This page is very old, archaic and only left her for documentative purposes.

missing in this old guide: Validating flash dumps

Newer proper guide is: Downgrading with Hardware_flasher

Downgrading with NAND Flasher[edit | edit source]

If your console has NOR and not NAND, look here : Downgrading with NOR flasher

This article is written based on firmware 3.60 (but also works on other firmwares) and Infectus for NAND bases consoles. See Hardware_flashing

Prerequisites[edit | edit source]

• NAND based console : CECHA, CECHB, CECHC, CECHE or CECHG. see SKU_Models
• Infectus with <3.9.9.0 firmware (allowing dual NAND flashing)

In case you need to downgrade the Infectus:

• Infectus downgrader
• Infectus_programmer_3.8_Beta_2
  • http://www.mirrorcreator.com/files/YQWKSKUU/InfectusProgrammer-3.9.3.0.rar_links
  • http://www.mirrorcreator.com/files/LKU5IYQA/InfectusProgrammer-3.9.9.0.rar_links

• FlowRebuilder v.4.1.0.0
• Hexeditor

Accessing the NAND[edit | edit source]

Power the Infectus, it crashes the PS3 and leaves the NANDs in powered mode:

Use the console to power the NANDs: power it up until the PS3 crashes and halts with red flashing LED, press power again to stop the flashing, but keeps the console powered on. The NANDs are not accessed by the PS3 in this way, so it doesn't matter if the NAND content is already messed up. After that, you can read/write the NANDs.

Use the Infectus to read the 2 different NAND chips. You get 2 files this way, one for each NAND : flash0.bin & flash1.bin

Interleave the 2 previous mentioned bin files into 1 single flash dump: flashfinal.bin (256MB)

( work in progress )

Posted on request by author: dospiedras1973

Original Spanish text[edit | edit source]

Original text :

Hola , llevo trabajando en este proyecto cerca de dos meses y ahora mismo ya que he conseguido que funcione lo publico para que todo el mundo pueda usarlo, este tutorial es para consolas con NAND flash de 256mb , no significa que no funcione en las de 16mb , en sí se modifica casi lo mismo en las que tienen nor flash , pero debido a que aún tengo jodida mi fat 80gb de 16mb no lo he podido ni probar ni verificar.

Al turrón ( la frase se la debo a algún forero de por aquí que me gustó mucho la expresión ) :

Con infectus sacamos nuestra nand flash0.bin y flash1.bin y como en el tutorial de lukin para reparar las bad nands hacemos el mismo proceso hasta que obtenemos nuestro dump flashfinal.bin de 256mb

esta nand la abrimos con un editor simple hex editor y buscamos esta parte

"00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0"

vereis que justo debajo ay una linea muy parecida , yo estos datos los encuentro en el offset 000C0020 , puede variar segun la nand y aqui empieza la fiesta :-D

reemplazamos INCLUSO ESA LINEA con el archivo 1patchcos.bin si usais el hxd poneros en el primer 0 de esa linea ->boton derecho y pegar escribiendo , antes teneis que tener abierto el 1patchcos.bin en el hxd y copiar en hex todo su contenido para poder pegarlo..

luego vamos a buscar el segundo archivo a parchear buscamos en el hxd en nuestro dump la parte :

"00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40"

y de la misma manera que se parchea el primero se parchea este también , cojemos el archivo 2patchtrvk.bin del pack y reemplazamos todo el contenido incluso el "00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40"

luego cogemos con el flowrebuilder usamos la opcion reescramble this dump para que nos vuelva a generar nuestro flash0.ECC.bin y flash1.ECC.bin

y flasheamos el resultado , cuando termineis notareis que la ps3 ahora enciende pero tiene un bonito black screen , vale cojemos nuestro jig para ponerla en factory service mode y la ponemos en factory , luego cojemos el tipico lv2diag de marras y el pup que querais

( AVISO : el primer pup que metais se quedará en la consola como la versión minima que podeis downgradear luego , por si quereis bajar de 3.55 a 3.41 luego tendreís que meter el pup 3.41 antes de subir a 3.55 o se quedará en 3.55 por que si no os costará volver a escribir el dump de nuevo para poder downgradear mas bajo del pup que pusisteis la primera vez. )

luego poneis el lv2diag para salir del factory service y ya está ;-)

