Talk:Playstation Update Package (PUP)

From PS3 Developer wiki
Jump to navigation Jump to search

Playstation Update Package (PUP) - Discussion/Talk

What is the part that defines, what firmware it really is?. I mean, for firmwares below 3.55 we have all the keys so whe can forge any PUP and make it appear as a +3.55, that would be a way to downgrade, without the need of a dongle and recovery mode.

I know there are version strings in pupheader,version.txt, info0, and in vsh.self.. but what is missing? What isn´t correclty set in mfw to make it pass the checks of a legit +3.55 fw?

We are using recovery mode to downgrade because, we haven´t found a way to create a legit +3.55


Unpacking a firmware

Unpack the PUP

Dots.txt
EULA.xml
Update_Files.tar
Updater.self
Version.txt
VSH.tar
Zeros.bin

Untar the Update_Files.tar

BDIT_FIRMWARE_PACKAGE.pkg
BDPT_FIRMWARE_PACKAGE_301R.pkg
BDPT_FIRMWARE_PACKAGE_302R.pkg
BDPT_FIRMWARE_PACKAGE_303R.pkg
BDPT_FIRMWARE_PACKAGE_304R.pkg
BDPT_FIRMWARE_PACKAGE_306R.pkg
BDPT_FIRMWARE_PACKAGE_308R.pkg
BLUETOOTH_FIRMWARE.pkg
CORE_OS_PACKAGE.pkg
dev_flash3_022.tar.aa.2010_11_27_051800
dev_flash_000.tar.aa.2010_11_27_051337
dev_flash_001.tar.aa.2010_11_27_051337
dev_flash_002.tar.aa.2010_11_27_051337
dev_flash_003.tar.aa.2010_11_27_051337
dev_flash_004.tar.aa.2010_11_27_051337
dev_flash_005.tar.aa.2010_11_27_051337
dev_flash_006.tar.aa.2010_11_27_051337
dev_flash_007.tar.aa.2010_11_27_051337
dev_flash_008.tar.aa.2010_11_27_051337
dev_flash_009.tar.aa.2010_11_27_051337
dev_flash_010.tar.aa.2010_11_27_051337
dev_flash_011.tar.aa.2010_11_27_051337
dev_flash_012.tar.aa.2010_11_27_051337
dev_flash_013.tar.aa.2010_11_27_051337
dev_flash_014.tar.aa.2010_11_27_051337
dev_flash_015.tar.aa.2010_11_27_051337
dev_flash_016.tar.aa.2010_11_27_051337
dev_flash_017.tar.aa.2010_11_27_051337
dev_flash_018.tar.aa.2010_11_27_051337
dev_flash_019.tar.aa.2010_11_27_051337
dev_flash_020.tar.aa.2010_11_27_051337
dev_flash_021.tar.aa.2010_11_27_051337
MULTI_CARD_FIRMWARE.pkg
RL_FOR_PACKAGE.img
RL_FOR_PROGRAM.img
SYS_CON_FIRMWARE_01000006.pkg
SYS_CON_FIRMWARE_01010303.pkg
SYS_CON_FIRMWARE_01020302.pkg
SYS_CON_FIRMWARE_01030302.pkg
SYS_CON_FIRMWARE_01040402.pkg
SYS_CON_FIRMWARE_01050002.pkg
SYS_CON_FIRMWARE_01050101.pkg
SYS_CON_FIRMWARE_S1_00010002083E0832.pkg
UPL.xml.pkg

unpkg CORE_OS_PACKAGE.pkg

content
info0
info1
cosunpkg content from CORE_OS_PACKAGE.pkg
aim_spu_module.self
appldr
creserved_0
default.spp
emer_init.self
eurus_fw.bin
hdd_copy.self
isoldr
lv0
lv1.self
lv1ldr
lv2ldr
lv2_kernel.self
manu_info_spu_module.self
mc_iso_spu_module.self
me_iso_spu_module.self
sb_iso_spu_module.self
sc_iso.self
sdk_version
spp_verifier.self
spu_pkg_rvk_verifier.self
spu_token_processor.self
spu_utoken_processor.self
sv_iso_spu_module.self
unself the self's

...

unpkg dev_flash*

content
info0
info1
untar dev_flash* content

...

