Editing Talk:Patches

==Shop firmware on Retail console==

&lt;patote&gt;	i used the same shop.tcl : http://pastie.org/1979531 :
<pre>
#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#
    
# Priority: 2300
# Description: Patch firmware for installation shop/promo unit

# Option --patch-promo-flags: Patch promo_flags file
# Option --patch-update-flags: Patch update_flags file
# Option --patch-version: Append string to build version

# Type --patch-promo-flags: boolean
# Type --patch-update-flags: boolean
# Type --patch-version: string 
    
namespace eval ::patch_shop {

    array set ::patch_shop::options {
        --patch-promo-flags true
        --patch-update-flags true
        --patch-version "Promotional-to-Retail"
    }

    proc main {} {
        if {$::patch_shop::options(--patch-promo-flags)} {
          debug "Patching [file tail $::CUSTOM_PROMO_FLAGS_TXT]"

        }
        if {$::patch_shop::options(--patch-update-flags)} {
          debug "Patching [file tail $::CUSTOM_UPDATE_FLAGS_TXT]"
          set fd [open $::CUSTOM_UPDATE_FLAGS_TXT w]
          puts -nonewline $fd "0000"
          close $fd
        }
        if {$::patch_shop::options(--patch-version) != ""} {
          append ::options(--build-suffix) "($::patch_shop::options(--patch-version))"
        }
    }
}
</pre>

patote succesfully installed the resulting 3.55 PUP on a Retail console. The console is in locked mode after installation of the firmware.
<pre>
 patote	8294 does nothing
 patote	0168 does nothing
 patote	5138 does nothing
 patote	1739 worked fine
 patote	or not ; it didnt said wrong password ; but all is still locked
 patote	2297 nothing
 patote	the code is................. 0000
 patote	and now the install package files and app_home are back in game menu
 patote	ohhh ; and in system too ; all the way down
 patote	if you go to security settings and do l1+r1+select+square it goes back to demo without turn the unit off
 patote	thats system settings install packages option only does blind installations
 patote	you cant browse the thumbdrive ; it just starts installing all the pkgs in the drive
 patote	it works ; but fails in geohot signed ones ; the regular ones installs without problems
 patote	theres another extra option
 patote	automatic update
 patote	"sets wheter to update the system software automatically via internet when the ps3 system is turned on"
</pre>


----


==FSELF patch appldr==

MFW does not seem to have (proper) support for fself's.

 Mathieulh	why do all those emu devs actually use geohot's tool on their selfs, I wonder xD
 Mathieulh	the proper format to use is fself
 Mathieulh	there are existing patches for fself on 3.41
 Mathieulh	but those guys who make those so called cfw didn't port many patches at all
 Mathieulh	if not any
 Mathieulh	and the memory patcher one for fself isn't there
 eussNL	ehm, including MFW Mathieulh ?
 Mathieulh	you should just patch appldr
 Mathieulh	and make the function that detects the model return true for debug
 Mathieulh	and you get native fself + edata
 Mathieulh	it's an easy patch
 Mathieulh	you can also patch the sign check along with it
 Mathieulh	4 bytes to patch
 eussNL	I dont see a mention of appldr patch in MFW or I am overlooking it
 Mathieulh	yeah MFW doesn't do that
 Mathieulh	but there is a lv2 patch for fself too
 Mathieulh	(memory patcher)
 Mathieulh	at least in 3.41 there is
 Mathieulh	it's in psgroove
 Mathieulh	but it doesn't work for compressed fself
 Mathieulh	it's better to patch appldr
 Mathieulh	besides I use compressed fself on all my shit now xD
 Mathieulh	saves some room :P
 Mathieulh	people should just use fself anyway
 Mathieulh	that way you don't need to sign or encrypt
 Mathieulh	and it's future proof
 Mathieulh	the geohot signed shit doesn't work with 3.56+ cause of the whitelistù
 Mathieulh	so you have to patch the whitelist check in the ldr to get them to run
 eussNL	some people are having trouble with ps3load/ps3loadx with launching it fselfs on CFWs
 eussNL	and with makeself for the same reason I suppose
 irssi_	devs won't support it if the CFW doesn't run it
 Mathieulh	if the cfw doesn't run fself, it's not complete
 Mathieulh	at least not to me
 Mathieulh	all my personal cfw all run fself natively
 eussNL	hmmm, seems a thing to add to MFW then... appldr patch for fselfs - if it isnt working now