Notas : esto vale para reparar el brick de waninkoko SIN NAND DONADA incluso en las placas sem-001 ( probado ) ( y de paso downgradeas xD )

agradecimientos :

a todo el canal #darkps3 de irc-hispano por apoyarme durante tanto tiempo ;-)
a austaquio32 por donar el infectus que lograra que siguiera con mi proyecto
a Nodial2ne por la ayuda que prestó localizando archivos en la nand
a robs1 por ayudarme en todo el proceso con ideas para que esto fuera posible

y a todo el que tuvo paciencia y no me atosigó por privado xD


pack :

http://pastebin.com/7tmtcdNN

Desagradecimientos :

er_poty : post que hago , post que viene a crear peleas y a mandarme privados diciendome que le llego a la suela de los zapatos a PDNKED

pd: llevo 4 años en paro , quien quiera donar algo desinteresadamente pueden ponerse en contacto conmigo via privado ( lo siento pero tengo 2 hijos y la ps3 no me da de comer ni a mi ni a ellos xD )
o eso o dadme un trabajo leñe!

Improved google translate based English text[edit | edit source]

256 with 3.6x downgrade INFECTUS nands [and other consoles repair waninbrick]

Hi, I've been working on this project for about 2 months now and, now that I know it works, I'm making it public so everyone can use it, this tutorial is for PS3s with 256mb NAND flashes, this doesn't mean it might not work on 16mb ones, the modification part is almost the same with NOR flashes, but since my 80gb PS3, which has a 16mb, is still ****ed up, I haven't had the opportunity to try it or verify it.

Let's go to the point (Translator's Note: a jargon is being used here, "turron" is replaced for "grano" since both are hard things):

With infectus, we extract our NAND flash0.bin and flash1.bin and, just like in lukin's tutorial for repairing bad NANDs, we do the same process until we get our 256mb flashfinal.bin dump.

We open this NAND with a simple hex editor and search for this part:
"00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0"

You'll see that right below there's a very similar line, I found this data in the 000C0020 offset, it might vary depending on the NAND. Ok, so here's where the fun starts :D

Replace, INCLUDING THAT LINE with the 1patchcos.bin file.
If you're using hxd, put it in the first 0 (zero) of that line -> right click and paste while writing. Before that you need to have open 1patchcos.bin in hxd and you need to copy all its content to be able to paste it.

Next, we're going to patch the second file, let's search in our dump with hxd the following part:

"00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40"

Just like with the first file, you need to patch this one the same way. We grab the 2patchtrvk.bin from the pack and replace all its content, including

"00 00 00 00 00 00 10 10 00 00 00 00 00 00 10 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 40"


After that, open them with flowrebuilder and use the "reescramble this dump" option so we can have generated our flash0.ECC.bin and flash1.ECC.bin again.

Flash the results. When you're done, you'll notice that when you start up your PS3, you'll have in front of you a nice little black screen. So now, grab your jig and put it in factory service mode, choose factory. Then, grab your good old lv2diag and whatever PUP you want.



(WARNING: The first PUP you put, will remain as the lowest downgradable version (Translator's note: does that make sense? Lol), now if you want to downgrade from 3.55 to 3.41, you'll need to put the 3.41 PUP before upgrading to 3.55, if not, it will stay at 3.55 because, otherwise, you'll have to go and write the dump all over again to be able to downgrade lower than the first PUP you put.)


Now, put lv2diag to get out of factory service and you're done.

Notes:
this also goes for repairing Waninkoko's brick without a donated NAND including sem-001 boards (proved) (and were downgraded that in the process xD)

Thanks:

to everyone at #darkps3 from irc-hispano for supporting me all this time.
to austaquio32 for donating infectus that made me finish this project.
to Nodial2ne for his help tracing files in the NAND.
to robs1 for helping in all this process with his idea that made this possible.

and to everyone that was patient and did not annoyed me with PMs.

Ungrateful to:

er_poty : every post I make, he starts a flame, and annoys me with PMs saying I'm not even at the same level of PDNKED

PS: I've being unemployed for 4 years. If anyone wants to donate anyways, you can contact me via PM (I'm sorry but I have 2 child and the PS3 doesn't feed them or me xD)
Either that or give me an f'n job! xD

PS3s compatibles with this method (Thanks pdnked):
PS3 Fat:
CECHA = 256MB
CECHB = 256MB
CECHC = 256MB
CECHE = 256MB
CECHG = 256MB

Reposted on :

