Talk:Playstation Update Package (PUP)

From PS3 Developer wiki
Revision as of 19:33, 4 July 2020 by CelesteBlue (talk | contribs) (Reverted edits by Ziom1309 (talk) to last revision by CelesteBlue)
Jump to navigation Jump to search

Changelogs

Wikipedia is removing firmware changelogs, last complete version:

PSVita: https://en.wikipedia.org/w/index.php?title=PlayStation_Vita_system_software&oldid=668447442

PSP: https://en.wikipedia.org/w/index.php?title=PlayStation_Portable_system_software&oldid=672507694

PS3 talk

What is the part that defines, what firmware it really is?. I mean, for firmwares below 3.55 we have all the keys so whe can forge any PUP and make it appear as a +3.55, that would be a way to downgrade, without the need of a dongle and recovery mode.

I know there are version strings in pupheader, version.txt, info0, and in vsh.self.. but what is missing? What isn´t correctly set in mfw to make it pass the checks of a legit +3.55 fw?.

We are using recovery mode to downgrade because we haven´t found a way to create a legit +3.55.

Unpacking a Playstation Update Package

Unpack the PUP

Dots.txt
license.xml
ps3swu.self
ps3swu2.self
spkg_hdr.tar
Update_Files.tar
update_flags.txt
Version.txt
VSH.tar

Untar the Update_Files.tar

BDIT_FIRMWARE_PACKAGE.pkg
BDPT_FIRMWARE_PACKAGE_301R.pkg
BDPT_FIRMWARE_PACKAGE_302R.pkg
BDPT_FIRMWARE_PACKAGE_303R.pkg
BDPT_FIRMWARE_PACKAGE_304R.pkg
BDPT_FIRMWARE_PACKAGE_306R.pkg
BDPT_FIRMWARE_PACKAGE_308R.pkg
BDPT_FIRMWARE_PACKAGE_310R.pkg
BDPT_FIRMWARE_PACKAGE_312R.pkg
BDPT_FIRMWARE_PACKAGE_314R.pkg
BDPT_FIRMWARE_PACKAGE_316R.pkg
BLUETOOTH_FIRMWARE.pkg
CORE_OS_PACKAGE.pkg
dev_flash3_023.tar.aa.2013_06_20_055817
dev_flash_000.tar.aa.2013_06_20_055817
dev_flash_001.tar.aa.2013_06_20_055817
dev_flash_002.tar.aa.2013_06_20_055817
dev_flash_003.tar.aa.2013_06_20_055817
dev_flash_004.tar.aa.2013_06_20_055817
dev_flash_005.tar.aa.2013_06_20_051337
dev_flash_006.tar.aa.2013_06_20_051337
dev_flash_007.tar.aa.2013_06_20_051337
dev_flash_008.tar.aa.2013_06_20_051337
dev_flash_009.tar.aa.2013_06_20_051337
dev_flash_010.tar.aa.2013_06_20_051337
dev_flash_011.tar.aa.2013_06_20_051337
dev_flash_012.tar.aa.2013_06_20_051337
dev_flash_013.tar.aa.2013_06_20_051337
dev_flash_014.tar.aa.2013_06_20_051337
dev_flash_015.tar.aa.2013_06_20_051337
dev_flash_016.tar.aa.2013_06_20_051337
dev_flash_017.tar.aa.2013_06_20_051337
dev_flash_018.tar.aa.2013_06_20_051337
dev_flash_019.tar.aa.2013_06_20_051337
dev_flash_020.tar.aa.2013_06_20_051337
dev_flash_021.tar.aa.2013_06_20_051337
dev_flash_022.tar.aa.2013_06_20_055817
MULTI_CARD_FIRMWARE.pkg
RL_FOR_PACKAGE.img
RL_FOR_PROGRAM.img
SYS_CON_FIRMWARE_01000006.pkg
SYS_CON_FIRMWARE_01010303.pkg
SYS_CON_FIRMWARE_01020302.pkg
SYS_CON_FIRMWARE_01030302.pkg
SYS_CON_FIRMWARE_01040402.pkg
SYS_CON_FIRMWARE_01050002.pkg
SYS_CON_FIRMWARE_01050101.pkg
SYS_CON_FIRMWARE_S1_00010002083E0832.pkg
UPL.xml.pkg

unpkg CORE_OS_PACKAGE.pkg

content
info0
info1
cosunpkg content from CORE_OS_PACKAGE.pkg
aim_spu_module.self
appldr
creserved_0
default.spp
emer_init.self
eurus_fw.bin
hdd_copy.self
isoldr
lv0
lv1.self
lv1ldr
lv2ldr
lv2_kernel.self
manu_info_spu_module.self
mc_iso_spu_module.self
me_iso_spu_module.self
sb_iso_spu_module.self
sc_iso.self
sdk_version
spp_verifier.self
spu_pkg_rvk_verifier.self
spu_token_processor.self
spu_utoken_processor.self
sv_iso_spu_module.self
unself the self's

...

unpkg dev_flash*

content
info0
info1
untar dev_flash* content

...