 the 4 byte patch he speaks of is:
 < 00001360 40 80 0e 0c 20 00 57 83 32 00 04 80 32 80 80 8e |@... .W.2...2...|
 ---
 > 00001360 40 80 0e 0c 20 00 57 83 32 11 73 00 32 80 80 8e |@... .W.2.s.2...|


=== Experimental ===

==== Patch Appldr task ====

'''patch_appldr.tcl'''
<pre>
#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#

# Priority: 300
# Description: Patch Appldr

# Option --patch-appldr-fself: Patch Appldr to allow Fself (set debug true)

# Type --patch-appldr: boolean

namespace eval ::patch_appldr {

    array set ::patch_appldr::options {
        --patch-appldr-fself true
    }

    proc main { } {
        set self "appldr"

        ::modify_coreos_file $self ::patch_appldr::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_appldr::options(--patch-appldr-fself)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_appldr::patch_elf
        }
    }

    proc patch_elf {elf} {
        if {$::patch_appldr::options(--patch-appldr-fself)} {
            log "Patching Appldr to allow Fself"

            set search  "\x40\x80\x0e\x0c\x20\x00\x57\x83\x32\x00\x04\x80\x32\x80\x80"
            set replace "\x40\x80\x0e\x0c\x20\x00\x57\x83\x32\x11\x73\x00\x32\x80\x80"

            catch_die {::patch_elf $elf $search 7 $replace} \
                "Unable to patch self [file tail $elf]"
        }
    }
}
</pre>

==== Errorlog ====

 Patching Appldr to allow Fself
 Executing command ::patch_elf $elf $search 7 $replace
 offset: 4967
 Rebuilding self file appldr.self
 Executing command makeself $in $out $original
 Executing shell self_rebuilder {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr.elf} {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr.self} {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr}
 FATAL ERROR: Could not rebuild file appldr.self : child process exited abnormally
 See Temp/PS3MFW/ps3mfw.log for more info
 Last lines of log : 
 *****************
   auth id:        1ff000000c000001 
   vendor id:      00000000ff000000
   app version:    3.55.0
   version suffix: 355 
   SDK type:       Retail (Type 0)
   app type:       secure loader
   file suffix:    355 (rev 0x0a)
   key file:   ps3keys\/ldr-key-355 (ERROR)
 key_get failed
 FATAL ERROR: Could not rebuild file appldr.self : child process exited abnormally
 Error running script: Could not rebuild file appldr.self : child process exited abnormally

available LDR @ ps3keys: ldr-pub-retail, ldr-priv-retail, ldr-key-retail, ldr-iv-retail, ldr-ctype-retail

Just add those keys to the ps3keys folder to make the task work : [http://www.multiupload.com/ZYKNPYY7FD ''ps3keys in RAR sfx (107.37 KB)'']<!--//(315-341-355):http://www.multiupload.com/II4DDPXRFS//-->

==== Offsets ====

 3.55 : offset: 4967
 3.50 : offset: 3459
 3.42 : offset: 3395
 3.41 : offset: 3395
 3.40 : offset: 3395
 3.30 or lower: FATAL ERROR: Unable to patch self appldr.elf : Could not find pattern to patch
 3.30 offset: 2299 = "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80" )
 3.21 offset: 3064 = "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80" )
 3.20 DEBUG offset: 3064 =  "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80" )
 3.15 offset: 3071 =  "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80" )
 3.10 offset: 3071 =  "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80" )

=== Conclusion / Status ===

Although it is possible to add as a task, it is not recommended in general. There is brick risk.

