Talk:Playstation Update Package (PUP)
Playstation Update Package (PUP) - Discussion/Talk
What is the part that defines, what firmware it really is?. I mean, for firmwares below 3.55 we have all the keys so whe can forge any PUP and make it appear as a +3.55, that would be a way to downgrade, without the need of a dongle and recovery mode.
I know there are version strings in pupheader,version.txt, info0, and in vsh.self.. but what is missing? What isn´t correclty set in mfw to make it pass the checks of a legit +3.55 fw?
We are using recovery mode to downgrade because, we haven´t found a way to create a legit +3.55
Unpacking a firmware
Unpack the PUP
Dots.txt EULA.xml Update_Files.tar Updater.self Version.txt VSH.tar Zeros.bin
Untar the Update_Files.tar
BDIT_FIRMWARE_PACKAGE.pkg BDPT_FIRMWARE_PACKAGE_301R.pkg BDPT_FIRMWARE_PACKAGE_302R.pkg BDPT_FIRMWARE_PACKAGE_303R.pkg BDPT_FIRMWARE_PACKAGE_304R.pkg BDPT_FIRMWARE_PACKAGE_306R.pkg BDPT_FIRMWARE_PACKAGE_308R.pkg BLUETOOTH_FIRMWARE.pkg CORE_OS_PACKAGE.pkg dev_flash3_022.tar.aa.2010_11_27_051800 dev_flash_000.tar.aa.2010_11_27_051337 dev_flash_001.tar.aa.2010_11_27_051337 dev_flash_002.tar.aa.2010_11_27_051337 dev_flash_003.tar.aa.2010_11_27_051337 dev_flash_004.tar.aa.2010_11_27_051337 dev_flash_005.tar.aa.2010_11_27_051337 dev_flash_006.tar.aa.2010_11_27_051337 dev_flash_007.tar.aa.2010_11_27_051337 dev_flash_008.tar.aa.2010_11_27_051337 dev_flash_009.tar.aa.2010_11_27_051337 dev_flash_010.tar.aa.2010_11_27_051337 dev_flash_011.tar.aa.2010_11_27_051337 dev_flash_012.tar.aa.2010_11_27_051337 dev_flash_013.tar.aa.2010_11_27_051337 dev_flash_014.tar.aa.2010_11_27_051337 dev_flash_015.tar.aa.2010_11_27_051337 dev_flash_016.tar.aa.2010_11_27_051337 dev_flash_017.tar.aa.2010_11_27_051337 dev_flash_018.tar.aa.2010_11_27_051337 dev_flash_019.tar.aa.2010_11_27_051337 dev_flash_020.tar.aa.2010_11_27_051337 dev_flash_021.tar.aa.2010_11_27_051337 MULTI_CARD_FIRMWARE.pkg RL_FOR_PACKAGE.img RL_FOR_PROGRAM.img SYS_CON_FIRMWARE_01000006.pkg SYS_CON_FIRMWARE_01010303.pkg SYS_CON_FIRMWARE_01020302.pkg SYS_CON_FIRMWARE_01030302.pkg SYS_CON_FIRMWARE_01040402.pkg SYS_CON_FIRMWARE_01050002.pkg SYS_CON_FIRMWARE_01050101.pkg SYS_CON_FIRMWARE_S1_00010002083E0832.pkg UPL.xml.pkg
unpkg CORE_OS_PACKAGE.pkg
content info0 info1
cosunpkg content from CORE_OS_PACKAGE.pkg
aim_spu_module.self appldr creserved_0 default.spp emer_init.self eurus_fw.bin hdd_copy.self isoldr lv0 lv1.self lv1ldr lv2ldr lv2_kernel.self manu_info_spu_module.self mc_iso_spu_module.self me_iso_spu_module.self sb_iso_spu_module.self sc_iso.self sdk_version spp_verifier.self spu_pkg_rvk_verifier.self spu_token_processor.self spu_utoken_processor.self sv_iso_spu_module.self
unself the self's
...
unpkg dev_flash*
content info0 info1
untar dev_flash* content
...