• http://www.ps3hax.net/2011/06/phat-ps3-firmware-3-6x-downgrade-via-infectus-waninkoko-brick-fix/
• http://psx-scene.com/forums/content/phat-ps3-firmware-3-6x-downgrade-via-infectus-waninkoko-brick-fix-63/

Addition:

• http://www.elotrolado.net/hilo_fix-instalacion-infectus-en-sem-001-funcional_1639311

hola , este tuto es pequeñito pero lo pongo en un hilo nuevo por que va a traer miga y no quiero mezclar contenidos :

el infectus se instala de la misma manera que en las demas consolas la unica diferencia es que en esta consola tenemos una nand a un lado de la consola y otro al otro , imaginad que esa nand que cambia de sitio es la segunda nand , en la que en el esquema oficial está por encima del conector del hdd los puntos a soldar son iguales , PERO

el infectus tiene un punto de 5v , NO LO SOLDEIS DEJADLO NO HACE FALTA

hace falta colocar un diodo zener en la nand que está en la otra vuelta de la placa para darle corriente a las 2 nands directamente con el infectus aqui las fotos :
aqui el zener a utilizar para alimentar las nands
Imagen

aqui el punto a donde va el diodo soldado directamente sin cables preferiblemente :

Imagen

el GND que está al lado de los 5v del infectus porfavor soldadlo con un cable gruesín eh ...

y la parte roja del diodo con un cablecito lo conectamos aqui en el infectus :

Imagen


vale , con eso y el resto de la instalación como era , la ps3 la teneis que leer y escribir perfectamente SIN DARLE CORRIENTE a la fuente , no hace falta ya con el infectus alimentas las nands lo suficiente para leer y escribir , porsupuesto he de decir que nunca tengais conectado con este metodo la fuente a la corriente y el infectus al usb , por que podría pasar algo malo xD

gracias al que subió las fotos xD

PD: el diodo lo podeis sacar de muchas placas rotas que tengais por ahi , casi todos los aparatejos calzan un zener de esos xD

por cierto el unico programa compatible con sem-001 es el infectus nand flasher 1.03 ay que instalar otros drivers del libusb que vienen incluidos con el programa que está por ahí xD

When downgrading from 3.66 to 3.15 on NAND:

