Downgrade BluRay Playback Issue

From PS3 Developer wiki
Revision as of 20:16, 8 July 2011 by Euss (talk | contribs)

PS3 BLU-RAY PLAYBACK PROHIBITED ROOT CAUSE ANALYSIS

Introduction

Many users have experienced the loss of blu-ray playback on the PS3 after performing a system firmware downgrade to a previous version. Little was known about the cause of this prohibition early on, but this document will outline the causes and effects.


Overview

By the end of this document you will know the issue, the causes, and what is affected.


Reproducing Issue

To reproduce the issue a few pre-requisites must be met:


Pre-requisites for Issue

  1. Service JIG device
    1. PSGrade
  2. Lv2diag.self (stage 1)
    1. DGF.rar archive "File 1"
  3. Lv2diag.self (stage 2)
    1. DGF.rar archive "File 2"
  4. PS3UPDAT.PUP
    1. 3.15 version is best
    2. 3.41 modified version in the DGF.rar is not recommended but is not at issue
  5. PS3 with large NAND (fat models CECHA-CECHG)
    1. Keep in mind there are CECHG systems with small NAND non-volatile memory that rely on HDD volatile memory for dev_flash3 and are unaffected
  6. USB flash device
    1. Any freshly-formatted (BLANK) usb-based flash drive can be utilized


Steps to Reproduce Issue

The steps required to reproduce the issue are the same as those used to downgrade.

  1. Insert service jig
    1. Use the right-most port closest to the blu-ray drive
  2. jailbreak power sequence
    1. Power then eject within 200 milliseconds
  3. power off via XMB
    1. System will boot and toggle service-mode
    2. Shutdown properly
  4. remove service jig
  5. insert flash drive
    1. Be sure the flash drive has only these 2 files
      1. Lv2diag.self
      2. PS3UPDAT.PUP
  6. power on PS3 normally
    1. No need for the jailbreak sequence
  7. once shutdown remove flash drive
    1. PS3 will load the Lv2diag.self
      1. Create non-volatile memory storage regions (partitions)
      2. Format non-volatile memory partitions
      3. Install update_files from PS3UPDAT.PUP
      4. Update blu-ray revoke list
      5. Write DRL1 and DRL2
      6. Adjust blu-ray drive firmware
      7. UPDATE_LOG.TXT is left behind outlining what was done
  8. insert flash drive with stage 2 Lv2diag.self
    1. PS3 will load the Lv2diag.self
      1. Lv2diag.self will toggle off service mode
  9. power on ps3 normally
    1. unknown additional settings in this reboot
  10. will shutdown automatically
    1. downgrade is now completed
  11. remove flash drive
  12. power on ps3 normally
    1. no jailbreak sequence or dongles
  13. setup ps3, verify firmware version
    1. As a result of the non-volatile memory being created anew, all system settings stored in flash are wiped out
  14. power off ps3 via XMB, then remove power completely
  15. insert jailbreak device
  16. power on ps3
  17. verify DRL1/DRL2
    1. Use DRLinfo (releasing for PS3 soon)


Analyzing UPDATE_LOG.TXT

An analysis of the UPDATE_LOG.TXT follows:

manufacturing updating start
PackageName = /dev_usb000/PS3UPDAT.PUP
settle polling interval success
vflash is disabled...
boot from nand flash...

The PS3UPDAT.PUP file was found on the usb-based device, and "vflash" (virtual flash) is disabled because the device uses real "flash".

creating flash regions...
create storage region: (region id = 2)
format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
create storage region: (region id = 3)
format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
create storage region: (region id = 4)
format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
create storage region: (region id = 5)
create storage region: (region id = 6)

All non-volatile memory regions have been created; if they previously existed with data, that data is gone.

Initializing
taking a while...
start Updating Proccess
Initialize elapsed time = 58 msec
check UPL
Check UPL elapsed time = 51 msec
check Package Size
get package size elapsed time = 8 msec
start Updating Package
Update packages num = 30
Update packages total size = 162260220

30 packages are included for updating in the update_files.tar archive inside the PS3UPDAT.PUP

Update Package Revoke list
read package revoke list package (576 bytes) elapsed = 22 msec
update package revoke list elapsed = 107 msec
Update Package Revoke list done(0x8002f000)

Package revoke list has been updated

Update Core OS Package
read core os package (5182047 bytes) elapsed = 305 msec
update core os package elapsed = 1806 msec
Update Core OS Package done(0x8002f000)

Core OS package has been installed and compared

Update VSH Package
sys_memory_container_create() success(id = 0xc0effffe)
Update VSH's package : 1/22
read vsh package (1847 bytes) elapsed = 9 msec
decrypt and verify vsh package elapsed = 26 msec
write vsh package elapsed = 8953 msec
compare vsh package elapsed = 0 msec
...
Update VSH's package : 22/22
read vsh package (5315230 bytes) elapsed = 329 msec
decrypt and verify vsh package elapsed = 223 msec
write vsh package elapsed = 1955 msec
compare vsh package elapsed = 381 msec
Update VSH Package done(0x8002f000)

VSH packages have been installed and compared

Bul-ray Disc Player Revoke
read bdp revoke package (1905 bytes) elapsed = 24 msec
decrypt and verify bdp revoke package elapsed = 33 msec
write bdp revoke package elapsed = 2747 msec
compare bdprevoke package elapsed = 58 msec
Bul-ray Disc Player Revoke done(0x8002f000)

Bul-ray (sic) disc player revoke package installed and compared

Update Program Revoke list
read program revoke list package (736 bytes) elapsed = 23 msec
update program revoke list elapsed = 317 msec
Update Program Revoke list done(0x8002f000)

Program revoke list updated

move_2block_status_into_the_region(): region id = 3

??? unknown

rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1103 msec

DRL1 has been written

touch_1st_sector_in_block() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
touch_1st_sector() done (ret = 0x8002f000)
touch_1st_sector() elapsed time = 1422 msec

??? unknown, perhaps verification of write

rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1103 msec

DRL2 has been written

Update BD firmware
read BD firmware package (1966992 bytes) elapsed = 120 msec
update BD firmware elapsed = 186 msec
...
read BD firmware package (1639296 bytes) elapsed = 102 msec
update BD firmware elapsed = 153 msec
Update BD firmware done(0x8002f000)

Drive firmware has been updated

Update Multi-Card controller firmware
read MCC package (28636 bytes) elapsed = 24 msec
update MCC elapsed = 28 msec
Update Multi-Card controller firmware done(0x8002f000)

MC firmware has been updated

Update BlueTooth firmware
read BT package (644322 bytes) elapsed = 44 msec
update BT elapsed = 59 msec
Update BlueTooth firmware done(0x8002f000)

BT firmware has been updated

Update System controller firmware
read SC patch package (4864 bytes) elapsed = 23 msec
read SC patch package (4864 bytes) elapsed = 22 msec
read SC patch package (4864 bytes) elapsed = 22 msec
Update System controller firmware done(0x8002f000)

SC firmware has been updated

update package elapsed time = 262119 msec
post processiong...
post processiong done
cleanup update status (ret = 0)

Post processing and cleanup

os version = 03.4100
build_version = 45039,20100721
region of core os package = 0x40000000
build_target = CEX-ww
build target id = 0x83
manufacturing updating SUCCESS(0x8002f000)
set product mode (ret = 0)
Total Elapsed time = 264647 msec

Details of the system downgraded
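
As an added example (not part of the original wiki page or of any PS3 tool), the following Python parses the log lines quoted above and reports which flash partitions were formatted, each stage's return code, and the rewrite_region() calls. It assumes 0x8002f000 is the success value, since it appears on the final SUCCESS line, and that BUILTIN_FLSH3 backs dev_flash3; the sample log is an abbreviated excerpt constructed from the lines shown above.

```python
import re

# Constructed sample: abbreviated excerpt of the UPDATE_LOG.TXT lines quoted above.
SAMPLE_LOG = """\
format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
Update Package Revoke list done(0x8002f000)
Bul-ray Disc Player Revoke done(0x8002f000)
rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
os version = 03.4100
manufacturing updating SUCCESS(0x8002f000)
"""

OK_CODE = 0x8002F000  # assumption: the value this log prints for every completed step
HEX = r"(0x[0-9a-fA-F]+)"
FORMAT_RE = re.compile(r"format partition: \(region_id = (\d+), CELL_FS_IOS:(\w+), (\w+)\)")
STAGE_RE = re.compile(rf"^(.+?) done\({HEX}\)$")  # "<stage name> done(0x...)"
REWRITE_RE = re.compile(rf"rewrite_region\(\) region id = {HEX}, start_lba = {HEX}, end_lba = {HEX}")
VERSION_RE = re.compile(r"os version = (\S+)")
FINAL_RE = re.compile(rf"manufacturing updating SUCCESS\({HEX}\)")

def parse_update_log(text):
    """Summarise what a service-mode update log says was changed on flash."""
    out = {"formatted": {}, "stages": {}, "rewrites": [],
           "os_version": None, "success": False}
    for line in map(str.strip, text.splitlines()):
        if m := FORMAT_RE.search(line):      # device -> (region id, filesystem)
            out["formatted"][m.group(2)] = (int(m.group(1)), m.group(3))
        elif m := REWRITE_RE.search(line):   # (region id, start_lba, end_lba)
            out["rewrites"].append(tuple(int(g, 16) for g in m.groups()))
        elif m := STAGE_RE.match(line):      # stage name -> return code
            out["stages"][m.group(1)] = int(m.group(2), 16)
        elif m := VERSION_RE.search(line):
            out["os_version"] = m.group(1)
        elif m := FINAL_RE.search(line):
            out["success"] = int(m.group(1), 16) == OK_CODE
    # Stages whose return code differs from the one on the final SUCCESS line.
    out["failed_stages"] = [n for n, rc in out["stages"].items() if rc != OK_CODE]
    # Assumption: BUILTIN_FLSH3 backs dev_flash3, where the page says DRL1/DRL2 live.
    out["drl_store_wiped"] = "BUILTIN_FLSH3" in out["formatted"]
    return out

if __name__ == "__main__":
    print(parse_update_log(SAMPLE_LOG))
```

A log in which drl_store_wiped is true shows that the partition holding DRL1 and DRL2 was reformatted, which is the condition the rest of this page traces the playback failure to.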


Restoring Service

There are two methods of restoring service as it was: from a real backup and from a derived backup. The two methods differ only in the origin of the backup files to be utilized; both methods ultimately utilize the same files.

Backup

Playback is easily restored by copying a current backup (current in this case means no new MKB has been loaded by the drive since the backup was created) of DRL1 and DRL2 to the /dev_flash3/data-revoke/drl directory.

Derived backup

When a current backup (current in this case means no new MKB has been loaded by the drive since the backup was created) is not available, it is possible to derive the DRL1 and DRL2 files from the AACS protected title that was used by the system to create the DRL1 and DRL2 files.

This method requires precise knowledge of the following:

  • all blu-ray titles the drive has loaded
  • the order they were loaded
  • MKB versions of each disc loaded

If the above conditions have been met, deriving the DRL1 and DRL2 files only requires the MKB, which is stored as /AACS/MKB_RO.inf on the AACS protected blu-ray disc.
Link to DRLgen instructions here.


Fixing

With the root cause of the issue understood, potential methods of fixing the issue can be brainstormed and the original source of the issue can be outright blamed.

The following fixes have been postulated:

  1. Fix the Lv2diag.self
    1. The Lv2diag.self (stage 1) file in the DGF.rar is a manufacturing service tool, and assumes the non-volatile memory either does not exist or has been corrupted beyond repair. One of the first steps it performs is the creation and formatting of all storage regions: dev_flash, dev_flash2, and dev_flash3.
  2. Patch the blu-ray player to not perform the HRL <--> DRL sanity check
    1. Before the AACS drive-host authentication begins (reading the MKB version to determine if it is newer) the player performs a sanity check to determine if the DRL and HRL are a matched set.
    2. If the DRL and HRL are not a matched set, playback is prohibited
    3. If the "drl" directory (and therefore DRL1 and DRL2), or DRL1 or DRL2, is not found, the error message (8002???) indicates playback is not possible
  3. Reset the HRL on the drive to match the DRL1 and DRL2 files
    1. This third Lv2diag.self should have been included in the DGF.rar package by the original creators to prevent this whole issue.