3.55 example

PSUPDATE.PUP
├── dots.txt
├── license.txt
├── ps3swu.self 
├── update_files.tar
│   ├── BDIT_FIRMWARE_PACKAGE.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_301R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_302R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_303R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_304R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_306R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BDPT_FIRMWARE_PACKAGE_308R.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── BLUETOOTH_FIRMWARE.pkg
│   │   ├── content
│   │   │   ├── RC29_firmware_footer.dfu
│   │   │   ├── usb8780-5.0.1-A1-A2.dfu
│   │   │   └── usb8781-20.0.12.0.dfu
│   │   ├── info0
│   │   └── info1
│   ├── CORE_OS_PACKAGE.pkg
│   │   ├── aim_spu_module.self
│   │   ├── appldr
│   │   ├── creserved_0
│   │   ├── default.spp
│   │   ├── emer_init.self
│   │   ├── eurus_fw.bin
│   │   ├── hdd_copy.self
│   │   ├── isoldr
│   │   ├── lv0
│   │   ├── lv1ldr
│   │   ├── lv1.self
│   │   ├── lv2_kernel.self
│   │   ├── lv2ldr
│   │   ├── manu_info_spu_module.self
│   │   ├── mc_iso_spu_module.self
│   │   ├── me_iso_spu_module.self
│   │   ├── sb_iso_spu_module.self
│   │   ├── sc_iso.self
│   │   ├── sdk_version
│   │   ├── spp_verifier.self
│   │   ├── spu_pkg_rvk_verifier.self
│   │   ├── spu_token_processor.self
│   │   ├── spu_utoken_processor.self
│   │   └── sv_iso_spu_module.self
│   ├── dev_flash_XXX.tar.aa.DATE/TIME
│   ├── dev_flash3_XXX.tar.aa.DATE/TIME
│   ├── MULTI_CARD_FIRMWARE.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── RL_FOR_PACKAGE.img
│   ├── RL_FOR_PROGRAM.img
│   ├── SYS_CON_FIRMWARE_01000006.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01010303.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01020302
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01030302.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01040402.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01050002.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_01050101.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   ├── SYS_CON_FIRMWARE_S1_00010002083E0832.pkg
│   │   ├── content
│   │   ├── info0
│   │   └── info1
│   └── UPL.xml.pkg
│       ├── content
│       ├── info0
│       └── info1
├── update_flags.txt
├── version.txt
└── vsh.tar
    └──a

Adding new keys to older firmwares

patch the loaders
add keys to appldr keys index & tables
there are also npdrm keys inside appldr as well, add the 3.56++ ones
appldr,. lv2.self and game_ext_plugin need patching for new games support
vsh.self maybe too

Creating a MFW? (3.41/3.55 with 3.56 keys)


Proof of concept with added keys to appldr (and none of the other mentioned files above) : appldr 3.55 add 3.56/3.60 keys

Using fake upgrade to get lowest firmware version info

PS3 MinVerChk PUP on USB

http://ps3devwiki.com/files/firmware/MFW-CEX/MinVerCheck/ // MinVerChk.rar (1.28 KB) / mirror --- mirror 2 

CRC-16: 9A11
CRC-32 (Ethernet and PKZIP): 50EE9A92
SHA-1: 1B60E0ADE8E698D9796AA78B7AD54B10E05A9B0B
MD-5: BB39828156BC7DF144E4D06D81C801AB
  1. Unrar and copy this MinVerChk PUP to your USB stick (/PS3/UPDATE/PS3UPDAT.PUP), the same way as if it was an firmware upgrade.
  2. Insert the USB stick into the PS3.
  3. Start a firmware update like normal from XMB (Don’t worry, it will not update!)
  4. It will shortly fail and display the Firmware Base Value

Note: console needs to run at least FW 2.50? (2.30 didn't work); This only works when the minimum update version is 1.00, otherwise any minimum value lower than 1.00 reports as 1.00 using this method. DECR-1000 (0.08), DEH-H1000A-E (??0.92??), DEH-H1001-D (??0.92??), DECHA00A (??0.92??) are effectively affected by this.

  • PS3 MinVerChk on the CECHC04

    PS3 MinVerChk on the CECHC04

  • PS3 MinVerChk on the CECHG04

    PS3 MinVerChk on the CECHG04

Hashes

Version MD5 SHA1 CRC32 CRC16 HMAC_SHA1
0 file (do not use) MD5::1f5039e50bd66b290c56684d8550c6c2 SHA1::7b91dbdc56c5781edf6c8847b4aa6965566c5c75 CRC32::2A0E7DBB CRC16::0 HMAC_SHA1::
3.41 RETAIL/CEX PSJB MD5::6f1ef9144c43c9a6f00f7ee7464a6689 SHA1::f3c19e06c0e7b8cc550bb3244f5f88356173fa6d CRC32::8A1E7548 CRC16::7FFC HMAC_SHA1::9F7001A6A93AE03A61ED7CFB7156A68DF0740708


PS3UPDAT.SHA

Some BluRay-Movie Discs contain firmware updates for the Playstation 3 Console. Inside the /PS3/UPDATE folder can be a file called "PS3UPDAT.SHA".

example

This is an example from the movie "Priest" with 3.50 firmware

0x002F070 - 0x002F8CF 
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  61 7F 7F 6B 07 07 07 0B 00 00 00 00 00 00 00 00  a..k............
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  B8 19 86 1F 75 D5 08 82 14 2C BE C8 AF 54 B0 00  ....u....,...T..
00000030  12 BC 04 9D 00 00 00 00 00 00 00 00 00 00 00 00  ................

structure

Address Size Value Description Observations
0x0 0x8 61 7F 7F 6B 07 07 07 0B Unknown
0x8 0x18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Padding
0x20 0x14 B8 19 86 1F 75 D5 08 82 14 2C BE C8 AF 54 B0 00 12 BC 04 9D SHA1 hash of PS3UPDAT.PUP
0x34 0xC 00 00 00 00 00 00 00 00 00 00 00 00 Padding
Rest Rest Rest Encrypted Data


Repositories

stoker25 - specialises in debug/DEX and DECR/TOOL firmwares (self hosted)

Remark @ Installation

ps3d storage region 3 on the internal harddisk (ps3dc) is used by the PS3 as temp for installing updates. When installing PUP files, the PUP content gets unpacked there, checked - the system flags the update bit and prompts for reboot. After reboot it sees the update bit set and installs the files from ps3dc without rechecking (!) -> possible attack vector for circumventing checks, like down-/crossgrading). edit-note: doesn't seem to be true, it is still checked.

ps3d - 4 possible regions : 

ps3da : whole disk
  ps3db : UFS2 : GameOS
  ps3dc : FAT (2GB) : Update
  ps3dd : EXT3 : OtherOS (in the <=3.15 way)


No applicable data found - technical pov

Reasons why the playstation updating process does not recognize a pup.

