Tortuga Cove

[Rogero]

Last night I had the chance to try and downgrade a Slim Ps3 (JSD-001 board with Spansion NOR) version 3.70 to CFW 3.55 using Dospiedra's downgrade v2 patches.

I managed to get a clean dump of the NOR using my ProgSkeet (latest QT port used), created a patched Downgrade.bin image
using the 6 patched files from Dospiedra and a hex editor, then I flashed the image to the PS3 NOR, dumped the NOR another
time and verified that all was written fine.

Then I continued with the normal downgrade procedure, go into service mode, update using the 3.55_no_check.PUP, then exit
service mode and all was good, it was back into CFW 3.55.

Here the problems started, I tried to start a game and I got the famous Trophy error, so I decided to update it to my
personal Modified Firmware, so I started the update and after installing the firmware, the PS3 turned off by itself,
I tried to turn it on again, It turned on for almost 2 or 3 seconds then turned off completely ( No Screen Output, No Red Led either )
so I knew-ed at this point that the PS3 was Bricked

N.B: this was never mentioned in any of the downgrade tutorials floating on the net, although this is a very important point
to warn the users who are downgrading their Ps3 machines not to update using usual Modified firmwares unless the firmware
have the LV1.self file patched to Disable all checks, anything else will result into a Bricked PS3, and this is not good at
all especially if the Hardware flasher used to downgrade was removed from the Ps3's NOR or Nand Flash.

After doing some research and discussing the issue with my friend eussNL <-- a wiki by himself
I realized what happened to the Ps3, after the downgrade procedure, the machine's syscon still had a version > 3.55
(3.56 or higher) and this needs a Patched LV1.self (checks disabled) in the NOR for the PS3 to be able to boot fine, and when
I updated it to my own MFW, the LV1.self file in the NOR was replaced with a non-patched version (checks enabled) and the PS3
detected the higher syscon version (3.56+) and Bricked.

To Fix it, I had to re-flash the NOR again with the patched Downgrade.bin image (to get rid of the un-patched LV1.self)
then the Ps3 was fixed and booting fine again.

N.B: in case you're using ProgSkeet, make sure you are using the Latest released flasher (QT port) as of 11 Sep 2011 from this link :
WinSkeet40000.zip
This one have Preset parameter values for each NOR type, I used it on Win7 and it flashed my Spansion NOR just fine.


At this point, the Ps3 was working again, but the Trophy problem was always there, so I prepared another Modified firmware with
3.70 spoof, Privacy Patch and this time the LV1.self Checks Disabled
(the patches were provided by eussNL too so Credits here goes to him),
then while still having Progskeet soldered to the NOR flash, I updated the Ps3 with the new MFW, everything
went fine, and it rebooted fine into the XMB, did some tests and the Trophy problem was gone for good and all games working fine.

For all the users who had successfully downgraded their PS3 machines to 3.55 again, I share with you my MFW with Lv1 Checks patched to bypass the 3.56+ syscon version and prevent any brick after updating to it, and to get rid of the annoying Trophy problem encountered after the usual downgrade procedure.

Old Link Removed.... Please check this thread for the Updated CFW Version 2
Rogero CFW V2 with better Downgrade Compatibility

Also, I just want to point out that:

This MFW can be used directly for downgrade (instead of 3.55_no_check) after flashing the NOR and entering Factory Service Mode in order to have a final CFW3.55 working smoothly without any trophy errors (this will save some time during the process, rather then updating to it again after the downgrade)
by following Dospiedra's downgrade tutorial V2 ( NOT THE OLD V1 DOWNGRADE TUTORIAL )



( Clicked 274 times )

( Clicked 216 times )

( Clicked 212 times )

Cheers...

Rogero

[condorstrike]

You the man, Rogero...thanks
I know lots of people will love this MFW.

[bitsbubba]

Great work Rogero!!

[Rogero]

thanks guys...

