Editing Downgrading with Hardware flasher


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
<div style="float:right">[[File:NAND-downgrading-steps.png|200px|thumb|left|NAND flasher downgrader steps]]<br />[[File:NOR-downgrading-steps.png|200px|thumb|left|NOR flasher downgrader steps]]<br />[[File:Downgrading-installation-steps.png|200px|thumb|left|Downgrading installation steps ]]</div>
[[Category:Software]][[Category:Hardware]]
 
== Dump ==
== Dump ==
Connect your [[Hardware flashing]] device and '''[[Validating_flash_dumps|make sure you are getting 100% correct, valid, verified dumps]].'''
Connect your [[Hardware flashing]] device and '''[[Validating_flash_dumps|make sure you are getting 100% correct, valid, verified dumps]].'''
 
== Checking console capability of running 3.55 ==
== Checking console capability of running 3.55 ==
Compare the values found in your dump with those in the [[Downgrading_with_Hardware_flasher#metldr.2Bbootldr_sizes|'''metldr+bootldr sizes''']] table
Compare the values found in your dump with those in the table below
If not having a dump, use the [[Talk:Playstation_Update_Package_(PUP)#Using_fake_upgrade_to_get_lowest_firmware_version_info|MinVer PUP method]]
'''Note:'''
: The mention of minimal version praxis on several other wikipages is only a rough indication.
: The two most accurate ways are to look at the actual dump and the [[Talk:Playstation_Update_Package_(PUP)#Using_fake_upgrade_to_get_lowest_firmware_version_info|MinVer PUP method]] itself, instead of flying blind on [[SKU_Models#Retail_Models|SKU tables]] and [[SKU_Models#Datecode_.2F_Manufacturing_Date|datecodes]]
=== metldr+bootldr sizes ===
=== metldr+bootldr sizes ===
{{metbootldr}}
{{metbootldr}}


==Patch the dump & Reflash it to the console ==
==Patch the dump & Reflash it to the console ==
<div style="float:right">[[File:Flowrebuilder-Autopatcher.png|200px|thumb|left|Flowrebuilder : Autopatcher]][[File:Flowrebuilder-Autopatcher-completed.png|200px|thumb|right|Flowrebuilder : Autopatcher - completed]]</div>
For patching you can use:
* Hexeditor (e.g. HxD)
* Flowrebuilder
* in case of Progskeet, latest Winskeet/iSkeet/YASkeet


For patching you can use:
* Hexeditor (e.g. [http://mh-nexus.de/en/hxd/ HxD])
* [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/Tools/Flowrebuilder/ Flowrebuilder] (both NOR + unified NAND)
* in case of Progskeet, latest Winskeet/iSkeet/YASkeet (both NOR + unified NAND)
* [http://www.betterwayelectronics.com/files/BwE_NOR-NAND_Patcher.rar BwE NOR/NAND Patcher]
[http://pastie.org/5400071 NAND + NOR patchfile.txt]
=== NAND ===
=== NAND ===
Use [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/patches/NAND%20downgrade/ NAND patches] only on NAND consoles, not on NOR!
http://www.ps3devwiki.com/files/flash/patches/NAND%20downgrade/
 
Use NAND patches only on NAND consoles, not on NOR!
{|class="wikitable"
{|class="wikitable"
|-
|-
! Target area !! Patchfile !! NAND Offset !! Paste length !! Remarks
! Target area !! Patchfile !! NAND Offset !! Paste length !! Remarks
|-
|-
| ROS0 || [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/patches/NAND%20downgrade/NAND-patch1-0x0C0030.bin patch1&nbsp;(7&nbsp;MB)] || 0x0C0030 || 0x6FFFE0 || CoreOS (prepatched 3.55)
| ROS0 || [http://www.mediafire.com/download.php?o847apoads5ojia patch1&nbsp;(7&nbsp;MB)] || 0x0C0030 || 0x6FFFE0 || CoreOS (prepatched 3.55)
|-
|-
| ROS1 || [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/patches/NAND%20downgrade/NAND-patch1-0x0C0030.bin patch1&nbsp;(7&nbsp;MB)] || 0x7C0020 || 0x6FFFE0 || CoreOS (SAME as ros0)
| ROS1 || [http://www.mediafire.com/download.php?o847apoads5ojia patch1&nbsp;(7&nbsp;MB)] || 0x7C0020 || 0x6FFFE0 || CoreOS (SAME as ros0)
|-
|-
| trvk_prg0&nbsp;(0x91800)<br />trvk_prg1&nbsp;(0x92810)<br />trvk_pkg&nbsp;(0x93800) || [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/patches/NAND%20downgrade/NAND-patch2-0x91800.bin patch2&nbsp;(16&nbsp;KB)] || 0x91800 || 0x4000 || one big patch overlapping several revoke area's
| trvk_prg0&nbsp;(0x91800)<br />trvk_prg1&nbsp;(0x92810)<br />trvk_pkg&nbsp;(0x93800) || [http://www.mediafire.com/download.php?dkdvc7ecfdwqnpo patch2&nbsp;(16&nbsp;KB)] || 0x91800 || 0x4000 || one big patch overlapping several revoke area's
|-
|-
|}
|}
(above patches in a single package + autopatcher file: [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/patches/NAND%20downgrade.rar NAND downgrade.rar] [https://www.mirrorcreator.com/files/1XYAWMUJ/NAND_downgrade.rar_links])
(above patches in a single package + autopatcher file: http://www.mirrorcreator.com/files/JZWYQVOH/NAND-downgraderpatches.rar_links)


=== NOR ===
=== NOR ===
Use [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/patches/NOR%20downgrade/ NOR patches] only on NOR consoles, not on NAND!
http://www.ps3devwiki.com/files/flash/patches/NOR%20downgrade/
 
Use NOR patches only on NOR consoles, not on NAND!
{|class="wikitable"
{|class="wikitable"
|-
|-
! Target area !! Patchfile !! NOR Offset !! Paste length !! Remarks
! Target area !! Patchfile !! NOR Offset !! Paste length !! Remarks
|-
|-
| ROS0 || [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/patches/NOR%20downgrade/patch1 patch1 (7 MB)] || 0x0C0010 || 0x6FFFE0 || CoreOS (prepatched 3.55)
| ROS0 || [http://www.mirrorcreator.com/files/IFUWRKWE/patch1._links patch1 (7 MB)] || 0x0C0010 || 0x6FFFE0 || CoreOS (prepatched 3.55)
|-
|-
| ROS1 || [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/patches/NOR%20downgrade/patch1 patch1 (7 MB)] || 0x7C0010 || 0x6FFFE0 || CoreOS (SAME as ros0)
| ROS1 || [http://www.mirrorcreator.com/files/IFUWRKWE/patch1._links patch1 (7 MB)] || 0x7C0010 || 0x6FFFE0 || CoreOS (SAME as ros0)
|-
|-
| trvk_prg0 (0x40000) <br />trvk_prg1 (0x60000)<br />trvk_pkg0 (0x80000) <br />trvk_pkg1 (0xA0000) || [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/patches/NOR%20downgrade/rvk-040000 rvk-040000 (512 KB)] || 0x40000 || 0x80000 || one big patch<br />overlapping several revoke area's
| trvk_prg0 (0x40000) <br />trvk_prg1 (0x60000)<br />trvk_pkg0 (0x80000) <br />trvk_pkg1 (0xA0000) || [http://www.mirrorcreator.com/files/XB1XFMMF/rvk-040000._links rvk-040000 (512 KB)] || 0x40000 || 0x80000 || one big patch<br />overlapping several revoke area's
|-
|-
|}
|}
(above patches in a single package + autopatcher file: [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/patches/NOR%20downgrade.rar NOR downgrade.rar] [https://www.mirrorcreator.com/files/J9ETURMM/NOR_downgrade.rar_links])
(above patches in a single package + autopatcher file: http://www.mirrorcreator.com/files/1OFSRT0E/NOR-downgradepatches.rar_links)
 
==== E3 Flasher ====
Use these instead, otherwise you get into a maze of bytereversing: [[E3#Manual_E3_downgrade_v2|E3 Manual downgrade patches]] or use [http://www.betterwayelectronics.com/files/BwE_NOR-NAND_Patcher.rar BwE NOR/NAND Patcher]


==Reinstall firmware in Factory Service Mode==
==Reinstall firmware in Factory Service Mode==
<div style="float:right">
For this step it is required to have the console assembled (connected PSU, harddrive, wifi/bt board etc)
[[File:Eclipse-inserted-in-FAT-PS3-green-led-lit.png|200px|thumb|left|PSGrade/JIG - in rightmost USB Port - for triggering factory service mode]]<br />[[File:USBSTICK-content-for-factory-service-mode-downgrading.png|200px|thumb|left|USBSTICK - content for factory service mode - downgrading]]<br />[[File:Sandisk-Cruzer-4GB-nonU3-inserted-in-Fat-PS3.png|200px|thumb|left|USBSTICK - in rightmost USB Port - for installing in factory service mode]]</div>
 
For this step it is required to have the console fully assembled (connected PSU, coolingblock+fan, harddrive, wifi/bt board, blu-ray drive etc).


<ol>
# Use the PSGrade dongle to trigger Factory Service Mode (in the rightmost USB port).
<li>Use the PSGrade/JIG dongle to trigger Factory Service Mode
# Turn PS3 on, it will trigger Factory Service Mode and turn off the console.
<ul>
# After triggering Factory Service Mode, put the Lv2diag.self (see below) and prepatched firmware to install (named PS3UPDAT.PUP) in root of your USB Mass Storage Device and plug it in the PS3 (again, in the rightmost USB port).
<li>Remove power from the console (rear power switch or remove powercord)</li>
# Turn PS3 on, it will install the firmware you had put there (even though you have no screenoutput, you can see it is busy by looking at the activity led of the harddrive and of your USB Mass Storage Device).
<li>Put PSGrade/JIG dongle in the rightmost USB port (closest to the Blu-Ray drive)</li>
# PS3 will turn itself off after finishing the firmware installation.
<li>Power the console so it is in standby (rear power switch or attach powercord)</li>
<li>Press power button on front of the PS3 then immediately press eject within ~100ms</li>
<li>If powered on correctly your dongle will light up (usually green) and trigger Factory Service Mode. The PSGrade will then power off the console. If it boots into the XMB with a red FSM logo in the corner you are using an old PSGrade.</li>
</ul>
<li> Put the Lv2diag.self (see below) and a [[Downgrading with Hardware flasher#PUP_to_use|pre-patched firmware]] to install (named PS3UPDAT.PUP) in root of your USB Mass Storage Device and plug it in the PS3 (in the same port as the PSGrade).</li>
<li> Turn PS3 on and it will automatically install the firmware you had put there. You will not have anything on the screen, you can only tell it is installing by the flashing USB and PS3's HDD light</li>
<li> PS3 will turn itself off after finishing the firmware installation (If it flashes red the firmware did not install correctly).<br />A logfile should be present in root of the USB Mass Storage Device with no errors</li>
</ol>


See also [[Downgrading with PSgrade Dongle]], which also contains alot of ready to use PSgrade HEX files for several dongles.
See also [[Downgrading with PSgrade Dongle]], which also contains alot of ready to use PSgrade HEX files for several dongles.


=== PUP to use ===
=== PUP to use ===
{{RogeroFirmware}} or any firmware with prepatched lv1 (no syscon hash checks)
[[Talk:Downgrading_with_NOR_flasher#Premade_CFW_Rogero_V2| Rogero V2]] or any firmware with prepatched lv1 (no syscon hash checks)
 
'''Note:''' if your end-goal is a 3.56+ MFW, then it is safer to downgrade ''first'' to 3.55. Upgrading in service mode (mostly [[Error Codes|errors out]] [http://pastie.org/1358201 0x8002f14e]) is never recommended (only lower or same version).


=== Different Factory Service Mode SELFs ===
=== Different Factory Service Mode SELFs ===
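Review bot: In the NAND and NOR patch tables, the "Your text" rows point patch1, patch2 and rvk-040000 at mediafire.com and mirrorcreator.com links in place of the archived ps3devwiki.com file paths, and neither table carries a hash for those binaries, so a reader has no way to confirm that the file they fetched is the one the listed offsets and paste lengths (for example 0x0C0030 / 0x6FFFE0) were written for. I would keep the web.archive.org links from the latest revision and add a SHA1 column the way the Lv2diag.self table does. The same side also drops the "If it flashes red the firmware did not install correctly" indicator from the last install step; that is worth keeping, since the steps themselves say there is no screen output during the install.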
Line 92: Line 66:
For factory Service Mode install:
For factory Service Mode install:
* if using the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
* if using the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
* <span style="text-decoration: line-through; background-color:#FFDDDD;">if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP -</span> see note below (and redump flash after FSM to check both ROS)
* if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP (and redump flash after FSM to check both ROS)
 
'''note:''' since V3 Rogero is only available as noBD, use that one with normal lv2diag.self


==== NOR ====
==== NOR ====
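Review bot: The bullet "if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP" comes back as live advice here, and the note "since V3 Rogero is only available as noBD, use that one with normal lv2diag.self" is dropped with it, so the list again offers a pairing that the latest revision had struck through. Unless a normal (non-noBD) Rogero PUP is still being distributed, keep the strike-through and the note. The "(and redump flash after FSM to check both ROS)" advice is present on both sides and should stay whichever way this goes.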
Line 101: Line 73:
Only when having a console with a broken bluraydrive, you either:
Only when having a console with a broken bluraydrive, you either:
* use the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
* use the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
* <span style="text-decoration: line-through; background-color:#FFDDDD;">use the jaicrab NoBD lv2diag : Use the Rogero normal PUP -</span> see note below
* use the jaicrab NoBD lv2diag : Use the Rogero normal PUP
 
'''note:''' since V3.7 Rogero is only available as noBD, use that one with normal lv2diag.self


{|class="wikitable"
{|class="wikitable"
! Filename !! Size !! Remarks !! <code>SHA1</code> !! <code>MD5</code> !! <code>CRC32</code> !! <code>CRC16</code>
! Filename !! Size !! Remarks !! <code>SHA1</code> !! <code>MD5</code> !! <code>CRC32</code> !! <code>CRC16</code>
|-
|-
| style="text-align:center; background-color:#DDFFDD;" | [https://archive.org/download/downgrade_files_3.55_br_safe/Get%20Into%20FSM/Lv2diag.self Lv2diag.self&nbsp;(365.5&nbsp;KB) ]|| style="text-align:center; background-color:#DDFFDD;" | 374272 || style="text-align:center; background-color:#DDFFDD;" | 3.55 in FSM * || style="text-align:center; background-color:#DDFFDD;" | <code>[https://www.google.com/#q=1ED037740D67FEBACA6449CABFF4E95400C9E2EE 1ED037740D67FEBACA6449CABFF4E95400C9E2EE]</code> || style="text-align:center; background-color:#DDFFDD;" | <code>[https://www.google.com/#q=099F33A7967F99E91C07E870FD78B3DB 099F33A7967F99E91C07E870FD78B3DB]</code> || style="text-align:center; background-color:#DDFFDD;" | <code>9338ABF2</code> || style="text-align:center; background-color:#DDFFDD;" | <code>4FCC</code>
| [http://www.multiupload.com/Y0Z8WNY009 Lv2diag.self&nbsp;(227.38&nbsp;KB)] || 232832 || jaicrab noBD patched || <code>180823003B086D9D49BC7F83BEA9C769BF73A5EA</code> || <code>3615770407C0C3FA00D8CA49C8ADB362</code> || <code>25E85CFB</code> || <code>EDD0</code>
|-
| [http://www.multiupload.com/V1YTTWGKH0 Lv2diag.self&nbsp;(365.5&nbsp;KB)] || 374272 || 3.55 get in FSM || <code>1ED037740D67FEBACA6449CABFF4E95400C9E2EE</code> || <code>099F33A7967F99E91C07E870FD78B3DB</code> || <code>9338ABF2</code> || <code>4FCC</code>
|-
|-
<!--//
<!--//
| [https://web.archive.org/web/*/http://ps3devwiki.com/files/lv2diag/3.50%20downgrader/FILE1/Lv2diag.self Lv2diag.self (365.5 KB)] || 374272 || 3.50- in FSM || <code>[https://www.google.com/#q=1E770010A3A6EF572AF39783A04DF792670998D3 1E770010A3A6EF572AF39783A04DF792670998D3]</code> || <code>[https://www.google.com/#q=90168C03B217CE775A7839D87BBFF2A3 90168C03B217CE775A7839D87BBFF2A3]</code> || <code>D1F0AAFC</code> || <code>CD8D</code>
| [http://www.multiupload.com/ZHJMPSMLYR Lv2diag.self&nbsp;(365.5&nbsp;KB)] || 374272 || 3.50- get in FSM || <code>1E770010A3A6EF572AF39783A04DF792670998D3</code> || <code>90168C03B217CE775A7839D87BBFF2A3</code> || <code>D1F0AAFC</code> || <code>CD8D</code>
|- //-->
|- //-->
| style="text-align:center; background-color:#FFDDDD;" | [https://archive.org/download/downgrade_files_3.55_br_safe/Lv2diag.self%20%28file%201%29%20by%20JaicraB/ Lv2diag.self&nbsp;(227.38&nbsp;KB)] || style="text-align:center; background-color:#FFDDDD;" | 232832 || style="text-align:center; background-color:#FFDDDD;" | jaicrab noBD patched || style="text-align:center; background-color:#FFDDDD;" | <code>[https://www.google.com/#q=180823003B086D9D49BC7F83BEA9C769BF73A5EA 180823003B086D9D49BC7F83BEA9C769BF73A5EA]</code> || style="text-align:center; background-color:#FFDDDD;" | <code>[https://www.google.com/#q=3615770407C0C3FA00D8CA49C8ADB362 3615770407C0C3FA00D8CA49C8ADB362]</code> || style="text-align:center; background-color:#FFDDDD;" | <code>25E85CFB</code> || style="text-align:center; background-color:#FFDDDD;" | <code>EDD0</code>
|-
|}
|}
''* recommended default choice, see above notes''
mirrors: http://mir.cr/1HRZ3M2N / http://mir.cr/060LU86N / http://mir.cr/ATL2LSGI / http://www.mediafire.com/download.php?zmcgdgj6sdh87se /


=== Check the logfile ===
=== Check the logfile ===
<div style="float:right">[[File:PS3-factory-service-mode-for-downgrade.png|200px|thumb|left|XMB red square notification - factory service mode ]]</div>
After installation of the firmware, take the created logfile in root of USB Mass Storage Device and look if it contains [[Error Codes|errors]] ([http://pastie.org/pastes/new pastie] the log if you want to ask for help online on IRC)
 
After installation of the firmware, take the created logfile in root of USB Mass Storage Device and look if it contains [[Error_Codes#0x8002f..._-_PUP_.2F_Update_errors|errors]] ([http://pastie.org/pastes/new pastie] the log if you want to ask for help online on IRC)
 
 
'''Tip:'''
:: You can boot console to XMB while still in FSM, if you want to be ''really'' sure it installed fine.
 
'''Remarks:'''
::*If you are using a component cable the image might be garbled.
::*If you are using HDMI, you don't have any screenoutput at all after the "press PS-button" message. (note: conflicting reports on HDMI working or not in FSM)


=== Getting out of Factory Service Mode ===
=== Getting out of Factory Service Mode ===
<div style="float:right">[[File:USBSTICK-content-for-exit-factory-service-mode.png|200px|thumb|left|USBSTICK - content for exit factory service mode ]]</div>
If everything went fine without errors, you can take the console out of service mode and enjoy your downgraded console :)
If everything went fine without errors, you can take the console out of service mode and enjoy your downgraded console :)
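Review bot: The Lv2diag.self table on the "Your text" side moves the downloads to multiupload.com links and removes the green/red row marking together with the "* recommended default choice" footnote, yet nowhere around the table is the reader told to compare the downloaded file against the Size and SHA1 columns before copying it to the USB stick. Add one sentence above the table saying so, and say which column to rely on: CRC16 and CRC32 only catch accidental corruption, so the comparison should be on SHA1, with the byte size as a quick first check. I would also keep the row marking, since the NOR bullet restored in this hunk sends readers to the jaicrab noBD row without any indication that the latest revision advises against it.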


Line 143: Line 99:
! Filename !! Size !! Remarks !! <code>SHA1</code> !! <code>MD5</code> !! <code>CRC32</code> !! <code>CRC16</code>
! Filename !! Size !! Remarks !! <code>SHA1</code> !! <code>MD5</code> !! <code>CRC32</code> !! <code>CRC16</code>
|-
|-
| [https://archive.org/download/lv-2diag.self.-560.v-0.1-brewology-com_202403/Lv2diag.self Lv2diag.self&nbsp;(201.42&nbsp;KB) ]|| 206256 || get out FSM || <code>[https://www.google.com/#q=329877CBD47B994EC0AFCEA6AF98114FD9E5128B 329877CBD47B994EC0AFCEA6AF98114FD9E5128B]</code> || <code>[https://www.google.com/#q=7A20BFDAE65EEFB47A4425DB1B52DCDE 7A20BFDAE65EEFB47A4425DB1B52DCDE]</code> || <code>72740080</code> || <code>502A</code>
| [http://www.multiupload.com/VGQTFV56CO Lv2diag.self&nbsp;(201.42&nbsp;KB)] || 206256 || get out FSM || <code>329877CBD47B994EC0AFCEA6AF98114FD9E5128B</code> || <code>7A20BFDAE65EEFB47A4425DB1B52DCDE</code> || <code>72740080</code> || <code>502A</code>
|-
|-
|}
|}
== Dehashing ==
{{Dehashing}}
=== QA dehashing ===
{{QA dehashing}}
=== reFSM dehashing ===
{{reFSM dehashing}}
==== Remarks ====
<!--// '''ReFSM''' way is strongly recommended over '''QA''' if you do NOT install a nonpatched firmware //-->
* FSM gets you a installer LOG (QA does not)
* FSM does not delete ACT.DAT ([[QA_Flagging#Act.dat_.28PSN_activation.29_gets_deleted|QA does]])
* FSM can be done without a BD drive with noBD patched firmware (QA needs the BD drive present)
* FSM can be done without seeing XMB or Recovery (QA needs Recovery and XMB for the QA-flagging package)
Both ways ''require'' installing nonpatched firmware to dehash syscon bank. QA-flag can be removed/reset (but it is better to keep it flagged) after succesfull dehash, without bricking.
  <domelec> dehash procedure: fsm install ofw
            after console turns off take out usb stick and look at log file,
            if log is ok then reinsert usb stick and turn on console,
            ofw will then reinstall, after console turns off again
            take out usb stick and check log, if ok then exit fsm
  <eussNL> do double FSM OFW, then get out of service mode.
  <eussNL> check everything is working
  <eussNL> THEN and only THEN, you can install whatever you want, in recovery.
  <eussNL> there is no need for factory mode after dehashing complete
  <eussNL> in fact, if everything works on OFW 3.55 after dehashing,
  <eussNL> you can install [https://web.archive.org/web/*/http://ps3devwiki.com/files/firmware/MFW-CEX/Downgrader/Rogero-V3.2/ Rogero V3.2] in recovery and [https://web.archive.org/web/*/http://ps3devwiki.com/files/flash/Tools/toggle-qa/ QA-extra] flag it 
  <eussNL> if OFW 3.55 works then you proven that you dehashed
  <eussNL> so after that you can install whatever MFW 3.55 you want
  <eussNL> If for some reason you cannot dehash because of BD or BT errors
          then you can use PS3MFW Builder and the broken Blueray / broken Bluetooth
          tasks. Do not select downgrader patches, or you will not dehash!
  <eussNL> BD error can be persistant if flasher is still attached,
          see: http://www.ps3devwiki.com/wiki/Talk:Hardware_flashing#BD_drive_not_found_problem
  <eussNL> 3 options: 1. open R7/R8  /  2. remove flasher control lines / 3. remove all flasher wiring
  <playonlcd> i  think you can update on wiki "dehashing with jaicrab is not recommended
              and will not dehash as needed and thus semibrick by syscon hash panic
{{Hardware Flashers}}<noinclude>
[[Category:Main]]
</noinclude>
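Review bot: From "== Dehashing ==" down, every line exists only on the latest-revision side, so this undo deletes the whole section, including "Both ways ''require'' installing nonpatched firmware to dehash syscon bank" and the quoted warning about a "semibrick by syscon hash panic". Without it the procedure ends at "enjoy your downgraded console" directly after a prepatched PUP install, with no mention that a further step exists. If the aim of the undo is only to revert link changes, restrict it to those lines and leave the Dehashing section and the {{Hardware Flashers}} footer in place. The "get out FSM" row also swaps its archive.org link for a multiupload.com one while the SHA1 column is unchanged, so the hash is the only thing tying the new link to the intended file.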