manufacturing updating start
PackageName = /dev_usb000/PS3UPDAT.PUP
settle polling interval success
vflash is disabled...
boot from nand flash...
creating flash regions...
create storage region: (region id = 2)
format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
create storage region: (region id = 3)
format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
create storage region: (region id = 4)
format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
create storage region: (region id = 5)
create storage region: (region id = 6)
Initializing
taking a while...
start Updating Proccess
Initialize elapsed time = 61 msec
check UPL
Check UPL elapsed time = 33 msec
check Package Size
get package size elapsed time = 8 msec
start Updating Package
Update packages num = 29
Update packages total size = 160699026
Update Package Revoke list
read package revoke list package (576 bytes) elapsed = 7 msec
update package revoke list elapsed = 331 msec
Update Package Revoke list done(0x8002f000)
Update Core OS Package
read core os package (5193774 bytes) elapsed = 320 msec
update core os package elapsed = 1950 msec
Update Core OS Package done(0x8002f000)
Update VSH Package
sys_memory_container_create() success(id = 0xc0effffe)
Update VSH's package : 1/21
read vsh package (2070 bytes) elapsed = 8 msec
decrypt and verify vsh package elapsed = 23 msec
write vsh package elapsed = 9193 msec
compare vsh package elapsed = 0 msec
Update VSH's package : 2/21
read vsh package (5616383 bytes) elapsed = 351 msec
decrypt and verify vsh package elapsed = 340 msec
write vsh package elapsed = 1722 msec
compare vsh package elapsed = 402 msec
Update VSH's package : 3/21
read vsh package (3357780 bytes) elapsed = 212 msec
decrypt and verify vsh package elapsed = 227 msec
write vsh package elapsed = 2903 msec
compare vsh package elapsed = 312 msec
Update VSH's package : 4/21
read vsh package (5240122 bytes) elapsed = 328 msec
decrypt and verify vsh package elapsed = 308 msec
write vsh package elapsed = 2757 msec
compare vsh package elapsed = 399 msec
Update VSH's package : 5/21
read vsh package (24029 bytes) elapsed = 10 msec
decrypt and verify vsh package elapsed = 24 msec
write vsh package elapsed = 1171 msec
compare vsh package elapsed = 9 msec
Update VSH's package : 6/21
read vsh package (9831317 bytes) elapsed = 597 msec
decrypt and verify vsh package elapsed = 280 msec
write vsh package elapsed = 11705 msec
compare vsh package elapsed = 466 msec
Update VSH's package : 7/21
read vsh package (8662380 bytes) elapsed = 533 msec
decrypt and verify vsh package elapsed = 272 msec
write vsh package elapsed = 16403 msec
compare vsh package elapsed = 474 msec
Update VSH's package : 8/21
read vsh package (8657372 bytes) elapsed = 542 msec
decrypt and verify vsh package elapsed = 360 msec
write vsh package elapsed = 5872 msec
compare vsh package elapsed = 448 msec
Update VSH's package : 9/21
read vsh package (10445426 bytes) elapsed = 639 msec
decrypt and verify vsh package elapsed = 254 msec
write vsh package elapsed = 5374 msec
compare vsh package elapsed = 467 msec
Update VSH's package : 10/21
read vsh package (10252830 bytes) elapsed = 642 msec
decrypt and verify vsh package elapsed = 261 msec
write vsh package elapsed = 8594 msec
compare vsh package elapsed = 476 msec
Update VSH's package : 11/21
read vsh package (9922968 bytes) elapsed = 621 msec
decrypt and verify vsh package elapsed = 253 msec
write vsh package elapsed = 6913 msec
compare vsh package elapsed = 467 msec
Update VSH's package : 12/21
read vsh package (8214459 bytes) elapsed = 514 msec
decrypt and verify vsh package elapsed = 197 msec
write vsh package elapsed = 5812 msec
compare vsh package elapsed = 387 msec
Update VSH's package : 13/21
read vsh package (9428094 bytes) elapsed = 593 msec
decrypt and verify vsh package elapsed = 245 msec
write vsh package elapsed = 5217 msec
compare vsh package elapsed = 443 msec
Update VSH's package : 14/21
read vsh package (7973335 bytes) elapsed = 483 msec
decrypt and verify vsh package elapsed = 346 msec
write vsh package elapsed = 13579 msec
compare vsh package elapsed = 456 msec
Update VSH's package : 15/21
read vsh package (9766737 bytes) elapsed = 589 msec
decrypt and verify vsh package elapsed = 359 msec
write vsh package elapsed = 17261 msec
compare vsh package elapsed = 528 msec
Update VSH's package : 16/21
read vsh package (9199234 bytes) elapsed = 583 msec
decrypt and verify vsh package elapsed = 407 msec
write vsh package elapsed = 23183 msec
compare vsh package elapsed = 689 msec
Update VSH's package : 17/21
read vsh package (7260896 bytes) elapsed = 465 msec
decrypt and verify vsh package elapsed = 284 msec
write vsh package elapsed = 14740 msec
compare vsh package elapsed = 689 msec
Update VSH's package : 18/21
read vsh package (6563380 bytes) elapsed = 423 msec
decrypt and verify vsh package elapsed = 155 msec
write vsh package elapsed = 1905 msec
compare vsh package elapsed = 357 msec
Update VSH's package : 19/21
read vsh package (6092245 bytes) elapsed = 376 msec
decrypt and verify vsh package elapsed = 226 msec
write vsh package elapsed = 1457 msec
compare vsh package elapsed = 406 msec
Update VSH's package : 20/21
read vsh package (9859067 bytes) elapsed = 592 msec
decrypt and verify vsh package elapsed = 238 msec
write vsh package elapsed = 2189 msec
compare vsh package elapsed = 498 msec
Update VSH's package : 21/21
read vsh package (6492084 bytes) elapsed = 413 msec
decrypt and verify vsh package elapsed = 321 msec
write vsh package elapsed = 17483 msec
compare vsh package elapsed = 674 msec
Update VSH Package done(0x8002f000)
Bul-ray Disc Player Revoke
read bdp revoke package (1904 bytes) elapsed = 22 msec
decrypt and verify bdp revoke package elapsed = 30 msec
write bdp revoke package elapsed = 2235 msec
compare bdprevoke package elapsed = 57 msec
Bul-ray Disc Player Revoke done(0x8002f000)
Update Program Revoke list
read program revoke list package (704 bytes) elapsed = 8 msec
update program revoke list elapsed = 330 msec
Update Program Revoke list done(0x8002f000)
move_2block_status_into_the_region(): region id = 3
rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1265 msec
touch_1st_sector_in_block() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
touch_1st_sector() done (ret = 0x8002f000)
touch_1st_sector() elapsed time = 1128 msec
rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1264 msec
Update BD firmware
read BD firmware package (1966992 bytes) elapsed = 141 msec
update BD firmware elapsed = 29828 msec
Update BD firmware done(0x8002f14e)
update package elapsed time = 238316 msec
Updating or Verifying failure 0x8002f14e
UpMng.UpdatePackage() failure
manufacturing updating FAILURE(0x8002f14e)
Total Elapsed time = 239526 msec