  • 2) update_files.tar
    • unable to open PUP (rb)
    • unable to read first 0x30 Bytes (header)
    • unable to read further 0x20 Bytes sized segment_table (aka file tables)
    • unable to find core os package.pkg inside update_files.tar
  • 3) Unable to open Storage Region 1/2 on HDD.
  • 4) No Media present. (no success when fstat)

Sample Logs normal installation

http://pastie.org/10059999 

cellFsUtilMount: /dev_hdd0
Configuration read. bd_video_region=0,dvd_video_region=0
spoof_version = 0000, spoof_revision = 0
BDemulator: disabled
real disc type = ff71
effective disc type = ff71, fake disc type = 0
probe hdd
(v)HDD found.
probe hdd done
vflash is enabled. search system region.
search system region
device_id = 0x101000000000007, system_region_id = 0x1
ACL[0]: LAID = 0x1070000001000001 : ACL =0xb
system region found(mode = 0).
search system region done.
search flash regions
cellFsUtilMount: /dev_flash
/dev_flash is clean.
[(v)flash]
        info.vendor_id = 0x0
        info.device_id = 0x0
        info.sector_size = 0x200
        info.media_count = 0x1
        info.capacity = 0x80000
[device_id = 0x100000200000001]
        info.capacity = 0x63e00
flash region 0x2 found.
expected: start sectors = 0x7800, n_sectors = 0x63e00
start sector = 0x7800.
start sector is correct
region size is correct
[device_id = 0x100000300000001]
        info.capacity = 0x8000
flash region 0x3 found.
expected: start sectors = 0x6b600, n_sectors = 0x8000
start sector = 0x6b600.
[device_id = 0x100000400000001]
        info.capacity = 0x400
flash region 0x4 found.
expected: start sectors = 0x73600, n_sectors = 0x400
start sector = 0x73600.
[device_id = 0x100000500000001]
        info.capacity = 0x2000
flash region 0x5 found.
expected: start sectors = 0x73a00, n_sectors = 0x2000
start sector = 0x73a00.
found all flash regions.
search normal region
normal region 1 found.
search normal region done.
normal region 2 found.
Storage event: 7  0  10300000000000a
Storage event: 3  0  10300000000000a
search update package
seach update package in GAME disc
Disc auth: 5004 29 (process: 01000200_main_mer_init.self)
set drive policy success
profile = 0xff71
umount BDVD
umount /dev_bdvd failure = 0x80010002
mount BDVD
cellFsUtilMount: /dev_bdvd
mount /dev_bdvd success
/dev_bdvd/PS3_UPDATE/PS3UPDAT.PUP found
verify /dev_bdvd/PS3_UPDATE/PS3UPDAT.PUP
Initializing
taking a while...
start Updating Proccess
Initialize elapsed time = 3325 msec
check UPL
Check UPL elapsed time = 79 msec
check Package Size
get package size elapsed time = 25 msec
start Verifying Package only
update package elapsed time = 1731 msec
Updating or Verifying failure 0x8002f169
USB storage: id = 0x10300000000000a
        lun = 0x0
        info.capacity = 0xffffffffe8df8800
lun = 0x0, dev_index = 0xa
index = 0x0, pkg_index = 0x2
mount USB storage 0
mp_name = /dev_usb000
umount /dev_usb000 failure = 0x80010002
mount USB storage 0(LUN=0x0)
dev_name = CELL_FS_IOS:USB_MASS_STORAGE000, mp_name = /dev_usb000
cellFsUtilMount: /dev_usb000
mount /dev_usb000 success
/dev_usb000/PS3/UPDATE/PS3UPDAT.PUP found
verify /dev_usb000/PS3/UPDATE/PS3UPDAT.PUP
Storage event: 4  0  101000000000006
Disc removed.
Storage event: 8  0  101000000000006
Initialize elapsed time = 547 msec
Check UPL elapsed time = 148 msec
get package size elapsed time = 17 msec
update package elapsed time = 18979 msec
post processiong...
post processiong done
search update package done
not to be skipped formatting system region.
re-use old partitions.
re-use old flash partitions.
cellFsUtilMount: /dev_hdd1
setup environment for ps3updater
mount game cache
mount game cache success
mkdir /dev_hdd1/PS3UPDATE success
mkdir /dev_hdd1/PS3UPDATE/vsh success
mkdir /dev_hdd1/PS3UPDATE/vsh/etc success
mkdir /dev_hdd1/PS3UPDATE/data success
mkdir /dev_hdd1/PS3UPDATE/data/font success
Initialize elapsed time = 582 msec
Check UPL elapsed time = 160 msec
update package elapsed time = 20137 msec
copy /dev_usb000/PS3/UPDATE/PS3UPDAT.PUP to /dev_hdd1/PS3UPDATE/PS3UPDAT.PUP
copy id = 0x100, dst = /dev_hdd1/PS3UPDATE/ps3version.txt
copy id = 0x601, dst = /dev_hdd1/PS3UPDATE/ps3swu.self
extarct id = 0x201, dst = /dev_hdd1/PS3UPDATE
segment = 0x300, offset = 0x56f5b0, size = 0xc0e4c00
file_num = 51
required patch_name : /BDIT_FIRMWARE_PACKAGE.pkg.spkg_hdr.1
segment = 0x501, offset = 0xc6541b0, size = 0x14000
file_num = 49
patch found: offset = 0xc6543b0, size = 0x280
required patch_name : /BDPT_FIRMWARE_PACKAGE_301R.pkg.spkg_hdr.1
patch found: offset = 0xc6549b0, size = 0x280
required patch_name : /BDPT_FIRMWARE_PACKAGE_302R.pkg.spkg_hdr.1
patch found: offset = 0xc654fb0, size = 0x280
required patch_name : /BDPT_FIRMWARE_PACKAGE_303R.pkg.spkg_hdr.1
patch found: offset = 0xc6555b0, size = 0x280
required patch_name : /BDPT_FIRMWARE_PACKAGE_304R.pkg.spkg_hdr.1
patch found: offset = 0xc655bb0, size = 0x280
required patch_name : /BDPT_FIRMWARE_PACKAGE_306R.pkg.spkg_hdr.1
patch found: offset = 0xc6561b0, size = 0x280
required patch_name : /BDPT_FIRMWARE_PACKAGE_308R.pkg.spkg_hdr.1
patch found: offset = 0xc6567b0, size = 0x280
required patch_name : /BDPT_FIRMWARE_PACKAGE_310R.pkg.spkg_hdr.1
patch found: offset = 0xc656db0, size = 0x280
required patch_name : /BDPT_FIRMWARE_PACKAGE_312R.pkg.spkg_hdr.1
patch found: offset = 0xc6573b0, size = 0x280
required patch_name : /BDPT_FIRMWARE_PACKAGE_314R.pkg.spkg_hdr.1
patch found: offset = 0xc6579b0, size = 0x280
required patch_name : /BDPT_FIRMWARE_PACKAGE_316R.pkg.spkg_hdr.1
patch found: offset = 0xc657fb0, size = 0x280
required patch_name : /BDPT_FIRMWARE_PACKAGE_318R.pkg.spkg_hdr.1
patch found: offset = 0xc6585b0, size = 0x280
required patch_name : /BLUETOOTH_FIRMWARE.pkg.spkg_hdr.1
patch found: offset = 0xc658bb0, size = 0x280
required patch_name : /CORE_OS_PACKAGE.pkg.spkg_hdr.1
patch found: offset = 0xc6591b0, size = 0x280
required patch_name : /MULTI_CARD_FIRMWARE.pkg.spkg_hdr.1