3.55 example
PSUPDATE.PUP ├── dots.txt ├── license.txt ├── ps3swu.self ├── update_files.tar │ ├── BDIT_FIRMWARE_PACKAGE.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── BDPT_FIRMWARE_PACKAGE_301R.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── BDPT_FIRMWARE_PACKAGE_302R.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── BDPT_FIRMWARE_PACKAGE_303R.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── BDPT_FIRMWARE_PACKAGE_304R.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── BDPT_FIRMWARE_PACKAGE_306R.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── BDPT_FIRMWARE_PACKAGE_308R.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── BLUETOOTH_FIRMWARE.pkg │ │ ├── content │ │ │ ├── RC29_firmware_footer.dfu │ │ │ ├── usb8780-5.0.1-A1-A2.dfu │ │ │ └── usb8781-20.0.12.0.dfu │ │ ├── info0 │ │ └── info1 │ ├── CORE_OS_PACKAGE.pkg │ │ ├── aim_spu_module.self │ │ ├── appldr │ │ ├── creserved_0 │ │ ├── default.spp │ │ ├── emer_init.self │ │ ├── eurus_fw.bin │ │ ├── hdd_copy.self │ │ ├── isoldr │ │ ├── lv0 │ │ ├── lv1ldr │ │ ├── lv1.self │ │ ├── lv2_kernel.self │ │ ├── lv2ldr │ │ ├── manu_info_spu_module.self │ │ ├── mc_iso_spu_module.self │ │ ├── me_iso_spu_module.self │ │ ├── sb_iso_spu_module.self │ │ ├── sc_iso.self │ │ ├── sdk_version │ │ ├── spp_verifier.self │ │ ├── spu_pkg_rvk_verifier.self │ │ ├── spu_token_processor.self │ │ ├── spu_utoken_processor.self │ │ └── sv_iso_spu_module.self │ ├── dev_flash_XXX.tar.aa.DATE/TIME │ ├── dev_flash3_XXX.tar.aa.DATE/TIME │ ├── MULTI_CARD_FIRMWARE.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── RL_FOR_PACKAGE.img │ ├── RL_FOR_PROGRAM.img │ ├── SYS_CON_FIRMWARE_01000006.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── SYS_CON_FIRMWARE_01010303.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── SYS_CON_FIRMWARE_01020302 │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── SYS_CON_FIRMWARE_01030302.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── SYS_CON_FIRMWARE_01040402.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── SYS_CON_FIRMWARE_01050002.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── SYS_CON_FIRMWARE_01050101.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ ├── SYS_CON_FIRMWARE_S1_00010002083E0832.pkg │ │ ├── content │ │ ├── info0 │ │ └── info1 │ └── UPL.xml.pkg │ ├── content │ ├── info0 │ └── info1 ├── update_files.tar ├── update_flags.txt ├── version.txt └── vsh.tar
PS3 Recovery Menu
note: FW 2.50 or higher
CoreOS file: emer_init.self
Videomode limitations
There are no known limitations on the used video output. Works fine on:
- Composite
- Scart-Composite
- Svideo
- RGB
- Scart-RGB
- RGB Dsub
- RGB Cinch
- Component
- Component Dsub
- Component Cinch
- HDMI
Getting into recovery mode
- With the system in standby mode. Press and hold the power button down until the system turns on and then off again. Release the power button. Very important to hold the power button until the console shuts off and to release the power button before continuing to step 2.
- After about 1 - 2 seconds press and hold the power button again, until you hear 2 consecutive beeps. Release the power button. During this step you will actually here three beeps. There will be one single beep then a short delay followed by the 2 consecutive beeps. Only release the the power button after the 2 consecutive beeps.
- You will then be instructed to plug in a controller, via the usb cord, and press the PS button : "Connect the controller using a USB cable and then press the PS button".
- At this point the PS3 Recovery Menu will be shown on the screen.
Note: some people have trouble hearing the beeps: the led goes off the same moment it beeps, so the 2 consecutive beeps can also be noticed by seeing the green led fast blink off twice.
PS3 Recovery Menu Options
1. Restart System
This option boots your system as normal without changing any settings or files.
2. Restore Default Settings
Restores all default settings on the PS3 for networking, clock, video, etc. For a full list of the restored settings you can look under settings> system settings > restore defaults on your console. This should not eliminate your game saves or other saved content, including your user login.
3. Restore File System
This will rewrite the files the PS3 uses to boot. This feature will help if files have become corrupted and are not allowing the console to boot as normal. This should not erase any of your saved data or settings.
4. Rebuild Database
This can be a usefull feature if you have lost files on your system for no apparent reason. Try using this feature to see if it can restore those files. This will also rewrite corrupted files within the database, potentially eliminating future issues. This feature should not erase any of your saved data or settings (except some PSN account information - explained in next paragraph.
Deletes messages, playlists, changes made on "Information" screens, trimming information for pictures in "Photo", video thumbnails, video playback history and video resume information. Will also "unregister" your PSN account with your system - anything that needs your PSN information to run correctly, like trophies or games that require trophies with a PSN account to be linked, will not work. To fix, either sign in to PSN or for systems </=3.55, edit the xregistry.sys to have your PSN email and password.
This operation may take a long time depending on the type and number of data items.
5. Restore PS3 System
This will restore your system to original including, formatting and erasing all of the data on the HD and returning all system settings to default. This will not take your system back to a previous Firmware release. Use this option as a last resort, unless you have nothing on the console that you want or you want to erase everything on the console, do not use this option.
This is the same as "Restore PS3 system" on the XMB. All data and settings will be lost by performing this step.