manufacturing updating start
PackageName = /dev_usb000/PS3UPDAT.PUP
settle polling interval success
vflash is disabled...
boot from nand flash...
creating flash regions...
create storage region: (region id = 2)
format partition: (region_id = 2, CELL_FS_IOS:BUILTIN_FLSH1, CELL_FS_FAT)
create storage region: (region id = 3)
format partition: (region_id = 3, CELL_FS_IOS:BUILTIN_FLSH2, CELL_FS_FAT)
create storage region: (region id = 4)
format partition: (region_id = 4, CELL_FS_IOS:BUILTIN_FLSH3, CELL_FS_FAT)
create storage region: (region id = 5)
create storage region: (region id = 6)
Initializing
taking a while...
start Updating Proccess
Initialize elapsed time = 61 msec
check UPL
Check UPL elapsed time = 34 msec
check Package Size
get package size elapsed time = 8 msec
start Updating Package
Update packages num = 29
Update packages total size = 160699026
Update Package Revoke list
read package revoke list package (576 bytes) elapsed = 6 msec
update package revoke list elapsed = 331 msec
Update Package Revoke list done(0x8002f000)
Update Core OS Package
read core os package (5193774 bytes) elapsed = 324 msec
update core os package elapsed = 1965 msec
Update Core OS Package done(0x8002f000)
Update VSH Package
sys_memory_container_create() success(id = 0xc0effffe)
Update VSH's package : 1/21
read vsh package (2070 bytes) elapsed = 8 msec
decrypt and verify vsh package elapsed = 23 msec
write vsh package elapsed = 9259 msec
compare vsh package elapsed = 0 msec
Update VSH's package : 2/21
read vsh package (5616383 bytes) elapsed = 351 msec
decrypt and verify vsh package elapsed = 341 msec
write vsh package elapsed = 1725 msec
compare vsh package elapsed = 402 msec
Update VSH's package : 3/21
read vsh package (3357780 bytes) elapsed = 214 msec
decrypt and verify vsh package elapsed = 227 msec
write vsh package elapsed = 2926 msec
compare vsh package elapsed = 312 msec
Update VSH's package : 4/21
read vsh package (5240122 bytes) elapsed = 328 msec
decrypt and verify vsh package elapsed = 309 msec
write vsh package elapsed = 2776 msec
compare vsh package elapsed = 399 msec
Update VSH's package : 5/21
read vsh package (24029 bytes) elapsed = 9 msec
decrypt and verify vsh package elapsed = 24 msec
write vsh package elapsed = 1185 msec
compare vsh package elapsed = 9 msec
Update VSH's package : 6/21
read vsh package (9831317 bytes) elapsed = 599 msec
decrypt and verify vsh package elapsed = 279 msec
write vsh package elapsed = 11830 msec
compare vsh package elapsed = 466 msec
Update VSH's package : 7/21
read vsh package (8662380 bytes) elapsed = 539 msec
decrypt and verify vsh package elapsed = 272 msec
write vsh package elapsed = 16532 msec
compare vsh package elapsed = 474 msec
Update VSH's package : 8/21
read vsh package (8657372 bytes) elapsed = 541 msec
decrypt and verify vsh package elapsed = 361 msec
write vsh package elapsed = 5911 msec
compare vsh package elapsed = 448 msec
Update VSH's package : 9/21
read vsh package (10445426 bytes) elapsed = 635 msec
decrypt and verify vsh package elapsed = 255 msec
write vsh package elapsed = 5408 msec
compare vsh package elapsed = 467 msec
Update VSH's package : 10/21
read vsh package (10252830 bytes) elapsed = 641 msec
decrypt and verify vsh package elapsed = 262 msec
write vsh package elapsed = 8646 msec
compare vsh package elapsed = 476 msec
Update VSH's package : 11/21
read vsh package (9922968 bytes) elapsed = 621 msec
decrypt and verify vsh package elapsed = 252 msec
write vsh package elapsed = 6950 msec
compare vsh package elapsed = 467 msec
Update VSH's package : 12/21
read vsh package (8214459 bytes) elapsed = 505 msec
decrypt and verify vsh package elapsed = 199 msec
write vsh package elapsed = 5843 msec
compare vsh package elapsed = 386 msec
Update VSH's package : 13/21
read vsh package (9428094 bytes) elapsed = 594 msec
decrypt and verify vsh package elapsed = 244 msec
write vsh package elapsed = 5238 msec