3.55 example

PSUPDATE.PUP
├── dots.txt
├── license.txt
├── ps3swu.self 
├── update_files.tar
│   ├── BDIT_FIRMWARE_PACKAGE.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_301R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_302R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_303R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_304R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_306R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_308R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BLUETOOTH_FIRMWARE.pkg
│   │   ├── content
│   │   │   ├── RC29_firmware_footer.dfu
│   │   │   ├── usb8780-5.0.1-A1-A2.dfu
│   │   │   └── usb8781-20.0.12.0.dfu
│   │   ├── info0
│   │   └── info1
│   ├── CORE_OS_PACKAGE.pkg
│   │   ├── aim_spu_module.self
│   │   ├── appldr
│   │   ├── creserved_0
│   │   ├── default.spp
│   │   ├── emer_init.self
│   │   ├── eurus_fw.bin
│   │   ├── hdd_copy.self
│   │   ├── isoldr
│   │   ├── lv0
│   │   ├── lv1ldr
│   │   ├── lv1.self
│   │   ├── lv2_kernel.self
│   │   ├── lv2ldr
│   │   ├── manu_info_spu_module.self
│   │   ├── mc_iso_spu_module.self
│   │   ├── me_iso_spu_module.self
│   │   ├── sb_iso_spu_module.self
│   │   ├── sc_iso.self
│   │   ├── sdk_version
│   │   ├── spp_verifier.self
│   │   ├── spu_pkg_rvk_verifier.self
│   │   ├── spu_token_processor.self
│   │   ├── spu_utoken_processor.self
│   │   └── sv_iso_spu_module.self
│   ├── dev_flash_XXX.tar.aa.DATE/TIME
│   ├── dev_flash3_XXX.tar.aa.DATE/TIME
│   ├── MULTI_CARD_FIRMWARE.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── RL_FOR_PACKAGE.img
│   ├── RL_FOR_PROGRAM.img
│   ├── SYS_CON_FIRMWARE_01000006.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01010303.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01020302
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01030302.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01040402.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01050002.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01050101.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_S1_00010002083E0832.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   └── UPL.xml.pkg
│       ├── content
│       ├── info0
│       └── info1
├── update_files.tar
├── update_flags.txt
├── version.txt
└── vsh.tar




PS3 Recovery Menu

note: FW 2.50 or higher
CoreOS file: emer_init.self

Videomode limitations

There are no known limitations on the used video output. Works fine on:

  • Composite
  • Scart-Composite
  • Svideo
  • RGB
    • Scart-RGB
    • RGB Dsub
    • RGB Cinch
  • Component
    • Component Dsub
    • Component Cinch
  • HDMI

Getting into recovery mode

  1. With the system in standby mode. Press and hold the power button down until the system turns on and then off again. Release the power button. Very important to hold the power button until the console shuts off and to release the power button before continuing to step 2.
  2. After about 1 - 2 seconds press and hold the power button again, until you hear 2 consecutive beeps. Release the power button. During this step you will actually here three beeps. There will be one single beep then a short delay followed by the 2 consecutive beeps. Only release the the power button after the 2 consecutive beeps.
  3. You will then be instructed to plug in a controller, via the usb cord, and press the PS button : "Connect the controller using a USB cable and then press the PS button".
  4. At this point the PS3 Recovery Menu will be shown on the screen.

Note: some people have trouble hearing the beeps: the led goes off the same moment it beeps, so the 2 consecutive beeps can also be noticed by seeing the green led fast blink off twice.


PS3 Recovery Menu Options

1. Restart System

This option boots your system as normal without changing any settings or files.

2. Restore Default Settings

Restores all default settings on the PS3 for networking, clock, video, etc. For a full list of the restored settings you can look under settings> system settings > restore defaults on your console. This should not eliminate your game saves or other saved content, including your user login.

3. Restore File System

This will rewrite the files the PS3 uses to boot. This feature will help if files have become corrupted and are not allowing the console to boot as normal. This should not erase any of your saved data or settings.

4. Rebuild Database

This can be a usefull feature if you have lost files on your system for no apparent reason. Try using this feature to see if it can restore those files. This will also rewrite corrupted files within the database, potentially eliminating future issues. This feature should not erase any of your saved data or settings (except some PSN account information - explained in next paragraph.
Deletes messages, playlists, changes made on "Information" screens, trimming information for pictures in "Photo", video thumbnails, video playback history and video resume information. Will also "unregister" your PSN account with your system - anything that needs your PSN information to run correctly, like trophies or games that require trophies with a PSN account to be linked, will not work. To fix, either sign in to PSN or for systems </=3.55, edit the xregistry.sys to have your PSN email and password. This operation may take a long time depending on the type and number of data items.

5. Restore PS3 System

This will restore your system to original including, formatting and erasing all of the data on the HD and returning all system settings to default. This will not take your system back to a previous Firmware release. Use this option as a last resort, unless you have nothing on the console that you want or you want to erase everything on the console, do not use this option.
This is the same as "Restore PS3 system" on the XMB. All data and settings will be lost by performing this step.

6. System Update

This will allow the user to update their console with new firmware via a Flash drive or other portable media. This will not allow you to update via an internet connection. This can usefull if your system has become corrupted to the point you can not boot. Needed for installing same versions MFWs over OFW/MFWs or going back from an MFW to an OFW.

When to use Recovery Menu

Execute Recovery Menu when the PS3 is experiencing the following symptoms:

  • When the PS3 is started up, the XMB menu is not displayed (only the wave screen background appears)
  • When the PS3 is started up, nothing appears on the screen
  • When the PS3 is started up, a message stating "The hard disk's file system is corrupted and will be restored." is displayed and prompts the user to press X to Restore the system. Original message is displayed again or the system stops during restoration.
  • When the PS3 system is started up, an error message stating "The hard disk's database will be rebuilt." is displayed and prompts the user to press X. The system again fails start up or stops while formatting the hard drive.
  • The system stops while restarting after a PS3 system update or while updating or rebuilding the database.
  • When wanting to install a same version firmware (e.g. MFW/CFW over an OFW).



