Talk:Downgrading with Hardware flasher

From PS3 Developer wiki
Jump to: navigation, search

Contents

[edit] Quick 'n Dirty prepatched

(MD5:533C668CDB8864442991310481BCF64A | SHA1:C7AA2637BA69C675C2F13C214888D0C42EE4CDAF | CRC16:881B | CRC32:0634A651)

(MD5:8415159C72CA4050DF8B940874C52921 | SHA1:703368087CE5BF17319676CE6166CE8CCF5877C4 | CRC16:BD6B | CRC32:549F0348)


PS3MFW Features Enabled
  • Change PUP build / version
  • Patch LV1 (downgrader) checks
  • Patch LV1 hypervisor: Allow mapping of any memory area (Needed for LV2 Poke)
  • Patch LV2 kernel: Patch to add Peek&Poke system calls to LV2
  • Patch package installer: Patch to allow installation of pseudo-retail packages + debug packages
  • Patch Application launcher: Patch to allow running of unsigned applications
  • Add new icons to the XMB Game category: Add Install Package Files + app_home + icons to the XMB Game Category

[edit] 3.41 NAND Preloaderdumps downgrader patches

Use these NAND patches only on dumps made with NAND Preloader, not regular NAND dumps and not on NOR!

Target area Patchfile NAND Offset Paste length Remarks
ROS0 coreos_341_lv1_integryty_fix.bin patch1 (7 MB) 0x080030 0x6FFFE0 CoreOS (prepatched 3.41)
ROS1 coreos_341_lv1_integryty_fix.bin patch1 (7 MB) 0x780020 0x6FFFE0 CoreOS (SAME as ros0)
trvk_prg0 (0x051800)
trvk_prg1 (0x052800)
trvk_prg (8 KB) 0x051800 0x2000 double patch overlapping both program revoke area's
trvk_pkg0 (0x053800)
trvk_pkg1 (0x054800)
trvk_pkg (8 KB) 0x053800 0x2000 double patch overlapping both package revoke area's

(above patches in a single package + autopatcher file: 3.41_NAND_Preloaderdumps_downgrader_patches.rar)

[edit] 3.41 NOR downgrader patches

Use 3.41-NOR patches only on NOR consoles, not on NAND!

Target area Patchfile NOR Offset Paste length Remarks
ROS0 patch1 (7 MB) 0x0C0010 0x6FFFE0 CoreOS (prepatched 3.55)
ROS1 patch1 (7 MB) 0x7C0010 0x6FFFE0 CoreOS (SAME as ros0)
trvk_prg0 (0x40000)
trvk_prg1 (0x60000)
trvk_pkg0 (0x80000)
trvk_pkg1 (0xA0000)
rvk-040000 (512 KB) 0x40000 0x80000 one big patch
overlapping several revoke area's

(above patches in a single package + autopatcher file: 341-NOR downgrade.rar mirror)

[edit] E3 Flasher

Use these instead (already reversed), otherwise you get into a maze of bytereversing: 341-E3 downgrade.rar

[edit] Venix Autopatcher

[edit] Warning

Warning
This tool is known and proven to give false positives on bad dumps that lead to permabricks.

Use this method: Validating flash dumps to make sure the dumps are in crisp condition.

You cannot recover from bad flash without proper dumps (e.g. bricking the console beyond repair).
note: there are 12½ million bits to permabrick a console

[edit] Intro

Some portuguese dude (somehow venix name reminds me of a fake bricker CFW and highly hyped and never released manager long time ago) apparently never found ps3devwiki guides or used flowrebuilder/winskeet autopatcher or hexeditor with autopatch scripts.

[edit] Versions

Venix Downgrade GUI v1.0.0.0\Venix Downgrade.exe
 SHA1:BED08FC1FEF623C08E84832DAB0DF428D3143BF5 | MD5:1215174ED33E599B7F23F345B01B6EF9 | CRC32:3339B7F8 | CRC16:3F31
   
Venix Downgrade GUI v1.0.0.1\Venix Downgrade.exe
 SHA1:06689D0ACB9072EE0D6BA6B9C7665A4C375F583A | MD5:F7FE9D028DC2DF6DD281E0AA90653DC4 | CRC32:0903470A | CRC16:013F

[edit] Tests

Time for some tests, like I did with E3 Nor dump checker.