compare vsh package elapsed = 442 msec
Update VSH's package : 14/21
read vsh package (7973335 bytes) elapsed = 498 msec
decrypt and verify vsh package elapsed = 346 msec
write vsh package elapsed = 13617 msec
compare vsh package elapsed = 456 msec
Update VSH's package : 15/21
read vsh package (9766737 bytes) elapsed = 603 msec
decrypt and verify vsh package elapsed = 360 msec
write vsh package elapsed = 17267 msec
compare vsh package elapsed = 529 msec
Update VSH's package : 16/21
read vsh package (9199234 bytes) elapsed = 583 msec
decrypt and verify vsh package elapsed = 407 msec
write vsh package elapsed = 23189 msec
compare vsh package elapsed = 689 msec
Update VSH's package : 17/21
read vsh package (7260896 bytes) elapsed = 466 msec
decrypt and verify vsh package elapsed = 286 msec
write vsh package elapsed = 14751 msec
compare vsh package elapsed = 689 msec
Update VSH's package : 18/21
read vsh package (6563380 bytes) elapsed = 422 msec
decrypt and verify vsh package elapsed = 155 msec
write vsh package elapsed = 1906 msec
compare vsh package elapsed = 357 msec
Update VSH's package : 19/21
read vsh package (6092245 bytes) elapsed = 373 msec
decrypt and verify vsh package elapsed = 227 msec
write vsh package elapsed = 1457 msec
compare vsh package elapsed = 405 msec
Update VSH's package : 20/21
read vsh package (9859067 bytes) elapsed = 590 msec
decrypt and verify vsh package elapsed = 238 msec
write vsh package elapsed = 2187 msec
compare vsh package elapsed = 498 msec
Update VSH's package : 21/21
read vsh package (6492084 bytes) elapsed = 419 msec
decrypt and verify vsh package elapsed = 321 msec
write vsh package elapsed = 17509 msec
compare vsh package elapsed = 674 msec
Update VSH Package done(0x8002f000)
Bul-ray Disc Player Revoke
read bdp revoke package (1904 bytes) elapsed = 23 msec
decrypt and verify bdp revoke package elapsed = 29 msec
write bdp revoke package elapsed = 2240 msec
compare bdprevoke package elapsed = 57 msec
Bul-ray Disc Player Revoke done(0x8002f000)
Update Program Revoke list
read program revoke list package (704 bytes) elapsed = 7 msec
update program revoke list elapsed = 331 msec
Update Program Revoke list done(0x8002f000)
move_2block_status_into_the_region(): region id = 3
rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1262 msec
touch_1st_sector_in_block() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
touch_1st_sector() done (ret = 0x8002f000)
touch_1st_sector() elapsed time = 1121 msec
rewrite_region() region id = 0x3, start_lba = 0x0, end_lba = 0x4000
rewrite region done (ret = 0x8002f000)
rewrite region elapsed time = 1262 msec
Update BD firmware
read BD firmware package (1966992 bytes) elapsed = 142 msec
update BD firmware elapsed = 184 msec
read BD firmware package (951040 bytes) elapsed = 78 msec
update BD firmware elapsed = 142 msec
read BD firmware package (951040 bytes) elapsed = 80 msec
update BD firmware elapsed = 13959 msec
Update BD firmware done(0x8002f000)
Update Multi-Card controller firmware
read MCC package (28636 bytes) elapsed = 25 msec
update MCC elapsed = 24 msec
Update Multi-Card controller firmware done(0x8002f000)
Update BlueTooth firmware
read BT package (639368 bytes) elapsed = 62 msec
update BT elapsed = 56 msec
Update BlueTooth firmware done(0x8002f000)
Update System controller firmware
read SC patch package (4864 bytes) elapsed = 24 msec
read SC patch package (4864 bytes) elapsed = 24 msec
read SC patch package (4864 bytes) elapsed = 23 msec
Update System controller firmware done(0x8002f000)
update package elapsed time = 228361 msec
post processiong...
post processiong done
cleanup update status (ret = 0)
os version = 03.1500
build_version = 38031,20091206
region of core os package = 0x40000000
build_target = CEX-ww
build target id = 0x83
manufacturing updating SUCCESS(0x8002f000)
set product mode (ret = 0)
Total Elapsed time = 230556 msec