6. System Update
This will allow the user to update their console with new firmware via a Flash drive or other portable media. This will not allow you to update via an internet connection. This can usefull if your system has become corrupted to the point you can not boot. Needed for installing same versions MFWs over OFW/MFWs or going back from an MFW to an OFW.
When to use Recovery Menu
Execute Recovery Menu when the PS3 is experiencing the following symptoms:
- When the PS3 is started up, the XMB menu is not displayed (only the wave screen background appears)
- When the PS3 is started up, nothing appears on the screen
- When the PS3 is started up, a message stating "The hard disk's file system is corrupted and will be restored." is displayed and prompts the user to press X to Restore the system. Original message is displayed again or the system stops during restoration.
- When the PS3 system is started up, an error message stating "The hard disk's database will be rebuilt." is displayed and prompts the user to press X. The system again fails start up or stops while formatting the hard drive.
- The system stops while restarting after a PS3 system update or while updating or rebuilding the database.
- When wanting to install a same version firmware (e.g. MFW/CFW over an OFW).
Adding new keys to older firmwares
patch the loaders add keys to appldr keys index & tables there are also npdrm keys inside appldr as well, add the 3.56++ ones appldr,. lv2.self and game_ext_plugin need patching for new games support vsh.self maybe too
Creating a MFW? (3.41/3.55 with 3.56 keys)
Proof of concept with added keys to appldr (and none of the other mentioned files above) : http://www.ps3devwiki.com/wiki/Talk:Patches#appldr_3.55_add_3.56.2F3.60_keys
Using fake upgrade to get lowest firmware version info
http://ps3devwiki.com/files/firmware/MFW-CEX/MinVerCheck/ // MinVerChk.rar (3.96 KB)
CRC-16: 9A11 CRC-32 (Ethernet and PKZIP): 50EE9A92 SHA-1: 1B60E0ADE8E698D9796AA78B7AD54B10E05A9B0B MD-5: BB39828156BC7DF144E4D06D81C801AB
- Unrar and copy this MinVerChk PUP to your USB stick (/PS3/UPDATE/PS3UPDAT.PUP), the same way as if it was an firmware upgrade.
- Insert the USB stick into the PS3.
- Start a firmware update like normal from XMB (Don’t worry, it will not update!)
- It will shortly fail and display the Firmware Base Value
Note: console needs to run at least FW 2.50? (2.30 didn't work)
Watermark which survives ripping to e.g. xvid/mp3 Detection of watermark
According to Cinavia website (www cinavia com) there are 4 possible warning messages on detection:
Message Code 1: Playback stopped
Typical on-screen message: “Playback stopped. The content being played is protected by Cinavia™ and is not authorized for playback on this device. For more information, see http://www.cinavia.com. Message Code 1.” Typical front panel message: “Cinavia™ playback restriction (1).” Explanation The audio track of the video that you are playing contains a Cinavia code indicating it was intended for presentation using professional equipment only (for example, in a theater) and is not authorized for playback by consumers. Recommendations If the video that you are playing is a professionally produced video (such as a movie or television show), you will need to obtain a copy that was made with the permission of the copyright owner. If the video that you are playing back is a home movie or other personal recording, that includes some professionally produced content (including the audio track of a professionally produced movie or television show), you will need to either skip over the parts of the video that contain the professionally produced content during playback or else create or obtain a version of the video that does not include this protected material.
Message Code 2: Copying stopped
Typical on-screen message: “Copying stopped. The content being copied is protected by Cinavia™ and is not authorized for copying from this device. For more information, see http:// www.cinavia.com. Message Code 2.” Typical front panel message: “Cinavia™ copy restriction (2)” Explanation The audio track of the video that you are copying contains a Cinavia code indicating that it was intended for duplication using professional equipment only (for example, by a professional replicator) and is not authorized for copying by consumers. Recommendations If the video that you are copying is a professionally produced movie or television show, you will need to obtain a copy that was made with the permission of its copyright owner. If the video that you are copying is a home movie or other personal recording that includes some professionally produced content (including the audio track of a professionally produced movie or television show), in order to make a copy you will need to either copy only those parts of the recording that do not include professionally produced content or else you may create or obtain a version of the video that does not include this protected material.
Message Code 3: Audio muted
Typical on-screen message: “Audio outputs temporarily muted. Do not adjust the playback volume. The content being played is protected by Cinavia™ and is not authorized for playback on this device. For more information, see http://www.cinavia.com. Message Code 3.” Typical front panel message: “Cinavia™ playback restriction (3)” Explanation The audio track of the video that you are playing contains a Cinavia code indicating that it is an unauthorized copy of professionally-produced content. Recommendations If the video that you are playing is a professionally produced video (such as a movie or television show), you will need to obtain a copy that was made with the permission of the copyright owner. If the video that you are playing is a home movie or other personal recording that includes some professionally produced content (including the audio track of a professionally produced video), to play your recording without muting you may either: Pause the video, wait 30 seconds for the audio to be un-muted, then skip over those portions where the professionally produced material is used and continue playing the rest of the video, or Pause the video, wait 30 seconds for the audio to be un-muted, then play video from a different optical disc for at least 10 minutes before continuing playback of this video. For information on how this professionally produced content can be included in your home movies or other personal recordings in a way that will not be limited by Blu-ray Disc players, see Cinavia website : Guidelines for Use of Content in Home Movies.
