Talk:Downgrading with NOR flasher

From PS3 Developer wiki

NOR patches

V1

Tasks

MFW Task::patch_lv1.tcl with the following patches selected:

  • --patch-lv1-storage-skip-acl-check
  • --patch-lv1-sysmgr-disable-integrity-check

Patches

http://pastebin.com/aNehMfGi :

   Downgrade patches
          
   http://www.multiupload.com/O0TZGNP92M
          
   DIFF:
          
   -------------
   patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices
      
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340  54 63 06 3E                                      Tc.>
          
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340  38 60 00 01                                      8`..
          
   -----
   patch-lv1-storage-skip-acl-check : Patching LV1 to enable skipping of ACL checks for all storage devices (continued)
          
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340                                      E8 01 00 70              è..p
          
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0007B340                                      38 00 00 01              8...
          
   -----
   patch-lv1-sysmgr-disable-integrity-check: Disable integrity check in System Manager
          
   ORIGINAL
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0021D0B0              48 00 D7 15                              H.×.
          
   PATCHED
   Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   0021D0B0              38 60 00 00                              8`..
          
   -------------
      
   Reference: http://www.ps3devwiki.com/index.php?title=Talk:Dual_Firmware


Combining patches

There is a difference between the patches on Talk:Downgrading with NOR flasher and those on Talk:Downgrading with NAND flasher.

What if you combine them? 1st try: selecting both patch tasks manually:

<keperfear> eussnl http://www.multiupload.com/6AZN5DOCM9
<keperfear> could you check if i patched everything correctly
<keperfear> anyway i really need to sleep now
<keperfear> good luck everyone
* keperfear left
<eussNL> oh dear, keperfear is already gone ...  anyhow, this was my version : patched355coreos.rar (4.84 MB) (no "Patch In product mode erase standby bank skipped" selected)

<keperfear> Eussnl try with this one

      # In product mode erase standby bank skipped
      # The leading beq cr7 (41 9E 00 0C) is replaced by a nop (60 00 00 00);
      # the remaining 12 bytes only anchor the search pattern and are
      # written back unchanged.
      log "Patch In product mode erase standby bank skipped"

      set search  "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
      set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"

      catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

(difference is \x41\x9E\x00\x0C\xE8\xA2\x8A\x38 instead of \x41\x9E\x00\x0C\xE8\xA2\x8A\x30)


Combined TCL

2nd try: a single combined TCL, "patch-lv1checks.tcl":

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) PsiColeO
# Copyright (C) glevand ([email protected])
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#

# Priority: 300
# Description: Patch LV1 checks

# Option --patch-lv1checks: Disables many checks in lv1

# Type --patch-lv1checks: boolean

namespace eval ::patch_lv1checks {

    array set ::patch_lv1checks::options {
        --patch-lv1checks true
    }

    proc main { } {
        set self "lv1.self"

        ::modify_coreos_file $self ::patch_lv1checks::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_lv1checks::options(--patch-lv1checks)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_lv1checks::patch_elf
        }
    }

    proc patch_elf {elf} {
        if {$::patch_lv1checks::options(--patch-lv1checks)} {
            log "Patching LV1 Checks"

            # ss_server1
            # Patch core OS Hash check // product mode always on
            # beq cr7 (41 9E 00 1C) -> nop (60 00 00 00); the trailing bytes
            # only anchor the search pattern and are written back unchanged.
            # The third argument (0) is the offset within the match at which
            # the replace string is written.
            log "--------------- Patching  ss_server1.fself ----------------------------"
            log "Patch core OS Hash check // product mode always on"

            set search  "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patch check_revoke_list_hash check // product mode always on
            # beq cr7 (41 9E 00 1C) -> nop (60 00 00 00)
            log "Patch check_revoke_list_hash check // product mode always on"

            set search  "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
            set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # In product mode erase standby bank skipped
            # beq cr7 (41 9E 00 0C) -> nop (60 00 00 00)
            log "Patch In product mode erase standby bank skipped"

            set search  "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"
            set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\x7B\xFD\x00\x20"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patching System Manager to disable integrity check
            # li r3,1 (38 60 00 01) -> li r3,0 (38 60 00 00). The replace
            # string is shorter than the search string: only these 4 bytes
            # are written at the start of the match, the rest is context.
            log "Patching System Manager to disable integrity check"

            set search  "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\x2f\x80\x00\x00"
            set replace "\x38\x60\x00\x00"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

            # Patching LV1 to enable skipping of ACL checks for all storage devices
            # rlwinm r3,r3,0,24,31 (54 63 06 3E) -> li r3,1 (38 60 00 01) and
            # ld r0,0x70(r1) (E8 01 00 70) -> li r0,1 (38 00 00 01)
            log "Patching LV1 to enable skipping of ACL checks for all storage devices"

            set search  "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\xe8\x01\x00\x70\x54\x00\x07\xfe"
            append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
            set replace "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\x38\x00\x00\x01"

            catch_die {::patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"
        }
    }
}

download: patch_lv1checks.rar (1.29 KB) (2.88-3.42 / 3.50-3.55)
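To see what the byte patterns in the V1 hex dumps and in the combined TCL above actually change, the following decoder is an added example (not code from this page or from the ps3mfw project). It decodes the 32-bit big-endian PowerPC words that occur in those patches into mnemonics and reports, per patch, which instruction words differ between the search and replace strings. The byte strings are copied from the page; the `PATCHES` list, the `decode_ppc` and `patch_diff` helpers, and the assumption that patch_elf overwrites the matched bytes from the start of the match with the (possibly shorter) replace string are this example's own.

```python
import struct

# Constructed for this example from the byte strings listed on the page:
# (name, search bytes, replace bytes) as the TCL task hands them to patch_elf,
# plus the V1 System Manager patch taken from the hex dump in the V1 section.
PATCHES = [
    ("core OS hash check // product mode always on",
     bytes.fromhex("419E001C 7F63DB78 E8A28568 38800001"),
     bytes.fromhex("60000000 7F63DB78 E8A28568 38800001")),
    ("check_revoke_list_hash // product mode always on",
     bytes.fromhex("419E001C 7FA3EB78 E8A28568 38800001"),
     bytes.fromhex("60000000 7FA3EB78 E8A28568 38800001")),
    ("in product mode erase standby bank skipped",
     bytes.fromhex("419E000C E8A28A38 480000CC 7BFD0020"),
     bytes.fromhex("60000000 E8A28A38 480000CC 7BFD0020")),
    ("System Manager integrity check (combined TCL)",
     bytes.fromhex("38600001 F8010090 881F0000 2F800000"),
     bytes.fromhex("38600000")),
    ("System Manager integrity check (V1 hex dump)",
     bytes.fromhex("4800D715"),
     bytes.fromhex("38600000")),
    ("skip ACL checks for all storage devices",
     bytes.fromhex("5463063E 2F830000 419E0014 E8010070 540007FE 2F800000 409E0018"),
     bytes.fromhex("38600001 2F830000 419E0014 38000001")),
]


def _sext(value: int, bits: int) -> int:
    """Sign-extend a `bits`-wide two's-complement field."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode_ppc(word: int) -> str:
    """Decode one PowerPC instruction word. Only the opcodes that occur in the
    patches above are handled; anything else is returned as a raw .long."""
    opcd = word >> 26
    rt = (word >> 21) & 0x1F          # RT / RS / BO field
    ra = (word >> 16) & 0x1F          # RA / BI field
    rb = (word >> 11) & 0x1F          # RB / SH field
    imm = _sext(word & 0xFFFF, 16)
    if word == 0x60000000:
        return "nop"                  # ori r0,r0,0
    if opcd == 14:                    # addi; with RA=0 it is the li idiom
        return f"li r{rt},{imm}" if ra == 0 else f"addi r{rt},r{ra},{imm}"
    if opcd == 11:                    # cmpwi crN,rA,imm
        return f"cmpwi cr{(word >> 23) & 7},r{ra},{imm}"
    if opcd == 16:                    # bc: conditional branch on a CR bit
        bd = _sext(word & 0xFFFC, 16)
        mnem = {12: "beq", 4: "bne"}.get(rt) if (ra & 3) == 2 else None
        return f"{mnem} cr{ra >> 2},{bd:+#x}" if mnem else f"bc {rt},{ra},{bd:#x}"
    if opcd == 18:                    # b / bl (LK bit selects the link form)
        return f"{'bl' if word & 1 else 'b'} {_sext(word & 0x03FFFFFC, 26):+#x}"
    if opcd == 21:                    # rlwinm rA,rS,SH,MB,ME
        return f"rlwinm r{ra},r{rt},{rb},{(word >> 6) & 0x1F},{(word >> 1) & 0x1F}"
    if opcd == 31 and ((word >> 1) & 0x3FF) == 444:   # or; mr when RS == RB
        return f"mr r{ra},r{rt}" if rt == rb else f"or r{ra},r{rt},r{rb}"
    if opcd == 34:                    # lbz rT,d(rA)
        return f"lbz r{rt},{imm:#x}(r{ra})"
    if opcd in (58, 62) and (word & 3) == 0:           # ld / std rT,ds(rA)
        return f"{'ld' if opcd == 58 else 'std'} r{rt},{_sext(word & 0xFFFC, 16):#x}(r{ra})"
    return f".long {word:#010x}"


def patch_diff(search: bytes, replace: bytes):
    """Instruction-level diff of a search/replace pair. Assumption (this
    example's): the replace string overwrites the match from its start, so a
    replace shorter than the search leaves the trailing context untouched.
    Returns [(byte offset, original mnemonic, patched mnemonic), ...]."""
    out = []
    for off in range(0, min(len(search), len(replace)) // 4 * 4, 4):
        old = struct.unpack(">I", search[off:off + 4])[0]
        new = struct.unpack(">I", replace[off:off + 4])[0]
        if old != new:
            out.append((off, decode_ppc(old), decode_ppc(new)))
    return out


def explain_all() -> dict:
    """Map each patch name to the list of instruction words it changes."""
    return {name: patch_diff(s, r) for name, s, r in PATCHES}


if __name__ == "__main__":
    for name, changes in explain_all().items():
        print(name)
        for off, old, new in changes:
            print(f"  +{off:#04x}: {old:<24} -> {new}")
```

Every one of these checks collapses to a single compare-and-branch or a single return value in the hypervisor image, which is why a one-word change defeats it: a hash or integrity check that lives in the same writable flash as the code it protects cannot defend itself, and only verification rooted outside that region (before the image is allowed to run) closes the gap.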

PreAlpha v1 smoketest - offsets

patch-lv1checks (Modifying CORE_OS file lv1.self - Patching LV1 Checks)

Patch numbers:

 1  Patch core OS Hash check // product mode always on
 2  Patch check_revoke_list_hash check // product mode always on
16  Patch In product mode erase standby bank skipped
23  Patching System Manager to disable integrity check
24  Patching LV1 to enable skipping of ACL checks for all storage devices

Offset reported for each patch, per firmware version:

Version    No.1     No.2     No.16    No.23    No.24
2.80       2958632  2961708  2977960  2211164  498208
3.00       2958452  2961528  2977780  2211424  500212
3.01       2958452  2961528  2977780  2211424  500212
3.10       2958984  2962060  2978324  2217608  505304
3.15       2958984  2962060  2978324  2217608  505420
3.20       2959072  2962148  2978412  2218192  506032
3.21       2891632  2894708  2910972  2218120  506032
3.30       2891556  2894632  2910896  2215760  505112
3.40       2891596  2894672  2910936  2216052  504568
3.41-BAD   2891596  2894672  2910936  2216052  504568
3.41-FIX   2891596  2894672  2910936  2216052  504568
3.42       2891596  2894672  2910936  2216052  504568
3.50       2891684  2894836  2911100  2216096  504640
3.55       2891684  2894836  2911100  2216096  504640

<keperfear> coreos 3.55 with above 1,2,16,23,24 combined patches: coreos355nandandnordowngradepatches.rosx (7 MB)

Status

MFW patch_lv1checks.tcl seems to work fine. It still needs field testing, which only people with a hardware flasher can do.

Update:

   [01:43:10]	<Ryd3R>	RSOD x_x
   [01:44:41]	<Ryd3R>	i hate when it shows up
   [01:45:20]	<Ryd3R>	@eussNL: are you there ?
   [01:46:41]	<eussNL>	I am, but also a lot of side stuff going on, what's the problem all of a sudden and what did you do to make it bitch like that?
   [01:47:36]	<Ryd3R>	i did the 3.70 downgrade using a teensy++
   [01:48:42]	<Ryd3R>	it works well when i revert back to 3.70
   [01:49:23]	<Ryd3R>	i think it has something to do with the fuckin syscon
   [01:49:37]	<eussNL>	ok, did you patch lv1 ?
   [01:49:43]	<Ryd3R>	yeah
   [01:50:09]	<Ryd3R>	the No hash check patch right ?
   [01:51:50]	<Ryd3R>	for some fuckin reason any version prior to 3.70 gave me an rsod
   [01:52:41]	<Ryd3R>	i tried using the recovery menu to update to 3.60 from 3.55 (lv1 patched) still rsod
   [01:53:15]	<eussNL>	yes and then some... Ryd3R> the No hash check patch right ?
   [01:53:46]	<eussNL>	http://www.ps3devwiki.com/index.php?title=Talk:Downgrading_with_NOR_flasher#Combined_TCL
   [01:55:47]	<Ryd3R>	i'll give it a try

   [02:16:19]	<Ryd3R>	thanks eussNL you're the man, the patch works like a charm
   [02:22:53]	<eussNL>	good to hear, hope it stays flawless now :)


V2

http://darkconsoles.com/foro/viewtopic.php?f=7&t=16

NOR offsets used

Target area   Patch no.   NOR offset   Paste length   Remarks
ROS0          patch1      0C0010       6FFFE0         version string not changed?
ROS1          patch2      7C0010       6FFFE0         same as patch1?
trvk_pkg0     patch3      80000        20000
trvk_pkg1     patch4      A0000        20000
trvk_prg0     patch5      40000        20000
trvk_prg0     patch6      60000        20000

LV1 patches used

http://www.multiupload.com/DVFD9AZGO5