patch found: offset = 0xc6597b0, size = 0x280
required patch_name : /SYS_CON_FIRMWARE_01000006.pkg.spkg_hdr.1
patch found: offset = 0xc659db0, size = 0x280
required patch_name : /SYS_CON_FIRMWARE_01010303.pkg.spkg_hdr.1
patch found: offset = 0xc65a3b0, size = 0x280
required patch_name : /SYS_CON_FIRMWARE_01020302.pkg.spkg_hdr.1
patch found: offset = 0xc65a9b0, size = 0x280
required patch_name : /SYS_CON_FIRMWARE_01030302.pkg.spkg_hdr.1
patch found: offset = 0xc65afb0, size = 0x280
required patch_name : /SYS_CON_FIRMWARE_01040402.pkg.spkg_hdr.1
patch found: offset = 0xc65b5b0, size = 0x280
required patch_name : /SYS_CON_FIRMWARE_01050002.pkg.spkg_hdr.1
patch found: offset = 0xc65bbb0, size = 0x280
required patch_name : /SYS_CON_FIRMWARE_01050101.pkg.spkg_hdr.1
patch found: offset = 0xc65c1b0, size = 0x280
required patch_name : /SYS_CON_FIRMWARE_S1_00010002083E0832.pkg.spkg_hdr.1
patch found: offset = 0xc65c7b0, size = 0x280
required patch_name : /UPL.xml.pkg.spkg_hdr.1
patch found: offset = 0xc65cdb0, size = 0x280
required patch_name : /RL_FOR_PACKAGE.img.spkg_hdr.1
patch for /RL_FOR_PACKAGE.img not found. skipped
required patch_name : /RL_FOR_PROGRAM.img.spkg_hdr.1
patch for /RL_FOR_PROGRAM.img not found. skipped
required patch_name : /dev_flash3_024.tar.aa.2015_02_05_035051.spkg_hdr.1
patch found: offset = 0xc65d3b0, size = 0x280
required patch_name : /dev_flash_000.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc65d9b0, size = 0x280
required patch_name : /dev_flash_001.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc65dfb0, size = 0x280
dir_num = 1
dirname = /dev_flash/data/font/
dstname = /dev_hdd1/PS3UPDATE/data/font/
file_num = 20
filename = /dev_flash/data/font/SCE-PS3-RD-R-LATIN2.TTF, offset = 0400, size = 0xd67c
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-RD-R-LATIN2.TTF
filename = /dev_flash/data/font/SCE-PS3-RD-R-LATIN.TTF, offset = 0de00, size = 0x95f4
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-RD-R-LATIN.TTF
filename = /dev_flash/data/font/SCE-PS3-VR-R-LATIN2.TTF, offset = 017600, size = 0x218b0
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-VR-R-LATIN2.TTF
filename = /dev_flash/data/font/SCE-PS3-SR-R-LATIN2.TTF, offset = 039200, size = 0x12ee8
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-SR-R-LATIN2.TTF
filename = /dev_flash/data/font/SCE-PS3-MT-B-LATIN.TTF, offset = 04c400, size = 0x12184
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-MT-B-LATIN.TTF
filename = /dev_flash/data/font/SCE-PS3-RD-L-LATIN.TTF, offset = 05e800, size = 0x9714
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-RD-L-LATIN.TTF
filename = /dev_flash/data/font/SCE-PS3-YG-R-KOR.TTF, offset = 068200, size = 0x79728
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-YG-R-KOR.TTF
filename = /dev_flash/data/font/SCE-PS3-RD-I-LATIN.TTF, offset = 0e1c00, size = 0x9ea4
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-RD-I-LATIN.TTF
filename = /dev_flash/data/font/SCE-PS3-RD-BI-LATIN.TTF, offset = 0ebe00, size = 0x9c80
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-RD-BI-LATIN.TTF
filename = /dev_flash/data/font/SCE-PS3-RD-LI-LATIN.TTF, offset = 0f5e00, size = 0xa038
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-RD-LI-LATIN.TTF
filename = /dev_flash/data/font/SCE-PS3-NR-L-JPN.TTF, offset = 0100200, size = 0x2f0eb4
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-NR-L-JPN.TTF
filename = /dev_flash/data/font/SCE-PS3-CP-R-KANA.TTF, offset = 03f1400, size = 0xf27c
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-CP-R-KANA.TTF
filename = /dev_flash/data/font/SCE-PS3-MT-BI-LATIN.TTF, offset = 0400a00, size = 0x13128
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-MT-BI-LATIN.TTF
filename = /dev_flash/data/font/SCE-PS3-MT-I-LATIN.TTF, offset = 0413e00, size = 0x133d8
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-MT-I-LATIN.TTF
filename = /dev_flash/data/font/SCE-PS3-SR-R-EXT.TTF, offset = 0427400, size = 0x43450
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-SR-R-EXT.TTF
filename = /dev_flash/data/font/SCE-PS3-RD-L-LATIN2.TTF, offset = 046ac00, size = 0xd7fc
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-RD-L-LATIN2.TTF
filename = /dev_flash/data/font/SCE-PS3-SR-R-LATIN.TTF, offset = 0478600, size = 0xd1b0
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-SR-R-LATIN.TTF
filename = /dev_flash/data/font/SCE-PS3-NR-R-JPN.TTF, offset = 0485a00, size = 0x2f5c38
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-NR-R-JPN.TTF
filename = /dev_flash/data/font/SCE-PS3-YG-B-KOR.TTF, offset = 077ba00, size = 0x78ec8
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-YG-B-KOR.TTF
filename = /dev_flash/data/font/SCE-PS3-NR-R-EXT.TTF, offset = 07f4c00, size = 0x443b8
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-NR-R-EXT.TTF
required patch_name : /dev_flash_002.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc65e5b0, size = 0x280
dir_num = 0
file_num = 3
filename = /dev_flash/data/font/SCE-PS3-SR-R-JPN.TTF, offset = 0200, size = 0x47380c
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-SR-R-JPN.TTF
filename = /dev_flash/data/font/SCE-PS3-NR-B-JPN.TTF, offset = 0473e00, size = 0x2d9724
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-NR-B-JPN.TTF
filename = /dev_flash/data/font/SCE-PS3-MT-R-LATIN.TTF, offset = 074d800, size = 0x1202c
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-MT-R-LATIN.TTF
required patch_name : /dev_flash_003.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc65ebb0, size = 0x280
dirname = /dev_flash/data/font/SONY-CC/
dstname = /dev_hdd1/PS3UPDATE/data/font/SONY-CC/
file_num = 12
filename = /dev_flash/data/font/SCE-PS3-DH-R-CGB.TTF, offset = 0200, size = 0x7d8884
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-DH-R-CGB.TTF
filename = /dev_flash/data/font/SCE-PS3-RD-B-LATIN2.TTF, offset = 07d8e00, size = 0xd328
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-RD-B-LATIN2.TTF