[edit] Quick bulletproof test

does not test:

  • bad region - not detected, user not warned -> result = brick file
  • bad A9 wire - not detected, patch file created -> result = brick file
  • bad A10 wire - not detected, patch file created -> result = brick file
  • bad A11 wire - not detected, patch file created -> result = brick file
  • bad A12 wire - not detected, patch file created -> result = brick file
  • bad A13 wire - not detected, patch file created -> result = brick file
  • bad A14 wire - not detected, patch file created -> result = brick file
  • bad A15 wire - not detected, patch file created -> result = brick file
  • bad A16 wire - not detected, patch file created -> result = brick file
  • bad A17 wire - not detected, patch file created -> result = brick file
  • bad A18 wire - not detected, patch file created -> result = brick file
  • bad A19 wire - not detected, patch file created -> result = brick file
  • bad A20 wire - not detected, patch file created -> result = brick file
  • bad A21 wire - not detected, patch file created -> result = brick file
  • bad A22 wire - not detected, patch file created -> result = brick file
  • bad boardID - not detected, patch file created -> result = brick file
  • bad bootldr - not detected, patch file created -> result = brick file
  • bad cCSD unreferenced area - not detected, patch file created -> result = brick file
  • bad cISD unreferenced area - not detected, patch file created -> result = brick file
  • bad EID unreferenced area - not detected, patch file created -> result = brick file
  • bad header - not detected, patch file created -> result = brick file
  • bad header asecure loader - not detected, patch file created -> result = brick file
  • bad header cISD - not detected, patch file created -> result = brick file
  • bad header cvtrm - not detected, patch file created -> result = brick file
  • bad header eEID - not detected, patch file created -> result = brick file
  • bad header metldr - not detected, patch file created -> result = brick file
  • bad metldr - not detected, patch file created -> result = brick file
  • bad/missing bootldr - not detected, patch file created -> result = brick file
  • bad/missing cCSD - not detected, patch file created -> result = brick file
  • bad/missing cISD0 - not detected, patch file created -> result = brick file
  • bad/missing cISD1 - not detected, patch file created -> result = brick file
  • bad/missing cISD2 - not detected, patch file created -> result = brick file
  • bad/missing EID0 - not detected, patch file created -> result = brick file
  • bad/missing EID1 - not detected, patch file created -> result = brick file
  • bad/missing EID2 - not detected, patch file created -> result = brick file
  • bad/missing EID3 - not detected, patch file created -> result = brick file
  • bad/missing EID4 - not detected, patch file created -> result = brick file
  • bad/missing EID5 - not detected, patch file created -> result = brick file
  • bad/missing metldr - not detected, patch file created -> result = brick file
  • bad/missing PerConsoleNonce - not detected, patch file created -> result = brick file
  • bad patterned non 00's - not detected, patch file created -> result = brick file
  • bad patterned non FF's - not detected, patch file created -> result = brick file
  • bad region - not detected, patch file created -> result = brick file

partly test (if user flashes that, it will permabrick):

  • bad A0 wire - detected, 00 filled file created -> result = brick file
  • bad A1 wire - detected, 00 filled file created -> result = brick file
  • bad A2 wire - detected, 00 filled file created -> result = brick file
  • bad A3 wire - detected, 00 filled file created -> result = brick file
  • bad A4 wire - detected, 00 filled file created -> result = brick file
  • bad A5 wire - detected, 00 filled file created -> result = brick file
  • bad A6 wire - detected, 00 filled file created -> result = brick file
  • bad A7 wire - detected, 00 filled file created -> result = brick file
  • bad A8 wire - detected, 00 filled file created -> result = brick file
  • bad header IFI - detected, patch file created -> result = brick file

does test:

  • circulair reference - errors out: "The process cannot access the file '\nor-validationtest\venix.bin' because it is being used by another process." -> result = OK

[edit] Conclusion

Conclusion : USELESS, brickdumps will still show as 'valid' and corrupt patch files will be generated, not preventing the user from permabricking.

[edit] Recomendation

Recommendation: Validate flash dumps first and use Flowrebuilder or Winskeet with autopatcher instead.

