Downgrading with NOR flasher
3.7x Downgrade for PS3 Slim's with NOR
If your console has NAND and not NOR, look here : Downgrading with NAND flasher
V1 Dospiedra
Google translate
3.7x Downgrade for Slim's with normal fat and flash
11 minutes ago dospiedras1973 Mensajepor hello all, I got it at the end we have a downgrader for slim consoles this time is different than it has done with consoles fat, I've got the two flashers progskeet Teensy + + and Al nougat!
We need:
- fat or slim console with updated standards to 3.70 "DO NOT TRY TO ANOTHER VERSION"
- Solution to write and read the rules of the console (or flasher progskeet teensy + +)
- hxd program (which I use to edit hex)
- FlowRebuilder v.4.1.3.2
- a beer (Here it is important)
- Http://pastebin.com/yuvJ5Leh Downgrade.bin
First dumped our NOR flash, the file must accurately measure "16,777,216 bytes" neither more nor less Draw out several to be absolutely sure of what you do
cojemos the dump "example josejuan.bin"
and we have to introduce it in a file flowrebuilder to make it readable (bytereverse) the option is called bytereverse dump and extract rules
what we do and we will create a file but the extension ends in. bin.REV
open it with the hxd and took our personal data to the console EID, BOOTLOADER, CSID and METLDR no need to put any more
take them out as follows: choose for example in this case to stick our METLDR prepatched to downgrade the image attached to this tutorial
inside the folder where we put the flowrebuilder. rev also has created another folder called "nombredeldump.EXT" then there are our personal archives of our console and we need to introduce them to catch some pre-patched image that I have since opened the hxd and open the file and metldr downgrade.bin is inside the folder asecure_loader choose the tab on the hxd metldr and copy the entire contents into HEX and enter the downgrade.bin press control + 820 g write position is that of METLDR right-click on the first line of position 820 to give to "stick type" and so the same way we introduce others to enter the files are:
- METLDR: Position "810" size "E960"
- BOOTLOADER_0 Position "FC0000" size "40000"
- EID: Position "2F000" size "10000"
- CISD: Position "3F000" size "800"
then we take the downgrade.bin with saved changes and we put in the option flowrebuilder bytereverse dump and extract rules PROGRAM THIS TIME WE WILL GIVE AN ERROR but is a normal error, if error occurs is that okay done and you create a file named downgrade.bin.REV will be the file you have to enter in the console "flash"
if all went well to finish writing you kindle the console and will press the button or English ps ps push buttonNO NOTHING PULSEIS apagais the console and put it in factory service mode once this is done we need to the correct file system for the lv2diag of 3.55 jaicrab cfw without reader and a special
lv2diag: http://www.logic-sunrise.com/telechargement-225750-lv2diag-patche-par-jaicrab.html
cfw: http://pastebin.com/03MFDLGV
kindle the console with the stick with these two files on the usb device into the far right of the console and shut down one to 10 / 15 minutes, kindle the console without any usb connected to verify that you correctly leads to xmb If all went well apagais the console and you put your lv2diag FILE2 of this pack: http://pastebin.com/gGETcxMR
the console will turn on and 20 seconds will turn itself off and CONGRATULATIONS you have your console in functional kmeaw cfw 3.55 100% 100
Thanks:
- DiGiTaLAnGeL (Tester with progskeet)
- Glevand & mfw builder team (cfw)
- NDT (Assistant) is a very good person ;-)
- JaiCraB (lv2diag without reader)
- Robs1 (my guide with the normal flash)
- EussNL (his great support in the wiki that I use every day PS3DEVWIKI.COM)
- Defyboy (to create ps3devwiki)
- A whole channel # irc-hispano.org darkps3 for their support and many hours of testing we have hit bastards eh!
- DemonHades (because if you had not put the cover on your website with the lie that contastes on me, I had not met or uf6667 *DigitalAngel and these two helped me a lot)
and finally the people have asked me for a private place to donate paypal button, because here it is: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=QJN5EYNQJ6H62
greetings and set aside now will resume my work with the dual nand and dump 3.6x gives me so many problems jejej
certainly take the opportunity to put that I advise you not bring forth your console to a store called chipdress because two people will have been contacted to repair the destruction they did on their consoles those that store, BEWARE HE UPDATED THE POSITION THAT WAS WRONG METLDR BY POSITION
update 2 We have made an application to perform the process without using the HEX editor
transplante v1.rar (431.11 KB)
bytereversed you put your flash in donor and recipient downgrade.bin on ..