Adding new keys to older firmwares

patch the loaders
add keys to appldr keys index & tables
there are also npdrm keys inside appldr as well, add the 3.56++ ones
appldr,. lv2.self and game_ext_plugin need patching for new games support
vsh.self maybe too

Creating a MFW? (3.41/3.55 with 3.56 keys)


Proof of concept with added keys to appldr (and none of the other mentioned files above) : http://www.ps3devwiki.com/wiki/Talk:Patches#appldr_3.55_add_3.56.2F3.60_keys


Using fake upgrade to get lowest firmware version info

PS3_MinVerChk use on the CECHG04, using fake upgrade to get lowest firmware version info

http://ps3devwiki.com/files/firmware/MFW-CEX/MinVerCheck/ // MinVerChk.rar (3.96 KB)

CRC-16: 9A11
CRC-32 (Ethernet and PKZIP): 50EE9A92
SHA-1: 1B60E0ADE8E698D9796AA78B7AD54B10E05A9B0B
MD-5: BB39828156BC7DF144E4D06D81C801AB
  1. Unrar and copy this MinVerChk PUP to your USB stick (/PS3/UPDATE/PS3UPDAT.PUP), the same way as if it was an firmware upgrade.
  2. Insert the USB stick into the PS3.
  3. Start a firmware update like normal from XMB (Don’t worry, it will not update!)
  4. It will shortly fail and display the Firmware Base Value

Note: console needs to run at least FW 2.50? (2.30 didn't work)


Cinavia DRM

Watermark which survives ripping to e.g. xvid/mp3 Detection of watermark

According to Cinavia website (www cinavia com) there are 4 possible warning messages on detection:

Message Code 1: Playback stopped

Typical on-screen message:

“Playback stopped. The content being played is protected by Cinavia™ and is not authorized for playback on this device.
For more information, see http://www.cinavia.com.
Message Code 1.”
Typical front panel message:

“Cinavia™ playback restriction (1).”


Explanation

The audio track of the video that you are playing contains a Cinavia code indicating it was intended for presentation using professional equipment only (for example, in a theater) and is not authorized for playback by consumers.


Recommendations

If the video that you are playing is a professionally produced video (such as a movie or television show), you will need to obtain a copy that was made with the permission of the copyright owner.

If the video that you are playing back is a home movie or other personal recording, that includes some professionally produced content (including the audio track of a professionally produced movie or television show), you will need to either skip over the parts of the video that contain the professionally produced content during playback or else create or obtain a version of the video that does not include this protected material.

Message Code 2: Copying stopped

Typical on-screen message:

“Copying stopped. The content being copied is protected by Cinavia™ and is not authorized for copying from this device.
For more information, see http:// www.cinavia.com.
Message Code 2.”
Typical front panel message:

“Cinavia™ copy restriction (2)”


Explanation

The audio track of the video that you are copying contains a Cinavia code indicating that it was intended for duplication using professional equipment only (for example, by a professional replicator) and is not authorized for copying by consumers.


Recommendations

If the video that you are copying is a professionally produced movie or television show, you will need to obtain a copy that was made with the permission of its copyright owner.

If the video that you are copying is a home movie or other personal recording that includes some professionally produced content (including the audio track of a professionally produced movie or television show), in order to make a copy you will need to either copy only those parts of the recording that do not include professionally produced content or else you may create or obtain a version of the video that does not include this protected material.

Message Code 3: Audio muted

Typical on-screen message:

“Audio outputs temporarily muted. Do not adjust the playback volume. The content being played is protected by Cinavia™
and is not authorized for playback on this device. For more information, see http://www.cinavia.com. Message Code 3.”
Typical front panel message:

“Cinavia™ playback restriction (3)”


Explanation

The audio track of the video that you are playing contains a Cinavia code indicating that it is an unauthorized copy of professionally-produced content.


Recommendations

If the video that you are playing is a professionally produced video (such as a movie or television show), you will need to obtain a copy that was made with the permission of the copyright owner.

If the video that you are playing is a home movie or other personal recording that includes some professionally produced content (including the audio track of a professionally produced video), to play your recording without muting you may either:

    Pause the video, wait 30 seconds for the audio to be un-muted, then skip over those portions where the professionally produced material is used and continue playing the rest of the video, or
    Pause the video, wait 30 seconds for the audio to be un-muted, then play video from a different optical disc for at least 10 minutes before continuing playback of this video.

For information on how this professionally produced content can be included in your home movies or other personal recordings in a way that will not be limited by Blu-ray Disc players, see Cinavia website : Guidelines for Use of Content in Home Movies.