   <mall0ry> eussNL, that appldr fself patch is risky because it is patching a branch target


== JFW MA-1 3.56 "bad idea" == 
http://www.multiupload.com/WO4UYJIJ6T
   SHA1: 9FDC74F0BB4244EF37DEFD20E7CF9E5B08BD4DD3  MD5: EFE066E4836393C8BF60A5CC6804DDC3  CRC32: 735B21DC  CRC16: 4766  HMAC_SHA1: 1D4382A5EB811859192DF75BB3284E284EF70601
<!--//PUP file information
Package version: 1
Image version: 64017
File count: 9
Header length: 656
Data length: 184549480
PUP file hash : 1D4382A5EB811859192DF75BB3284E284EF70601
	File 0
	Entry id: 0x100
	Filename : version.txt
	Data offset: 0x290
	Data length: 5
File hash : DE5F93B189BB136A1544465A1DB333F66DA67D6D
	File 1
	Entry id: 0x101
	Filename : license.xml
	Data offset: 0x295
	Data length: 264283
File hash : 367FCD28D27719525D0A11A4F2679FBF35B4681F
	File 2
	Entry id: 0x103
	Filename : update_flags.txt
	Data offset: 0x40AF0
	Data length: 5
File hash : FD7C893936FDFC668922BE6D119A462111B2BBDB
	File 3
	Entry id: 0x200
	Filename : ps3swu.self
	Data offset: 0x40AF5
	Data length: 5660160
File hash : F8E6F0D100433C6B63A615FA513967250996F771
	File 4
	Entry id: 0x201
	Filename : vsh.tar
	Data offset: 0x5A68F5
	Data length: 10240
File hash : D9B66E0D2845D71A67D76E7907AB06368CE61E08
	File 5
	Entry id: 0x202
	Filename : dots.txt
	Data offset: 0x5A90F5
	Data length: 3
File hash : 1AA4749D0EE0D0AE937FBF73BC4B9ACD352F732A
	File 6
	Entry id: 0x300
	Filename : update_files.tar
	Data offset: 0x5A90F8
	Data length: 172882944
File hash : 99485FA5EA876EC502091F5CB6A5C68A9BD89277
	File 7
	Entry id: 0x501
	Filename : Unknown entry id
	Data offset: 0xAA88CF8
	Data length: 71680
File hash : 84F7D4FDBE9A1EEAF6E0EB3EFC7A5E53ECD7B448
	File 8
	Entry id: 0x601
	Filename : Unknown entry id
	Data offset: 0xAA9A4F8
	Data length: 5660160
File hash : B3318822A7F60B2C104EE1789532B9B779094D62//-->

Patches (compared to OFW 3.56) : http://pastie.org/private/z0evad6frsdlbntk2suqa <br />
shortlist changed files:
*lv1ldr
*lv1.self
*lv2ldr
*lv2_kernel.self
*appldr
*nas_plugin.sprx 
*vsh.self 
*explore_category_game.sprx 
*explore_plugin.sprx

Request for anyone that installed this FW : lv1 and lv2 dump (can be done e.g. with glevand' PKGs).

[http://www.multiupload.com/VTB7715SM8 dump_lv1.pkg (69.61 KB)]
[http://www.multiupload.com/W6UVJ776R3 dump_lv2.pkg (70.11 KB)]<br />
or dumperpack wich includes those 2 and other dumpers as well: [http://www.multiupload.com/R34YRGY6Z8 dumperpack.rar (1.9 MB)]

lv1 dump will take about 30minutes, size: 16MB
<!--// 
http://www.mediafire.com/?8yhidf1a8ng0v5w LV1
http://www.mediafire.com/?dajss2b3c3hyj5v LV2
 (TechnoDon) //-->