Message Code 4: Copying stopped
Typical on-screen message: “Copying stopped. This content is protected by Cinavia™ and is not authorized for copying from this device. For more information, see http://www.cinavia.com” Typical front panel message: “Cinavia™ copy restriction (4)” Explanation The audio track of the video that you are copying contains a Cinavia code indicating that it is an unauthorized copy of professionally produced content. Recommendation If the video that you are copying is a professionally produced video (such as a movie or television show), you should obtain a copy that was made with the permission of the copyright owner. If the video that you are copying is a home movie or other personal recording that includes some professionally produced material (including the audio track of a professionally produced movie or television show), in order to make a copy without interruption you will need to either copy only those parts of the recording that do not include professionally produced content or else you may create or obtain a version of the video that does not include this protected material. For information on how this professionally produced material can be included in your home movies or other personal recordings in a way that will not be limited by Blu-ray Disc players, see Guidelines for Use of Content in Home Movies.
PS3 specifics
Cinavia is not experienced in firmware 3.01 and older - firmware 3.10 and higher contain Cinavia DRM Most likely suspects for the DRM are the player, streamsplitter and video- / audio decoders (e.g. libmp3dec.sprx) Content known to trigger Cinavia DRM: certain xvid/mp3 rips (e.g. Battle_Los_Angeles_2011_R5_XViD-IMAGiNE & the R5.LiNE.XViD-FOAM release of that same title / The.Tourist.DVDR-TWiZTED)
Playing Cinavia DRM protected content with Showtime works without problems (Showtime uses ffmpg), PS3 Media Server can also be used with the MEncoder transcoder otherwise it fails.
Debug firmware doesnt contain Cinavia DRM, neither has Rebug which uses same Debug system files (only CoreOS = Retail on Rebug)
30.07.2011 addition
''I have traced the Cinavia DRM checks to 4 separate sprx files and after a long time trying to patch these files I have found that 3 of those files are present in the DEBUG (DEX) firmware don’t have the Cinavia DRM checks enabled. Files are videoplayer_util sprx, videoplayer_plugin sprx and videoeditor_plugin sprx.
I have successfully copied these 3 sprx files from DEBUG (DEX) FW 341 over to my retail PS3 unit running OFW 341 using dev_blind and Cinavia seems to be now disabled. I’ve confirmed this by playing back a number of Cinavia affected video files.
This means that Cinavia is now disabled for all DLNA playback and copying, but Cinavia checks on AVCHD and BD playback are still present with Message Code 3 that mutes the audio as the sprx file with the Cinavia check bdp_plugin sprx is not present in DEX firmware because BD playback is disabled in DEBUG. If someone is able to patch Cinavia out of bdp_plugin sprx this will be solved too.
I have created a new task for PS3MFW so this can be easily made part of any new MFW’s as needed. Any FW version that has had the DEX firmware leaked should be able to be used to create a CFW of the same version. eg DEX 3.41 -> MFW 341 or DEX 355 -> MFW 355 etc etc. Don’t use sprx files from different FW versions! See git hacks for change_cinavia_files task source.
Big thanks to the KaKaRoTo and REBUG team for their community contributions as this would have never been possible without the knowledge they’ve shared with us.''