Message Code 4: Copying stopped

Typical on-screen message:

“Copying stopped. This content is protected by Cinavia™
and is not authorized for copying from this device.
For more information, see http://www.cinavia.com”
Typical front panel message:

“Cinavia™ copy restriction (4)”


Explanation
The audio track of the video that you are copying contains a Cinavia code indicating that it is an unauthorized copy of professionally produced content.


Recommendation

If the video that you are copying is a professionally produced video (such as a movie or television show), you should obtain a copy that was made with the permission of the copyright owner.

If the video that you are copying is a home movie or other personal recording that includes some professionally produced material (including the audio track of a professionally produced movie or television show), in order to make a copy without interruption you will need to either copy only those parts of the recording that do not include professionally produced content or else you may create or obtain a version of the video that does not include this protected material.

For information on how this professionally produced material can be included in your home movies or other personal recordings in a way that will not be limited by Blu-ray Disc players, see Guidelines for Use of Content in Home Movies.

PS3 specifics

Cinavia is not experienced in firmware 3.01 and older - firmware 3.10 and higher contain Cinavia DRM Most likely suspects for the DRM are the player, streamsplitter and video- / audio decoders (e.g. libmp3dec.sprx) Content known to trigger Cinavia DRM: certain xvid/mp3 rips (e.g. Battle_Los_Angeles_2011_R5_XViD-IMAGiNE & the R5.LiNE.XViD-FOAM release of that same title / The.Tourist.DVDR-TWiZTED)

Playing Cinavia DRM protected content with Showtime works without problems (Showtime uses ffmpg), PS3 Media Server can also be used with the MEncoder transcoder otherwise it fails.

Debug firmware doesnt contain Cinavia DRM, neither has Rebug which uses same Debug system files (only CoreOS = Retail on Rebug)

30.07.2011 addition

''I have traced the Cinavia DRM checks to 4 separate sprx files and after a long time trying to patch these files I have found that 3 of those files are present in the DEBUG (DEX) firmware don’t have the Cinavia DRM checks enabled. Files are videoplayer_util sprx, videoplayer_plugin sprx and videoeditor_plugin sprx.

I have successfully copied these 3 sprx files from DEBUG (DEX) FW 341 over to my retail PS3 unit running OFW 341 using dev_blind and Cinavia seems to be now disabled. I’ve confirmed this by playing back a number of Cinavia affected video files.

This means that Cinavia is now disabled for all DLNA playback and copying, but Cinavia checks on AVCHD and BD playback are still present with Message Code 3 that mutes the audio as the sprx file with the Cinavia check bdp_plugin sprx is not present in DEX firmware because BD playback is disabled in DEBUG. If someone is able to patch Cinavia out of bdp_plugin sprx this will be solved too.

I have created a new task for PS3MFW so this can be easily made part of any new MFW’s as needed. Any FW version that has had the DEX firmware leaked should be able to be used to create a CFW of the same version. eg DEX 3.41 -> MFW 341 or DEX 355 -> MFW 355 etc etc. Don’t use sprx files from different FW versions! See git hacks for change_cinavia_files task source.

Big thanks to the KaKaRoTo and REBUG team for their community contributions as this would have never been possible without the knowledge they’ve shared with us.'' http://git.dashhacks.com/~tical/ps3mfw/ticals-tasks
change_cinavia_files.tcl (4.22 KB)

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#

# Notes: videoplayer_util.sprx, videoplayer_plugin.sprx and videoeditor_plugin.sprx
#        have Cinavia DRM checks. These checks are disabled in DEX firmware so these 
#        files can be replaced by those from the equivalent DEX firmware or if they
#        have been manually patched. 
#        TODO: bdp_plugin.sprx also contains checks but BD playback is disabled on 
#        DEX firmware so this file is not included in DEX firmware. This means that 
#        DNLA copy/playback won't have any Cinavia checks done on it but a copied BD 
#        playback will still check for Cinavia and mute the audio (Message Code 3) 
#        until DEX firmware with a bdp_plugin.sprx is released or someone patches 
#        this file manually.

# Priority: 2300
# Description: Change Cinavia DRM affected files

# Option --cinavia-videoplayerutil: Patched videoplayer_util.sprx filename
# Option --cinavia-videoplayerplugin: Patched videoplayer_plugin.sprx filename
# Option --cinavia-videoeditorplugin: Patched videoeditor_plugin.sprx filename
# Option --cinavia-bdpplugin: Patched bdp_plugin.sprx filename