[edit] Newssites that news'ed the 'tool'

[edit] Newssite that refused to news it

[edit] Patches contained inside binairy

[edit] trvk_prg

[edit] 1
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00701BB0                                   00 00 00 00 00             .....
00701BC0  00 00 00 00 00 00 00 00 00 02 E0 53 43 45 00 00  ..........àSCE..
00701BD0  00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00  ................
00701BE0  00 02 00 00 00 00 00 00 00 00 E0 11 07 9A A0 E5  ..........à..š å
00701BF0  A2 D4 48 DE 06 9C E7 E3 74 A8 67 33 E5 95 F4 56  ¢ÔHÞ.œçãt¨g3å•ôV
00701C00  F4 DC E3 9B 64 56 A1 0C 11 98 79                 ôÜã›dV¡..˜y
...
[edit] 2

(same as 1)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00702BA0                                   00 00 00 00 00             .....
00702BB0  00 00 00 00 00 00 00 00 00 02 E0 53 43 45 00 00  ..........àSCE..
00702BC0  00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00  ................
00702BD0  00 02 00 00 00 00 00 00 00 00 E0 11 07 9A A0 E5  ..........à..š å
00702BE0  A2 D4 48 DE 06 9C E7 E3 74 A8 67 33 E5 95 F4 56  ¢ÔHÞ.œçãt¨g3å•ôV
00702BF0  F4 DC E3 9B 64 56 A1 0C 11 98 79                 ôÜã›dV¡..˜y
...
[edit] 3

(same as 1)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
01545B90                                            00 00                ..
01545BA0  00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 53  ..............àS
01545BB0  43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 00  CE..............
01545BC0  00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0 11  ..............à.
01545BD0  07 9A A0 E5 A2 D4 48 DE 06 9C E7 E3 74 A8 67 33  .š å¢ÔHÞ.œçãt¨g3
01545BE0  E5 95 F4 56 F4 DC E3 9B 64 56 A1 0C 11 98 79     å•ôVôÜã›dV¡..˜y
...

[edit] trvk_pkg

[edit] 4
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00703BB0                                   00 00 00 00 00             .....
00703BC0  00 00 00 00 00 00 00 00 00 02 60 53 43 45 00 00  ..........`SCE..
00703BD0  00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00  ................
00703BE0  00 02 00 00 00 00 00 00 00 00 60 BD 25 0F C3 46  ..........`½%.ÃF
00703BF0  1C ED 7C A9 0D 0B 63 31 C5 10 FD 5C A0 CA 58 D3  .í|©..c1Å.ý\ ÊXÓ
00703C00  F1 A9 DB B7 03 C5 94 66 83 C1 96                 ñ©Û·.Å”fƒÁ–
...
[edit] 5

(same as 1)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
01505B80                 00 00 00 00 00 00 00 00 00 00 00       ...........
01505B90  00 00 00 02 60 53 43 45 00 00 00 00 02 00 00 00  ....`SCE........
01505BA0  02 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00  ................
01505BB0  00 00 00 00 60 BD 25 0F C3 46 1C ED 7C A9 0D 0B  ....`½%.ÃF.í|©..
01505BC0  63 31 C5 10 FD 5C A0 CA 58 D3 F1 A9 DB B7 03 C5  c1Å.ý\ ÊXÓñ©Û·.Å
01505BD0  94 66 83 C1 96                                   ”fƒÁ–
...
[edit] 6

(same as 4)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
01525B90        00 00 00 00 00 00 00 00 00 00 00 00 00 00    ..............
01525BA0  02 60 53 43 45 00 00 00 00 02 00 00 00 02 00 00  .`SCE...........
01525BB0  00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00  ................
01525BC0  00 60 BD 25 0F C3 46 1C ED 7C A9 0D 0B 63 31 C5  .`½%.ÃF.í|©..c1Å
01525BD0  10 FD 5C A0 CA 58 D3 F1 A9 DB B7 03 C5 94 66 83  .ý\ ÊXÓñ©Û·.Å”fƒ
01525BE0  C1 96                                            Á–
...