If at any time during the OS SALE DISPLAY RED (RSOD) PARAD PROCESS IMMEDIATELY BECAUSE I'M GOING TO GET A PROBLEM WITH THAT Downgrade fixeado V2
Original Spanish text
Downgrade 3.7x para Slim y fat's con nor flash
Mensajepor dospiedras1973 hace 11 minutos hola a todos , al final lo conseguí tenemos un downgrader para consolas slim esta vez es diferente de como se ha hecho con las consolas fat , yo lo he conseguido por los dos flashers Teensy ++ y progskeet , Al turron!
Necesitamos :
- consola slim o fat con nor actualizada a 3.70 "NO INTENTAR EN OTRA VERSIÓN"
- Solución para poder escribir y leer en la nor de la consola ( flasher teensy ++ o progskeet )
- programa hxd ( el que uso yo para editar archivos hex )
- FlowRebuilder v.4.1.3.2
- una cerveza fresca ( este punto es importante )
- Downgrade.bin http://pastebin.com/yuvJ5Leh
Primero dumpeamos nuestra nor con un flasher , el archivo tiene que medir exactamente "16.777.216 bytes" ni uno mas ni uno menos sacad varios para estar completamente seguros de lo que haceis
cojemos el dump "ejemplo josejuan.bin"
y tenemos que introducirlo en el flowrebuilder para volverlo un archivo legible ( bytereverse ) la opcion se llama bytereverse and extract nor dump
lo hacemos y nos creará un archivo PERO que la extensión termina en .bin.REV
lo abrimos con el hxd y sacamos nuestros datos personales de la consola EID, BOOTLOADER , CSID Y METLDR no hace falta poner ninguno más
los sacamos de la siguiente manera : elegimos por ejemplo en este caso meteremos nuestro METLDR a la imagen preparcheada para downgrade que adjunto en este tutorial
dentro de la carpeta donde el flowrebuilder nos ha puesto el .rev también nos ha creado otra carpeta llamada "nombredeldump.EXT" pues ahí están nuestros archivos personales de nuestra consola y hace falta coger algunos para introducirlos a la imagen pre parcheada que he puesto , pues abrimos el hxd y abrimos el downgrade.bin y el archivo metldr que está dentro de la carpeta asecure_loader elegimos la pestaña en el hxd del metldr y copiamos todo su contenido en HEX y para introducirlo en el downgrade.bin pulsamos control + g escribimos la posición 820 que es la del METLDR pulsamos boton derecho en la primera linea de la posición 820 y le damos a "pegar escribiendo" y así de la misma manera introducimos los demás , los archivos a introducir son los siguientes :
- METLDR : Posición "810" tamaño "E960"
- BOOTLOADER_0 Posición "FC0000" tamaño "40000"
- EID : Posición "2F000" tamaño "10000"
- cISD : Posición "3F000" tamaño "800"
luego cogemos el downgrade.bin con los cambios guardados y lo metemos en el flowrebuilder con la opción bytereverse and extract nor dump ESTA VEZ EL PROGRAMA NOS VA A DAR UN ERROR pero es un error normal es más , si da el error es que está bien hecho y os creará un archivo llamado downgrade.bin.REV que será el archivo que tenemos que introducir en la consola "flash"
si todo ha ido bien al terminar de escribir encendeis la consola y os saldrá presione el boton ps o en inglés push ps button NO PULSEIS NADA apagais la consola y la ponemos en factory service mode una vez hecho esto necesitamos poner el sistema de archivos correcto para 3.55 con el lv2diag de jaicrab sin lector y un cfw especial
lv2diag: http://www.logic-sunrise.com/telechargement-225750-lv2diag-patche-par-jaicrab.html
cfw : http://pastebin.com/03MFDLGV
encendeis la consola con el pendrive con esos dos archivos en el pendrive en el usb de la derecha del todo de la consola y se apagará sola a los 10 / 15 minutos , encendeis la consola sin ningun usb conectado para comprobar que os lleva al xmb correctamente , si todo ha ido bien apagais la consola y poneis el lv2diag FILE2 de este pack: http://pastebin.com/gGETcxMR
la consola se encenderá y a los 20 segundos se apagará sola y FELICIDADES ya tienes tu consola en 3.55 cfw kmeaw funcional 100%100
agradecimientos :
- DiGiTaLAnGeL (Tester con progskeet)
- Glevand & mfw builder team( cfw )
- NDT ( Ayudante ) Es muy buena persona ;-)
- JaiCraB ( lv2diag sin lector )
- Robs1 ( mi guia con las nor flash)
- EussNL (su gran apoyo en la wiki que utilizo todos los dias PS3DEVWIKI.COM)
- Defyboy (por crear ps3devwiki)
- A todo el canal #darkps3 de irc-hispano.org por sus apoyos y tantas horas de pruebas que nos hemos pegado eh cabrones!!!