http://git.dashhacks.com/~tical/ps3mfw/ticals-tasks
change_cinavia_files.tcl (4.22 KB)
#!/usr/bin/tclsh # # ps3mfw -- PS3 MFW creator # # Copyright (C) Anonymous Developers (Code Monkeys) # # This software is distributed under the terms of the GNU General Public # License ("GPL") version 3, as published by the Free Software Foundation. # # Notes: videoplayer_util.sprx, videoplayer_plugin.sprx and videoeditor_plugin.sprx # have Cinavia DRM checks. These checks are disabled in DEX firmware so these # files can be replaced by those from the equivalent DEX firmware or if they # have been manually patched. # TODO: bdp_plugin.sprx also contains checks but BD playback is disabled on # DEX firmware so this file is not included in DEX firmware. This means that # DNLA copy/playback won't have any Cinavia checks done on it but a copied BD # playback will still check for Cinavia and mute the audio (Message Code 3) # until DEX firmware with a bdp_plugin.sprx is released or someone patches # this file manually. # Priority: 2300 # Description: Change Cinavia DRM affected files # Option --cinavia-videoplayerutil: Patched videoplayer_util.sprx filename # Option --cinavia-videoplayerplugin: Patched videoplayer_plugin.sprx filename # Option --cinavia-videoeditorplugin: Patched videoeditor_plugin.sprx filename # Option --cinavia-bdpplugin: Patched bdp_plugin.sprx filename # Type --cinavia-videoplayerutil: file open {"SPRX library" {sprx}} # Type --cinavia-videoplayerplugin: file open {"SPRX library" {sprx}} # Type --cinavia-videoeditorplugin: file open {"SPRX library" {sprx}} # Type --cinavia-bdpplugin: file open {"SPRX library" {sprx}} namespace eval change_cinavia_files { array set ::change_cinavia_files::options { --cinavia-videoplayerutil "/path/to/videoplayer_util.sprx" --cinavia-videoplayerplugin "/path/to/videoplayer_plugin.sprx" --cinavia-videoeditorplugin "/path/to/videoeditor_plugin.sprx" --cinavia-bdpplugin "/path/to/bdp_plugin.sprx" } proc main {} { variable options set cinavia_videoplayerutil [file join dev_flash vsh module videoplayer_util.sprx] set cinavia_videoplayerplugin [file join dev_flash vsh module videoplayer_plugin.sprx] set cinavia_videoeditorplugin [file join dev_flash vsh module videoeditor_plugin.sprx] set cinavia_bdpplugin [file join dev_flash vsh module bdp_plugin.sprx] if {[file exists $options(--cinavia-videoplayerutil)] == 0 } { log "Skipping videoplayer_util.sprx, $options(--cinavia-videoplayerutil) does not exist" } else { ::modify_devflash_file ${cinavia_videoplayerutil} ::change_cinavia_files::copy_cinavia_file $::change_cinavia_files::options(--cinavia-videoplayerutil) } if {[file exists $options(--cinavia-videoplayerplugin)] == 0 } { log "Skipping cinavia_videoplayerplugin, $options(--cinavia-videoplayerplugin) does not exist" } else { ::modify_devflash_file ${cinavia_videoplayerplugin} ::change_cinavia_files::copy_cinavia_file $::change_cinavia_files::options(--cinavia-videoplayerplugin) } if {[file exists $options(--cinavia-videoeditorplugin)] == 0 } { log "Skipping cinavia_videoeditorplugin, $options(--cinavia-videoeditorplugin) does not exist" } else { ::modify_devflash_file ${cinavia_videoeditorplugin} ::change_cinavia_files::copy_cinavia_file $::change_cinavia_files::options(--cinavia-videoeditorplugin) } # TODO: no known bdp_plugin.sprx patch yet if {[file exists $options(--cinavia-bdpplugin)] == 0 } { log "Skipping cinavia_bdpplugin, $options(--cinavia-bdpplugin) does not exist" } else { ::modify_devflash_file ${cinavia_bdpplugin} ::change_cinavia_files::copy_cinavia_file $::change_cinavia_files::options(--cinavia-bdpplugin) } } proc copy_cinavia_file { dst src } { if {[file exists $src] == 0} { die "$src does not exist" } else { if {[file exists $dst] == 0} { die "$dst does not exist" } else { log "Replacing default file [file tail $dst] with patched [file tail $src]" copy_file -force $src $dst } } } }
Note: only :
- bdp_plugin sprx
- videoplayer_plugin sprx
might need proper patching, because videoplayer_util.sprx is the same on Retail/CEX and Debug/DEX and videoeditor_plugin sprx might not be used for playback at all.
edit, correction: videoeditor_plugin.prx is same on CEX and DEX
Hashes
Version | MD5 | SHA1 | CRC32 | CRC16 | HMAC_SHA1 |
---|---|---|---|---|---|
0 file (do not use) | MD5::1f5039e50bd66b290c56684d8550c6c2 | SHA1::7b91dbdc56c5781edf6c8847b4aa6965566c5c75 | CRC32::2A0E7DBB | CRC16::0 | HMAC_SHA1:: |
3.41 RETAIL/CEX PSJB | MD5::6f1ef9144c43c9a6f00f7ee7464a6689 | SHA1::f3c19e06c0e7b8cc550bb3244f5f88356173fa6d | CRC32::8A1E7548 | CRC16::7FFC | HMAC_SHA1::9F7001A6A93AE03A61ED7CFB7156A68DF0740708 |
Repositories
stoker25 - specialises in debug/DEX and DECR/TOOL firmwares (self hosted)
Remark @ Installation
ps3d storage region 3 on the internal harddisk (ps3dc) is used by the PS3 as temp for installing updates. When installing PUP files, the PUP content gets unpacked there, checked - the system flags the update bit and prompts for reboot. After reboot it sees the update bit set and installs the files from ps3dc without rechecking (!) -> possible attack vector for circumventing checks, like down-/crossgrading). edit-note: doesn't seem to be true, it is still checked.
