Editing Talk:Downgrading with NOR flasher

WARNING
this page is very old and archaic
only kept up for historic reference
=NOR patches=


== V1 ==
 
=== Tasks ===
[http://git.gitbrew.org/repos/?p=ps3/ps3mfw/tasks.git;a=blob;f=patch_lv1.tcl MFW Task::patch_lv1.tcl] with the following patches selected:
* --patch-lv1-storage-skip-acl-check
* --patch-lv1-sysmgr-disable-integrity-check
 
=== Patches ===
http://pastebin.com/aNehMfGi :
 
    Downgrade patches
        
    DIFF:
        
    -------------
    patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices
    
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  54 63 06 3E                                      Tc.>
        
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  38 60 00 01                                      8`..
        
    -----
    patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices (continued)
        
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340                                      E8 01 00 70              è..p
        
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340                                      38 00 00 01              8...
        
    -----
    patch-lv1-sysmgr-disable-integrity-check: Disable integrity check in System Manager
        
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0              48 00 D7 15                              H.×.
        
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0              38 60 00 00                              8`..
        
    -------------
    
    Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware
 
 
----
 
 
=== Combining patches ===
There is a difference between the patches on the [[Talk:Downgrading with NOR flasher]] and [[Talk:Downgrading with NAND flasher]].
 
What if you combine those together? 1st try: selecting both patch tasks manually:
 
<keperfear> eussnl http://www.multiupload.com/6AZN5DOCM9
<keperfear> could you check if i patched everything correctly
<keperfear> anyway i really need to sleep now
<keperfear> good luck everyone
* keperfear left
<eussNL> oh dear, keperfear is already gone ...  anyhow, this was my version : [http://www.multiupload.com/3KW1IZ45E0 patched355coreos.rar (4.84 MB)] (no "Patch In product mode erase standby bank skipped" selected)
 
----
 
<keperfear> Eussnl try with this one
 
<pre>
      # In product mode erase standby bank skipped
   
      log "Patch In product mode erase standby bank skipped"
   
      set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
</pre>(difference is \x41\x9E\x00\x0C\xE8\xA2\x8A'''\x38''' instead of \x41\x9E\x00\x0C\xE8\xA2\x8A'''\x30''')<br />
 
 
 
==== Combined TCL ====
 
2nd try, Combined single TCL "patch-lv1checks.tcl" :
 
<pre>
#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) PsiColeO
# Copyright (C) glevand ([email protected])
# Copyright (C) Anonymous Developers (Code Monkeys)
 
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#
 
# Priority: 300
# Description: Patch LV1 checks
 
# Option --patch-lv1checks: Disables many checks in lv1
 
# Type --patch-lv1checks: boolean


namespace eval ::patch_lv1checks {
    array set ::patch_lv1checks::options {
        --patch-lv1checks true
    }
    proc main { } {
        set self "lv1.self"
        ::modify_coreos_file $self ::patch_lv1checks::patch_self
    }
    proc patch_self {self} {
        if {!$::patch_lv1checks::options(--patch-lv1checks)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_lv1checks::patch_elf
        }
    }
    proc patch_elf {elf} {
        if {$::patch_lv1checks::options(--patch-lv1checks)} {
            log "Patching LV1 Checks"
   
            # ss_server1
            # Patch core OS Hash check // product mode always on
            log "--------------- Patching  ss_server1.fself ----------------------------"
            log "Patch core OS Hash check // product mode always on"

            set search "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patch check_revoke_list_hash check // product mode always on
            log "Patch check_revoke_list_hash check // product mode always on"

            set search "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # In product mode erase standby bank skipped
            log "Patch In product mode erase standby bank skipped"

            set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
            set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patching System Manager to disable integrity check
            log "Patching System Manager to disable integrity check"
            set search  "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\x2f\x80\x00\x00"
            set replace "\x38\x60\x00\x00"
            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patching LV1 to enable skipping of ACL checks for all storage devices
            log "Patching LV1 to enable skipping of ACL checks for all storage devices"
            set search  "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\xe8\x01\x00\x70\x54\x00\x07\xfe"
            append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
            set replace "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\x38\x00\x00\x01"
            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
     
        }
    }
}
</pre>download: [http://www.multiupload.com/H61RYAPLHQ patch_lv1checks.rar (1.29 KB)] (2.88-3.42 / 3.50-3.55)<br />
<br />
Note: if you get error "parent namespace doesn't exist" you didn't save the file as "patch_lv1checks.tcl".
==== PreAlpha v1 smoketest - offsets ====
'''patch-lv1checks''' (Modifying CORE_OS file lv1.self - Patching LV1 Checks)
{|class="wikitable"
|-
! No. !! Description !! 2.80 !! 3.00 !! 3.01 !! 3.10 !! 3.15 !! 3.20 !! 3.21 !! 3.30 !! 3.40 !! 3.41-BAD !! 3.41-FIX !! 3.42 !! 3.50 !! 3.55
|-
| 1 || Patch core OS Hash check // product mode always on || 2958632 || 2958452 || 2958452 || 2958984 || 2958984 || 2959072 || 2891632 || 2891556 || 2891596 || 2891596 || 2891596 || 2891596 || 2891684 || 2891684
|-
| 2 || Patch check_revoke_list_hash check // product mode always on || 2961708 || 2961528 || 2961528 || 2962060 || 2962060 || 2962148 || 2894708 || 2894632 || 2894672 || 2894672 || 2894672 || 2894672 || 2894836 || 2894836
|-
| 16 || Patch In product mode erase standby bank skipped || ''2977960'' || ''2977780'' || ''2977780'' || ''2978324'' || ''2978324'' || ''2978412'' || ''2910972'' || ''2910896'' || ''2910936'' || ''2910936'' || ''2910936'' || ''2910936'' || 2911100 || 2911100
|-
| 23 || Patching System Manager to disable integrity check || 2211164 || 2211424 || 2211424 || 2217608 || 2217608 || 2218192 || 2218120 || 2215760 || 2216052 || 2216052 || 2216052 || 2216052 || 2216096 || 2216096
|-
| 24 || Patching LV1 to enable skipping of ACL checks for all storage devices || 498208 || 500212 || 500212 || 505304 || 505420 || 506032 || 506032 || 505112 || 504568 || 504568 || 504568 || 504568 || 504640 || 504640
|-
|}
<keperfear> coreos 3.55 with above 1,2,16,23,24 combined patches: [http://www.multiupload.com/4FEHWKT2ZN coreos355nandandnordowngradepatches.rosx (7 MB)]
==== Status ====
MFW patch_lv1checks.tcl seems to work fine.
Needs testing in the field by people with hardware flasher only.
Update:
    [01:43:10] <Ryd3R> RSOD x_x
    [01:44:41] <Ryd3R> i hate when it shows up
    [01:45:20] <Ryd3R> @eussNL: are you there ?
    [01:46:41] <eussNL> I am, but also a lot of side stuff going on, what's the problem all of a sudden
                          and what did you do to make it bitch like that?
    [01:47:36] <Ryd3R> i did the 3.70 downgrade using a teensy++
    [01:48:42] <Ryd3R> it works well when i revert back to 3.70
    [01:49:23] <Ryd3R> i think it has something to do with the fuckin syscon
    [01:49:37] <eussNL> ok, did you patch lv1 ?
    [01:49:43] <Ryd3R> yeah
    [01:50:09] <Ryd3R> the No hash check patch right ?
    [01:51:50] <Ryd3R> for some fuckin reason any version prior to 3.70 gave me an rsod
    [01:52:41] <Ryd3R> i tried using the recovery menu to update to 3.60 from 3.55 (lv1 patched) still rsod
    [01:53:15] <eussNL> yes and then some... Ryd3R> the No hash check patch right ?
    [01:53:46] <eussNL> http://www.ps3devwiki.com/index.php?title=Talk:Downgrading_with_NOR_flasher#Combined_TCL
    [01:55:47] <Ryd3R> i'll give it a try
   
    [02:16:19] <Ryd3R> thanks eussNL you're the man, the patch works like a charm
    [02:22:53] <eussNL> good to hear, hope it stays flawless now :)
== V2 ==
http://darkconsoles.com/foro/viewtopic.php?f=7&t=16
=== NOR offsets used ===
{|class="wikitable sortable"
|-
! target area !! patch no. !! NOR Offset !! Paste length !! Remarks
|-
| ROS0 || [http://www.multiupload.com/RJVZP6CKZ5 patch1 (7 MB)] || 0x0C0010 || 0x6FFFE0 || version string not changed?
|-
| ROS1 || [http://www.multiupload.com/DGVUPMNDQU patch2 (7 MB)] || 0x7C0010 || 0x6FFFE0 || same as patch1?
|-
| trvk_pkg0 || [http://www.multiupload.com/Z7424DXPLJ patch3 (128 KB)] || 0x80000 || 0x20000 ||
|-
| trvk_pkg1 || [http://www.multiupload.com/74GLX7XFDG patch4 (128 KB)] || 0xA0000 || 0x20000 ||
|-
| trvk_prg0 || [http://www.multiupload.com/HHJ3GDGL7X patch5 (128 KB)] || 0x40000 || 0x20000 ||
|-
| trvk_prg1 || [http://www.multiupload.com/4SP4DIK1ZM patch6 (128 KB)] || 0x60000 || 0x20000 ||
|-
|}
=== LV1 patches used ===
  Downgrade patches v2
         
  http://www.multiupload.com/DVFD9AZGO5
         
  DIFF:
         
  -------------
  patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices
     
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340  54 63 06 3E                                      Tc.>
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340  38 60 00 01                                      8`..
         
  -----
  patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices (continued)
         
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340                                      E8 01 00 70              è..p
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340                                      38 00 00 01              8...
         
  -----
  ???? Patch sys_mgr integrity lv1 and lv0 integrity check ????
         
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0021D0B0              48 00 D7 15                              H.×.
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0021D0B0              38 60 00 00                              8`..
         
  -----
==== PPU ASM:: last ???? marked patch ====
  44d0ac:      2f 80 00 00    cmpwi   cr7,r0,0      # Compare r0 with immediate 0 and place the result in cr7
  44d0b0:      40 9e 00 48    bne-    cr7,0x44d0f8  # Branch to 0x44d0f8 if cr7 says "not equal"
  44d0b4:      48 00 d7 15    bl      0x45a7c8      # Branch and link to 0x45a7c8 (the bytes the ???? patch overwrites with 38 60 00 00, i.e. li r3,0)
  44d0b8:      2f 83 00 00    cmpwi   cr7,r3,0      # Compare r3 with immediate 0 and place the result in cr7
  44d0bc:      38 60 00 01    li      r3,1          # Load immediate value 1 into r3
==== Combined TCL V2 ====
Combined single TCL "patch-lv1checks.tcl" with added new patch :
 
<pre>
#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) PsiColeO
# Copyright (C) glevand ([email protected])
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#
# Priority: 300
# Description: Patch LV1 checks
# Option --patch-lv1checks: Disables many checks in lv1
# Type --patch-lv1checks: boolean
namespace eval ::patch_lv1checks {
    array set ::patch_lv1checks::options {
        --patch-lv1checks true
    }
    proc main { } {
        set self "lv1.self"
        ::modify_coreos_file $self ::patch_lv1checks::patch_self
    }
    proc patch_self {self} {
        if {!$::patch_lv1checks::options(--patch-lv1checks)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_lv1checks::patch_elf
        }
    }
    proc patch_elf {elf} {
        if {$::patch_lv1checks::options(--patch-lv1checks)} {
            log "Patching LV1 Checks"
   
            # ss_server1
            # Patch core OS Hash check // product mode always on
            log "--------------- Patching  ss_server1.fself ----------------------------"
            log "Patch core OS Hash check // product mode always on"

            set search "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patch check_revoke_list_hash check // product mode always on
            log "Patch check_revoke_list_hash check // product mode always on"

            set search "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # In product mode erase standby bank skipped
            log "Patch In product mode erase standby bank skipped"

            set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
            set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patching System Manager to disable integrity check
            log "Patching System Manager to disable integrity check"

            set search  "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\x2f\x80\x00\x00"
            set replace "\x38\x60\x00\x00"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patching LV1 to enable skipping of ACL checks for all storage devices
            log "Patching LV1 to enable skipping of ACL checks for all storage devices"
            set search  "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\xe8\x01\x00\x70\x54\x00\x07\xfe"
            append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
            set replace "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\x38\x00\x00\x01"
            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # LV1 0021D0B4@355 patch (?Patch sys_mgr integrity lv1 and lv0 integrity check?)
            log "?Patch sys_mgr integrity lv1 and lv0 integrity check?"

            set search "\x48\x00\xD7\x15\x2F\x83\x00\x00\x38\x60\x00\x01"
            set replace "\x38\x60\x00\x00\x2F\x83\x00\x00\x38\x60\x00\x01"
            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
        }
    }
}
</pre>download: [http://www.multiupload.com/IU061G4J69 patch_lv1checks.rar (1.53 KB)] (3.40-3.42 / 3.50-3.55)<br />
<br />
==== PreAlpha v2 smoketest - offsets ====
'''patch-lv1checks''' (Modifying CORE_OS file lv1.self - Patching LV1 Checks)
{|class="wikitable"
|-
! No. !! Description !! 2.80 !! 3.00 !! 3.01 !! 3.10 !! 3.15 !! 3.20 !! 3.21 !! 3.30 !! 3.40 !! 3.41-BAD !! 3.41-FIX !! 3.42 !! 3.50 !! 3.55
|-
| 1 || Patch core OS Hash check // product mode always on || 2958632 || 2958452 || 2958452 || 2958984 || 2958984 || 2959072 || 2891632 || 2891556 || 2891596 || 2891596 || 2891596 || 2891596 || 2891684 || 2891684
|-
| 2 || Patch check_revoke_list_hash check // product mode always on || 2961708 || 2961528 || 2961528 || 2962060 || 2962060 || 2962148 || 2894708 || 2894632 || 2894672 || 2894672 || 2894672 || 2894672 || 2894836 || 2894836
|-
| 16 || Patch In product mode erase standby bank skipped || ''2977960'' || ''2977780'' || ''2977780'' || ''2978324'' || ''2978324'' || ''2978412'' || ''2910972'' || ''2910896'' || ''2910936'' || ''2910936'' || ''2910936'' || ''2910936'' || 2911100 || 2911100
|-
| 23 || Patching System Manager to disable integrity check || 2211164 || 2211424 || 2211424 || 2217608 || 2217608 || 2218192 || 2218120 || 2215760 || 2216052 || 2216052 || 2216052 || 2216052 || 2216096 || 2216096
|-
| 24 || Patching LV1 to enable skipping of ACL checks for all storage devices || 498208 || 500212 || 500212 || 505304 || 505420 || 506032 || 506032 || 505112 || 504568 || 504568 || 504568 || 504568 || 504640 || 504640
|-
| 25 || ?Patch sys_mgr integrity lv1 and lv0 integrity check? || no pattern || no pattern || no pattern || no pattern || no pattern || no pattern || no pattern || no pattern<br />''2215780''? || ''2216072'' || ''2216072'' || ''2216072'' || ''2216072'' || 2216088 || 2216116
|-
|}
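The smoketest above amounts to searching each lv1.elf for a byte pattern and recording where it matched ("no pattern" where it did not). As an added example (not code from this page or from ps3mfw), the same search can be run the other way to check whether a dumped lv1.elf is stock or already carries these modifications. The byte patterns are copied from the Combined TCL V2 block; the function names and the sample image are made up here, and it assumes <code>replace</code> overwrites the start of the <code>search</code> match, as the hex dumps on this page show.

```python
"""Classify the LV1 patch sites listed on this page as stock or modified."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    no: int         # "No." column of the smoketest table
    name: str
    search: bytes   # stock pattern (`set search` in the TCL)
    replace: bytes  # bytes laid over the start of the match (`set replace`)

    @property
    def patched(self) -> bytes:
        # Assumption: replace offset 0 means `replace` overwrites the first
        # len(replace) bytes of the match; the tail of `search` is untouched.
        return self.replace + self.search[len(self.replace):]


def _h(s: str) -> bytes:
    return bytes.fromhex(s)


# Patterns copied from the Combined TCL V2 block on this page.
SITES = [
    Site(1, "core OS hash check",
         _h("419E001C 7F63DB78 E8A28568 38800001"),
         _h("60000000 7F63DB78 E8A28568 38800001")),
    Site(2, "check_revoke_list_hash check",
         _h("419E001C 7FA3EB78 E8A28568 38800001"),
         _h("60000000 7FA3EB78 E8A28568 38800001")),
    Site(16, "erase standby bank in product mode",
         _h("419E000C E8A28A38 480000CC 7BFD0020"),
         _h("60000000 E8A28A38 480000CC 7BFD0020")),
    Site(23, "System Manager integrity check",
         _h("38600001 F8010090 881F0000 2F800000"),
         _h("38600000")),
    Site(24, "storage ACL checks",
         _h("5463063E 2F830000 419E0014 E8010070 540007FE 2F800000 409E0018"),
         _h("38600001 2F830000 419E0014 38000001")),
    Site(25, "sys_mgr lv1/lv0 integrity check (?)",
         _h("4800D715 2F830000 38600001"),
         _h("38600000 2F830000 38600001")),
]


def find_all(image: bytes, pattern: bytes) -> list:
    """Return every offset at which `pattern` occurs in `image`."""
    hits, i = [], image.find(pattern)
    while i != -1:
        hits.append(i)
        i = image.find(pattern, i + 1)
    return hits


def classify(image: bytes) -> dict:
    """Map patch No. -> (state, offsets); state is one of
    'stock', 'patched', 'no pattern' or 'ambiguous' (more than one hit)."""
    report = {}
    for site in SITES:
        stock = find_all(image, site.search)
        modified = find_all(image, site.patched)
        if len(stock) + len(modified) > 1:
            state = "ambiguous"      # pattern is not unique: do not trust it
        elif stock:
            state = "stock"
        elif modified:
            state = "patched"
        else:
            state = "no pattern"     # different build, or changed some other way
        report[site.no] = (state, sorted(stock + modified))
    return report


def build_sample(patched_nos=()) -> bytes:
    """Constructed test image (NOT real firmware): each site once, 0xFF padded."""
    out = bytearray()
    for site in SITES:
        out += b"\xff" * 32
        out += site.patched if site.no in patched_nos else site.search
    return bytes(out) + b"\xff" * 32


if __name__ == "__main__":
    names = {s.no: s.name for s in SITES}
    for no, (state, offsets) in classify(build_sample({23, 25})).items():
        print(f"{no:>2}  {state:<10}  {offsets}  {names[no]}")
```

On a real dump the offsets reported for a stock image should line up with the decimal offsets in the table for that firmware version; an "ambiguous" or "no pattern" result means the pattern cannot be used to judge that image.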
==== Status ====
MFW patch_lv1checks.tcl seems to work fine.
Needs testing in the field by people with hardware flasher only.
Rogero and VAL_ tested, no problems with games/trophies and Blu-ray movies
==== Premade MFW Rogero V1 ====
Rogero MFW355_370_spoof_Internet_Blocked_LV1_Checks_Patched.PUP (170.59 MB) (archaic, use V2 or 3.1 instead)
<!--//http://www.multiupload.com/IAGZEX5Q75 Rogero MFW355_370_spoof_Internet_Blocked_LV1_Checks_Patched.PUP (170.59 MB)//-->
(contains also the V2 TCL'ed patches - first install 355nocheck.pup in Factory Service Mode then after getting back in normal mode install Rogero MFW V1 in Recovery)
==== Premade CFW Rogero V2 ====
[http://www.mediafire.com/?xxm6ejfm2bd2pox Rogero_CFW_V2_Kmeaw_LV1_Patched_4.00_spoof_Privacy_Patch.PUP (170 MB / 178,827,264 bytes)]
MD5: 61b1592cc3a5c008ffbeb151fc77653a
CRC32: B7A039FC
For some refurbished PS3s the PUP installation failed on the BD firmware update; in that case, and when downgrading with the Blu-ray drive not attached, use this version:
[http://www.mediafire.com/?7maaw9ijbq62ydv Rogero_CFW_V2_Kmeaw_LV1_Patched_4.00_spoof_Privacy_Patch_NoBD_Update.PUP]
MD5: 7be79e1d314869e5031a1de78f8e8b7c
CRC32: 30E25A76
===== Usage / Compatibility =====
* Can be used for Downgrade directly as a replacement of the no_check.PUP to avoid the "Trophies error".
* Can be used for normal system update like any other CFW/MFW from XMB or from Recovery Menu.
===== Internal Structure /changes =====
* Kmeaw patched Lv2 with necessary patches to allow Peek/Poke support (same games compatibility as Kmeaw CFW)
* Dospiedra's LV1 patches necessary to bypass the Syscon checks for downgraded consoles. (same as no_check.PUP)
* Built-in system version spoof to 3.70 to prevent accidental system updates (won't allow going online in any way)
* Privacy Patch was not applied like previous version to allow Game updates (can be added easily using MFW builder)
* Custom Boot Logo.
* built-in "Heavy Rain" dynamic theme.
=====Extracting pup and comparing=====
to see the actual patches/changes done:
*EULA.xml (custom licence text)
*Update_Files.tar
**CORE_OS_PACKAGE.pkg
***lv1.self
***lv2_kernel.self
**dev_flash_005.tar.aa.2010_11_27_051337
***dev_flash\vsh\etc\version.txt (spoof 03.7000:51968,20110805)
***dev_flash\vsh\etc\index.dat (spoof 03.7000:51968,20110805)
**dev_flash_010.tar.aa.2010_11_27_051337
***dev_flash\vsh\module\nas_plugin.sprx
**dev_flash_011.tar.aa.2010_11_27_051337
***dev_flash\vsh\module\vsh.self
**dev_flash_013.tar.aa.2010_11_27_051337
***dev_flash\vsh\resource\coldboot.raf (custom bootlogo)
**dev_flash_014.tar.aa.2010_11_27_051337
***dev_flash\vsh\resource\theme\01.p3t (heavy rain dynamic theme)
**dev_flash_016.tar.aa.2010_11_27_051337
***dev_flash\vsh\resource\explore\xmb\category_game.xml (add "Install Package Files" & "/app_home" icons to the XMB Game Category)
*Version.txt (suffix -Rogero_V2 added)
first glance/impressions: looks a lot cleaner than 355checkoff.PUP ([[User:Euss|Euss]])
======lv1.elf======
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340  '''54''' '''63''' '''06''' '''3E''' 2F 83 00 00 41 9E 00 14 '''E8''' '''01''' 00 '''70'''  Tc.>/ƒ..Až..è..p
ROGv2 (patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340  '''38''' '''60''' '''00''' '''01''' 2F 83 00 00 41 9E 00 14 '''38''' '''00''' 00 '''01'''  8`../ƒ..Až..8...
 
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  000F5A40  39 08 05 48 39 20 00 '''00''' 38 60 00 00 4B FF FC 45  9..H9 ..8`..KÿüE
ROGv2 (flukes1):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  000F5A40  39 08 05 48 39 20 00 '''01''' 38 60 00 00 4B FF FC 45  9..H9 ..8`..KÿüE
 
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00136BC0                      00 72 73 '''78''' 20 64 72              .rsx dr
ROGv2 (flukes1):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00136BC0                      00 72 73 '''73''' 20 64 72              .rss dr
 
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00136BE0          6F 72 65 '''2F''' 63 6F 6E                      ore/con
ROGv2 (flukes1):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00136BE0          6F 72 65 '''20''' 63 6F 6E                      ore con
 
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0021D0A0  38 60 00 '''01''' F8 01 00 90 88 1F 00 00 2F 80 00 00  8`..ø...ˆ.../€..
  0021D0B0  40 9E 00 48 '''48''' '''00''' '''D7''' '''15''' 2F 83 00                @ž.HH.×./ƒ.
ROGv2 (??Patch sys_mgr integrity lv1 and lv0 integrity check??):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0021D0A0  38 60 00 '''00''' F8 01 00 90 88 1F 00 00 2F 80 00 00  8`..ø...ˆ.../€..
  0021D0B0  40 9E 00 48 '''38''' '''60''' '''00''' '''00''' 2F 83 00                @ž.H8`../ƒ.
 
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  002C1FA0    80 00 FF '''41''' '''9E''' 00 '''1C''' 7F 63 DB                  €.ÿAž...cÛ
ROGv2:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  002C1FA0    80 00 FF '''60''' '''00''' 00 '''00''' 7F 63 DB                  €.ÿ`....cÛ
 
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  002C2BF0    80 00 FF '''41''' '''9E''' 00 '''1C''' 7F A3 EB                  €.ÿAž...£ë
ROGv2:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  002C2BF0    80 00 FF '''60''' '''00''' 00 '''00''' 7F A3 EB                  €.ÿ`....£ë
 
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  002C6B70                          38 80 00 01 '''41''' '''9E''' 00 '''0C'''          8€..Až..
  002C6B80  E8 A2 8A                                        袊
ROGv2:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  002C6B70                          38 80 00 01 '''60''' '''00''' 00 '''00'''          8€..`...
  002C6B80  E8 A2 8A                                        袊
======lv2_kernel.elf======
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00029330                            80 00 20 3C 60 80 01          €. <`€.
  00029340  60 63 00 03 4E 80 00 20 3C 60 80 01 60 63 00 03  `c..N€. <`€.`c..
  00029350  4E 80 00                                        N€.
ROGv2 (flukes1):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00029330                            80 00 20 E8 63 00 00          €. èc..
  00029340  60 00 00 00 4E 80 00 20 F8 83 00 00 60 00 00 00  `...N€. øƒ..`...
  00029350  4E 80 00                                        N€.
 
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  002D6E00                6E 6F 74 20 67 65 74 20 50 50 50      not get PPP
  002D6E10  6F 45 20 68 65 61 64 65 72 0A 00 00 00 00 00 00  oE header.......
ROGv2 (flukes1):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  002D6E00                6E 6F 74 20 6E 6F 74 20 6E 6F 74      not not not
  002D6E10  20 6E 6F 74 20 6E 6F 74 20 6E 6F 74 20 6E 00 00  not not not n..
   
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00359380  A0 40 36 6B 2D 8A 50 99 1E B3 0C 53 E5 9B 5D 6E   @6k-ŠP™.³.Så›]n
  00359390  61 2C AC B8                                      a,¬¸
ROGv2 (flukes1):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00359380  5E B8 A5 00 8C F3 BC 24 08 91 19 61 E6 DB 19 CB  ^¸¥.Œó¼$.‘.aæÛ.Ë
  00359390  0D CA FD 2F                                      .Êý/
======nas_plugin.prx======
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00003250                                      '''7C 60 1B 78'''              |`.x
ROGv2 (geohot):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00003250                                      '''38 00 00 00'''              8...
 
OFW355:
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00037350  41 9E 00 '''4C''' 38 00 00 00                          Až.L8...
ROGv2 (waninkoko):
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00037350  41 9E 00 '''04''' 38 00 00 00                          Až..8...
== 355checkoff.PUP ==
[http://www.megaupload.com/?d=BNC7EC38 PS3 CFW Kmeaw by dospiedra - 355checkoff.PUP] <br />
([http://pastie.org/private/ayacg9ng3xeop78viscdya 'kmeaw'] + lv1 nocheck (see V1/V2 etc))

Patches which should be included when it is a 'kmeaw'-based pup (using [[PS3MFW Builder]] and [[Patches]] naming):

* Patch LV1 hypervisor (lv1_function_114 mmap) lv1.self

===Extracting pup and comparing===
to see the actual patches/changes done reveals that there is actually a lot more going on/patched and it isn't 'kmeaw' (0x00136bc0 & 0x00136be0 flukes1 lv1.self patch missing):

====CORE_OS_PACKAGE.pkg====

=====emer_init.elf=====
Patch type: OtherOS++ --patch-emer-init-gameos-hdd-region-size-quarter
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00093490              39 20 00 4F 7C 00 F8                    9 .O|.ø
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00093490              39 20 00 5F 7C 00 F8                    9 ._|.ø
   
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     000F5A40              39 20 00 00 38 60 00                    9 ..8`.
   Patched 355checkoff (flukes1):
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     000F5A40              39 20 00 01 38 60 00                    9 ..8`.
   
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     000F5EB0  41 DA 00 54                                      AÚ.T
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     000F5EB0  60 00 00 00                                      `...
   
      
   Original ofw355:
Line 707: Line 87:
     000FD5D0  E9 5E 00 20 E9 1E 00 28 E8 FE 00 30 EB EB 00 50  é^. é..(èþ.0ëë.P
     000FD5D0  E9 5E 00 20 E9 1E 00 28 E8 FE 00 30 EB EB 00 50  é^. é..(èþ.0ëë.P
     000FD5E0  F8 01 00                                        ø..
     000FD5E0  F8 01 00                                        ø..
   
   Patched 355checkoff:
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Line 712: Line 93:
     000FD5D0  E9 5E 00 28 E9 1E 00 30 E8 FE 00 38 EB FE 00 18  é^.(é..0èþ.8ëþ..
     000FD5D0  E9 5E 00 28 E9 1E 00 30 E8 FE 00 38 EB FE 00 18  é^.(é..0èþ.8ëþ..
     000FD5E0  F8 01 00                                        ø..
     000FD5E0  F8 01 00                                        ø..
   
      
      
   Original ofw355:
   Original ofw355:
Line 717: Line 99:
     000FD850  E8 1E 00 18 E9 3E 00 20 E9 5E 00 28 E9 1E 00 30  è...é>. é^.(é..0
     000FD850  E8 1E 00 18 E9 3E 00 20 E9 5E 00 28 E9 1E 00 30  è...é>. é^.(é..0
     000FD860  E8 FE 00 38 E8 DE 00 40 EB EB 00 50 90 A1 00 70  èþ.8èÞ.@ëë.P.¡.p
     000FD860  E8 FE 00 38 E8 DE 00 40 EB EB 00 50 90 A1 00 70  èþ.8èÞ.@ëë.P.¡.p
   
   Patched 355checkoff:
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     000FD850  E8 1E 00 20 E9 3E 00 28 E9 5E 00 30 E9 1E 00 38  è.. é>.(é^.0é..8
     000FD850  E8 1E 00 20 E9 3E 00 28 E9 5E 00 30 E9 1E 00 38  è.. é>.(é^.0é..8
     000FD860  E8 FE 00 40 E8 DE 00 48 EB FE 00 18 90 A1 00 70  èþ.@èÞ.Hëþ...¡.p
     000FD860  E8 FE 00 40 E8 DE 00 48 EB FE 00 18 90 A1 00 70  èþ.@èÞ.Hëþ...¡.p
   
      
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     000FDCF0              E8 1E 00 18 E9 3E 00                    è...é>.
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     000FDCF0              E8 1E 00 20 E9 3E 00                    è.. é>.
      
   Original ofw355:
     [...]
     000FDD00  E9 1E 00 30 E8 FE 00 38 E8 DE 00 40 EB EB 00 50  é..0èþ.8èÞ.@ëë.P
     000FDD10  90 A1 00                                        .¡.
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     [...]
     000FDD00  E9 1E 00 38 E8 FE 00 40 E8 DE 00 48 EB FE 00 18  é..8èþ.@èÞ.Hëþ..
     000FDD10  90 A1 00                                        .¡.
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00103CF0              38 00 00 0B 7F E9 00                    8....é.
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00103CF0              38 00 00 0F 7F E9 00                    8....é.
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00112670                      10 39 20 00 09 E9 43 00            .9 ..éC.
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00112670                      10 39 20 FF FF E9 43 00            .9 ÿÿéC.
      
   Original ofw355:
     [...]
     001225F0  60 00 FF EC F8 03 00 C0 4E 80 00 20 38 00 00 00  `.ÿìø..ÀN€. 8...
     00122600  64 00 FF FF 60 00 FF EC F8 03 00 C0 4E 80 00    d.ÿÿ`.ÿìø..ÀN€.
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     [...]
     001225F0  E8 84 00 00 F8 83 00 C8 4E 80 00 20 38 00 00 00  è„..øƒ.ÈN€. 8...
     00122600  E8 A3 00 20 E8 83 00 18 F8 A4 00 00 4E 80 00    è£. èƒ..ø¤..N€.
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     0021D0B0    9E 00 48 48 00 D7 15 2F 83 00                  ž.HH.×./ƒ.
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     0021D0B0    9E 00 48 38 60 00 00 2F 83 00                  ž.H8`../ƒ.
         
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     0021D260                          38 60 00 00 48 01 8E AD          8`..H.Ž­
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     0021D260                          38 60 00 01 48 01 8E AD          8`..H.Ž­
      
   Original ofw355:
     [...]
     00222260          60 64 00 00 3B F9 3F 01 C8 60 00 F7 EE    `d..;ù?.È`.÷î
     00222270  F8 1F 01                                        ø..
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00222260          60 64 00 FF FF F9 3F 01 C8 60 00 FF FE    `d.ÿÿù?.È`.ÿþ
     00222270  F8 1F 01                                        ø..
      
   Original ofw355:
     [...]
     002C5030                                        1B 00 00              ...
     002C5040  41 9D 00 A8 7B FD 00                            A..¨{ý.
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     002C5030                                        1B 00 00              ...
     002C5040  60 00 00 00 7B FD 00                            `...{ý.
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     002C7A20                02 B7 01 E8 18 00 08 2F A0 00          .·.è.../ .
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     002C7A20                02 B7 01 38 00 00 00 2F A0 00          .·.8.../ .
      
   Original ofw355:
     [...]
     002DC410                                      38 00 00 09              8...
     002DC420  41 9D 00 4C 48 00 05                            A..LH..
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     002DC410                                      38 00 00 09              8...
     002DC420  60 00 00 00 48 00 05                            `...H..
      
   Original ofw355:
     [...]
     00340790                                      38 00 00 0D              8...
     003407A0  7C 63 00 38 4E 80 00                            |c.8N€.
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00340790                                      38 00 00 0D              8...
     003407A0  38 60 00 00 4E 80 00                            8`..N€.
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     003787E0  00 01 C0 80 00 00 00 00 00 01 C0 80 00 00 00 00  ..À€......À€....
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     003787E0  00 01 D0 00 00 00 00 00 00 01 D0 00 00 00 00 00  ..Ð.......Ð.....
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00378830                    00 00 00 01 C0 80 00 00 00 01        ....À€....
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00378830                    00 00 00 01 D0 00 00 00 00 01        ....Ð.....
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00378BD0  00 01 C0 80 00 00 00 00 00 01 C0 80 00 00 00 00  ..À€......À€....
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00378BD0  00 01 D0 00 00 00 00 00 00 01 D0 00 00 00 00 00  ..Ð.......Ð.....
      
   Original ofw355:
     [...]
     003895C0                                            33 78                3x
     003895D0  48 00 03 E1 EB A2 80                            H..á뢀
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     003895C0                                            33 78                3x
     003895D0  48 01 B6 1D EB A2 80                            H.¶.뢀
      
   Original ofw355:
     [...]
     0038EF40  48 00 5A 71 7F A4 EB 78 7F 85 E3 78 4B FF F0 E5  H.Zq.¤ëx.…ãxKÿðå
     0038EF50  54 63 06                                        Tc.
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     [...]
     0038EF40  48 00 5A 71 7F A4 EB 78 7F 85 E3 78 38 60 00 01  H.Zq.¤ëx.…ãx8`..
     0038EF50  54 63 06                                        Tc.
      
   Original ofw355:
     [...]
     0038EFC0  7F 84 E3 78 38 A1 00 70 9B E1 00 70 48 00 5F A5  .„ãx8¡.p›á.pH._¥
     0038EFD0  2F 83 00 00                                      /ƒ..
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     0038EFC0  7F 84 E3 78 3B E0 00 01 9B E1 00 70 38 60 00 00  .„ãx;à..›á.p8`..
     0038EFD0  2F 83 00 00                                      /ƒ..
      
   Original ofw355:
     [...]
     003A50D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     003A50E0  00 00 00 00 00 00 00 00 00 00                    ..........
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     003B1420  00 00 0C F0 00 00                                ...ð..
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     [...]
     00011750  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
     00011760  00 00 00 00 00 00 00 00                          ........
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     [...]
     00011750  F8 01 00 10 7D 4B 53 78 44 00 00 22 E8 01 00 10  ø...}KSxD.."è...
     00011760  7C 08 03 A6 4E 80 00 20                          |..¦N€.
      
   Original ofw355:
     [...]
     00029360  3C 60 80 01 60 63 00 03 4E 80 00 20 3C 60 80 01  <`€.`c..N€. <`€.
     00029370  60 63 00 03 4E 80 00 20 3C 60 80 01 60          `c..N€. <`€.`
   
   Patched 355checkoff (flukes1):
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00029330                                      E8 63 00 00              èc..
     [...]
     00029360  4B FE 83 CC 60 00 00 00 60 00 00 00 4B FE 83 E0  KþƒÌ`...`...Kþƒà
     00029370  60 00 00 00 60 00 00 00 3C 60 80 01 60          `...`...<`€.`
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     003591D0                                            E8 CF                èÏ
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     003591D0                                            D6 94                Ö”
   
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     003592F0                                            E8 CF                èÏ
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     003592F0                                            D6 94                Ö”
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00359380  A0 40 36 6B 2D 8A 50 99 1E B3 0C 53 E5 9B 5D 6E   @6k-ŠP™.³.Så›]n
     00359390  61 2C AC B8                                      a,¬¸
   
   Patched 355checkoff:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     [...]
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00003250                                      7C 60 1B 78              |`.x
   
   Patched 355checkoff (OtherOS++ --allow-pseudoretail-pkg):
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00003250                                      38 00 00 00              8...
      
   Original ofw355:
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     00037350  41 9E 00 4C                                      Až.L
   
   Patched 355checkoff (OtherOS++ --allow-debug-pkg):
     Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     [...]
     [http://www.multiupload.com/J7EWTIR8RO 355checkoff-category_game.xml (31.54 KB)]


=== Known Issues ===
"Registration of the trophy information could not be completed. The game will quit. (80010505)"

== V1 ==

=== Tasks ===
[http://git.gitbrew.org/repos/?p=ps3/ps3mfw/tasks.git;a=blob;f=patch_lv1.tcl MFW Task::patch_lv1.tcl] with the following patches selected:
* --patch-lv1-storage-skip-acl-check
* --patch-lv1-sysmgr-disable-integrity-check
 
=== Patches ===
http://pastebin.com/aNehMfGi :
 
    Downgrade patches
    
    http://www.multiupload.com/O0TZGNP92M
    
    DIFF:
    
    -------------
    patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices
    
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  54 63 06 3E                                      Tc.>
    
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340  38 60 00 01                                      8`..
    
    -----
    patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices (continued)
    
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340                                      E8 01 00 70              è..p
    
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0007B340                                      38 00 00 01              8...
    
    -----
    patch-lv1-sysmgr-disable-integrity-check: Disable integrity check in System Manager
    
    ORIGINAL
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0              48 00 D7 15                              H.×.
    
    PATCHED
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0              38 60 00 00                              8`..
    
    -------------
    
    Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware
 
 
----
 
 
=== Combining patches ===
There is a difference between the patches on the [[Talk:Downgrading with NOR flasher]] and [[Talk:Downgrading with NAND flasher]] pages.

What if you combine those together? 1st try: selecting both patch tasks manually:


<keperfear> eussnl http://www.multiupload.com/6AZN5DOCM9
<keperfear> could you check if i patched everything correctly
<keperfear> anyway i really need to sleep now
<keperfear> good luck everyone
* keperfear left
<eussNL> oh dear, keperfear is already gone ...  anyhow, this was my version : [http://www.multiupload.com/3KW1IZ45E0 patched355coreos.rar (4.84 MB)] (no "Patch In product mode erase standby bank skipped" selected)


----


<keperfear> Eussnl try with this one
<pre>
      # In product mode erase standby bank skipped
   
      log "Patch In product mode erase standby bank skipped"
   
      set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
</pre>(difference is \x41\x9E\x00\x0C\xE8\xA2\x8A'''\x38''' instead of \x41\x9E\x00\x0C\xE8\xA2\x8A'''\x30''')<br />
==== Combined TCL ====
2nd try, Combined single TCL "patch-lv1checks.tcl" :
 
<pre>
#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) PsiColeO
# Copyright (C) glevand ([email protected])
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#
# Priority: 300
# Description: Patch LV1 checks
# Option --patch-lv1checks: Disables many checks in lv1
# Type --patch-lv1checks: boolean
namespace eval ::patch_lv1checks {
    array set ::patch_lv1checks::options {
        --patch-lv1checks true
    }
    proc main { } {
        set self "lv1.self"
        ::modify_coreos_file $self ::patch_lv1checks::patch_self
    }
    proc patch_self {self} {
        if {!$::patch_lv1checks::options(--patch-lv1checks)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_lv1checks::patch_elf
        }
    }
    proc patch_elf {elf} {
        if {$::patch_lv1checks::options(--patch-lv1checks)} {
            log "Patching LV1 Checks"
   
      # ss_server1
      # Patch core OS Hash check // product mode always on
      log "--------------- Patching  ss_server1.fself ----------------------------"
      log "Patch core OS Hash check // product mode always on"
     
      set search "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
      set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
     
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
     
      # Patch check_revoke_list_hash check // product mode always on
      log "Patch check_revoke_list_hash check // product mode always on"
     
      set search "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
      set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
     
      # In product mode erase standby bank skipped
      log "Patch In product mode erase standby bank skipped"
     
      set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]" 
      # Patching System Manager to disable integrity check
      log "Patching System Manager to disable integrity check"
      set search  "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\x2f\x80\x00\x00"
      set replace "\x38\x60\x00\x00"
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]" 
     
     
      # Patching LV1 to enable skipping of ACL checks for all storage devices
      log "Patching LV1 to enable skipping of ACL checks for all storage devices"
      set search  "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\xe8\x01\x00\x70\x54\x00\x07\xfe"
      append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
      set replace "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\x38\x00\x00\x01"
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
     
        }
    }
}
</pre>download: [http://www.multiupload.com/H61RYAPLHQ patch_lv1checks.rar (1.29 KB)] (2.88-3.42 / 3.50-3.55)<br />
<br />
==== PreAlpha v1 smoketest - offsets ====
'''patch-lv1checks''' (Modifying CORE_OS file lv1.self - Patching LV1 Checks)
{|class="wikitable"
|-
! No. !! Description !! 2.80 !! 3.00 !! 3.01 !! 3.10 !! 3.15 !! 3.20 !! 3.21 !! 3.30 !! 3.40 !! 3.41-BAD !! 3.41-FIX !! 3.42 !! 3.50 !! 3.55
|-
| 1 || Patch core OS Hash check // product mode always on || 2958632 || 2958452 || 2958452 || 2958984 || 2958984 || 2959072 || 2891632 || 2891556 || 2891596 || 2891596 || 2891596 || 2891596 || 2891684 || 2891684
|-
| 2 || Patch check_revoke_list_hash check // product mode always on || 2961708 || 2961528 || 2961528 || 2962060 || 2962060 || 2962148 || 2894708 || 2894632 || 2894672 || 2894672 || 2894672 || 2894672 || 2894836 || 2894836
|-
| 16 || Patch In product mode erase standby bank skipped || ''2977960'' || ''2977780'' || ''2977780'' || ''2978324'' || ''2978324'' || ''2978412'' || ''2910972'' || ''2910896'' || ''2910936'' || ''2910936'' || ''2910936'' || ''2910936'' || 2911100 || 2911100
|-
| 23 || Patching System Manager to disable integrity check || 2211164 || 2211424 || 2211424 || 2217608 || 2217608 || 2218192 || 2218120 || 2215760 || 2216052 || 2216052 || 2216052 || 2216052 || 2216096 || 2216096
|-
| 24 || Patching LV1 to enable skipping of ACL checks for all storage devices || 498208 || 500212 || 500212 || 505304 || 505420 || 506032 || 506032 || 505112 || 504568 || 504568 || 504568 || 504568 || 504640 || 504640
|-
|}
<keperfear> coreos 3.55 with above 1,2,16,23,24 combined patches: [http://www.multiupload.com/4FEHWKT2ZN coreos355nandandnordowngradepatches.rosx (7 MB)]
==== Status ====
MFW patch_lv1checks.tcl seems to work fine.
Needs testing in the field by people with hardware flasher only.
Update:
    [01:43:10] <Ryd3R> RSOD x_x
    [01:44:41] <Ryd3R> i hate when it show up
    [01:45:20] <Ryd3R> @eussNL: are you there ?
    [01:46:41] <eussNL> I am, but also a lot of sidestuff going on, what's the problem all of a sudden
                          and what did you do to make it bitch like that?
    [01:47:36] <Ryd3R> i did the 3.70 downgrade using a teensy++
    [01:48:42] <Ryd3R> it works well when i revert back to 3.70
    [01:49:23] <Ryd3R> i think it have something to do with the fuckin syscon
    [01:49:37] <eussNL> ok, did you patch lv1 ?
    [01:49:43] <Ryd3R> yeah
    [01:50:09] <Ryd3R> the No hash check patch right ?
    [01:51:50] <Ryd3R> for some fuckin reason any version prior to 3.70 gave me an rsod
    [01:52:41] <Ryd3R> i tried using the recovery menu to update to 3.60 from 3.55 (lv1 patched) still rsod
    [01:53:15] <eussNL> yes and then some... Ryd3R> the No hash check patch right ?
    [01:53:46] <eussNL> http://www.ps3devwiki.com/index.php?title=Talk:Downgrading_with_NOR_flasher#Combined_TCL
    [01:55:47] <Ryd3R> i'll give it a try
   
    [02:16:19] <Ryd3R> thanks eussNL you're the man, the patch works like a charm
    [02:22:53] <eussNL> good to hear, hope it stays flawless now :)


== 3.56v1/v2 HDD exchange issue ==


=== option 1 ===
== V2 ==
[http://www.multiupload.com/HA1TLN9HSK 1patchcos355.rar (9.68 MB)]
http://darkconsoles.com/foro/viewtopic.php?f=7&t=16


<blakcat> i had one 3.56v1 with bucle error
=== NOR offsets used ===
<blakcat> i used patchcoreos355 to solve
<blakcat> patchcoreos355 is the same thing that if you take all coreos from other 3.55 cfw dump
<blakcat> and patch with your console specific files metldr, vtrm, bootloader, EID etc ....
<blakcat> http://www.multiupload.com/HA1TLN9HSK
<blakcat> for people asking 3.56v1 error
<blakcat> you only need to use patchv2 from dospiedras and you get your ps3 unbricked with 3.55
<blakcat> or take another dump 3.55 cfw and patch with your data


=== option 2 ===
1. Use the built-in patcher of progskeet to patch your image : [http://www.multiupload.com/GRPAM1598K downgrade v2 ProgSkeet.rar (19.62 MB)]
==== NOR offsets used ====
{|class="wikitable sortable"
{|class="wikitable sortable"
|-
|-
! target area !! patch no. !! NOR Offset !! Paste length !! Remarks
! target area !! patch no. !! NOR Offset !! Paste length !! Remarks
|-
|-
| ROS0 || patch1 || 0x0C0010 || 0x6FFFE0 ||  
| ROS0 || [http://www.multiupload.com/RJVZP6CKZ5 patch1 (7 MB)] || 0x0C0010 || 0x6FFFE0 || version string not changed?
|-
|-
| ROS1 || patch2 || 0x7C0010 || 0x6FFFE0 ||  
| ROS1 || [http://www.multiupload.com/DGVUPMNDQU patch2 (7 MB)] || 0x7C0010 || 0x6FFFE0 || same as patch1?
|-
|-
| trvk_pkg0 || patch3 || 0x80000 || 0x20000 ||  
| trvk_pkg0 || [http://www.multiupload.com/Z7424DXPLJ patch3 (128 KB)] || 0x80000 || 0x20000 ||  
|-
|-
| trvk_pkg1 || patch4 || 0xA0000 || 0x20000 ||  
| trvk_pkg1 || [http://www.multiupload.com/74GLX7XFDG patch4 (128 KB)] || 0xA0000 || 0x20000 ||  
|-
|-
| trvk_prg0 || patch5 || 0x40000 || 0x20000 ||  
| trvk_prg0 || [http://www.multiupload.com/HHJ3GDGL7X patch5 (128 KB)] || 0x40000 || 0x20000 ||  
|-
|-
| trvk_prg1 || patch6 || 0x60000 || 0x20000 ||  
| trvk_prg1 || [http://www.multiupload.com/4SP4DIK1ZM patch6 (128 KB)] || 0x60000 || 0x20000 ||  
|-
|-
|}
|}
2. After flashing, install the prepatched PUP (e.g. Rogero v2)


=== LV1 patches used ===
  Downgrade patches v2
         
  http://www.multiupload.com/DVFD9AZGO5
         
  DIFF:
         
  -------------
  patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices
     
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340  54 63 06 3E                                      Tc.>
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340  38 60 00 01                                      8`..
         
  -----
  patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices (continued)
         
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340                                      E8 01 00 70              è..p
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340                                      38 00 00 01              8...
         
  -----
  ???? Patch sys_mgr integrity lv1 and lv0 integrity check ????
         
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0021D0B0              48 00 D7 15                              H.×.
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0021D0B0              38 60 00 00                              8`..
         
  -----
==== Combined TCL V2====
Combined single TCL "patch-lv1checks.tcl" with added new patch :
 
<pre>
#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) PsiColeO
# Copyright (C) glevand ([email protected])
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#
# Priority: 300
# Description: Patch LV1 checks
# Option --patch-lv1checks: Disables many checks in lv1
# Type --patch-lv1checks: boolean
namespace eval ::patch_lv1checks {
    array set ::patch_lv1checks::options {
        --patch-lv1checks true
    }


=== option 3 ===
    proc main { } {
# Dump flash and patch with downgrader (insert 3.55 CoreOS in ROS'), reflash
        set self "lv1.self"
# Put lv2diag.self and 3.7x PUP on USB stick (make sure no discs are in drive) to upgrade to 3.7x in service mode (normally a sin to do UPdate in service mode!)
# Once on 3.7x, redo the downgrade steps to get back to 3.55 and use the second lv2diag.self file to get out of service mode.


=== option 4 ===
        ::modify_coreos_file $self ::patch_lv1checks::patch_self
note: Not tried+tested
    }
# Dump flash and patch with downgrader (insert 3.55 CoreOS in ROS'), reflash
# Put lv2diag.self and 3.55 Dex Downgrader PUP on USB stick (make sure no discs are in drive) to crossgrade to 3.55 DEX in service mode (normally a sin to do crossgrade without EID change in service mode!)
# Once on 3.55 DEX downgrader, '''don't leave service mode or you'll brick'''. Redo the downgrade steps to flash NAND/NOR to 3.55 prepatched Retail/CEX.
# Reinstall 3.55 Retail/CEX PUP in service mode
# Use the second lv2diag.self file to get out of service mode.


    proc patch_self {self} {
        if {!$::patch_lv1checks::options(--patch-lv1checks)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_lv1checks::patch_elf
        }
    }


== Hashing ==
    proc patch_elf {elf} {
=== CELL_EXTNOR_AREA ===
        if {$::patch_lv1checks::options(--patch-lv1checks)} {
magic "CELL_EXTNOR_AREA" @ offset 0, size 0x10 :
            log "Patching LV1 Checks"
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   
         
      # ss_server1
00F20000  43 45 4C 4C 5F 45 58 54 4E 4F 52 5F 41 52 45 41  CELL_EXTNOR_AREA
      # Patch core OS Hash check // product mode always on
      log "--------------- Patching ss_server1.fself ----------------------------"
      log "Patch core OS Hash check // product mode always on"
     
      set search "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
      set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
     
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


version @ offset 0x10, 4 bytes :
     
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      # Patch check_revoke_list_hash check // product mode always on
         
      log "Patch check_revoke_list_hash check // product mode always on"
00F20010  00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
     
      set search "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
      set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"


data offset field @ offset 0x20 (02 meaning second sector) / datasize @ offset 0x24, 4 bytes (0x44 bytes):
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
         
00F20020  00 00 02 00 00 00 00 44 00 00 00 00  .......D....


Calculate SHA1 over whole data and compare with data @ offset 0x2C:
     
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      # In product mode erase standby bank skipped
         
      log "Patch In product mode erase standby bank skipped"
  00F20020                                      A9 C8 06 D0              ©È.Ð
     
00F20030  C0 17 8D 34 55 A7 62 73 DD 16 A6 FB 75 A0 D2 10  À..4U§bsÝ.¦ûu Ò.
      set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
     
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]" 
     
     
      # Patching System Manager to disable integrity check
      log "Patching System Manager to disable integrity check"
     
      set search "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\x2f\x80\x00\x00"
      set replace "\x38\x60\x00\x00"
     
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"  
     
     
      # Patching LV1 to enable skipping of ACL checks for all storage devices
      log "Patching LV1 to enable skipping of ACL checks for all storage devices"


Harddrive model:
      set search "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\xe8\x01\x00\x70\x54\x00\x07\xfe"
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
      append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
         
      set replace "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\x38\x00\x00\x01"
00F20200  00 00 00 07 46 55 4A 49 54 53 55 20 4D 48 5A 32  ....FUJITSU MHZ2
00F20210  30 38 30 42 48 20 47 31 20 20 20 20 20 20 20 20  080BH G1       
00F20220  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 


Harddrive serial:
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
     
         
     
00F20230  20 20 20 20 4B 36 33 52 54 38 42 34 48 59 42 4B      K63RT8B4HYBK
      # LV1 0021D0B4@355 patch (?Patch sys_mgr integrity lv1 and lv0 integrity check?)
      log "?Patch sys_mgr integrity lv1 and lv0 integrity check?"
     
      set search "\x48\x00\xD7\x15\x2F\x83\x00\x00\x38\x60\x00\x01"
      set replace "\x38\x60\x00\x00\x2F\x83\x00\x00\x38\x60\x00\x01"


      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


        }
    }
}
</pre>download: [http://www.multiupload.com/IU061G4J69 patch_lv1checks.rar (1.53 KB)] (3.40-3.42 / 3.50-3.55)<br />
<br />


----


==== PreAlpha v2 smoketest - offsets ====


Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
'''patch-lv1checks''' (Modifying CORE_OS file lv1.self - Patching LV1 Checks)
[...]
00F60000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
00F60010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
00F60020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE  Ñ.¯§›—âzË.+Ma&®      same as
00F60030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00FA0000-00FA0040


{|class="wikitable"
|-
! No. !! Description !! 2.80 !! 3.00 !! 3.01 !! 3.10 !! 3.15 !! 3.20 !! 3.21 !! 3.30 !! 3.40 !! 3.41-BAD !! 3.41-FIX !! 3.42 !! 3.50 !! 3.55
|-
| 1 || Patch core OS Hash check // product mode always on || 2958632 || 2958452 || 2958452 || 2958984 || 2958984 || 2959072 || 2891632 || 2891556 || 2891596 || 2891596 || 2891596 || 2891596 || 2891684 || 2891684
|-
| 2 || Patch check_revoke_list_hash check // product mode always on || 2961708 || 2961528 || 2961528 || 2962060 || 2962060 || 2962148 || 2894708 || 2894632 || 2894672 || 2894672 || 2894672 || 2894672 || 2894836 || 2894836
|-
| 16 || Patch In product mode erase standby bank skipped || ''2977960'' || ''2977780'' || ''2977780'' || ''2978324'' || ''2978324'' || ''2978412'' || ''2910972'' || ''2910896'' || ''2910936'' || ''2910936'' || ''2910936'' || ''2910936'' || 2911100 || 2911100
|-
| 23 || Patching System Manager to disable integrity check || 2211164 || 2211424 || 2211424 || 2217608 || 2217608 || 2218192 || 2218120 || 2215760 || 2216052 || 2216052 || 2216052 || 2216052 || 2216096 || 2216096
|-
| 24 || Patching LV1 to enable skipping of ACL checks for all storage devices || 498208 || 500212 || 500212 || 505304 || 505420 || 506032 || 506032 || 505112 || 504568 || 504568 || 504568 || 504568 || 504640 || 504640
|-


00FA0000  10 00 00 0C 00 04 10 03 00 00 00 01 20 00 00 34  ............ ..4      00F60000-00F60040      (differs in other version/console dump)
| 25 || ?Patch sys_mgr integrity lv1 and lv0 integrity check? || no pattern || no pattern || no pattern || no pattern || no pattern || no pattern || no pattern || no pattern<br />''2215780''? || ''2216072'' || ''2216072'' || ''2216072'' || ''2216072'' || 2216088 || 2216116
00FA0010  00 00 00 00 00 00 00 00 5B 3F 73 B4 9A 86 C7 B2  ........[?s´š†Ç²      is the
|-
00FA0020  A0 D1 1E AF A7 9B 97 E2 7A CB 05 2B 4D 61 26 AE  Ñ.¯§›—âzË.+Ma&®      same as
|}
00FA0030  13 CA 29 84 19 93 15 E1 4A DB 2C B7 7C 00 E4 EB  .Ê)„.“.áJÛ,·|.äë      00F60000-00F60040




==== Status ====
MFW patch_lv1checks.tcl seems to work fine.
Needs testing in the field by people with hardware flasher only.


Rogero and VAL_ tested, no problems with games/trophies and Blu-ray movies


----
==== Premade MFW ====
[http://www.multiupload.com/IAGZEX5Q75 Rogero MFW355_370_spoof_Internet_Blocked_LV1_Checks_Patched.PUP (170.59 MB)]