- DemonHades ( gracias a que si no hubieras puesto la portada en tu web con la mentira que contastes sobre mí, no hubiera conocido a DigitalAngel ni a uf6667 y estos dos me han ayudado mucho )
y por ultimo la gente me ha pedido por privado que ponga un boton de paypal para donar , pues aqui lo teneis : https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=QJN5EYNQJ6H62
saludos y apartir de ahora reanudaré mi trabajo con la dual nand y ese dump de 3.6x que tantos problemas me da jejej
por cierto aprovecho para poner que os aconsejo que no lleveis vuestra consola a una tienda llamada chipdress , ya van dos personas se han puesto en contacto conmigo para reparar el destrozo que hicieron en sus consolas los de dicha tienda , BEWARE
HE ACTUALIZADO LA POSICION DEL METLDR POR QUE ESTABA MAL PUESTO
update 2 Hemos hecho una aplicación para realizar el proceso sin usar el editor HEX
transplante v1.rar (431.11 KB)
poneis vuestra flash bytereversed en donador y downgrade.bin en receptor ..
SI EN ALGUN MOMENTO DEL PROCESO OS SALE LA PANTALLA ROJA ( RSOD) PARAD INMEDIATAMENTE EL PROCESO YA QUE VOY A SACAR UN DOWNGRADE V2 CON ESE PROBLEMA FIXEADO
Source: http://www.elotrolado.net/hilo_downgrade-3-7x-para-slim-y-fat-s-con-nor-flash_1659475
V1a
New improved english guide based on this one: http://www.ps3hax.net/2011/08/noob-tutorial-how-to-downgradeflash-your-ps3-from-firmware-3-70-to-3-55-via-progskeetteensy-and-install-3-55-kmeaw-cfw/
V2 Dospiedra
Google translate
New method Downgrade v2 supports all NOR FLASH
Write a new method consisting of 6 patches, this time we will use to edit the dump hxd original of your PS3 (make backup)
steps:
first check if our standards Dump bytereversed, to start patching the original dump.bin file we must first ensure that the beginning of the flash at offset 200 is readable "IFI" if instead you see "FI.I "Your rules need to patch it bytereverse before (a and go back to him to put it in bytereverse the console to be read again" FI.I "when we patched the files and offset's a patch are these
patch1: OFFSET 0C0010 Patch2: OFFSET 7C0010 patch3: OFFSET 80000 patch4: OFFSET A0000 Patch5: OFFSET 40000 patch6: OFFSET 60000
easy, normal and cojemos the patch1 for example, copy content and paste it patch1 0C0010 writing and so the rest (the file size does not vary after the stripe)
the rest of the downgrade is the same as before, factory mode, and pup jaicrab lv2diag nochecks.pup of the previous release.
