2894632 | 2894672 | 2894672 | 2894672 | 2894672 | 2894836 | 2894836 |
| 3 | Patch get secure product mode on | 2954260 | 2954080 | 2954080 | 2954612 | 2954612 | 2954700 | 2887260 | 2887184 | 2887224 | 2887224 | 2887224 | 2887224 | 2887312 | 2887312 |
| 4 | Patch Valid acces for TOOL - manufacturing | 2970228 | 2970048 | 2970048 | 2970568 | 2970568 | 2970656 | 2903216 | 2903140 | 2903180 | 2903180 | 2903180 | 2903180 | no pattern | no pattern |
| 5 | Patch Same version (OK) (TOOL/DEX/ARCADE or manufacturing) | no pattern | no pattern | no pattern | no pattern | no pattern | 3029516 | 2962076 | 2961372 | 2961412 | 2961412 | 2961412 | 2961412 | - | - |
| 6 | Patch Older version CEX (OK) | - | - | - | - | - | 3029420 | 2961980 | 2961276 | 2961316 | 2961316 | 2961316 | 2961316 | - | - |
| 7 | Patch Chasis mismatched | - | - | - | - | - | 3030148 | 2962708 | 2962004 | 2962044 | 2962044 | 2962044 | 2962044 | - | - |
| 8 | Patch Not revoked | - | - | - | - | - | 3030080 | 2962640 | 2961936 | 2961976 | 2961976 | 2961976 | 2961976 | - | - |
| 9 | Patch Manufacturing Image in normal mode | - | - | - | - | - | 3030000 | 2962560 | 2961856 | 2961896 | 2961896 | 2961896 | 2961896 | - | - |
| 10 | Patch Unknown direction | - | - | - | - | - | 3029832 | 2962436 | 2961688 | 2961728 | 2961728 | 2961728 | 2961728 | - | - |
| 11 | Patch Inapropiate direction | - | - | - | - | - | 3029876 | 2962436 | 2961732 | 2961772 | 2961772 | 2961772 | 2961772 | - | - |
| 12 | Patch Skip package direction check | - | - | - | - | - | 3029692 | 2962252 | 2961548 | 2961588 | 2961588 | 2961588 | 2961588 | - | - |
| 13 | Patch Capability check product mode | - | - | - | - | - | no pattern | no pattern | 3104064 | 3104104 | 3104104 | 3104104 | 3104104 | - | - |
| 14 | Patch fix2pc Root hash match OK | - | - | - | - | - | - | - | 3050140 | 3050180 | 3050180 | 3050180 | 3050180 | - | - |
| 15 | Patch raw image overlap success | - | - | - | - | - | - | - | 2899420 | 2899460 | 2899460 | 2899460 | 2899460 | - | - |
| 16 | Patch In product mode erase standby bank skipped | 2977960 | 2977780 | 2977780 | 2978324 | 2978324 | 2978412 | 2910972 | 2910896 | 2910936 | 2910936 | 2910936 | 2910936 | no pattern | no pattern |
| 17 | Patch Flash version check Older version OK | - | - | - | - | - | - | - | 2963136 | 2963176 | 2963176 | 2963176 | 2963176 | - | - |
| 18 | Patch Flash version check Same version (OK) (TOOL/DEX/ARCADE or manufacturing) | - | - | - | - | - | - | - | 2963232 | 2963272 | 2963272 | 2963272 | 2963272 | - | - |
| b | sys_mgr.self | 2.80 | 3.00 | 3.01 | 3.10 | 3.15 | 3.20 | 3.21 | 3.30 | 3.40 | 3.41-BAD | 3.41-FIX | 3.42 | 3.50 | 3.55 |
| 19 | Patch Patch sys_mgr integrity lv1 and lv0 integrity check | - | - | - | - | - | - | - | no pattern | 2216084 | 2216084 | 2216084 | 2216084 | - | - |
| c | lv1.self main | 2.80 | 3.00 | 3.01 | 3.10 | 3.15 | 3.20 | 3.21 | 3.30 | 3.40 | 3.41-BAD | 3.41-FIX | 3.42 | 3.50 | 3.55 |
| 20 | Patch SC header not correct | - | - | - | - | - | - | - | - | 172784 | 172784 | 172784 | 172784 | - | - |
| 21 | Patch SC checksum error | - | - | - | - | - | - | - | - | 173112 | 173112 | 173112 | 173112 | - | - |
| d | ss_server2.fself | 2.80 | 3.00 | 3.01 | 3.10 | 3.15 | 3.20 | 3.21 | 3.30 | 3.40 | 3.41-BAD | 3.41-FIX | 3.42 | 3.50 | 3.55 |
| 22 | Patch Capability check | - | - | - | - | - | - | - | - | 3524212 | 3524212 | 3524212 | 3524212 | - | - |
PreAlpha v4 smoketest - offsets
patch_lv1bscheck (Modifying CORE_OS file lv1.self - Disables basic hash checks in lv1)
| a | ss_server1.fself | 2.80 | 3.00 | 3.01 | 3.10 | 3.15 | 3.20 | 3.21 | 3.30 | 3.40 | 3.41-BAD | 3.41-FIX | 3.42 | 3.50 | 3.55 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Patch core OS Hash check //product mode always on | 2958632 | 2958452 | 2958452 | 2958984 | 2958984 | 2959072 | 2891632 | 2891556 | 2891596 | 2891596 | 2891596 | 2891596 | 2891684 | 2891684 |
| 2 | Patch check_revoke_list_hash check //product mode always on | 2961708 | 2961528 | 2961528 | 2962060 | 2962060 | 2962148 | 2894708 | 2894632 | 2894672 | 2894672 | 2894672 | 2894672 | 2894836 | 2894836 |
| 16 | Patch In product mode erase standby bank skipped | 2977960 | 2977780 | 2977780 | 2978324 | 2978324 | 2978412 | 2910972 | 2910896 | 2910936 | 2910936 | 2910936 | 2910936 | no pattern | no pattern |
PreAlpha v5 smoketest - offsets
patch_lv1debinfo (Modifying CORE_OS file lv1.self - Enables output of debug info)