ps3d - 4 possible regions :
ps3da : whole disk ps3db : UFS2 : GameOS ps3dc : FAT (2GB) : Update ps3dd : EXT3 : OtherOS (in the <=3.15 way)
Factory Service Mode - Installation log breakdown
Explaination from rms: http://rmscrypt.wordpress.com/2011/02/01/the-downgrade-process/
Sample logs:
- http://pastebin.com/XhcjfAjw (downgrade 3.66 -> 3.15)
- http://pastebin.com/SAN7Z3Dq (UPL 3.15)
log | Explaination | Notes |
---|---|---|
manufacturing bit detection in Syscon eeprom, manufacturing mode enabled, looking for lv2_diag.self | ||
manufacturing updating start |
lv2_diag.self initialised | |
PackageName = /dev_usb000/PS3UPDAT.PUP |
PUP file used for FSM reinstall on USB root | |
settle polling interval success |
||
vflash is disabled... boot from nand flash... |
NAND system detected, vflash disabled | |
creating flash regions... create storage region: (region id = 2) format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT) create storage region: (region id = 3) format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT) create storage region: (region id = 4) format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT) create storage region: (region id = 5) create storage region: (region id = 6) |
creating and formatting FLASH regions 2, 3, 4, 5, 6 | |
Initializing taking a while... start Updating Proccess Initialize elapsed time = 61 msec |
Initializing + Start Updating Proccess | |
check UPL Check UPL elapsed time = 34 msec check Package Size get package size elapsed time = 8 msec start Updating Package Update packages num = 29 Update packages total size = 160699026 |
UPL.xml.pkg from PUP unpkg'ed and read | |
Update Package Revoke list read package revoke list package (576 bytes) elapsed = 6 msec update package revoke list elapsed = 331 msec Update Package Revoke list done(0x8002f000) |
RL_FOR_PACKAGE.img copied from PUP to trvk_pkg | |
Update Core OS Package read core os package (5193774 bytes) elapsed = 324 msec update core os package elapsed = 1965 msec Update Core OS Package done(0x8002f000) |
Core OS package (CORE_OS_PACKAGE.pkg) is unpkg'ed from PUP and written to ros | |
Update VSH Package sys_memory_container_create() success(id = 0xc0effffe) Update VSH's package : 1/21 read vsh package (2070 bytes) elapsed = 8 msec decrypt and verify vsh package elapsed = 23 msec write vsh package elapsed = 9259 msec compare vsh package elapsed = 0 msec Update VSH's package : 2/21 read vsh package (5616383 bytes) elapsed = 351 msec decrypt and verify vsh package elapsed = 341 msec write vsh package elapsed = 1725 msec compare vsh package elapsed = 402 msec Update VSH's package : 3/21 read vsh package (3357780 bytes) elapsed = 214 msec decrypt and verify vsh package elapsed = 227 msec write vsh package elapsed = 2926 msec compare vsh package elapsed = 312 msec Update VSH's package : 4/21 read vsh package (5240122 bytes) elapsed = 328 msec decrypt and verify vsh package elapsed = 309 msec write vsh package elapsed = 2776 msec compare vsh package elapsed = 399 msec Update VSH's package : 5/21 read vsh package (24029 bytes) elapsed = 9 msec decrypt and verify vsh package elapsed = 24 msec write vsh package elapsed = 1185 msec compare vsh package elapsed = 9 msec Update VSH's package : 6/21 read vsh package (9831317 bytes) elapsed = 599 msec decrypt and verify vsh package elapsed = 279 msec write vsh package elapsed = 11830 msec compare vsh package elapsed = 466 msec Update VSH's package : 7/21 read vsh package (8662380 bytes) elapsed = 539 msec decrypt and verify vsh package elapsed = 272 msec write vsh package elapsed = 16532 msec compare vsh package elapsed = 474 msec Update VSH's package : 8/21 read vsh package (8657372 bytes) elapsed = 541 msec decrypt and verify vsh package elapsed = 361 msec write vsh package elapsed = 5911 msec compare vsh package elapsed = 448 msec Update VSH's package : 9/21 read vsh package (10445426 bytes) elapsed = 635 msec decrypt and verify vsh package elapsed = 255 msec write vsh package elapsed = 5408 msec compare vsh package elapsed = 467 msec Update VSH's package : 10/21 read vsh package (10252830 bytes) elapsed = 641 msec decrypt and verify vsh package elapsed = 262 msec write vsh package elapsed = 8646 msec compare vsh package elapsed = 476 msec Update VSH's package : 11/21 read vsh package (9922968 bytes) elapsed = 621 msec decrypt and verify vsh package elapsed = 252 msec write vsh package elapsed = 6950 msec compare vsh package elapsed = 467 msec Update VSH's package : 12/21 read vsh package (8214459 bytes) elapsed = 505 msec decrypt and verify vsh package elapsed = 199 msec write vsh package elapsed = 5843 msec compare vsh package elapsed = 386 msec Update VSH's package : 13/21 read vsh package (9428094 bytes) elapsed = 594 msec decrypt and verify vsh package elapsed = 244 msec write vsh package elapsed = 5238 msec compare vsh package elapsed = 442 msec Update VSH's package : 14/21 read vsh package (7973335 bytes) elapsed = 498 msec decrypt and verify vsh package elapsed = 346 msec write vsh package elapsed = 13617 msec compare vsh package elapsed = 456 msec Update VSH's package : 15/21 read vsh package (9766737 bytes) elapsed = 603 msec decrypt and verify vsh package elapsed = 360 msec write vsh package elapsed = 17267 msec compare vsh package elapsed = 529 msec Update VSH's package : 16/21 read vsh package (9199234 bytes) elapsed = 583 msec decrypt and verify vsh package elapsed = 407 msec write vsh package elapsed = 23189 msec compare vsh package elapsed = 689 msec Update VSH's package : 17/21 read vsh package (7260896 bytes) elapsed = 466 msec decrypt and verify vsh package elapsed = 286 msec write vsh package elapsed = 14751 msec compare vsh package elapsed = 689 msec Update VSH's package : 18/21 read vsh package (6563380 bytes) elapsed = 422 msec decrypt and verify vsh package elapsed = 155 msec write vsh package elapsed = 1906 msec compare vsh package elapsed = 357 msec Update VSH's package : 19/21 read vsh package (6092245 bytes) elapsed = 373 msec decrypt and verify vsh package elapsed = 227 msec write vsh package elapsed = 1457 msec compare vsh package elapsed = 405 msec Update VSH's package : 20/21 read vsh package (9859067 bytes) elapsed = 590 msec decrypt and verify vsh package elapsed = 238 msec write vsh package elapsed = 2187 msec compare vsh package elapsed = 498 msec Update VSH's package : 21/21 read vsh package (6492084 bytes) elapsed = 419 msec decrypt and verify vsh package elapsed = 321 msec write vsh package elapsed = 17509 msec compare vsh package elapsed = 674 msec Update VSH Package done(0x8002f000) |
dev_flash_000.tar.aa.* files from PUP are unpkg'ed to dev_flash | |
Bul-ray Disc Player Revoke read bdp revoke package (1904 bytes) elapsed = 23 msec decrypt and verify bdp revoke package elapsed = 29 msec write bdp revoke package elapsed = 2240 msec compare bdprevoke package elapsed = 57 msec Bul-ray Disc Player Revoke done(0x8002f000) |
dev_flash3_024.tar.aa.* files from PUP are unpkg'ed to dev_flash3 | |
Update Program Revoke list read program revoke list package (704 bytes) elapsed = 7 msec update program revoke list elapsed = 331 msec Update Program Revoke list done(0x8002f000) |
RL_FOR_PROGRAM.img from PUP is copied to trvk_prg | |
move_2block_status_into_the_region(): region id = 3 rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000 rewrite region done (ret = 0x8002f000) rewrite region elapsed time = 1262 msec touch_1st_sector_in_block() region id = 0x3, start_lba = 0x0, end_lba = 0x4000 touch_1st_sector() done (ret = 0x8002f000) touch_1st_sector() elapsed time = 1121 msec rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000 rewrite region done (ret = 0x8002f000) rewrite region elapsed time = 1262 msec |
||
Update BD firmware read BD firmware package (1966992 bytes) elapsed = 142 msec update BD firmware elapsed = 184 msec read BD firmware package (951040 bytes) elapsed = 78 msec update BD firmware elapsed = 142 msec read BD firmware package (951040 bytes) elapsed = 80 msec update BD firmware elapsed = 13959 msec Update BD firmware done(0x8002f000) |
Appropiate BD firmware for that Bluray Drive is flashed to BD eeprom | |
Update Multi-Card controller firmware read MCC package (28636 bytes) elapsed = 25 msec update MCC elapsed = 24 msec Update Multi-Card controller firmware done(0x8002f000) |
If SKU with MultiCardReader then Multi-Card controller firmware is flashed to SST 1mbit Flash | |
Update BlueTooth firmware read BT package (639368 bytes) elapsed = 62 msec update BT elapsed = 56 msec Update BlueTooth firmware done(0x8002f000) |
Bluetooth NOR flash is updated with | |
Update System controller firmware read SC patch package (4864 bytes) elapsed = 24 msec read SC patch package (4864 bytes) elapsed = 24 msec read SC patch package (4864 bytes) elapsed = 23 msec Update System controller firmware done(0x8002f000) |
Syscon Hardware is updated with appropiate System controller firmware | |
update package elapsed time = 228361 msec |
||
post processiong... post processiong done cleanup update status (ret = 0) |
||
os version = 03.1500 build_version = 38031,20091206 |
||
region of core os package = 0x40000000 |
||
build_target = CEX-ww build target id = 0x83 |
||
manufacturing updating SUCCESS(0x8002f000) |
||
set product mode (ret = 0) |
||
Total Elapsed time = 230556 msec |
old crossgrading Retail/CEX to Debug/DEX
Note
For this to work your system must be below or at 1.80 for the 1.80 debug update and below or on 2.01 for the 2.15 debug update. Just use the next version up from your current firmware version for the retail update.