How to Fix Waninkoko PS3 CFW Bricked Consoles[edit | edit source]

After being investigating nand's I found a solution. Let's patch a functional nand OFW 3.55 with our "keys" (bootloader_0, bootloader_1, IED, ISD, and metldr vtrm) console. This will enable USB ports and will begin factory mode.

Attention! If you have not much experience with the soldering iron, start practicing with old motherboards. . I am not responsible for any damage that may occur in your console.

I use two infectus because it failed to detect both nands me. (Just go twice as fast in read / write) xD.

Materials[edit | edit source]

-Tester (recommended)

Soldering iron 15-30W.

-Modchip Infectus (v1 or v2.)

-Cable Wrapping.

-Tin.

-Flux

-Stripper.

desoldering braid (optional but surely going to have to use xD)

Double-sided tape or hot melt gun (to fix the cables).

S.O-PC with Windows (better Xp)

-PSGRADE / PSKEY [..] JIG mode.

-Pen (with lv2diag.self [file1] and PS3UPDAT.PUP [waninkoko v2])

Programs[edit | edit source]

-PS3NANDProgrammer1_41

Flow Rebuilder 230.

Flow Rebuilder 350. [BETA]

-NANDECC 130.

Infectus-USB drivers (v3.1).

-Nand Functional OFW 3.55 (256MB). (Any model 256mb)

Hex-Editor (I used Hex Workshop Editor)

For legal reasons can not distribute the nand OFW 3.55.

Soldering infectus[edit | edit source]

We are going to follow this outline: http://img94.imageshack.us/img94/3746/ps3inf.jpg Very soothing and helps the soldier we all flux in both nands cables.

Note: With the +5 V, the infectus usb now work correctly, so no need to feed them.

Powering the nands[edit | edit source]

Items in purple is where you put the nands approximately 1.80V. I've used a solution somewhat "mikey mouse" using 4 diodes to reduce the +5 V which gives one of the outputs of the source.

Reading the nands[edit | edit source]

"I have evidence that there is no need to feed the nands as the flashing red light is sufficient, however I failed to detect without food for another site. Turning on the power-supply source. "We connect the pc infectus.

"We opened PS3NANDProgramer 1.41 (" LOAD DLL "then" connect "and we choose flash0 or flash1). If the solders are correct, we will leave the data nands "Flash info" (otherwise check with tester soldering points in the nand). "The process of reading is around 15 minutes approx. "It is advisable to take more than two dump's of nands. (In case you have bad blocks, but infectus say no bad blocks).

Compare nands (flash0 and flash1) with Hex workshop program: TOOLS -> compare (select two of the same nand dumps) and found that they are identical. (Repeat the same with flash1). Guard well the CFW nands Wanin like gold brick. xD

Preparation of new Nand's[edit | edit source]

First of all we will extract the contents of nand brick, then will patch our "keys" in the new nand.

"We opened FlowRebuilder350 "We selected the two nand CFW extracted in step 2 and select the output file. We would like to "dump" if the order of nands is right we will create a peak of 264 megawatts and a series of folders.

In one of these we find (FDI, CSD, metldr, bootloader_0, bootloader_1, ISD, vtrm) and core_os. (LV0, lv2, lv2_kernel.self .... spu's and others.)

OFW nands Patching[edit | edit source]

"We opened FlowRebuilder230 "We selected the two nand's (flash0 and flash1) OFW and choose the output file (interpolate nand's).

"Now we need to patch "We opened the nand nand WFC ofw and brick with hex editor that you like best. "Now we are copying the sectors of our nand to nand functional. (Find and replace). [With Hex workshop 6 you can see what you have checked, bottom right [cursor / caret / sel]

IED (Starts "0000000600001DD000000000000000000000007000000 8") SEL: 10000

ISD (We "000000030000027000000000000000000000004000000 0") SEL: 800

metldr (you seek "metldr" begins with "00 00 0E DA .." SEL: EDE0.

bootloader_1 (You have to look in your nand WFC (has the same header that bootloader_0). SEL: 400000.

bootloader_0 (found in the first offset, sel: 400000).