http://www.multiupload.com/ZJINMAKAEP
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=7QWF9TNAPVVY4
Original Spanish text
Downgrade v2 Nuevo metodo compatible con todas las NOR FLASH
Notapor TwoStone » Mié, 31 Ago 2011, 16:13 Escribo un nuevo metodo que consisten en 6 parches , esta vez vamos a usar hxd para editar el dump original de vuestra ps3 ( haced copia de seguridad )
pasos:
primero revisar si nuestra nor dumpeada está bytereversed , para poder empezar a parchear el archivo dump.bin original primero tenemos que asegurarnos que al principio de la flash en el offset 200 se pueda leer "IFI" si en vez de eso veis "FI.I" vuestra nor necesita bytereverse antes de parchearla ( ay que volver a hacerle bytereverse al meterla en la consola para que se pueda leer nuevamente "FI.I" cuando la tengamos parcheada los archivos y offset's a parchear son estos
patch1 : OFFSET 0C0010 patch2 : OFFSET 7C0010 patch3 : OFFSET 80000 patch4 : OFFSET A0000 patch5 : OFFSET 40000 patch6 : OFFSET 60000
es facil , cojemos la nor y el patch1 por ejemplo , copiamos el contenido de patch1 y lo pegamos escribiendo en 0C0010 y así con el resto , ( el tamaño del archivo no puede variar despues de los parcheos )
el resto del downgrade es igual que antes , factory mode , lv2diag de jaicrab y pup nochecks.pup del anterior release.
http://www.multiupload.com/ZJINMAKAEP
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=7QWF9TNAPVVY4
Source: http://darkconsoles.com/foro/viewtopic.php?f=7&t=16
NOR offsets used
| target area | patch no. | NOR Offset | Paste length | Remarks |
|---|---|---|---|---|
| ROS0 | patch1 (7 MB) | 0x0C0010 | 0x6FFFE0 | version string 3.55 |
| ROS1 | patch2 (7 MB) | 0x7C0010 | 0x6FFFE0 | same as patch1? |
| trvk_pkg0 | patch3 (128 KB) | 0x80000 | 0x20000 | |
| trvk_pkg1 | patch4 (128 KB) | 0xA0000 | 0x20000 | |
| trvk_prg0 | patch5 (128 KB) | 0x40000 | 0x20000 | |
| trvk_prg1 | patch6 (128 KB) | 0x60000 | 0x20000 |
V2a
Improved english guide by damox based on v2: http://blog.damox.net/?p=6
Simplyfied V2 downgrade
| Target area | Patchfile | NOR Offset | Paste length | Remarks |
|---|---|---|---|---|
| ROS0 | patch1 (7 MB) | 0x0C0010 | 0x6FFFE0 | version string 3.55 |
| ROS1 | patch1 (7 MB) | 0x7C0010 | 0x6FFFE0 | SAME as ros0 |
| trvk_prg0 (0x40000) trvk_prg1 (0x60000) trvk_pkg0 (0x80000) trvk_pkg1 (0xA0000) |
rvk-040000 (512 KB) | 0x40000 | 0x80000 | one big patch overlapping several revoke area's |
downgrade v2 patcher
Source: http://www.digitalangel.it/2011/09/release-progskeet-patchers-ps3-nor-downgrade-v2-patchfile/
Just extract the folder “downgrade v2 ProgSkeet” anywhere on your PC. Open WinSkeet40000/LinuxKeet/iSkeet on your computer. Create a dump of your 3.70 OFW if you haven’t already done it. Call it “OFW370.bin” -IT MUST BE A BYTESWAPPED DUMP!- Open the “Patcher” tab and select “OFW370.bin” as the input file. Select the progskeet_patch.txt as the patch file. This release is based on the patchset of the downgrade v2 released by dospiedra, and you should check BYTESWAP while reading NOR and when you flash your downgrade.bin file back. Go for it :) Now you have a fully working downgrade.bin to flash
E3 Nor dump checker
E3 Nor Dump Checker V1.0.exe (521.7 KB)
Article: http://www.ps3hax.net/2011/11/released-e3-nor-dump-checker-v1-0-released-tested/
Quick bulletproof test
does not test:
- bootldr (corrupted binary not detected)
- metldr (corrupted binary not detected)
- bootldr size (both under- and oversize not detected)
- metldr size (both under- and oversize not detected)
- cISD (didn't catch brick-byte error)
- cCSD (didn't catch brick-byte error)
- trvk_prg0 (didn't catch brick-byte error)
- trvk_prg1 (didn't catch brick-byte error)
- trvk_pkg0 (didn't catch brick-byte error)
- trvk_pkg1 (didn't catch brick-byte error)
- eEID (didn't catch brick-byte error)
- cvtrm (didn't catch brick-byte error)
- CELL_EXTNOR_AREA (didn't catch brick-byte error)
partly test:
- ROS0 (but didn't catch brick-byte error)
- ROS1 (but didn't catch brick-byte error)
does test:
- headerprefix ("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")
- header ("00 00 00 00 AC 0F FF E0 00 00 00 00 AD DE EF BE")
- header ("FI.I")
- headersuffix "(FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF")
- filetable ("saceru_eoldare.." etc.)