filename = /dev_flash/data/font/SCE-PS3-YG-L-KOR.TTF, offset = 07e6400, size = 0x78f68
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-YG-L-KOR.TTF
filename = /dev_flash/data/font/SCE-PS3-RD-B-LATIN.TTF, offset = 085f600, size = 0x9430
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-RD-B-LATIN.TTF
filename = /dev_flash/data/font/SCE-PS3-VR-R-LATIN.TTF, offset = 0868e00, size = 0x10344
dstname = /dev_hdd1/PS3UPDATE/data/font/SCE-PS3-VR-R-LATIN.TTF
filename = /dev_flash/data/font/SONY-CC/k006004ds.ttf, offset = 0879600, size = 0xeb94
dstname = /dev_hdd1/PS3UPDATE/data/font/SONY-CC/k006004ds.ttf
filename = /dev_flash/data/font/SONY-CC/e046323ts.ttf, offset = 0888400, size = 0xd960
dstname = /dev_hdd1/PS3UPDATE/data/font/SONY-CC/e046323ts.ttf
filename = /dev_flash/data/font/SONY-CC/c041056ts.ttf, offset = 0896000, size = 0x116dc
dstname = /dev_hdd1/PS3UPDATE/data/font/SONY-CC/c041056ts.ttf
filename = /dev_flash/data/font/SONY-CC/n023055ms.ttf, offset = 08a7a00, size = 0xb38c
dstname = /dev_hdd1/PS3UPDATE/data/font/SONY-CC/n023055ms.ttf
filename = /dev_flash/data/font/SONY-CC/e046323ms.ttf, offset = 08b3000, size = 0xc25c
dstname = /dev_hdd1/PS3UPDATE/data/font/SONY-CC/e046323ms.ttf
filename = /dev_flash/data/font/SONY-CC/n023055ts.ttf, offset = 08bf600, size = 0xc9c0
dstname = /dev_hdd1/PS3UPDATE/data/font/SONY-CC/n023055ts.ttf
filename = /dev_flash/data/font/SONY-CC/d013013ds.ttf, offset = 08cc200, size = 0x11174
dstname = /dev_hdd1/PS3UPDATE/data/font/SONY-CC/d013013ds.ttf
required patch_name : /dev_flash_004.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc65f1b0, size = 0x280
dir_num = 2
dirname = /dev_flash/vsh/etc/
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/
dirname = /dev_flash/vsh/etc/print/
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/print/
file_num = 11
filename = /dev_flash/vsh/etc/layout_factor_table_720.txt, offset = 0400, size = 0x1ff
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/layout_factor_table_720.txt
filename = /dev_flash/vsh/etc/layout_grid_table_720.txt, offset = 0800, size = 0x3fd5
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/layout_grid_table_720.txt
filename = /dev_flash/vsh/etc/layout_grid_table_1080.txt, offset = 04a00, size = 0x41f6
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/layout_grid_table_1080.txt
filename = /dev_flash/vsh/etc/index.dat, offset = 08e00, size = 0x4f0
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/index.dat
filename = /dev_flash/vsh/etc/layout_factor_table_272.txt, offset = 09600, size = 0x1dd
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/layout_factor_table_272.txt
filename = /dev_flash/vsh/etc/version.txt, offset = 09a00, size = 0x4ce
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/version.txt
filename = /dev_flash/vsh/etc/layout_grid_table_480.txt, offset = 0a200, size = 0x3dc9
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/layout_grid_table_480.txt
filename = /dev_flash/vsh/etc/print/epson.pmd, offset = 0e400, size = 0x7154
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/print/epson.pmd
filename = /dev_flash/vsh/etc/layout_grid_table_272.txt, offset = 015800, size = 0x3df7
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/layout_grid_table_272.txt
filename = /dev_flash/vsh/etc/layout_factor_table_480.txt, offset = 019800, size = 0x1dc
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/layout_factor_table_480.txt
filename = /dev_flash/vsh/etc/layout_factor_table_1080.txt, offset = 019c00, size = 0x1f2
dstname = /dev_hdd1/PS3UPDATE/vsh/etc/layout_factor_table_1080.txt
required patch_name : /dev_flash_005.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc65f7b0, size = 0x280
required patch_name : /dev_flash_006.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc65fdb0, size = 0x280
required patch_name : /dev_flash_007.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc6603b0, size = 0x280
required patch_name : /dev_flash_008.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc6609b0, size = 0x280
required patch_name : /dev_flash_009.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc660fb0, size = 0x280
required patch_name : /dev_flash_010.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc6615b0, size = 0x280
required patch_name : /dev_flash_011.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc661bb0, size = 0x280
required patch_name : /dev_flash_012.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc6621b0, size = 0x280
required patch_name : /dev_flash_013.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc6627b0, size = 0x280
required patch_name : /dev_flash_014.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc662db0, size = 0x280
required patch_name : /dev_flash_015.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc6633b0, size = 0x280
required patch_name : /dev_flash_016.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc6639b0, size = 0x280
required patch_name : /dev_flash_017.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc663fb0, size = 0x280
required patch_name : /dev_flash_018.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc6645b0, size = 0x280
required patch_name : /dev_flash_019.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc664bb0, size = 0x280
required patch_name : /dev_flash_020.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc6651b0, size = 0x280
required patch_name : /dev_flash_021.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc6657b0, size = 0x280
required patch_name : /dev_flash_022.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc665db0, size = 0x280
required patch_name : /dev_flash_023.tar.aa.2015_02_05_034359.spkg_hdr.1
patch found: offset = 0xc6663b0, size = 0x280
setup environment for ps3updater done.
umount game cache
umount game cache success
Unmount:: not call unset_storage_event_handler
UfsSysUinit2:not call ffs_uninitUnmount:: not call free