# Type --cinavia-videoplayerutil: file open {"SPRX library" {sprx}}
# Type --cinavia-videoplayerplugin: file open {"SPRX library" {sprx}}
# Type --cinavia-videoeditorplugin: file open {"SPRX library" {sprx}}
# Type --cinavia-bdpplugin: file open {"SPRX library" {sprx}}

namespace eval change_cinavia_files {

    array set ::change_cinavia_files::options {
        --cinavia-videoplayerutil "/path/to/videoplayer_util.sprx"
        --cinavia-videoplayerplugin "/path/to/videoplayer_plugin.sprx"
        --cinavia-videoeditorplugin "/path/to/videoeditor_plugin.sprx"
        --cinavia-bdpplugin "/path/to/bdp_plugin.sprx"
    }

    proc main {} {
        variable options

        set cinavia_videoplayerutil [file join dev_flash vsh module videoplayer_util.sprx]
        set cinavia_videoplayerplugin [file join dev_flash vsh module videoplayer_plugin.sprx]
        set cinavia_videoeditorplugin [file join dev_flash vsh module videoeditor_plugin.sprx]
        set cinavia_bdpplugin [file join dev_flash vsh module bdp_plugin.sprx]

        if {[file exists $options(--cinavia-videoplayerutil)] == 0 } {
            log "Skipping videoplayer_util.sprx, $options(--cinavia-videoplayerutil) does not exist"
        } else {
            ::modify_devflash_file ${cinavia_videoplayerutil} ::change_cinavia_files::copy_cinavia_file $::change_cinavia_files::options(--cinavia-videoplayerutil)
        }

        if {[file exists $options(--cinavia-videoplayerplugin)] == 0 } {
            log "Skipping cinavia_videoplayerplugin, $options(--cinavia-videoplayerplugin) does not exist"
        } else {
            ::modify_devflash_file ${cinavia_videoplayerplugin} ::change_cinavia_files::copy_cinavia_file $::change_cinavia_files::options(--cinavia-videoplayerplugin)
        }

        if {[file exists $options(--cinavia-videoeditorplugin)] == 0 } {
            log "Skipping cinavia_videoeditorplugin, $options(--cinavia-videoeditorplugin) does not exist"
        } else {
            ::modify_devflash_file ${cinavia_videoeditorplugin} ::change_cinavia_files::copy_cinavia_file $::change_cinavia_files::options(--cinavia-videoeditorplugin)
        }
        
        # TODO: no known bdp_plugin.sprx patch yet
        if {[file exists $options(--cinavia-bdpplugin)] == 0 } {
            log "Skipping cinavia_bdpplugin, $options(--cinavia-bdpplugin) does not exist"
        } else {
            ::modify_devflash_file ${cinavia_bdpplugin} ::change_cinavia_files::copy_cinavia_file $::change_cinavia_files::options(--cinavia-bdpplugin)
        }
    }

    proc copy_cinavia_file { dst src } {
        if {[file exists $src] == 0} {
            die "$src does not exist"
        } else {
            if {[file exists $dst] == 0} {
                die "$dst does not exist"
            } else {
                log "Replacing default file [file tail $dst] with patched [file tail $src]"
                copy_file -force $src $dst
            }
        }
    }
}

Note: only :

  • bdp_plugin sprx
  • videoplayer_plugin sprx

might need proper patching, because videoplayer_util.sprx is the same on Retail/CEX and Debug/DEX and videoeditor_plugin sprx might not be used for playback at all.

edit, correction: videoeditor_plugin.prx is same on CEX and DEX

cinavia-310.rar (2.32 MB)


Hashes

Version MD5 SHA1 CRC32 CRC16 HMAC_SHA1
0 file (do not use) MD5::1f5039e50bd66b290c56684d8550c6c2 SHA1::7b91dbdc56c5781edf6c8847b4aa6965566c5c75 CRC32::2A0E7DBB CRC16::0 HMAC_SHA1::
3.41 RETAIL/CEX PSJB MD5::6f1ef9144c43c9a6f00f7ee7464a6689 SHA1::f3c19e06c0e7b8cc550bb3244f5f88356173fa6d CRC32::8A1E7548 CRC16::7FFC HMAC_SHA1::9F7001A6A93AE03A61ED7CFB7156A68DF0740708



Repositories

stoker25 - specialises in debug/DEX and DECR/TOOL firmwares (self hosted)

Remark @ Installation

ps3d storage region 3 on the internal harddisk (ps3dc) is used by the PS3 as temp for installing updates. When installing PUP files, the PUP content gets unpacked there, checked - the system flags the update bit and prompts for reboot. After reboot it sees the update bit set and installs the files from ps3dc without rechecking (!) -> possible attack vector for circumventing checks, like down-/crossgrading). edit-note: doesn't seem to be true, it is still checked.

ps3d - 4 possible regions :

ps3da : whole disk
  ps3db : UFS2 : GameOS
  ps3dc : FAT (2GB) : Update
  ps3dd : EXT3 : OtherOS (in the <=3.15 way)


Factory Service Mode - Installation log breakdown

Explaination from rms: http://rmscrypt.wordpress.com/2011/02/01/the-downgrade-process/