In case someone is wondering about the patches applied to LV1.self,

here they are, the 25 patches used:

# Description: Patch LV1 checks

# Option --patch-lv1checks: Disables many checks in lv1

# Type --patch-lv1checks: boolean

namespace eval :: patch_lv1checks {

array set :: patch_lv1checks:: options {
--patch-lv1checks true
}

proc main { } {
set self "lv1.self"

::modify_coreos_file $self :: patch_lv1checks:: patch_self
}

proc patch_self {self} {
if {!$:: patch_lv1checks:: options(--patch-lv1checks)} {
log "WARNING: Enabled task has no enabled option" 1
} else {
::modify_self_file $self :: patch_lv1checks:: patch_elf
}
}

proc patch_elf {elf} {
if {$:: patch_lv1checks:: options(--patch-lv1checks)} {
log "Patching LV1 Checks"

# ss_server1
# Patch core OS Hash check // product mode always on
log "--------------- Patching ss_server1.fself ----------------------------"
log "Patch core OS Hash check // product mode always on"

set search "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\ x38\x80\x00\x01"
set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\ x38\x80\x00\x01"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


# Patch check_revoke_list_hash check // product mode always on
log "Patch check_revoke_list_hash check // product mode always on"

set search "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\ x38\x80\x00\x01"
set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\ x38\x80\x00\x01"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


# In product mode erase standby bank skipped
log "Patch In product mode erase standby bank skipped"

set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\ x7B\xFD\x00\x20"
set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\ x7B\xFD\x00\x20"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


# Patching System Manager to disable integrity check
log "Patching System Manager to disable integrity check"

set search "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\ x2f\x80\x00\x00"
set replace "\x38\x60\x00\x00"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


# Patching LV1 to enable skipping of ACL checks for all storage devices
log "Patching LV1 to enable skipping of ACL checks for all storage devices"

set search "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\ xe8\x01\x00\x70\x54\x00\x07\xfe"
append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
set replace "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\ x38\x00\x00\x01"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


# LV1 0021D0B4@355 patch (?Patch sys_mgr integrity lv1 and lv0 integrity check?)
log "?Patch sys_mgr integrity lv1 and lv0 integrity check?"

set search "\x48\x00\xD7\x15\x2F\x83\x00\x00\x38\x60\x00\ x01"
set replace "\x38\x60\x00\x00\x2F\x83\x00\x00\x38\x60\x00\ x01"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

}
}
}

[Rogero]

Also, I just want to point out that:

This MFW can be used directly for downgrade (instead of 3.55_no_check) after flashing the NOR and entering Factory Service Mode in order to have a final CFW3.55 working smoothly without any trophy errors (this will save some time during the process, rather then updating to it again after the downgrade)
by following Dospiedra's downgrade tutorial V2 ( NOT THE OLD V1 DOWNGRADE TUTORIAL )

[FromTheXboxDays]

I have been able to get your cfw v2 to install as well as the first 3.70 spoof. I am still running into the trophy error though. I have done a fair amount of reading and I am not sure if there is a step I am missing or maybe I am seeing a bug because I am on older hardware (CECHL VER-001). There is a ton of good information from you and others out there but I'm hoping that being a developer is what is killing me here. Does your firmware actually write over the syscon values in the NOR or is that something that I need to prepatch in the binary before I flash it? I think that is where I am having the problem. I used Dospiedra's V2 for building my current downgrade.bin. I just repatched my downgrade in an attempt to see if the issue was with the kmeaw based firmware. I attempted to utilize rebug firmware but couldn't get it to load. I found an additional patch section @ http://www.ps3devwiki.com/index.php?tit ... OR_flasher to fix the trophy error, and while that let me try with the rebug firmware, I was still experiencing the trophy issue. I just switched back to your latest version and I am still floundering. Any ideas as to what I am missing?

[bo.smsm]

hay Rogero
i am Mohammed from Libya ... so sorry for my bad English

i was on dex and then i decide to back to cex but when did that i brick my console

and made it work again with downgrade by ps3 break from this site

http://www.sudburymods.com/psdowngrade.html

and every thing work fine ... my console on 3.41 i try to insall 3.55 from recovery mode but gave me an error with red screen .... i fix the red screen but when i power my ps3 on it gave me that ... the ps3 console can not start please install update 3.56 or later !!!!!!!

what can i do because the downgrade make my ps3 3.41 read as 3.56 .. and i can't downgrade my console again

when i power my ps3 on it just gave the same thing .......... even in recovery mode .......... as you know i can't update my console to 3.56 ... because i don't want to lose my jailbreak

please help me because my son is crying he wants to play sonic