Vtrm (this look in HexEdit "sceivtrm" and replace them). SEL: 400000.

Once the changes, you keep the new patched nand.

Restoring ECC[edit | edit source]

We open with 230 NandFlowRebuilder selecionamos "Desinterpolate in new Flashes." -You select flash0 and flash1 (with the same order as in step 3b) and finally your arhiva patched. The third tab, select the file that previously we had saved. -Tight "Do Process" (we hope to complete successfully) XD finish and now having the dumps XXX2.NEW XXXX.NEW and proceed to repair the ECC. "We opened 1.30 NANDECC select the input file and the output, then click the" do process ". (We do this twice, once for each nand). The ECC has to be repaired in the order of (450-550) if it is the wrong patched nand.

Writing nand's patched[edit | edit source]

"We opened PS3NandProgrammer 1.41 and delete [ERASE] on the nand's content. (Repeat the process two or three times removed) "Then write the [WRITE] the two nands. (How the process of writing takes about 45minutes). (We found no bad blocks, if any, check solering).

Factory mode[edit | edit source]

Now infectus disconnecting the pc, if you turn on the console, the LED should flash orange hd. (If it is not patched review and write nand nand.) (Because you have a bug)

Our console still does not work, however well-lit and read the usb ports. Nand has encrypted a file system (not yours). So let's create the new file system from nand. By having the correct keys on the console so you can enter factory mode and install the 3.55 v2 waninkoko frimware. (Do not probeis OFW factory when they leave you will have a nice brick mode again.)

"Once we introduce written PSGRADE / PSKEY ... etc, JIG mode, turn on the console (power + eject), will shut down to 20sec, then enter the pen with lv2diag.self and waninkoko update v2.

"After 10 minutes the console will turn off and will return to life. Then enter the pen with lv2diag.self [file2] and out of factory mode.

And this xD, the console and is alive! [Desoldering infectus and mount the console]

Update[edit | edit source]

Update from rms here: http://rms.dukio.com/?p=35

OK, so we all know about how the original Waninkoko firmware broke the older large NAND consoles, that was due to him overwriting some portions of Cell-OS Lv2 and the segment boundaries, god knows about the signature also. He also zeroed out a good section of the kernel, and also breaks some NAND consoles due to that. Now, you want to fix this issue? Well, you have to have:

1) A NAND Dumper 2) CORE_OS_PACKAGE.PKG patched to remove signature checks or Official Core OS/PS3 in Service Mode 3) A NAND Flasher 4) Flow Rebuilder 5) Hex editor 6) PS3 with firmware less than 3.55

OK, so you first have to dump both NAND chips (2 128MB NANDs for a total of 256MB) and interleave them using Flow Rebuilder, then decrypt the CORE_OS package to give you a raw core OS image, then open your combined NAND dump in a hex editor and search for “6F FF E0″ in the search for hex section. Once there, you should see:

00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 6f ff e0  |.............o..|
00000010  00 00 00 01 00 00 00 17  00 00 00 00 00 6f ff e0  |.............o..|

Right after the second “6F FF E0″, remove the next 7,340,000 bytes, then, insert the unpacked Core OS (7,340,000 bytes). Then split the image using Flow Rebuilder (use ECC!) and flash. Hopefully it should work, and then you can just Lv2diag your way out.

Do not overwrite anything else.

This guide should help you fix any NAND console with Core OS fail.

Source: http://www.elotrolado.net/hilo_tutorial-reparar-brick-waninkoko-v1-by-lukin_1572743

v e Hardware Flashers Prerequisition Overview · Comparison · Warnings Hardware flashing Infectus · Noraliser · Teensy++ 2.0 · Progskeet 1.0 / 1.1 · Progskeet 1.2 · Progskeet 1.21 · PNM · PIC32MX · E3 Pin/pad layouts NAND COK-001 · COK-002 · COK-002W · SEM-001 NOR layout 1 DIA-001 · DIA-002 layout 2 VER-001 layout 3 DYN-001 layout 4 SUR-001 · JTP-001 · JSD-001 · KTE-001 layout 5 MSX-001 · MPX-001 · NPX-001 · PQX-001 Downgrading Software Dumping · Hardware Dumping · Validating flash dumps · Downgrading with Hardware flasher · Dual Firmware · Problem Solving Old reference Downgrade BluRay Playback Issue · Downgrading with PSgrade Dongle · Downgrading with NOR flasher · Downgrading with NAND flasher · E3 Nor dump checker