Sample logs:

log Explaination Notes
manufacturing bit detection in Syscon eeprom, manufacturing mode enabled, looking for lv2_diag.self
 manufacturing updating start
lv2_diag.self initialised
PackageName = /dev_usb000/PS3UPDAT.PUP
PUP file used for FSM reinstall on USB root
 settle polling interval success
 vflash is disabled...
 boot from nand flash...
NAND system detected, vflash disabled
 creating flash regions...
 create storage region: (region id = 2)
 format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
 create storage region: (region id = 3)
 format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
 create storage region: (region id = 4)
 format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
 create storage region: (region id = 5)
 create storage region: (region id = 6)
creating and formatting FLASH regions 2, 3, 4, 5, 6
 Initializing
 taking a while...
 start Updating Proccess
 Initialize elapsed time = 61 msec
Initializing + Start Updating Proccess
 check UPL
 Check UPL elapsed time = 34 msec
 check Package Size
 get package size elapsed time = 8 msec
 start Updating Package
 Update packages num = 29
 Update packages total size = 160699026
UPL.xml.pkg from PUP unpkg'ed and read
 Update Package Revoke list
 read package revoke list package (576 bytes) elapsed = 6 msec
 update package revoke list elapsed = 331 msec
 Update Package Revoke list done(0x8002f000)
RL_FOR_PACKAGE.img copied from PUP to trvk_pkg
 Update Core OS Package
 read core os package (5193774 bytes) elapsed = 324 msec
 update core os package elapsed = 1965 msec
 Update Core OS Package done(0x8002f000)
Core OS package (CORE_OS_PACKAGE.pkg) is unpkg'ed from PUP and written to ros
 Update VSH Package
 sys_memory_container_create() success(id = 0xc0effffe)
 Update VSH's package : 1/21
 read vsh package (2070 bytes) elapsed = 8 msec
 decrypt and verify vsh package elapsed = 23 msec
 write vsh package elapsed = 9259 msec
 compare vsh package elapsed = 0 msec
 Update VSH's package : 2/21
 read vsh package (5616383 bytes) elapsed = 351 msec
 decrypt and verify vsh package elapsed = 341 msec
 write vsh package elapsed = 1725 msec
 compare vsh package elapsed = 402 msec
 Update VSH's package : 3/21
 read vsh package (3357780 bytes) elapsed = 214 msec
 decrypt and verify vsh package elapsed = 227 msec
 write vsh package elapsed = 2926 msec
 compare vsh package elapsed = 312 msec
 Update VSH's package : 4/21
 read vsh package (5240122 bytes) elapsed = 328 msec
 decrypt and verify vsh package elapsed = 309 msec
 write vsh package elapsed = 2776 msec
 compare vsh package elapsed = 399 msec
 Update VSH's package : 5/21
 read vsh package (24029 bytes) elapsed = 9 msec
 decrypt and verify vsh package elapsed = 24 msec
 write vsh package elapsed = 1185 msec
 compare vsh package elapsed = 9 msec
 Update VSH's package : 6/21
 read vsh package (9831317 bytes) elapsed = 599 msec
 decrypt and verify vsh package elapsed = 279 msec
 write vsh package elapsed = 11830 msec
 compare vsh package elapsed = 466 msec
 Update VSH's package : 7/21
 read vsh package (8662380 bytes) elapsed = 539 msec
 decrypt and verify vsh package elapsed = 272 msec
 write vsh package elapsed = 16532 msec
 compare vsh package elapsed = 474 msec
 Update VSH's package : 8/21
 read vsh package (8657372 bytes) elapsed = 541 msec
 decrypt and verify vsh package elapsed = 361 msec
 write vsh package elapsed = 5911 msec
 compare vsh package elapsed = 448 msec
 Update VSH's package : 9/21
 read vsh package (10445426 bytes) elapsed = 635 msec
 decrypt and verify vsh package elapsed = 255 msec
 write vsh package elapsed = 5408 msec
 compare vsh package elapsed = 467 msec
 Update VSH's package : 10/21
 read vsh package (10252830 bytes) elapsed = 641 msec
 decrypt and verify vsh package elapsed = 262 msec
 write vsh package elapsed = 8646 msec
 compare vsh package elapsed = 476 msec
 Update VSH's package : 11/21
 read vsh package (9922968 bytes) elapsed = 621 msec
 decrypt and verify vsh package elapsed = 252 msec
 write vsh package elapsed = 6950 msec
 compare vsh package elapsed = 467 msec
 Update VSH's package : 12/21