It's not very usefull, esp. nowadays, added for historic reasons
How to install debug firmware on retail PS3
Tools needed
- 1 PS3 system
- 2 PS3 hard drives that are the same size
- 1 retail firmware upgrade
- 1.80 Or 2.15 debug firmware
Instructions
- Format both hard drives on the PS3 system.
- Download a debug PS3 firmware and place it in USB stick, and start the update. This will copy all the debug firmware files to the PS3's HDD-A.
- After copied the PS3 will restart and you will see the normal update menu which prompts you to click the button to start update. Do NOT update your PS3, but power it off.
- Next remove the HDD-A, and place in the second HDD, HDD-B in the PS3.
- Download and copy a retail PS3 firmware to a USB stick.
- Again as before place USB in PS3 and update the PS3 as normal but when you get to the screen where it asks for you to press button, do that but stop when it asks you to AGREE to Terms and Condition Page.
- While the system is still powered on and on the update screen, REMOVE HDD-B, and insert HDD-A.
- After swapping the HDD's continuie to update the PS3 as normal and the PS3 will install the debug PS3 firmware=
- Go to the settings and check firmware version and there you will also see the debugging PS3 options :)
Ancient preproduction / prototype
CEB-201x, DEH-R1030 etc. old SDKs contain these binairy files in \cell\target\bootrom, while knowledge about previous version existance can be revealed by the documentation in \cell\info\old\XXX
ebootrom structure
Header
Offset | Length | Type | Information |
---|---|---|---|
0x0 | 0x4 | unsigned long | Unknown |
0x4 | 0x4 | unsigned long | File Count |
0x8 | 0x8 | unsigned long | File Length |
0x10 | 0x30 * File Count | File Table | File Table |
File Table
The file table consists of a number of file entries determined by File Count, with the format below:
Offset | Length | Type | Information |
---|---|---|---|
0x0 | 0x8 | unsigned long | Data Offset |
0x10 | 0x8 | unsigned long | Data Length |
0x20 | 0x20 | unsigned long | Data FileName (see below) |
Filename IDs
File Entry ID | Filename |
---|---|
0x1 | sdk_version |
0x2 | version.txt |
0x3 | ros (CORE_OS_PACKAGE.pkg) |
0x4 | trvk_prg |
0x5 | trvk_pkg |
0x6 | nand_update |
0x7 | bdit_firmware |
0x8 | bdpt_301r_firmware |
0x9 | bdpt_303r_firmware |
bdit_firmware / bdpt_301r_firmware / bdpt_303r_firmware / nand_update / ros / trvk_pkg / trvk_prg
Header
Offset | Length | Type | Information |
---|---|---|---|
0x0 | 0x4 | unsigned long | Unknown |
0x4 | 0x4 | unsigned long | File Count |
0x8 | 0x8 | unsigned long | File Length |
0x10 | 0x30 * File Count | File Table | File Table |
File Table
The file table consists of a number of file entries determined by File Count, with the format below:
Offset | Length | Type | Information |
---|---|---|---|
0x0 | 0x8 | unsigned long | Data Offset |
0x10 | 0x8 | unsigned long | Data Length |
0x20 | 0x20 | unsigned long | DataName
|
0x40 | Data Length | unsigned long | SCE signed package data |
CORE_OS_PACKAGE.pkg
File Entry ID | Filename |
---|---|
aim_spu_module.self | |
appldr | |
creserved_0 | |
default.spp | |
isoldr | |
lv0 | |
lv1.self | |
lv1ldr | |
lv2_kernel.self | |
lv2ldr | |
mc_iso_spu_module.self | |
me_iso_spu_module.self | |
sb_iso_spu_module.self | |
sc_iso.self | |
sdk_version | |
spp_verifier.self | |
spu_pkg_rvk_verifier.self | |
spu_token_processor.self | |
sv_iso_spu_module.self |
known updates
0.2 ebootrom
0.3 ebootrom
0.60 ebootrom
0.60: lv0 contains string : 'Sony CXD9823 NAND Controller'
Boot Loader SE Version 0.6 2006-01-31_13:53:04
0.80 ebootrom
key: rev 0x00
0.84 ebootrom
0.84: lv0 doesnt contain previous mentioned string
from decrypted lv0 0.84: Boot Loader SE Version 0.8.4 (Build ID: 822,8517, Build Data: 2006-05-16_17:50:21)
0.85 ebootrom
0.90 ebootrom
0.92 ebootrom
key: rev 0x01 + NP rev 0x01
0.93 ebootrom
0.94 ebootrom
0.95 PUP
0.95: PS3UPDAT.PUP format was implemented since 0.95