Talk:Downgrading with NOR flasher: Difference between revisions

From PS3 Developer wiki
Revision as of 02:09, 16 September 2011

NOR patches

355checkoff.PUP

PS3 CFW Kmeaw by dospiedra - 355checkoff.PUP
(kmeaw's CFW patches plus the lv1 "nocheck" patches; see V1/V2 below)

Patches included (using the PS3MFW Builder task and patch names):

  • Patch LV1 hypervisor (lv1_function_114 mmap) lv1.self
    • Allow mapping of any memory area (Needed for LV2 Poke)
  • Patch LV2 kernel (lv2 peek/lv2 poke) lv2_kernel.self
    • Patch to add Peek&Poke system calls to LV2
  • Patch package installer (debug pkg/pseudo-retail pkg) nas_plugin.sprx
    • Patch to allow installation of pseudo-retail package
    • Patch to allow installation of debug packages
  • Patch Application Launcher (unsigned app) vsh.self
    • Patch to allow running of unsigned applications
  • Add new icons to the XMB Game category (install pkgs/app_home) category_game.xml
    • Add "Install Package Files" icon to the XMB Game Category
    • Add "/app_home" icon to the XMB Game Category


Extracting the PUP and comparing

Extract the PUP and diff its files against OFW 3.55 to see the actual patches/changes made:

CORE_OS_PACKAGE.pkg

default.spp
emer_init.self
lv1.self
lv2_kernel.self
  
   
emer_init.elf
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0005B5A0                                      79 27 F0 82              y'ð‚
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0005B5A0                                      38 E9 FF F8              8éÿø
   
   
lv1.elf
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00093490              39 20 00 4F 7C 00 F8                     9 .O|.ø
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00093490              39 20 00 5F 7C 00 F8                     9 ._|.ø
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5A40              39 20 00 00 38 60 00                     9 ..8`.
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5A40              39 20 00 01 38 60 00                     9 ..8`.
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5EB0  41 DA 00 54                                      AÚ.T
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000F5EB0  60 00 00 00                                      `...
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD5C0                                      E8 1E 00 18              è...
    000FD5D0  E9 5E 00 20 E9 1E 00 28 E8 FE 00 30 EB EB 00 50  é^. é..(èþ.0ëë.P
    000FD5E0  F8 01 00                                         ø..
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD5C0                                      E8 1E 00 20              è.. 
    000FD5D0  E9 5E 00 28 E9 1E 00 30 E8 FE 00 38 EB FE 00 18  é^.(é..0èþ.8ëþ..
    000FD5E0  F8 01 00                                         ø..
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD850  E8 1E 00 18 E9 3E 00 20 E9 5E 00 28 E9 1E 00 30  è...é>. é^.(é..0
    000FD860  E8 FE 00 38 E8 DE 00 40 EB EB 00 50 90 A1 00 70  èþ.8èÞ.@ëë.P.¡.p
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FD850  E8 1E 00 20 E9 3E 00 28 E9 5E 00 30 E9 1E 00 38  è.. é>.(é^.0é..8
    000FD860  E8 FE 00 40 E8 DE 00 48 EB FE 00 18 90 A1 00 70  èþ.@èÞ.Hëþ...¡.p
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0              E8 1E 00 18 E9 3E 00                     è...é>.
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0              E8 1E 00 20 E9 3E 00                     è.. é>.
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0              E8 1E 00 18 E9 3E 00 20 E9 5E 00 28      è...é>. é^.(
    000FDD00  E9 1E 00 30 E8 FE 00 38 E8 DE 00 40 EB EB 00 50  é..0èþ.8èÞ.@ëë.P
    000FDD10  90 A1 00                                         .¡.
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    000FDCF0              E8 1E 00 20 E9 3E 00 28 E9 5E 00 30      è.. é>.(é^.0
    000FDD00  E9 1E 00 38 E8 FE 00 40 E8 DE 00 48 EB FE 00 18  é..8èþ.@èÞ.Hëþ..
    000FDD10  90 A1 00                                         .¡.
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00103CF0              38 00 00 0B 7F E9 00                     8....é.
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00103CF0              38 00 00 0F 7F E9 00                     8....é.
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00112670                       10 39 20 00 09 E9 43 00            .9 ..éC.
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00112670                       10 39 20 FF FF E9 43 00            .9 ÿÿéC.
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    001225E0                          38 00 00 00 64 00 FF FF          8...d.ÿÿ
    001225F0  60 00 FF EC F8 03 00 C0 4E 80 00 20 38 00 00 00  `.ÿìø..ÀN€. 8...
    00122600  64 00 FF FF 60 00 FF EC F8 03 00 C0 4E 80 00     d.ÿÿ`.ÿìø..ÀN€.
   
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    001225E0                          38 00 00 00 E8 83 00 18          8...èƒ..
    001225F0  E8 84 00 00 F8 83 00 C8 4E 80 00 20 38 00 00 00  è„..øƒ.ÈN€. 8...
    00122600  E8 A3 00 20 E8 83 00 18 F8 A4 00 00 4E 80 00     è£. èƒ..ø¤..N€.
   
   
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0     9E 00 48 48 00 D7 15 2F 83 00                  ž.HH.×./ƒ.
    
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D0B0     9E 00 48 38 60 00 00 2F 83 00                  ž.H8`../ƒ.
    
    
  Original ofw355:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D260                          38 60 00 00 48 01 8E AD          8`..H.Ž­
    
  Patched 355checkoff:
    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    0021D260                          38 60 00 01 48 01 8E AD          8`..H.Ž­
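To read the hex diffs above without a full disassembler, here is a small decoder, added as an example (it is not code from the wiki page, from kmeaw's CFW or from PS3MFW), for the handful of big-endian PowerPC encodings these patches touch. The function names (`decode`, `diff_to_asm`) are this example's own; the rows in `PAGE_DIFFS` are copied from the dumps above, and any word outside the covered encodings is returned as a raw `.long` rather than guessed.

```python
"""Decoder for the big-endian PowerPC words in the hex diffs on this page.

Added example, not code from the wiki page, kmeaw's CFW or PS3MFW. It covers
only the instruction forms those diffs contain; anything else comes back as a
raw `.long` instead of a guess.
"""

# bc with BO=011at (branch if CR bit set) / BO=001at (branch if CR bit clear),
# indexed by the CR bit (lt, gt, eq, so) selected by the low two bits of BI.
CR_TRUE = ("blt", "bgt", "beq", "bso")
CR_FALSE = ("bge", "ble", "bne", "bns")


def _sext(value, bits):
    """Sign-extend a `bits`-wide two's-complement field."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode(word):
    """Return the mnemonic for one 32-bit PowerPC instruction word."""
    op = word >> 26
    rt = (word >> 21) & 0x1F        # RT / RS / BO field (bits 6-10)
    ra = (word >> 16) & 0x1F        # RA / BI field (bits 11-15)
    rb = (word >> 11) & 0x1F        # RB / SH field (bits 16-20)
    imm = word & 0xFFFF
    simm = _sext(imm, 16)

    if word == 0x60000000:
        return "nop"                                   # ori r0,r0,0
    if word == 0x4E800020:
        return "blr"                                   # bclr 20,0
    if op == 14:                                       # addi; RA=0 is 'li'
        return f"li r{rt},{simm}" if ra == 0 else f"addi r{rt},r{ra},{simm}"
    if op == 15:
        return f"lis r{rt},{simm}" if ra == 0 else f"addis r{rt},r{ra},{simm}"
    if op == 24:
        return f"ori r{ra},r{rt},{imm:#x}"
    if op == 25:
        return f"oris r{ra},r{rt},{imm:#x}"
    if op == 11 and ((word >> 21) & 1) == 0:           # cmpwi crF,rA,SIMM
        return f"cmpwi cr{(word >> 23) & 7},r{ra},{simm}"
    if op == 34:
        return f"lbz r{rt},{simm:#x}(r{ra})"
    if op == 36:
        return f"stw r{rt},{simm:#x}(r{ra})"
    if op in (58, 62) and (word & 3) == 0:             # DS-form ld / std
        disp = _sext(word & 0xFFFC, 16)
        return f"{'ld' if op == 58 else 'std'} r{rt},{disp:#x}(r{ra})"
    if op == 21:                                       # rlwinm RA,RS,SH,MB,ME
        return f"rlwinm r{ra},r{rt},{rb},{(word >> 6) & 0x1F},{(word >> 1) & 0x1F}"
    if op == 30 and ((word >> 2) & 7) == 0:            # MD-form rldicl RA,RS,SH,MB
        sh = rb | (((word >> 1) & 1) << 5)             # sh0-4 plus sh5 (bit 30)
        mbf = (word >> 5) & 0x3F                       # 6-bit field: mb0-4, mb5
        return f"rldicl r{ra},r{rt},{sh},{((mbf & 1) << 5) | (mbf >> 1)}"
    if op == 31 and ((word >> 1) & 0x3FF) == 444:      # or; RS==RB is 'mr'
        return f"mr r{ra},r{rt}" if rt == rb else f"or r{ra},r{rt},r{rb}"
    if op == 16:                                       # B-form bc BO,BI,target
        bd = _sext(word & 0xFFFC, 16)
        kind = (rt >> 2) & 7                           # 3: bit set, 1: bit clear
        if kind in (1, 3):
            names = CR_TRUE if kind == 3 else CR_FALSE
            return f"{names[ra & 3]} cr{ra >> 2},{bd:+#x}"
        return f"bc {rt},{ra},{bd:+#x}"
    if op == 18:                                       # I-form b / bl
        target = _sext(word & 0x03FFFFFC, 26)
        return f"{'bl' if word & 1 else 'b'} {target:+#x}"
    return f".long {word:#010x}"


def diff_to_asm(original_hex, patched_hex):
    """Decode an 'Original' and a 'Patched' hex row (HxD style, space
    separated) word by word and return [(before, after), ...]."""
    before, after = bytes.fromhex(original_hex), bytes.fromhex(patched_hex)
    if len(before) != len(after) or len(before) % 4:
        raise ValueError("rows must be equal length and whole 4-byte words")
    return [(decode(int.from_bytes(before[i:i + 4], "big")),
             decode(int.from_bytes(after[i:i + 4], "big")))
            for i in range(0, len(before), 4)]


# Rows copied from the dumps above (keyed by the offset of the first byte shown).
PAGE_DIFFS = {
    "lv1.elf 0021D0B4, sys_mgr integrity check": ("48 00 D7 15", "38 60 00 00"),
    "lv1.elf 0007B340, storage ACL check": ("54 63 06 3E", "38 60 00 01"),
    "lv1.elf 000F5EB0": ("41 DA 00 54", "60 00 00 00"),
    "lv1.elf 001225E8, first stub": (
        "38 00 00 00 64 00 FF FF 60 00 FF EC F8 03 00 C0 4E 80 00 20",
        "38 00 00 00 E8 83 00 18 E8 84 00 00 F8 83 00 C8 4E 80 00 20"),
}

if __name__ == "__main__":
    for label, (orig, patched) in PAGE_DIFFS.items():
        print(label)
        for before, after in diff_to_asm(orig, patched):
            print(f"  {before:<24} -> {after}")
```

Run as-is, it shows the 0021D0B4 edit as `bl +0xd714` -> `li r3,0` (the call is dropped and r3 is forced to 0 before the `cmpwi cr7,r3,0` that follows), the 000F5EB0 edit as `beq cr6,+0x54` -> `nop`, the ACL edit as `rlwinm r3,r3,0,24,31` -> `li r3,1`, and the stub at 001225E8 turning from li r0,0 / oris / ori / std r0,0xc0(r3) / blr, which only stored the constant 0xFFFFFFEC, into ld r4,0x18(r3) / ld r4,0x0(r4) / std r4,0xc8(r3) / blr, a read through the pointer held at 0x18(r3).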

dev_flash_010.tar.aa.2010_11_27_051337

dev_flash\vsh\module\nas_plugin.sprx

dev_flash_016.tar.aa.2010_11_27_051337

dev_flash\vsh\resource\explore\xmb\category_game.xml

V1

Tasks

MFW Task::patch_lv1.tcl with the following patches selected:

  • --patch-lv1-storage-skip-acl-check
  • --patch-lv1-sysmgr-disable-integrity-check

Patches

http://pastebin.com/aNehMfGi :

   Downgrade patches
          
   http://www.multiupload.com/O0TZGNP92M
          
   DIFF:
          
   -------------
   patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices
      
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340  54 63 06 3E                                      Tc.>
          
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340  38 60 00 01                                      8`..
          
   -----
   patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices (continued)
          
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340                                      E8 01 00 70              è..p
          
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340                                      38 00 00 01              8...
          
   -----
   patch-lv1-sysmgr-disable-integrity-check: Disable integrity check in System Manager
          
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0021D0B0              48 00 D7 15                              H.×.
          
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0021D0B0              38 60 00 00                              8`..
          
   -------------
      
   Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware




Combining patches

The patches on Talk:Downgrading with NOR flasher and Talk:Downgrading with NAND flasher differ. What if you combine them? First try: selecting both patch tasks manually:

<keperfear> eussnl http://www.multiupload.com/6AZN5DOCM9
<keperfear> could you check if I patched everything correctly
<keperfear> anyway I really need to sleep now
<keperfear> good luck everyone
* keperfear left
<eussNL> oh dear, keperfear is already gone ...  anyhow, this was my version : patched355coreos.rar (4.84 MB) (no "Patch In product mode erase standby bank skipped" selected)

<keperfear> Eussnl try with this one

      # In product mode erase standby bank skipped
     
      log "Patch In product mode erase standby bank skipped"
     
      set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
 
      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

(difference is \x41\x9E\x00\x0C\xE8\xA2\x8A\x38 instead of \x41\x9E\x00\x0C\xE8\xA2\x8A\x30)


Combined TCL

Second try: a combined single TCL task, "patch-lv1checks.tcl":

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) PsiColeO
# Copyright (C) glevand ([email protected])
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#

# Priority: 300
# Description: Patch LV1 checks

# Option --patch-lv1checks: Disables many checks in lv1

# Type --patch-lv1checks: boolean

namespace eval ::patch_lv1checks {

    array set ::patch_lv1checks::options {
        --patch-lv1checks true
    }

    proc main { } {
        set self "lv1.self"

        ::modify_coreos_file $self ::patch_lv1checks::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_lv1checks::options(--patch-lv1checks)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_lv1checks::patch_elf
        }
    }

    # Each patch is a byte-exact search/replace on the decrypted lv1 ELF
    # (big-endian PowerPC); catch_die aborts the build if a pattern is not
    # found. Byte-level meaning of the edits used below:
    #   41 9E xx xx  beq cr7,+xx  ->  60 00 00 00  nop   (branch never taken)
    #   38 60 00 0n  li r3,n                              (forced return value)
    proc patch_elf {elf} {
        if {$::patch_lv1checks::options(--patch-lv1checks)} {
            log "Patching LV1 Checks"

            # ss_server1
            # Patch core OS Hash check // product mode always on
            # beq cr7,+0x1C -> nop; the rest of the pattern only anchors the match
            log "--------------- Patching  ss_server1.fself ----------------------------"
            log "Patch core OS Hash check // product mode always on"

            set search  "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patch check_revoke_list_hash check // product mode always on
            # beq cr7,+0x1C -> nop
            log "Patch check_revoke_list_hash check // product mode always on"

            set search  "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # In product mode erase standby bank skipped
            # beq cr7,+0xC -> nop
            log "Patch In product mode erase standby bank skipped"

            set search  "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
            set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patching System Manager to disable integrity check
            # li r3,1 -> li r3,0; only the first 4 bytes of the 16-byte pattern are rewritten
            log "Patching System Manager to disable integrity check"

            set search  "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\x2f\x80\x00\x00"
            set replace "\x38\x60\x00\x00"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patching LV1 to enable skipping of ACL checks for all storage devices
            # rlwinm r3,r3,0,24,31 (r3 &= 0xFF) -> li r3,1 and ld r0,0x70(r1) -> li r0,1:
            # both values tested by the cmpwi cr7 that follows each are forced to 1
            log "Patching LV1 to enable skipping of ACL checks for all storage devices"

            set search  "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\xe8\x01\x00\x70\x54\x00\x07\xfe"
            append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
            set replace "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\x38\x00\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
        }
    }
}

download: patch_lv1checks.rar (1.29 KB) (2.80-3.42 / 3.50-3.55)



PreAlpha v1 smoketest - offsets

patch-lv1checks (Modifying CORE_OS file lv1.self - Patching LV1 Checks)

Offset at which each search pattern matched in the decrypted lv1 ELF, per firmware version (decimal byte offsets; 504640 is 0x7B340, the ACL-check offset in the 3.55 diff above):

No.  Patch                                              2.80      3.00      3.01      3.10      3.15      3.20      3.21
 1   core OS hash check // product mode always on       2958632   2958452   2958452   2958984   2958984   2959072   2891632
 2   check_revoke_list_hash check // product mode on    2961708   2961528   2961528   2962060   2962060   2962148   2894708
16   in product mode, erase standby bank skipped        2977960   2977780   2977780   2978324   2978324   2978412   2910972
23   System Manager: disable integrity check            2211164   2211424   2211424   2217608   2217608   2218192   2218120
24   LV1: skip ACL checks for all storage devices        498208    500212    500212    505304    505420    506032    506032

No.  Patch                                              3.30      3.40      3.41-BAD  3.41-FIX  3.42      3.50      3.55
 1   core OS hash check // product mode always on       2891556   2891596   2891596   2891596   2891596   2891684   2891684
 2   check_revoke_list_hash check // product mode on    2894632   2894672   2894672   2894672   2894672   2894836   2894836
16   in product mode, erase standby bank skipped        2910896   2910936   2910936   2910936   2910936   2911100   2911100
23   System Manager: disable integrity check            2215760   2216052   2216052   2216052   2216052   2216096   2216096
24   LV1: skip ACL checks for all storage devices        505112    504568    504568    504568    504568    504640    504640

<keperfear> coreos 3.55 with above 1,2,16,23,24 combined patches: coreos355nandandnordowngradepatches.rosx (7 MB)

Status

MFW patch_lv1checks.tcl seems to work fine. It still needs testing in the field, which only people with a hardware flasher can do.

Update:

   [01:43:10]	<Ryd3R>	RSOD x_x
   [01:44:41]	<Ryd3R>	I hate it when it shows up
   [01:45:20]	<Ryd3R>	@eussNL: are you there?
   [01:46:41]	<eussNL>	I am, but also a lot of side stuff going on, what's the problem all of a sudden and what did you do to make it bitch like that?
   [01:47:36]	<Ryd3R>	I did the 3.70 downgrade using a Teensy++
   [01:48:42]	<Ryd3R>	it works well when I revert back to 3.70
   [01:49:23]	<Ryd3R>	I think it has something to do with the fuckin syscon
   [01:49:37]	<eussNL>	ok, did you patch lv1?
   [01:49:43]	<Ryd3R>	yeah
   [01:50:09]	<Ryd3R>	the No hash check patch, right?
   [01:51:50]	<Ryd3R>	for some fuckin reason any version prior to 3.70 gave me an RSOD
   [01:52:41]	<Ryd3R>	I tried using the recovery menu to update to 3.60 from 3.55 (lv1 patched), still RSOD
   [01:53:15]	<eussNL>	yes and then some... Ryd3R> the No hash check patch right ?
   [01:53:46]	<eussNL>	http://www.ps3devwiki.com/index.php?title=Talk:Downgrading_with_NOR_flasher#Combined_TCL
   [01:55:47]	<Ryd3R>	I'll give it a try
   
   [02:16:19]	<Ryd3R>	thanks eussNL, you're the man, the patch works like a charm
   [02:22:53]	<eussNL>	good to hear, hope it stays flawless now :)


V2

http://darkconsoles.com/foro/viewtopic.php?f=7&t=16

NOR offsets used

Target area   Patch no.         NOR offset   Paste length   Remarks
ROS0          patch1 (7 MB)     0x0C0010     0x6FFFE0       version string not changed?
ROS1          patch2 (7 MB)     0x7C0010     0x6FFFE0       same as patch1?
trvk_pkg0     patch3 (128 KB)   0x80000      0x20000
trvk_pkg1     patch4 (128 KB)   0xA0000      0x20000
trvk_prg0     patch5 (128 KB)   0x40000      0x20000
trvk_prg1     patch6 (128 KB)   0x60000      0x20000

LV1 patches used

  Downgrade patches v2
         
  http://www.multiupload.com/DVFD9AZGO5
         
  DIFF:
         
  -------------
  patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices
     
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340  54 63 06 3E                                      Tc.>
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340  38 60 00 01                                      8`..
         
  -----
  patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices (continued)
         
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340                                      E8 01 00 70              è..p
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0007B340                                      38 00 00 01              8...
         
  -----
  ???? Patch sys_mgr integrity lv1 and lv0 integrity check ????
         
  ORIGINAL
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0021D0B0              48 00 D7 15                              H.×.
         
  PATCHED
  Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  0021D0B0              38 60 00 00                              8`..
         
  -----


Combined TCL V2

The combined single TCL task "patch-lv1checks.tcl" with the new patch added:

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) PsiColeO
# Copyright (C) glevand ([email protected])
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#

# Priority: 300
# Description: Patch LV1 checks

# Option --patch-lv1checks: Disables many checks in lv1

# Type --patch-lv1checks: boolean

namespace eval ::patch_lv1checks {

    array set ::patch_lv1checks::options {
        --patch-lv1checks true
    }

    proc main { } {
        set self "lv1.self"

        ::modify_coreos_file $self ::patch_lv1checks::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_lv1checks::options(--patch-lv1checks)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_lv1checks::patch_elf
        }
    }

    # Each patch is a byte-exact search/replace on the decrypted lv1 ELF
    # (big-endian PowerPC); catch_die aborts the build if a pattern is not
    # found. Byte-level meaning of the edits used below:
    #   41 9E xx xx  beq cr7,+xx  ->  60 00 00 00  nop   (branch never taken)
    #   38 60 00 0n  li r3,n                              (forced return value)
    #   48 xx xx xx  bl / b                               (call or jump)
    proc patch_elf {elf} {
        if {$::patch_lv1checks::options(--patch-lv1checks)} {
            log "Patching LV1 Checks"

            # ss_server1
            # Patch core OS Hash check // product mode always on
            # beq cr7,+0x1C -> nop; the rest of the pattern only anchors the match
            log "--------------- Patching  ss_server1.fself ----------------------------"
            log "Patch core OS Hash check // product mode always on"

            set search  "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patch check_revoke_list_hash check // product mode always on
            # beq cr7,+0x1C -> nop
            log "Patch check_revoke_list_hash check // product mode always on"

            set search  "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # In product mode erase standby bank skipped
            # beq cr7,+0xC -> nop
            log "Patch In product mode erase standby bank skipped"

            set search  "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
            set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patching System Manager to disable integrity check
            # li r3,1 -> li r3,0; only the first 4 bytes of the 16-byte pattern are rewritten
            log "Patching System Manager to disable integrity check"

            set search  "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\x2f\x80\x00\x00"
            set replace "\x38\x60\x00\x00"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patching LV1 to enable skipping of ACL checks for all storage devices
            # rlwinm r3,r3,0,24,31 (r3 &= 0xFF) -> li r3,1 and ld r0,0x70(r1) -> li r0,1:
            # both values tested by the cmpwi cr7 that follows each are forced to 1
            log "Patching LV1 to enable skipping of ACL checks for all storage devices"

            set search  "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\xe8\x01\x00\x70\x54\x00\x07\xfe"
            append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
            set replace "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\x38\x00\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # LV1 0021D0B4@355 patch (?Patch sys_mgr integrity lv1 and lv0 integrity check?)
            # bl +0xD714 -> li r3,0: the call is skipped and r3 forced to 0, so the
            # cmpwi cr7,r3,0 that follows always sees 0
            log "?Patch sys_mgr integrity lv1 and lv0 integrity check?"

            set search  "\x48\x00\xD7\x15\x2F\x83\x00\x00\x38\x60\x00\x01"
            set replace "\x38\x60\x00\x00\x2F\x83\x00\x00\x38\x60\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
        }
    }
}

download: patch_lv1checks.rar (1.53 KB) (3.40-3.42 / 3.50-3.55)



PreAlpha v2 smoketest - offsets

patch-lv1checks (Modifying CORE_OS file lv1.self - Patching LV1 Checks)

Offset at which each search pattern matched in the decrypted lv1 ELF, per firmware version (decimal byte offsets; 2216116 is 0x21D0B4, the address of the bl in the 3.55 diff above). "no pattern" means the search bytes do not occur in that version's lv1, so the task would die there.

No.  Patch                                              2.80      3.00      3.01      3.10      3.15      3.20      3.21
 1   core OS hash check // product mode always on       2958632   2958452   2958452   2958984   2958984   2959072   2891632
 2   check_revoke_list_hash check // product mode on    2961708   2961528   2961528   2962060   2962060   2962148   2894708
16   in product mode, erase standby bank skipped        2977960   2977780   2977780   2978324   2978324   2978412   2910972
23   System Manager: disable integrity check            2211164   2211424   2211424   2217608   2217608   2218192   2218120
24   LV1: skip ACL checks for all storage devices        498208    500212    500212    505304    505420    506032    506032
25   ?sys_mgr integrity lv1 and lv0 integrity check?    no pattern in any of these versions

No.  Patch                                              3.30      3.40      3.41-BAD  3.41-FIX  3.42      3.50      3.55
 1   core OS hash check // product mode always on       2891556   2891596   2891596   2891596   2891596   2891684   2891684
 2   check_revoke_list_hash check // product mode on    2894632   2894672   2894672   2894672   2894672   2894836   2894836
16   in product mode, erase standby bank skipped        2910896   2910936   2910936   2910936   2910936   2911100   2911100
23   System Manager: disable integrity check            2215760   2216052   2216052   2216052   2216052   2216096   2216096
24   LV1: skip ACL checks for all storage devices        505112    504568    504568    504568    504568    504640    504640
25   ?sys_mgr integrity lv1 and lv0 integrity check?    no pattern* 2216072  2216072   2216072   2216072   2216088   2216116

* the original table also carries an unverified "2215780?" for this cell.
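The patch-lv1checks.tcl tasks above (V1 and V2) and both smoketest tables come down to one mechanism: find a byte-exact pattern in the decrypted lv1 ELF and overwrite the start of the match. The following is an added example of that mechanism with the check a practitioner wants before flashing; it is not PS3MFW's own code. It assumes that PS3MFW's `::patch_elf` writes `replace` at the match plus the third argument (0 in every call above) and, unlike a plain first-hit search, refuses to patch unless the pattern occurs exactly once, since a pattern that is absent ("no pattern" in the table) must fail loudly and a pattern that occurs twice would silently patch the wrong code. The function names are this example's own, the (search, replace) pairs are copied from the V2 task, and the image it runs on is a constructed stand-in, so its offsets are not the firmware offsets in the tables.

```python
"""PS3MFW-style search/replace patching of an lv1 ELF with a unique-match check.

Added example, not PS3MFW's own code. The (search, replace) pairs are the ones
from patch-lv1checks.tcl V2; the image is a constructed stand-in for the
decrypted lv1 ELF, so the offsets reported are the stand-in's, not firmware ones.
"""


class PatchError(Exception):
    """Search pattern missing or not unique, or replace malformed."""


NOP = b"\x60\x00\x00\x00"

# (name, search, replace). replace overwrites the start of the match and may be
# shorter than search; the rest of the pattern only anchors the match.
PATCHES = [
    ("core OS hash check // product mode always on",
     b"\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01",
     b"\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"),
    ("check_revoke_list_hash check // product mode always on",
     b"\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01",
     b"\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"),
    ("in product mode erase standby bank skipped",
     b"\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20",
     b"\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"),
    ("System Manager integrity check",
     b"\x38\x60\x00\x01\xF8\x01\x00\x90\x88\x1F\x00\x00\x2F\x80\x00\x00",
     b"\x38\x60\x00\x00"),
    ("skip ACL checks for all storage devices",
     b"\x54\x63\x06\x3E\x2F\x83\x00\x00\x41\x9E\x00\x14\xE8\x01\x00\x70"
     b"\x54\x00\x07\xFE\x2F\x80\x00\x00\x40\x9E\x00\x18",
     b"\x38\x60\x00\x01\x2F\x83\x00\x00\x41\x9E\x00\x14\x38\x00\x00\x01"),
    ("?sys_mgr integrity lv1 and lv0 integrity check? (0021D0B4@355)",
     b"\x48\x00\xD7\x15\x2F\x83\x00\x00\x38\x60\x00\x01",
     b"\x38\x60\x00\x00\x2F\x83\x00\x00\x38\x60\x00\x01"),
]


def find_unique(image, pattern):
    """Offset of `pattern` in `image`; refuses zero or multiple hits."""
    hits, pos = [], image.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = image.find(pattern, pos + 1)
    if not hits:
        raise PatchError("no pattern")
    if len(hits) > 1:
        raise PatchError("ambiguous pattern, hits at "
                         + ", ".join(f"{h:#x}" for h in hits))
    return hits[0]


def locate(image, patches):
    """Dry run: offset of each search pattern, or the error text ("no pattern",
    ...) in place of an offset. This is what the smoketest tables record."""
    found = {}
    for name, search, _ in patches:
        try:
            found[name] = find_unique(image, search)
        except PatchError as exc:
            found[name] = str(exc)
    return found


def apply_patch(image, search, replace):
    """Write `replace` over the start of the unique match of `search`.
    Returns (offset, overwritten bytes) so the patch can be undone."""
    if not replace or len(replace) > len(search) or len(replace) % 4:
        raise PatchError("replace must be whole PPC words inside the searched span")
    off = find_unique(image, search)
    saved = bytes(image[off:off + len(replace)])
    image[off:off + len(replace)] = replace
    return off, saved


def apply_all(image, patches):
    """Apply patches in order. If one fails, undo the ones already applied so
    the image is never left half-patched, then re-raise with the patch name."""
    applied = []
    for name, search, replace in patches:
        try:
            off, saved = apply_patch(image, search, replace)
        except PatchError as exc:
            for _, prev_off, prev_saved in reversed(applied):
                image[prev_off:prev_off + len(prev_saved)] = prev_saved
            raise PatchError(f"{name}: {exc}; reverted {len(applied)} patch(es)") from exc
        applied.append((name, off, saved))
    return {name: off for name, off, _ in applied}


def try_apply_all(image, patches):
    """apply_all without exceptions: (offsets, None) or ({}, error text)."""
    try:
        return apply_all(image, patches), None
    except PatchError as exc:
        return {}, str(exc)


def build_sample_image(patches, size=0x1000, first=0x100, stride=0x80):
    """Constructed stand-in for lv1.elf (not a real firmware image): nop filler
    with each patch's search bytes placed at first + i*stride."""
    image = bytearray(NOP * (size // 4))
    for i, (_, search, _) in enumerate(patches):
        off = first + i * stride
        image[off:off + len(search)] = search
    return image


if __name__ == "__main__":
    image = build_sample_image(PATCHES)
    for name, off in apply_all(image, PATCHES).items():
        print(f"{off:8d} ({off:#x})  {name}")
    # On an image without the sixth pattern (the V2 table's "no pattern" rows)
    # the whole run aborts and the five earlier patches are rolled back.
    _, err = try_apply_all(build_sample_image(PATCHES[:-1]), PATCHES)
    print("expected failure:", err)
```

To use it on a real decrypted lv1 ELF, read the file into a `bytearray`, run `locate` first to get the offset row for that firmware version (compare it with the tables above), and only then `apply_all`; the returned offsets are the ones to record in a smoketest row. Note that `locate` reports each pattern against the unpatched image, while `apply_all` searches sequentially, so a replace that accidentally creates a later pattern would be caught by the ambiguity check.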


Status

MFW patch_lv1checks.tcl seems to work fine. It still needs testing in the field, which only people with a hardware flasher can do.

Rogero and VAL_ tested it: no problems with games, trophies or Blu-ray movies.

Premade MFW

Rogero MFW355_370_spoof_Internet_Blocked_LV1_Checks_Patched.PUP (170.59 MB)