Downgrading with Hardware flasher: Difference between revisions

From PS3 Developer wiki
(Added/expanded Euss's update)
Line 1: Line 1:
[[Category:Software]][[Category:Hardware]]
<div style="float:right">[[File:NAND-downgrading-steps.png|200px|thumb|left|NAND flasher downgrader steps]]<br />[[File:NOR-downgrading-steps.png|200px|thumb|left|NOR flasher downgrader steps]]<br />[[File:Downgrading-installation-steps.png|200px|thumb|left|Downgrading installation steps ]]</div>
== Dump ==
Connect your [[Hardware flashing]] device and '''[[Validating_flash_dumps|make sure you are getting 100% correct, valid, verified dumps]].'''
== Checking console capability of running 3.55 ==
Compare the values found in your dump with those in the [[Downgrading_with_Hardware_flasher#metldr.2Bbootldr_sizes|'''metldr+bootldr sizes''']] table
If not having a dump, use the [[Talk:Playstation_Update_Package_(PUP)#Using_fake_upgrade_to_get_lowest_firmware_version_info|MinVer PUP method]]
'''Note:'''
: The mention of minimal version praxis on several other wikipages is only a rough indication.
: The two most accurate ways are to look at the actual dump and the [[Talk:Playstation_Update_Package_(PUP)#Using_fake_upgrade_to_get_lowest_firmware_version_info|MinVer PUP method]] itself, instead of flying blind on [[SKU_Models#Retail_Models|SKU tables]] and [[SKU_Models#Datecode_.2F_Manufacturing_Date|datecodes]]
=== metldr+bootldr sizes ===
{{metbootldr}}
==Patch the dump & Reflash it to the console ==
<div style="float:right">[[File:Flowrebuilder-Autopatcher.png|200px|thumb|left|Flowrebuilder : Autopatcher]]<br />[[File:Flowrebuilder-Autopatcher-completed.png|200px|thumb|left|Flowrebuilder : Autopatcher - completed]]</div>
For patching you can use:
* Hexeditor (e.g. [http://mh-nexus.de/en/hxd/ HxD])
* [http://www.ps3devwiki.com/files/flash/Tools/Flowrebuilder/ Flowrebuilder] (both NOR + unified NAND)
* in case of Progskeet, latest Winskeet/iSkeet/YASkeet (both NOR + unified NAND)
* [http://www.tortuga-cove.com/forums/viewtopic.php?t=3485 PS3 Nor Dump Auto-Patcher v0.01] [http://www.ps3devwiki.com/files/flash/patches/!Alternative/PS3%20Nor%20%20Dump%20Patcher%20v0.01.rar PS3 Nor  Dump Patcher v0.01.rar] [[http://www.mediafire.com/?a250qvc3c88bcka mirror] (NOR only)
[http://pastie.org/5400071 NAND + NOR patchfile.txt]
=== NAND ===
Use [http://www.ps3devwiki.com/files/flash/patches/NAND%20downgrade/ NAND patches] only on NAND consoles, not on NOR!
{|class="wikitable"
|-
! Target area !! Patchfile !! NAND Offset !! Paste length !! Remarks
|-
| ROS0 || [http://www.ps3devwiki.com/files/flash/patches/NAND%20downgrade/NAND-patch1-0x0C0030.bin patch1&nbsp;(7&nbsp;MB)] || 0x0C0030 || 0x6FFFE0 || CoreOS (prepatched 3.55)
|-
| ROS1 || [http://www.ps3devwiki.com/files/flash/patches/NAND%20downgrade/NAND-patch1-0x0C0030.bin patch1&nbsp;(7&nbsp;MB)] || 0x7C0020 || 0x6FFFE0 || CoreOS (SAME as ros0)
|-
| trvk_prg0&nbsp;(0x91800)<br />trvk_prg1&nbsp;(0x92810)<br />trvk_pkg&nbsp;(0x93800) || [http://www.ps3devwiki.com/files/flash/patches/NAND%20downgrade/NAND-patch2-0x91800.bin patch2&nbsp;(16&nbsp;KB)] || 0x91800 || 0x4000 || one big patch overlapping several revoke area's
|-
|}
(above patches in a single package + autopatcher file: [http://www.ps3devwiki.com/files/flash/patches/NAND%20downgrade.rar NAND downgrade.rar] [http://www.mirrorcreator.com/files/ADUPAMIU/NAND_downgrade.rar_links mirror])
=== NOR ===
Use [http://www.ps3devwiki.com/files/flash/patches/NOR%20downgrade/ NOR patches] only on NOR consoles, not on NAND!
{|class="wikitable"
|-
! Target area !! Patchfile !! NOR Offset !! Paste length !! Remarks
|-
| ROS0 || [http://www.ps3devwiki.com/files/flash/patches/NOR%20downgrade/patch1 patch1 (7 MB)] || 0x0C0010 || 0x6FFFE0 || CoreOS (prepatched 3.55)
|-
| ROS1 || [http://www.ps3devwiki.com/files/flash/patches/NOR%20downgrade/patch1 patch1 (7 MB)] || 0x7C0010 || 0x6FFFE0 || CoreOS (SAME as ros0)
|-
| trvk_prg0 (0x40000) <br />trvk_prg1 (0x60000)<br />trvk_pkg0 (0x80000) <br />trvk_pkg1 (0xA0000) || [http://www.ps3devwiki.com/files/flash/patches/NOR%20downgrade/rvk-040000 rvk-040000 (512 KB)] || 0x40000 || 0x80000 || one big patch<br />overlapping several revoke area's
|-
|}
(above patches in a single package + autopatcher file: [http://www.ps3devwiki.com/files/flash/patches/NOR%20downgrade.rar NOR downgrade.rar] [http://www.mirrorcreator.com/files/1BOYLZOO/NOR_downgrade.rar_links mirror])
==== E3 Flasher ====
Use these instead, otherwise you get into a maze of bytereversing: [[E3#Manual_E3_downgrade_v2|E3 Manual downgrade patches]]
==Reinstall firmware in Factory Service Mode==
==Reinstall firmware in Factory Service Mode==
For this step it is required to have the console assembled (connected PSU, harddrive, wifi/bt board etc)
For this step it is required to have the console fully assembled (connected PSU, harddrive, wifi/bt board, blu-ray drive etc).


<ol>
<ol>
<li> Use the PSGrade/JIG dongle to trigger Factory Service Mode
<li>Use the PSGrade/JIG dongle to trigger Factory Service Mode
<ul>
<ul>
<li>Remove power from the console (switch on back or removing powercord)</li>
<li>Remove power from the console (rear power switch or remove powercord)</li>
<li>Put PSGrade/JIG dongle in the rightmost USB port (closest to the Blu-Ray reader)</li>
<li>Put PSGrade/JIG dongle in the right-most USB port (closest to the Blu-Ray drive)</li>
<li>Put power on (switch on back or reattaching powercord)</li>
<li>Power on the console so it is in standby (rear power switch or remove powercord)</li>
<li>Press powerbutton on front then immediately press eject within ~200ms.</li>
<li>Press power button on front of the PS3 then immediately press eject within ~100ms</li>
<li>Console will poweron, trigger Factory Service Mode and turn off the console when done.</li>
<li>If powered on correctly your dongle will light up (usually green) and trigger Factory Service Mode. The PSGrade will then power off the console. If it boots into the XMB with a red FSM logo in the corner you are using an old PSGrade.</li>
</ul>
</ul>
<li> After triggering Factory Service Mode, put the Lv2diag.self (see below) and prepatched firmware to install (named PS3UPDAT.PUP) in root of your USB Mass Storage Device and plug it in the PS3 (again, in the rightmost USB port).</li>
<li> Put the Lv2diag.self (see below) and a [http://www.ps3devwiki.com/index.php?title=Downgrading_with_Hardware_flasher&action=submit#PUP_to_use pre-patched firmware] to install (named PS3UPDAT.PUP) in root of your USB Mass Storage Device and plug it in the PS3 (in the same port as the PSGrade).</li>
<li> Turn PS3 on, it will install the firmware you had put there (even though you have no screenoutput, you can see it is busy by looking at the activity led of the harddrive and of your USB Mass Storage Device).</li>
<li> Turn PS3 on and it will automatically install the firmware you had put there. You will not have anything on the screen, you can only tell it is installing by the flashing USB and PS3's HDD light</li>
<li> PS3 will turn itself off after finishing the firmware installation.<br />A logfile should be present in root of the USB Mass Storage Device with no errors</li>
<li> PS3 will turn itself off after finishing the firmware installation (If it flashes red the firmware did not install correctly).<br />A logfile should be present in root of the USB Mass Storage Device with no errors</li>
</ol>
</ol>
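Review bot: the new "Power on the console so it is in standby" item still carries the parenthetical "(rear power switch or remove powercord)", copied from the "Remove power from the console" item two lines above it. The line it replaces said "switch on back or reattaching powercord", so this should read "rear power switch or reattach powercord". In the same list, the new step 2 links to index.php?title=Downgrading_with_Hardware_flasher&action=submit#PUP_to_use, which is an edit-form URL; an internal section link to "PUP to use" is the safer target. The eject timing also changes from ~200ms to ~100ms with nothing in the edit summary saying where the new figure comes from.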


Line 79: Line 19:


=== PUP to use ===
=== PUP to use ===
{{RogeroFirmware}} or any firmware with prepatched lv1 (no syscon hash checks)
Any firmware with pre-patched Lv1 (no syscon hash checks).
 
Example:
 
OFW 3.55
Kmeaw 3.55 (Lv1 Patched)
[http://www.tortuga-cove.com/forums/viewtopic.php?f=127&t=4137&p=17076#p17076 Rogero 4.30 v2.03]
 
Recommended:
 
[http://www.tortuga-cove.com/forums/abbcode_page.php?mode=click&id=591 Rogero 3.55 v3.7] (Can be installed without blu-ray drive)


=== Different Factory Service Mode SELFs ===
=== Different Factory Service Mode SELFs ===
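Review bot: the three new "Example:" entries (OFW 3.55, Kmeaw 3.55, Rogero 4.30 v2.03) are on consecutive lines with no list markup, so they run together on one line in the rendered revision ("OFW 3.55 Kmeaw 3.55 (Lv1 Patched) Rogero 4.30 v2.03"); make each one a * list item. "OFW 3.55" is listed under "Any firmware with pre-patched Lv1" while only the Kmeaw entry is marked "(Lv1 Patched)", so the text should say whether OFW is meant to qualify. The Rogero 3.55 v3.7 link goes through abbcode_page.php?mode=click&id=591 rather than pointing at the forum post directly, as the Rogero 4.30 link does.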
Line 96: Line 46:
* <span style="text-decoration: line-through; background-color:#FFDDDD;">use the jaicrab NoBD lv2diag : Use the Rogero normal PUP -</span> see note below
* <span style="text-decoration: line-through; background-color:#FFDDDD;">use the jaicrab NoBD lv2diag : Use the Rogero normal PUP -</span> see note below


'''note:''' since V3 Rogero is only available as noBD, us that one with normal lv2diag.self  
'''note:''' since V3.7 Rogero is only available as noBD, use that one with normal lv2diag.self  


{|class="wikitable"
{|class="wikitable"
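Review bot: the NAND copy of this note is left at "since V3 Rogero is only available as noBD" (see the rendered revision), while the copy changed here, which sits under the "use the jaicrab NoBD lv2diag" item of the NOR list, now says "since V3.7". Update both notes in the same edit so the two sections agree on the version.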
Line 128: Line 78:
|-
|-
|}
|}
== Dehashing ==
{{Dehashing}}
=== QA dehashing ===
{{QA dehashing}}
=== reFSM dehashing ===
{{reFSM dehashing}}
==== Remarks ====
'''ReFSM''' way is strongly recomended over '''QA''' if you do NOT install a nonpatched firmware
Both ways ''require'' installing nonpatched firmware to dehash syscon bank. QA-flag can be removed/reset after succesfull dehash, without bricking.
  <domelec> dehash procedure: fsm install ofw
            after console turns off take out usb stick and look at log file,
            if log is ok then reinsert usb stick and turn on console,
            ofw will then reinstall, after console turns off again
            take out usb stick and check log, if ok then exit fsm
  <eussNL> do double FSM OFW, then get out of service mode.
  <eussNL> check everything is working
  <eussNL> THEN and only THEN, you can install whatever you want, in recovery.
  <eussNL> there is no need for factory mode after dehashing complete
  <eussNL> in fact, if everything works on OFW 3.55 after dehashing,
  <eussNL> you can install [http://www.ps3devwiki.com/files/firmware/MFW-CEX/Downgrader/Rogero-V3.2/ Rogero V3.2] in recovery and [http://www.ps3devwiki.com/files/flash/Tools/toggle-qa/ QA-extra] flag it 
  <eussNL> if OFW 3.55 works then you proven that you dehashed
  <eussNL> so after that you can install whatever MFW 3.55 you want
  <eussNL> If for some reason you cannot dehash because of BD or BT errors
          then you can use PS3MFW Builder and the broken Blueray / broken Bluetooth
          tasks. Do not select downgrader patches, or you will not dehash!
  <eussNL> BD error can be persistant if flasher is still attached,
          see: http://www.ps3devwiki.com/wiki/Talk:Hardware_flashing#BD_drive_not_found_problem
  <eussNL> 3 options: 1. open R7/R8  /  2. remove flasher control lines / 3. remove all flasher wiring
  <playonlcd> i  think you can update on wiki "dehashing with jaicrab is not recommended
              and will not dehash as needed and thus semibrick by syscon hash panic
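Review bot: the whole Dehashing section (QA dehashing, reFSM dehashing, Remarks and the IRC excerpt) appears on one side of this hunk only and is absent from the rendered revision, yet the edit summary "(Added/expanded Euss's update)" mentions no removal. If the section was moved, leave a "See also" link to its new location. Otherwise the remark that both ways "require installing nonpatched firmware to dehash syscon bank" is lost to readers of a page that now only tells them to install a pre-patched PUP.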

Revision as of 15:25, 2 December 2012

Reinstall firmware in Factory Service Mode

This step requires the console to be fully assembled (PSU, hard drive, Wi-Fi/BT board, Blu-ray drive etc. connected).

  1. Use the PSGrade/JIG dongle to trigger Factory Service Mode
    • Remove power from the console (rear power switch or remove powercord)
    • Put PSGrade/JIG dongle in the right-most USB port (closest to the Blu-Ray drive)
    • Power on the console so it is in standby (rear power switch or remove powercord)
    • Press power button on front of the PS3 then immediately press eject within ~100ms
    • If powered on correctly, your dongle will light up (usually green) and trigger Factory Service Mode. The PSGrade will then power off the console. If it boots into the XMB with a red FSM logo in the corner, you are using an old PSGrade.
  2. Put the Lv2diag.self (see below) and a pre-patched firmware to install (named PS3UPDAT.PUP) in the root of your USB Mass Storage Device and plug it into the PS3 (in the same port as the PSGrade).
  3. Turn the PS3 on and it will automatically install the firmware you put there. Nothing is shown on screen; you can only tell it is installing by the flashing USB and PS3 HDD lights.
  4. The PS3 will turn itself off after finishing the firmware installation (if it flashes red, the firmware did not install correctly).
    A logfile should be present in the root of the USB Mass Storage Device, with no errors.

See also Downgrading with PSgrade Dongle, which also contains a lot of ready-to-use PSgrade HEX files for several dongles.

PUP to use

Any firmware with pre-patched Lv1 (no syscon hash checks).

Example:

  • OFW 3.55
  • Kmeaw 3.55 (Lv1 Patched)
  • Rogero 4.30 v2.03

Recommended:

Rogero 3.55 v3.7 (Can be installed without blu-ray drive)

Different Factory Service Mode SELFs

NAND

For Factory Service Mode install:

  • if using the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
  • if using the jaicrab NoBD lv2diag : Use the Rogero normal PUP - see note below (and redump flash after FSM to check both ROS)

note: since V3 Rogero is only available as noBD, use that one with normal lv2diag.self

NOR

Use the normal lv2diag and use the Rogero normal PUP

Only on a console with a broken Blu-ray drive, either:

  • use the normal lv2diag : Use a NoBD patched PUP (e.g. Rogero NoBD PUP) (to prevent error 0x8002f057)
  • use the jaicrab NoBD lv2diag : Use the Rogero normal PUP - see note below

note: since V3.7 Rogero is only available as noBD, use that one with normal lv2diag.self

{|class="wikitable"
|-
! Filename !! Size (bytes) !! Remarks !! SHA1 !! MD5 !! CRC32 !! CRC16
|-
| Lv2diag.self (365.5 KB) || 374272 || 3.55 get in FSM * || 1ED037740D67FEBACA6449CABFF4E95400C9E2EE || 099F33A7967F99E91C07E870FD78B3DB || 9338ABF2 || 4FCC
|-
| Lv2diag.self (227.38 KB) || 232832 || jaicrab noBD patched || 180823003B086D9D49BC7F83BEA9C769BF73A5EA || 3615770407C0C3FA00D8CA49C8ADB362 || 25E85CFB || EDD0
|-
|}

* recommended default choice, see above notes

Check the logfile

After installing the firmware, open the logfile created in the root of the USB Mass Storage Device and check whether it contains errors (pastie the log if you want to ask for help online on IRC).

Tip: You can boot console to XMB while still in FSM, if you want to be really sure it installed fine.

Getting out of Factory Service Mode

If everything went fine without errors, you can take the console out of service mode and enjoy your downgraded console :)

  1. Put the Lv2diag.self (see below) in the root of your USB Mass Storage Device and plug it into the PS3 (again, in the rightmost USB port).
  2. Turn the PS3 on; it will switch Factory Service Mode off and shut down.
{|class="wikitable"
|-
! Filename !! Size (bytes) !! Remarks !! SHA1 !! MD5 !! CRC32 !! CRC16
|-
| Lv2diag.self (201.42 KB) || 206256 || get out FSM || 329877CBD47B994EC0AFCEA6AF98114FD9E5128B || 7A20BFDAE65EEFB47A4425DB1B52DCDE || 72740080 || 502A
|-
|}
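
All three files in the two tables above share the name Lv2diag.self, so the check below, added here as an example and not part of the wiki page, identifies which one is on the USB stick by comparing its size, SHA1, MD5 and CRC32 with the table values. The command-line path is an assumption, and the CRC16 column is not checked because the page does not say which CRC16 variant it uses.

```python
import hashlib
import sys
import zlib

# (remark, size in bytes, SHA1, MD5, CRC32) copied from the page's two tables.
KNOWN = [
    ("3.55 get in FSM", 374272, "1ED037740D67FEBACA6449CABFF4E95400C9E2EE",
     "099F33A7967F99E91C07E870FD78B3DB", "9338ABF2"),
    ("jaicrab noBD patched", 232832, "180823003B086D9D49BC7F83BEA9C769BF73A5EA",
     "3615770407C0C3FA00D8CA49C8ADB362", "25E85CFB"),
    ("get out FSM", 206256, "329877CBD47B994EC0AFCEA6AF98114FD9E5128B",
     "7A20BFDAE65EEFB47A4425DB1B52DCDE", "72740080"),
]


def digests(path, chunk=1 << 16):
    """Return (size, SHA1, MD5, CRC32) of a file, hex digests in upper case."""
    sha1, md5, crc, size = hashlib.sha1(), hashlib.md5(), 0, 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):  # one pass feeds all three checksums
            sha1.update(block)
            md5.update(block)
            crc = zlib.crc32(block, crc)
            size += len(block)
    return size, sha1.hexdigest().upper(), md5.hexdigest().upper(), f"{crc:08X}"


def identify(path, known=KNOWN):
    """Return the table remark whose size and all three checksums match, else None."""
    found = digests(path)
    for remark, *expected in known:
        if tuple(expected) == found:
            return remark
    return None


if __name__ == "__main__":
    # Assumed usage: python check_lv2diag.py /path/to/usb/Lv2diag.self
    for p in sys.argv[1:]:
        print(p, "->", identify(p) or "NO MATCH: not a file listed in the tables")
```

A file that matches on size but not on every checksum is reported as no match, which is the case to catch before powering the console on with the stick inserted.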