 read vsh package (8214459 bytes) elapsed = 505 msec
 decrypt and verify vsh package elapsed = 199 msec
 write vsh package elapsed = 5843 msec
 compare vsh package elapsed = 386 msec
 Update VSH's package : 13/21
 read vsh package (9428094 bytes) elapsed = 594 msec
 decrypt and verify vsh package elapsed = 244 msec
 write vsh package elapsed = 5238 msec
 compare vsh package elapsed = 442 msec
 Update VSH's package : 14/21
 read vsh package (7973335 bytes) elapsed = 498 msec
 decrypt and verify vsh package elapsed = 346 msec
 write vsh package elapsed = 13617 msec
 compare vsh package elapsed = 456 msec
 Update VSH's package : 15/21
 read vsh package (9766737 bytes) elapsed = 603 msec
 decrypt and verify vsh package elapsed = 360 msec
 write vsh package elapsed = 17267 msec
 compare vsh package elapsed = 529 msec
 Update VSH's package : 16/21
 read vsh package (9199234 bytes) elapsed = 583 msec
 decrypt and verify vsh package elapsed = 407 msec
 write vsh package elapsed = 23189 msec
 compare vsh package elapsed = 689 msec
 Update VSH's package : 17/21
 read vsh package (7260896 bytes) elapsed = 466 msec
 decrypt and verify vsh package elapsed = 286 msec
 write vsh package elapsed = 14751 msec
 compare vsh package elapsed = 689 msec
 Update VSH's package : 18/21
 read vsh package (6563380 bytes) elapsed = 422 msec
 decrypt and verify vsh package elapsed = 155 msec
 write vsh package elapsed = 1906 msec
 compare vsh package elapsed = 357 msec
 Update VSH's package : 19/21
 read vsh package (6092245 bytes) elapsed = 373 msec
 decrypt and verify vsh package elapsed = 227 msec
 write vsh package elapsed = 1457 msec
 compare vsh package elapsed = 405 msec
 Update VSH's package : 20/21
 read vsh package (9859067 bytes) elapsed = 590 msec
 decrypt and verify vsh package elapsed = 238 msec
 write vsh package elapsed = 2187 msec
 compare vsh package elapsed = 498 msec
 Update VSH's package : 21/21
 read vsh package (6492084 bytes) elapsed = 419 msec
 decrypt and verify vsh package elapsed = 321 msec
 write vsh package elapsed = 17509 msec
 compare vsh package elapsed = 674 msec
 Update VSH Package done(0x8002f000)
dev_flash_000.tar.aa.* files from PUP are unpkg'ed to dev_flash
 Bul-ray Disc Player Revoke
 read bdp revoke package (1904 bytes) elapsed = 23 msec
 decrypt and verify bdp revoke package elapsed = 29 msec
 write bdp revoke package elapsed = 2240 msec
 compare bdprevoke package elapsed = 57 msec
 Bul-ray Disc Player Revoke done(0x8002f000)
dev_flash3_024.tar.aa.* files from PUP are unpkg'ed to dev_flash3
 Update Program Revoke list
 read program revoke list package (704 bytes) elapsed = 7 msec
 update program revoke list elapsed = 331 msec
 Update Program Revoke list done(0x8002f000)
RL_FOR_PROGRAM.img from PUP is copied to trvk_prg
 move_2block_status_into_the_region(): region id = 3
 rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
 rewrite region done (ret = 0x8002f000)
 rewrite region elapsed time = 1262 msec
 touch_1st_sector_in_block() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
 touch_1st_sector() done (ret = 0x8002f000)
 touch_1st_sector() elapsed time = 1121 msec
 rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
 rewrite region done (ret = 0x8002f000)
 rewrite region elapsed time = 1262 msec
 Update BD firmware
 read BD firmware package (1966992 bytes) elapsed = 142 msec
 update BD firmware elapsed = 184 msec
 read BD firmware package (951040 bytes) elapsed = 78 msec
 update BD firmware elapsed = 142 msec
 read BD firmware package (951040 bytes) elapsed = 80 msec
 update BD firmware elapsed = 13959 msec
 Update BD firmware done(0x8002f000)
Appropiate BD firmware for that Bluray Drive is flashed to BD eeprom
 Update Multi-Card controller firmware
 read MCC package (28636 bytes) elapsed = 25 msec
 update MCC elapsed = 24 msec
 Update Multi-Card controller firmware done(0x8002f000)
If SKU with MultiCardReader then Multi-Card controller firmware is flashed to SST 1mbit Flash
 Update BlueTooth firmware
 read BT package (639368 bytes) elapsed = 62 msec
 update BT elapsed = 56 msec
 Update BlueTooth firmware done(0x8002f000)
Bluetooth NOR flash is updated with