| a | ss_server1.fself | 2.80 | 3.00 | 3.01 | 3.10 | 3.15 | 3.20 | 3.21 | 3.30 | 3.40 | 3.41-BAD | 3.41-FIX | 3.42 | 3.50 | 3.55 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Patch UM debug level return value #8000b04 | 2953044 | 2952864 | 2952864 | 2953396 | 2953396 | 2953484 | 2886044 | 2885968 | 2886008 | 2886008 | 2886008 | 2886008 | 2886096 | 2886096 |
| 2 | Patch COMMON debug level return value #80035b78 | No pattern | No pattern | No pattern | No pattern | No pattern | No pattern | No pattern | 3090884 | 3090924 | 3090924 | 3090924 | 3090924 | No pattern | No pattern |
| 3 | Patch SM debug level return value #8001f954 | - | - | - | - | - | - | - | 3000224 | 3000264 | 3000264 | 3000264 | 3000264 | - | - |
| 4 | Patch PRINTK enable return value #80035abc | - | - | - | - | - | - | - | 3090696 | 3090736 | 3090736 | 3090736 | 3090736 | - | - |
| 5 | Patch SB_MGR debug level return value #80030c2c | - | - | - | - | - | - | - | 3070584 | 3070624 | 3070624 | 3070624 | 3070624 | - | - |
| 6 | Patch DEBUG PRINTF function #80035cac | - | - | - | - | - | - | - | 3091192 | 3091232 | 3091232 | 3091232 | 3091232 | - | - |
| 7 | Patch PRINTF 1 function #80035bb3 | - | - | - | - | - | - | - | 3090944 | 3090984 | 3090984 | 3090984 | 3090984 | - | - |
| 8 | Patch COMMON PRINTF function #80035c2c | - | - | - | - | - | - | - | 3091064 | 3091104 | 3091104 | 3091104 | 3091104 | - | - |
E3 Fast Dual Boot- OFW 4.xx and CFW 4.xx
please do come crying in #ps3downgrade
Just base info, someone please work on, :) or delete....
Please Read
Thanks and credits pu6pu6 - ps3hax.net, original brief tutorial kman28 - ps3hax.net , original fast dual boot guide everyone in this thread for testing and what not - http://www.ps3hax.net/showthread.php?t=44955 PSdevwiki-especially eussNL
What is needed: 1. If you brick or otherwise damage your PS3, no one but yourself is liable. 2. You will need an E3 flasher. 3. The tristate on the motherboard must be soldered to the SBE point on the e3 flasher with a cable 4. The track between points A and B must be scratched out and a cable soldered between points A and the SBCE point on the E3 flasher. Diagrams 5. You must be in a position to install a 3.55 firmware.
CFW Setup Plug in your CFW hard drive. Put switch 2 up on the E3, rest down. Install Rogero 3.55 V7. Preferably via recovery menu. link Install multiman 4.13 or later. Link toggle qa-verify, link Install 4.xx CFW via recovery mode links Power on ps3 make sure 4.xx CFW is working Put PS3 off Change E3 switches as follows: ---SW:FLASHFUN/CFW/BACKUP/MICROSD/OBFLASH---
Click start this will backup the E3 onboard NOR to the microSD
Bytereverse the backup using Flowrebuilder
Apply ONE of the following no-check patches depending on your 4.xx CFW:
4.21 CFW - link 4.30 CFW - link
Link to patchfile
Open win skeet select patcher then select the patch file and input dump.
Once again byte reverse the dump so it can be used with E3 Flasher.
Put the patched and byte reversed dump on the sd card - rename to bkpe3.bin
Before turning ps3 on, set switch to:
---SW:FLASHFUN/CFW/PROG/MICROSD/OBFLASH---
Press start on e3 flasher Power off ps3
Put only switch 2 up rest down, and turn on. If you receive an error just press the PS button on the controller. Make sure 4.xx CFW is working fine.
Turn ps3 off-unplug the power
OFW SETUP
PS3 is off Take microSD out of E3 put in your OFW HDD set switches to: ---SW:FLASHFUN/OFW/PROG/OBFLASH/PS3FLASH---
Turn PS3 on Press start on E3 Once done turn off
Put all switches on e3 down
Boot, u will get an error. This is good. Follow prompts and install OFW 4.31
When you want to switch to OFW, put ps3 off-change switch to ofw, plug in OFW HDD, and turn on
When you want to switch to CFW put ps3 off-change switch to cfw, plug in CFW HDD, and turn on
Software Talk
Software wise from GameOS it would be possible to switch OS Bank, booting into a different Lv0->Lv1->Lv2.
Theory:
To switch back it is required being the other Bank modified not being original firmware files for getting access to Lv2 Syscalls, specifically accessing EEPROM.
Newer (patched) CoreOS theoretically could run older dev_flash version - to a certain degree.
EEPROM
| Offset | size | Notes |
|---|---|---|
| 0x48C24 | 1 | Bank #0 OS-Flag (ros0 if 0xFF else ros1) |
| 0x48C25 | 1 | Bank #0 rvkprg-Flag |
| 0x48C26 | 1 | Bank #0 rvkpkg-Flag |
| 0x48C27 | 1 | Bank #1 OS-Flag |
| 0x48C28 | 1 | Bank #1 rvkprg-Flag |
| 0x48C29 | 1 | Bank #1 rvkpkg-Flag |