Prepare to shutdown .....Going to shutdown.
Stage 2 says hello (load base = 0x8000000000540000, end = 0x8000000000558330) (version = 0104700F)
OK

###
### Software update mode

mounting the builtin HDD1 : cellFsUtilMount: /dev_hdd1
PROCESS /dev_hdd1/PS3UPDATE/ps3swu.self (01000200) loaded
PROCESS /dev_hdd1/PS3UPDATE/ps3swu.self (01000200_main_ps3swu.self) (01000200) created from parent process:
creating the initial system process : OK
cellFsUtilMount: /dev_flash2
cellFsUtilMount: /dev_flash3
Registry: running in recovery mode
Registry initialization start:............ done
We are originally in region 82

other: http://pastie.org/pastes/10056453/text?key=utexzvyefmddeddktp3og

Factory Service Mode - Installation log breakdown

Explaination from rms: http://rmscrypt.wordpress.com/2011/02/01/the-downgrade-process/

Sample logs:

log Explaination Notes
manufacturing bit detection in Syscon eeprom, manufacturing mode enabled, looking for lv2_diag.self 
 manufacturing updating start
 lv2_diag.self initialised 
PackageName = /dev_usb000/PS3UPDAT.PUP
 PUP file used for FSM reinstall on USB root 
 settle polling interval success
 