Conclusion : USELESS, brickdumps will still show as 'valid'.
Recommendation: use Flowrebuilder instead and common sense like mentioned on Hardware flashing page.
Added 22 nov 2011
New E3 flasher update released, it will backup bios 3 times automatically. We suggest user verify those bios with E3 Nor dump checker, to assure the backup bios is no erro.
Conclusion: Anyone with a flasher (should) know that you can dump it 1 to 1000's times the same bad. Comparing CRC/MD5/SHA1 is not any secure way to validate flash (as mentioned on Hardware flashing). Letting the dumper do it x times, only gives endusers/customers a false sense of reassurance, always a bad idea.
manual E3 downgrade v2
E3 dumps are byte reversed, and so must our patches (otherwise we have to reverse, paste the v2 in the REV, reverse back again - using byte reversed patches shortcuts that 'reversing confusion' :P)
Dump the flash with the E3, you will end up with a .bin file (e.g. bkpps3.bin)
Patches to insert for v2 downgrade:
| target area | patch no. | NOR Offset | Paste length | Remarks |
|---|---|---|---|---|
| ROS0 | patch1.REV (7 MB) | 0x0C0010 | 0x6FFFE0 | version string 3.55 |
| ROS1 | patch1.REV (7 MB) | 0x7C0010 | 0x6FFFE0 | same as patch1.REV |
| trvk_prg0 (0x40000) trvk_prg1 (0x60000) trvk_pkg0 (0x80000) trvk_pkg1 (0xA0000) |
rvk-040000.REV (512 KB) | 0x40000 | 0x80000 | one big patch overlapping several area's |
save file and use that file to flash the ps3. Afterwards, use RogeroV2, or any prepatched PUP that has the lv1/hypervisor syscon hashchecks patched out - or use the TCL from the talk/discussion page to patch one yourself) and reinstall the firmware in service mode like any V2 downgrade.
Note: If you wish to extract an E3 dump: Flowrebuilder can bytereverse and extract the NOR dump for you.
normal E3 downgrade
Update and dump
- Update your playstation 3 to the latest firmware 3.73
- Make a backup onto a blank micro SD card, use the following flasher settings: switch 1 & 2 should be down, switch 3 should be in the up position, switch 4, 5 & 6 should also be down
- Turn on your playstation 3 console
- Once in the xmb press start on the flasher and i will begin to backup (you will see a progess indicator on the flasher and once finished it will flash alternatively)
- Switch your console off and remove the micro SD card from the e3 flasher, put the SD card into your computer and you should see two files bkpps3.bin and a e3flasher text file.
- Check that the backup was sucessfull. The file size of the backup should be 16.0 MB (16,777,216 bytes) exactly. Copy the files onto your computer and keep them safe.
Downgrade flash
- You need to download the downgrade files from the e3 website and copy them to your micro SD Card
- Power off your playstation and change the flasher settings. Switch 1, 2, 3, 4, 5 should be down and switch 6 should be up.
- Hold the start button on the flasher and turn on your console it will begin flashing the downgrade files. When the flash has completed the lights will flash alternately
Reinstall FW in factory service mode
(see also Downgrading with PSgrade Dongle)
- Switch your playstation off at the power switch unplug or what ever method you like to use
- Insert your PSGrade dongle/jig that gets you into factory service mode in the far right usb port closest to the blu ray drive, your console will turn off again, then remove your downgrade jig
- Copy the first set of downgrader files to a usb mass storage device: Lv2diag.self, PS3UPDAT.PUP
- Put your prepared usb stick in the usb port closest to the blu ray drive again and it will begin to downgrade. this takes quite a while.
- Once finished your console will turn off again.
- Delete the files from your usb and copy Lv2diag.self from the second step of the downgrader files.
- Put your usb stick back in the same port and turn on your console once again to leave factory service mode. Your console will turn off again.
- Now you can remove your usb stick and turn your console on again and it will boot you into 3.55 rogero v2 custom firmware (or any prepatched PS3UPDAT.PUP you used earlier