[edit] ros

[edit] 7
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001BA0                    00 00 00 01 00 00 00 18 00 00        ..........
00001BB0  00 00 00 6F FF E0 00 00 00 00 00 00 04 90 00 00  ...oÿà..........
00001BC0  00 00 00 00 42 98 61 69 6D 5F 73 70 75 5F 6D 6F  ....B˜aim_spu_mo
00001BD0  64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00  dule.self.......
00001BE0  00 00 00 00 00 00 00 00 00 00 00 00 47 30 00 00  ............G0..
00001BF0  00 00 00 01 F6 D8 61 70 70 6C 64 72 00 00 00 00  ....öØappldr....
00001C00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[edit] 8
(same as 7)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00705BA0                                   00 00 00 01 00             .....
00705BB0  00 00 18 00 00 00 00 00 6F FF E0 00 00 00 00 00  ........oÿà.....
00705BC0  00 04 90 00 00 00 00 00 00 42 98 61 69 6D 5F 73  .........B˜aim_s
00705BD0  70 75 5F 6D 6F 64 75 6C 65 2E 73 65 6C 66 00 00  pu_module.self..
00705BE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00705BF0  00 47 30 00 00 00 00 00 01 F6 D8 61 70 70 6C 64  .G0......öØappld
00705C00  72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  r...............
[edit] 9
(same as 7)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00E05B90                          00 00 00 01 00 00 00 18          ........
00E05BA0  00 00 00 00 00 6F FF E0 00 00 00 00 00 00 04 90  .....oÿà........
00E05BB0  00 00 00 00 00 00 42 98 61 69 6D 5F 73 70 75 5F  ......B˜aim_spu_
00E05BC0  6D 6F 64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00  module.self.....
00E05BD0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 30  ..............G0
00E05BE0  00 00 00 00 00 01 F6 D8 61 70 70 6C 64 72 00 00  ......öØappldr..
00E05BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

[edit] Note

ps3devwiki v2 downgrader contains 2 patchsets, used on 3 offsets. Having 9 sounds like a bit of overkill to bloat the binairy.

[edit] Checks

There is not much checked in the patcher: - only size is checked - and header "oÿà" (bytereversed, like with progskeet, teensy etc) versus "àÿo" (as E3).

[edit] 10

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001A30  0A 4E 00 61 00 6E 00 64 00 31 00 00 00 00 00 18  .N.a.n.d.1......
00001A40  4E 00 61 00 6E 00 64 00 31 00 52 00 65 00 70 00  N.a.n.d.1.R.e.p.
00001A50  65 00 61 00 74 00 31 00 E5 FF 6F 00 14 4E 00 61  e.a.t.1.åÿo..N.a
00001A60  00 6E 00 64 00 31 00 53 00 74 00 61 00 72 00 74  .n.d.1.S.t.a.r.t
00001A70  00 ED FF 6F 00 0A 4E 00 61 00 6E 00 64 00 32 00  .íÿo..N.a.n.d.2.
00001A80  F5 FF 6F 00 14 4E 00 61 00 6E 00 64 00 32 00 53  õÿo..N.a.n.d.2.S
00001A90  00 74 00 61 00 72 00 74 00 FA 3F 70 00 12 4E 00  .t.a.r.t.ú?p..N.
00001AA0  61 00 6E 00 64 00 43 00 6F 00 75 00 6E 00 74 00  a.n.d.C.o.u.n.t.
00001AB0  02 40 70 00 08 4E 00 6F 00 72 00 31 00 05 40 70  .@p..N.o.r.1..@p
00001AC0  00 12 4E 00 6F 00 72 00 31 00 53 00 74 00 61 00  ..N.o.r.1.S.t.a.
00001AD0  72 00 74 00 EA 3F E0 00 08 4E 00 6F 00 72 00 32  r.t.ê?à..N.o.r.2
00001AE0  00 F2 3F E0 00 12 4E 00 6F 00 72 00 32 00 53 00  .ò?à..N.o.r.2.S.
00001AF0  74 00 61 00 72 00 74 00 D7 3F 50 01 08 4E 00 6F  t.a.r.t.×?P..N.o
00001B00  00 72 00 33 00 DF 3F 50 01 12 4E 00 6F 00 72 00  .r.3.ß?P..N.o.r.
00001B10  33 00 53 00 74 00 61 00 72 00 74 00 E4 3F 52 01  3.S.t.a.r.t.ä?R.
00001B20  08 4E 00 6F 00 72 00 34 00 EC 3F 52 01 12 4E 00  .N.o.r.4.ì?R..N.
00001B30  6F 00 72 00 34 00 53 00 74 00 61 00 72 00 74 00  o.r.4.S.t.a.r.t.
00001B40  F1 3F 54 01 08 4E 00 6F 00 72 00 35 00 F9 3F 54  ñ?T..N.o.r.5.ù?T
00001B50  01 12 4E 00 6F 00 72 00 35 00 53 00 74 00 61 00  ..N.o.r.5.S.t.a.
00001B60  72 00 74 00 FE 3F 56 01 08 4E 00 6F 00 72 00 36  r.t.þ?V..N.o.r.6
00001B70  00 06 40 56 01 12 4E 00 6F 00 72 00 36 00 53 00  ..@V..N.o.r.6.S.
00001B80  74 00 61 00 72 00 74 00 0B 40 58 01 10 4E 00 6F  t.a.r.t..@X..N.o
00001B90  00 72 00 43 00 6F 00 75 00 6E 00 74 00 13 40 58  .r.C.o.u.n.t..@X
00001BA0  01 20 E0 FF 6F 00 00 00 00 01 00 00 00 18 00 00  . àÿo...........
00001BB0  00 00 00 6F FF E0 00 00 00 00 00 00 04 90 00 00  ...oÿà..........