 vflash is disabled...
 boot from nand flash...
 NAND system detected, vflash disabled 
 creating flash regions...
 create storage region: (region id = 2)
 format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
 create storage region: (region id = 3)
 format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
 create storage region: (region id = 4)
 format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
 create storage region: (region id = 5)
 create storage region: (region id = 6)
 creating FLASH regions 2, 3, 4, 5, 6 and formatting regions 2, 3, 4 
 Initializing
 taking a while...
 start Updating Proccess
 Initialize elapsed time = 61 msec
 Initializing + Start Updating Proccess 
 check UPL
 Check UPL elapsed time = 34 msec
 check Package Size
 get package size elapsed time = 8 msec
 start Updating Package
 Update packages num = 29
 Update packages total size = 160699026
 UPL.xml.pkg from PUP unpkg'ed and read 
 Update Package Revoke list
 read package revoke list package (576 bytes) elapsed = 6 msec
 update package revoke list elapsed = 331 msec
 Update Package Revoke list done(0x8002f000)
 RL_FOR_PACKAGE.img copied from PUP to trvk_pkg 
 Update Core OS Package
 read core os package (5193774 bytes) elapsed = 324 msec
 update core os package elapsed = 1965 msec
 Update Core OS Package done(0x8002f000)
 Core OS package (CORE_OS_PACKAGE.pkg) is unpkg'ed from PUP and written to ros 
 Update VSH Package
 sys_memory_container_create() success(id = 0xc0effffe)
 Update VSH's package : 1/21
 read vsh package (2070 bytes) elapsed = 8 msec
 decrypt and verify vsh package elapsed = 23 msec
 write vsh package elapsed = 9259 msec
 compare vsh package elapsed = 0 msec
 Update VSH's package : 2/21
 read vsh package (5616383 bytes) elapsed = 351 msec
 decrypt and verify vsh package elapsed = 341 msec
 write vsh package elapsed = 1725 msec
 compare vsh package elapsed = 402 msec
 Update VSH's package : 3/21
 read vsh package (3357780 bytes) elapsed = 214 msec
 decrypt and verify vsh package elapsed = 227 msec
 write vsh package elapsed = 2926 msec
 compare vsh package elapsed = 312 msec
 Update VSH's package : 4/21
 read vsh package (5240122 bytes) elapsed = 328 msec
 decrypt and verify vsh package elapsed = 309 msec
 write vsh package elapsed = 2776 msec
 compare vsh package elapsed = 399 msec
 Update VSH's package : 5/21
 read vsh package (24029 bytes) elapsed = 9 msec
 decrypt and verify vsh package elapsed = 24 msec
 write vsh package elapsed = 1185 msec
 compare vsh package elapsed = 9 msec
 Update VSH's package : 6/21
 read vsh package (9831317 bytes) elapsed = 599 msec
 decrypt and verify vsh package elapsed = 279 msec
 write vsh package elapsed = 11830 msec
 compare vsh package elapsed = 466 msec
 Update VSH's package : 7/21
 read vsh package (8662380 bytes) elapsed = 539 msec
 decrypt and verify vsh package elapsed = 272 msec
 write vsh package elapsed = 16532 msec
 compare vsh package elapsed = 474 msec
 Update VSH's package : 8/21
 read vsh package (8657372 bytes) elapsed = 541 msec
 decrypt and verify vsh package elapsed = 361 msec
 write vsh package elapsed = 5911 msec
 compare vsh package elapsed = 448 msec
 Update VSH's package : 9/21
 read vsh package (10445426 bytes) elapsed = 635 msec
 decrypt and verify vsh package elapsed = 255 msec
 write vsh package elapsed = 5408 msec
 compare vsh package elapsed = 467 msec
 Update VSH's package : 10/21
 read vsh package (10252830 bytes) elapsed = 641 msec
 decrypt and verify vsh package elapsed = 262 msec
 write vsh package elapsed = 8646 msec
 compare vsh package elapsed = 476 msec
 Update VSH's package : 11/21
 read vsh package (9922968 bytes) elapsed = 621 msec
 decrypt and verify vsh package elapsed = 252 msec
 write vsh package elapsed = 6950 msec
 compare vsh package elapsed = 467 msec
 Update VSH's package : 12/21
 read vsh package (8214459 bytes) elapsed = 505 msec
 decrypt and verify vsh package elapsed = 199 msec
 write vsh package elapsed = 5843 msec
 compare vsh package elapsed = 386 msec
 Update VSH's package : 13/21
 read vsh package (9428094 bytes) elapsed = 594 msec
 decrypt and verify vsh package elapsed = 244 msec
 write vsh package elapsed = 5238 msec
 compare vsh package elapsed = 442 msec
 Update VSH's package : 14/21
 read vsh package (7973335 bytes) elapsed = 498 msec
 decrypt and verify vsh package elapsed = 346 msec
 write vsh package elapsed = 13617 msec
 compare vsh package elapsed = 456 msec
 Update VSH's package : 15/21
 read vsh package (9766737 bytes) elapsed = 603 msec
 decrypt and verify vsh package elapsed = 360 msec
 write vsh package elapsed = 17267 msec
 compare vsh package elapsed = 529 msec
 Update VSH's package : 16/21
 read vsh package (9199234 bytes) elapsed = 583 msec
 decrypt and verify vsh package elapsed = 407 msec
 write vsh package elapsed = 23189 msec
 compare vsh package elapsed = 689 msec
 Update VSH's package : 17/21
 read vsh package (7260896 bytes) elapsed = 466 msec
 decrypt and verify vsh package elapsed = 286 msec
 write vsh package elapsed = 14751 msec
 compare vsh package elapsed = 689 msec
 Update VSH's package : 18/21
 read vsh package (6563380 bytes) elapsed = 422 msec
 decrypt and verify vsh package elapsed = 155 msec
 write vsh package elapsed = 1906 msec
 compare vsh package elapsed = 357 msec
 Update VSH's package : 19/21
 read vsh package (6092245 bytes) elapsed = 373 msec
 decrypt and verify vsh package elapsed = 227 msec
 write vsh package elapsed = 1457 msec
 compare vsh package elapsed = 405 msec
 Update VSH's package : 20/21
 read vsh package (9859067 bytes) elapsed = 590 msec
 decrypt and verify vsh package elapsed = 238 msec
 write vsh package elapsed = 2187 msec
 compare vsh package elapsed = 498 msec
 Update VSH's package : 21/21
 read vsh package (6492084 bytes) elapsed = 419 msec
 decrypt and verify vsh package elapsed = 321 msec
 write vsh package elapsed = 17509 msec
 compare vsh package elapsed = 674 msec
 Update VSH Package done(0x8002f000)
 dev_flash_000.tar.aa.* files from PUP are unpkg'ed to dev_flash 
 Bul-ray Disc Player Revoke
 read bdp revoke package (1904 bytes) elapsed = 23 msec
 decrypt and verify bdp revoke package elapsed = 29 msec
 write bdp revoke package elapsed = 2240 msec
 compare bdprevoke package elapsed = 57 msec
 Bul-ray Disc Player Revoke done(0x8002f000)
 dev_flash3_024.tar.aa.* files from PUP are unpkg'ed to dev_flash3 
 Update Program Revoke list
 read program revoke list package (704 bytes) elapsed = 7 msec
 update program revoke list elapsed = 331 msec
 Update Program Revoke list done(0x8002f000)
 RL_FOR_PROGRAM.img from PUP is copied to trvk_prg 
 move_2block_status_into_the_region(): region id = 3
 rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
 rewrite region done (ret = 0x8002f000)
 rewrite region elapsed time = 1262 msec
 touch_1st_sector_in_block() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
 touch_1st_sector() done (ret = 0x8002f000)
 touch_1st_sector() elapsed time = 1121 msec
 rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
 rewrite region done (ret = 0x8002f000)
 rewrite region elapsed time = 1262 msec
 
 Update BD firmware
 read BD firmware package (1966992 bytes) elapsed = 142 msec
 update BD firmware elapsed = 184 msec
 read BD firmware package (951040 bytes) elapsed = 78 msec
 update BD firmware elapsed = 142 msec
 read BD firmware package (951040 bytes) elapsed = 80 msec
 update BD firmware elapsed = 13959 msec
 Update BD firmware done(0x8002f000)
 Appropiate BD firmware for that Bluray Drive is flashed to BD eeprom 
 Update Multi-Card controller firmware
 read MCC package (28636 bytes) elapsed = 25 msec
 update MCC elapsed = 24 msec
 Update Multi-Card controller firmware done(0x8002f000)
 If SKU with MultiCardReader then Multi-Card controller firmware is flashed to SST 1mbit Flash 
 Update BlueTooth firmware
 read BT package (639368 bytes) elapsed = 62 msec
 update BT elapsed = 56 msec
 Update BlueTooth firmware done(0x8002f000)
 Bluetooth NOR flash is updated with

BlueTooth firmware 

 Update System controller firmware
 read SC patch package (4864 bytes) elapsed = 24 msec
 read SC patch package (4864 bytes) elapsed = 24 msec
 read SC patch package (4864 bytes) elapsed = 23 msec
 Update System controller firmware done(0x8002f000)
 Syscon Hardware is updated with appropiate System controller firmware 
 update package elapsed time = 228361 msec
 
 post processiong...
 post processiong done
 cleanup update status (ret = 0)
 
 os version = 03.1500
 build_version = 38031,20091206
 
 region of core os package = 0x40000000
 
 build_target = CEX-ww
 build target id = 0x83
 
 manufacturing updating SUCCESS(0x8002f000)
 
 set product mode (ret = 0)
 
 Total Elapsed time = 230556 msec

old crossgrading Retail/CEX to Debug/DEX

Note
For this to work your system must be below or at 1.80 for the 1.80 debug update and below or on 2.01 for the 2.15 debug update. Just use the next version up from your current firmware version for the retail update.