BlueTooth firmware

 Update System controller firmware
 read SC patch package (4864 bytes) elapsed = 24 msec
 read SC patch package (4864 bytes) elapsed = 24 msec
 read SC patch package (4864 bytes) elapsed = 23 msec
 Update System controller firmware done(0x8002f000)
Syscon Hardware is updated with appropiate System controller firmware
 update package elapsed time = 228361 msec
 post processiong...
 post processiong done
 cleanup update status (ret = 0)
 os version = 03.1500
 build_version = 38031,20091206
 region of core os package = 0x40000000
 build_target = CEX-ww
 build target id = 0x83
 manufacturing updating SUCCESS(0x8002f000)
 set product mode (ret = 0)
 Total Elapsed time = 230556 msec


old crossgrading Retail/CEX to Debug/DEX

Note
For this to work your system must be below or at 1.80 for the 1.80 debug update and below or on 2.01 for the 2.15 debug update. Just use the next version up from your current firmware version for the retail update.

It's not very usefull, esp. nowadays, added for historic reasons

How to install debug firmware on retail PS3

old source: http://www.ps3hax.net/other-misc-tutorials/4808-tutorial-how-install-debug-firmware-retail-ps3-partially-hdd-swap-method.html

Tools needed

  • 1 PS3 system
  • 2 PS3 hard drives that are the same size
  • 1 retail firmware upgrade
  • 1.80 Or 2.15 debug firmware

Instructions

  1. Format both hard drives on the PS3 system.
  2. Download a debug PS3 firmware and place it in USB stick, and start the update. This will copy all the debug firmware files to the PS3's HDD-A.
  3. After copied the PS3 will restart and you will see the normal update menu which prompts you to click the button to start update. Do NOT update your PS3, but power it off.
  4. Next remove the HDD-A, and place in the second HDD, HDD-B in the PS3.
  5. Download and copy a retail PS3 firmware to a USB stick.
  6. Again as before place USB in PS3 and update the PS3 as normal but when you get to the screen where it asks for you to press button, do that but stop when it asks you to AGREE to Terms and Condition Page.
  7. While the system is still powered on and on the update screen, REMOVE HDD-B, and insert HDD-A.
  8. After swapping the HDD's continuie to update the PS3 as normal and the PS3 will install the debug PS3 firmware=
  9. Go to the settings and check firmware version and there you will also see the debugging PS3 options :)




Ancient preproduction / prototype

 CEB-201x, DEH-R1030 etc.
 
 old SDKs contain these binairy files in \cell\target\bootrom, 
 while knowledge about previous version existance can be revealed by the documentation in \cell\info\old\XXX

ebootrom structure

Header

Offset Length Type Information
0x0 0x4 unsigned long Unknown
0x4 0x4 unsigned long File Count
0x8 0x8 unsigned long File Length
0x10 0x30 * File Count File Table File Table

File Table

The file table consists of a number of file entries determined by File Count, with the format below:

Offset Length Type Information
0x0 0x8 unsigned long Data Offset
0x10 0x8 unsigned long Data Length
0x20 0x20 unsigned long Data FileName (see below)

Filename IDs

File Entry ID Filename
0x1 sdk_version
0x2 version.txt
0x3 ros (CORE_OS_PACKAGE.pkg)
0x4 trvk_prg
0x5 trvk_pkg
0x6 nand_update
0x7 bdit_firmware
0x8 bdpt_301r_firmware
0x9 bdpt_303r_firmware
bdit_firmware / bdpt_301r_firmware / bdpt_303r_firmware / nand_update / ros / trvk_pkg / trvk_prg
Header
Offset Length Type Information
0x0 0x4 unsigned long Unknown
0x4 0x4 unsigned long File Count
0x8 0x8 unsigned long File Length
0x10 0x30 * File Count File Table File Table
File Table

The file table consists of a number of file entries determined by File Count, with the format below:

Offset Length Type Information
0x0 0x8 unsigned long Data Offset
0x10 0x8 unsigned long Data Length
0x20 0x20 unsigned long DataName
  • bdit_firmware -> BDIT_FIRMWARE_PACKAGE.pkg
  • bdpt_301r_firmware -> BDPT_FIRMWARE_PACKAGE_301R.pkg
  • bdpt_303r_firmware -> BDPT_FIRMWARE_PACKAGE_303R.pkg
  • trvk_pkg -> RL_FOR_PACKAGE.img
  • trvk_prg -> RL_FOR_PROGRAM.img
  • ros -> CORE_OS_PACKAGE.pkg
  • nand_update -> NAND_UPDATE.pkg.[01]-[28]
0x40 Data Length unsigned long SCE signed package data
CORE_OS_PACKAGE.pkg
File Entry ID Filename
aim_spu_module.self
appldr
creserved_0
default.spp
isoldr
lv0
lv1.self
lv1ldr
lv2_kernel.self
lv2ldr
mc_iso_spu_module.self
me_iso_spu_module.self
sb_iso_spu_module.self
sc_iso.self
sdk_version
spp_verifier.self
spu_pkg_rvk_verifier.self
spu_token_processor.self
sv_iso_spu_module.self



known updates

0.2 ebootrom

0.3 ebootrom

0.60 ebootrom

   0.60: lv0 contains string : 'Sony CXD9823 NAND Controller'
Boot Loader SE Version 0.6 2006-01-31_13:53:04

0.80 ebootrom

   key: rev 0x00

0.84 ebootrom

   0.84: lv0 doesnt contain previous mentioned string
from decrypted lv0 0.84: Boot Loader SE Version 0.8.4 (Build ID: 822,8517, Build Data: 2006-05-16_17:50:21)

0.85 ebootrom

0.90 ebootrom

0.92 ebootrom

   key: rev 0x01 + NP rev 0x01

0.93 ebootrom

0.94 ebootrom

0.95 PUP

   0.95: PS3UPDAT.PUP format was implemented since 0.95

0.96 PUP

100.002 ebootrom

ebootrom.100.002.rar (51.29 MB)