Thus it fails miserably in the comparison of Flowrebuilder' options like un/rescramble + de-/interleave, bytereverse, unpacking and autopatching, while checking and informing the user about possible errors in the dump.


[edit] Venix Downgrade GUI v1.2 BETA

http://psx-scene.com/forums/content/venix-downgrade-gui-v1-2-beta-improved-validation-2135/

[edit] Quick bulletproof test

wrongly detected:

  • bad A0 wire -> Validation Failed00 byte count
  • bad A1 wire -> Validation Failed00 byte count
  • bad A2 wire -> Validation Failed00 byte count
  • bad A3 wire -> Validation Failed00 byte count
  • bad A4 wire -> Validation Failed00 byte count
  • bad A5 wire -> Validation Failed00 byte count
  • bad A6 wire -> Validation Failed00 byte count
  • bad A7 wire -> Validation Failed00 byte count
  • bad A8 wire -> Validation Failed00 byte count
  • bad A9 wire -> Validation Failed00 byte count
  • bad A10 wire -> Validation Failed00 byte count
  • bad A11 wire -> Validation Failed00 byte count
  • bad A12 wire -> Validation Failed00 byte count
  • bad A13 wire -> Validation Failed00 byte count
  • bad A14 wire -> Validation Failed00 byte count
  • bad A15 wire -> Validation Failed00 byte count
  • bad A16 wire -> Validation Failed00 byte count
  • bad A17 wire -> Validation Failed00 byte count
  • bad A18 wire -> Validation Failedff byte count
  • bad A19 wire -> Validation Failed00 byte count
  • bad A20 wire -> Validation Failed00 byte count
  • bad A21 wire -> Validation Failed00 byte count
  • bad A22 wire -> Validation Failedff byte count
  • bad bootldr -> Validation Failed00 byte count
  • bad bootldr -> Validation Failed00 byte count
  • bad cCSD unreferenced area -> Validation Failed00 byte count
  • bad cISD unreferenced area -> Validation Failed00 byte count
  • bad EID unreferenced area -> Validation Failed00 byte count
  • bad header -> Validation Failed00 byte count
  • bad header asecure loader -> Validation Failed00 byte count
  • bad header cISD -> Validation Failed00 byte count
  • bad header cvtrm -> Validation Failed00 byte count
  • bad header eEID -> Validation Failed00 byte count
  • bad IFI -> Validation Failed00 byte count
  • bad header trvk -> Validation Failed00 byte count
  • bad metldr -> Validation Failed00 byte count
  • bad/missing bootldr -> Validation Failedff byte count
  • bad/missing cCSD -> Validation Failed00 byte count
  • bad/missing cISD0 -> Validation Failed00 byte count
  • bad/missing cISD1 -> Validation Failed00 byte count
  • bad/missing cISD2 -> Validation Failed00 byte count
  • bad/missing EID0 -> Validation Failed00 byte count
  • bad/missing EID1 -> Validation Failed00 byte count
  • bad/missing EID2 -> Validation Failed00 byte count
  • bad/missing EID3 -> Validation Failed00 byte count
  • bad/missing EID4 -> Validation Failed00 byte count
  • bad/missing EID5 -> Validation Failed00 byte count
  • bad/missing metldr -> Validation Failed00 byte count
  • bad/missing PerConsoleNonce -> Validation Failed00 byte count
  • bad patterned non 00's -> Validation Failed00 byte count
  • bad patterned non FF's -> Validation Failed00 byte count
  • bad region -> Validation Failed00 byte count
  • bad filelength -> application hangs
  • known good reference dumps (184) -> Validation Failed00 byte count

[edit] Conclusion

USELESS, 100% valid files will be failing 00/ff check. Improper files will be failing 00/ff check too, and no detection of the root of the cause. Nothing was patched and gives the user a permanent false sense of having bad dumps without leads of what to solve.