It's not very usefull, esp. nowadays, added for historic reasons

How to install debug firmware on retail PS3

old source: http://www.ps3hax.net/other-misc-tutorials/4808-tutorial-how-install-debug-firmware-retail-ps3-partially-hdd-swap-method.html

Tools needed

  • 1 PS3 system
  • 2 PS3 hard drives that are the same size
  • 1 retail firmware upgrade
  • 1.80 Or 2.15 debug firmware

Instructions

  1. Format both hard drives on the PS3 system.
  2. Download a debug PS3 firmware and place it in USB stick, and start the update. This will copy all the debug firmware files to the PS3's HDD-A.
  3. After copied the PS3 will restart and you will see the normal update menu which prompts you to click the button to start update. Do NOT update your PS3, but power it off.
  4. Next remove the HDD-A, and place in the second HDD, HDD-B in the PS3.
  5. Download and copy a retail PS3 firmware to a USB stick.
  6. Again as before place USB in PS3 and update the PS3 as normal but when you get to the screen where it asks for you to press button, do that but stop when it asks you to AGREE to Terms and Condition Page.
  7. While the system is still powered on and on the update screen, REMOVE HDD-B, and insert HDD-A.
  8. After swapping the HDD's continuie to update the PS3 as normal and the PS3 will install the debug PS3 firmware=
  9. Go to the settings and check firmware version and there you will also see the debugging PS3 options :)



Ancient preproduction / prototype

ceb decrypter (works on 0.50.004.r010, may work on others)

http://pastie.org/private/al9p0vkw3g0lgat2yeazw#4,11 

 CEB-201x, DEH-R1030 etc.
 
 old SDKs contain these binairy files in \cell\target\bootrom, 
 while knowledge about previous version existance can be revealed by the documentation in \cell\info\old\XXX

ebootrom structure

Header

Offset Length Type Information
0x0 0x4 unsigned long Unknown
0x4 0x4 unsigned long File Count
0x8 0x8 unsigned long File Length
0x10 0x30 * File Count File Table File Table

File Table

The file table consists of a number of file entries determined by File Count, with the format below:

Offset Length Type Information
0x0 0x8 unsigned long Data Offset
0x10 0x8 unsigned long Data Length
0x20 0x20 unsigned long Data FileName (see below)

Filename IDs

File Entry ID Filename
0x1 sdk_version
0x2 version.txt
0x3 ros (CORE_OS_PACKAGE.pkg)
0x4 trvk_prg
0x5 trvk_pkg
0x6 nand_update
0x7 bdit_firmware
0x8 bdpt_301r_firmware
0x9 bdpt_303r_firmware
bdit_firmware / bdpt_301r_firmware / bdpt_303r_firmware / nand_update / ros / trvk_pkg / trvk_prg
Header
Offset Length Type Information
0x0 0x4 unsigned long Unknown
0x4 0x4 unsigned long File Count
0x8 0x8 unsigned long File Length
0x10 0x30 * File Count File Table File Table
File Table

The file table consists of a number of file entries determined by File Count, with the format below:

Offset Length Type Information
0x0 0x8 unsigned long Data Offset
0x10 0x8 unsigned long Data Length
0x20 0x20 unsigned long DataName
  • bdit_firmware -> BDIT_FIRMWARE_PACKAGE.pkg
  • bdpt_301r_firmware -> BDPT_FIRMWARE_PACKAGE_301R.pkg
  • bdpt_303r_firmware -> BDPT_FIRMWARE_PACKAGE_303R.pkg
  • trvk_pkg -> RL_FOR_PACKAGE.img
  • trvk_prg -> RL_FOR_PROGRAM.img
  • ros -> CORE_OS_PACKAGE.pkg
  • nand_update -> NAND_UPDATE.pkg.[01]-[28]
0x40 Data Length unsigned long SCE signed package data
CORE_OS_PACKAGE.pkg
File Entry ID Filename
aim_spu_module.self
appldr
creserved_0
default.spp
isoldr
lv0
lv1.self
lv1ldr
lv2_kernel.self
lv2ldr
mc_iso_spu_module.self
me_iso_spu_module.self
rvkldr
sb_iso_spu_module.self
sc_iso.self
sdk_version
spp_verifier.self
spu_pkg_rvk_verifier.self
spu_token_processor.self
sv_iso_spu_module.self
sys_init_app.self
sys_init_ios.self
sysctl.txt

known updates

0.2 ebootrom

0.3 ebootrom

0.60 ebootrom

   0.60: lv0 contains string : 'Sony CXD9823 NAND Controller'
Boot Loader SE Version 0.6 2006-01-31_13:53:04
Boot Loader SE Version 0.5.2005-12-28_16:10:53

0.80 ebootrom

   key: rev 0x00

0.84 ebootrom

   0.84: lv0 doesnt contain previous mentioned string
from decrypted lv0 0.84: Boot Loader SE Version 0.8.4 (Build ID: 822,8517, Build Data: 2006-05-16_17:50:21)

0.85 ebootrom

0.90 ebootrom

0.90 PUP

   ? 0.90: PS3UPDAT.PUP format was implemented since 0.90 ?

0.92 ebootrom

   key: rev 0x01 + NP rev 0x01

0.93 ebootrom

0.94 ebootrom

0.95 PUP

0.96 PUP

100.002 ebootrom

from decrypted lv0: Boot Loader SE Version 1.0.0 (Build ID: 1643,16413, Build Data: 2006-10-05_16:32:34)

ebootrom.100.002.rar (51.29 MB)

Retrieved from "http://www.psdevwiki.com/ps3/index.php?title=Talk:Playstation_Update_Package_(PUP)&oldid=56551"