PS3Hax Network - Playstation 3 Hacks and Mods - View Single Post - Ultimate Fool Proof Guide: Ps3 Hardware Downgrading

baileyscream · 07-05-2012

wiring the TEENSY++ to ps3

wiring the TEENSY++ to ps3
first the TEENSY++

the new recommended way to have the TEENSY++ is NOT to use the voltage regulator and bridge 3.3v pads and break the 5v track

now connect +5V to 3.3v (VCC) pad on ps3 as this method will allow any ps3 to keep the teensy++ connected to ps3 while using the teensy as a jig as the ps3 now powers the TEENSY++

when ordering the TEENSY++ then get the pins pre-soldered if you’re not fitting it like judges hard / case mod

ask when ordering to solder 2 pins to the E4 & E5 and no pins to 3 pads next to the switch= RST & GND & Vcc

order a set of jumper wires (there are lots of sellers on eBay or your local computer store) this will make your life easier.

Second the PS3:-

printed on the edge of the ps3's motherboard you will see your board number mine is DNY-001

now follow the diagram to solder your Progskeet to your board

DNY-001

Connecting the TEENSY++ with the 56pin NOR 360CLIP

the 360CLIP (you dont use the flat cable with "*SUNKEY Connect FPC")

wiring diagram

connected to the ps3

Downloading & Installing

Needed Downloads

Needed Downloads

download NORway programs.rar from HERE and put then into c:/ your main hdd found in My Computer
Download BwE validator from HERE or HERE
and put that in the NORway programs folder you just downloaded above

1 install python 2.7.2

1 install python-2.7.2

2 click run

3 click next

4 click next again

5 click next again

6 wait for it to install

7 click finish

2 install pyserial-2.5.win32

1 install pyserial-2.5.win32

2 click run

3 click next

4 click next

5 click next again

6 it will install

7 click finish

3 install serial_install

1 from hjudges-NORway-972958d file that we changed the name to NORway

2 click next

3 click done

4 The Teensy Loader Application

4 The Teensy Loader Application
you need the TEENSY++ conected to the ps3 and the ps3 turned on (insure the fan & heatsink is connected)

2 run the TEENSY++ loader installer

3 click RUN

4 the TEENSY++ main GUI press the button on the TEENSY++

5 the screen will change to this

6 press 'file' then 'open hex file'

7 now go to c > NORway programs > NORway > teensy > default > and select NORway.hex

8 select PROGRAM it’s the green arrow pointing down

9 then you will see this now reboot the TEENSY++ by pressing the green "pointing right" arrow

10 now you will see this

11 found new wizard will open select not this time and click next

12 click next again

13 click continue anyway

14 it will install the driver

15 click finish

16 go into device manager and you should see the above (this is from win xp) WRITE DOWN THE "COM NUMBER" YOU NEED THIS. ALSO ALWAYS USE THE SAME USB PORT FROM NOW ON Nb the one above is COM4 so you know what you’re looking for

5 create the dumps

1 go to start and click on RUN (win xp shown) in win7 type cmd in the search bar and right click the cmd icon and select RUN AS ADMINISTRATOR

2 in the search box type 'cmd' then click OK (you won’t see this in win7)

3 you will now have the cmd window

4 now type cd c:\NORway programs\NORway

5 press enter and you will see the same as above (you have just changed directory)

6 now type NORway.py

7 press ENTER and you should now see the above

8 type NORway.py COM (and your com port number)

9 press ENTER and you should see the same as above. plug in your ps3 and power it on. it should turn on (green light) but not boot (hdd light wont flash)

10 type NORway.py COM (your port number) dump flash.bin

11 press ENTER and you will see the same as above (in the red box is the progress)

12 when it is done you will see the same as above (I have kept the red box over the progress so you can see what’s what)

now repeat step 10 five times and change the name each time like so:
dump flash2.bin
dump flash3.bin
dump flash4.bin
dump flash5.bin

13 type NORway.py COM (your com port number) release

14 press ENTER and you should see the above. then power off the PS3 and unplug the TEENSY++ and close the cmd window.

15 your NOR dump has been put in c\NORway programs\NORway

6 verify the dumps

1st step

1 open cmd again like you did above (start > run > type cmd > press enter)
then type cd c:\NORway programs\NORway

2 type norpatch.exe

3 press enter and you will see the above screen

4 type norpatch flash.bin (this is to verify the dump)

5 press enter and you should see the same as in the red box above and ros0 & ros1 should have a f/w number in the blue box (I’m on 4.20 which is based on 4.11 so you know why there is 2 different f/w's in the image) IF YOU DONT HAVE A F/W NUMBER OR GET ANY ERRORS RE-DO YOUR WIRING AND RE-DUMP AS THIS IS A CORRUPT DUMP AND WILL BRICK IF USED.

6 close the cmd window

From judges:-

- verify dump: the described way is certainly a safe way, but you can also use the provided tool "norpatch.exe". If you were running on OFW, then norpatch is able to recognize the core_os areas of the dump, which make up 86% of the whole dump. If it successfully verifies you can be sure that at least all data and address lines are connected properly and working properly. And it's easy to use.

now do the next step so you know 100% that your dump is valid
I DONOT recommend skipping it

2nd step

In the “NORway programs” folder find the HxD hex editor install it and then run it.

1 first time opening

2 click file click open

3 select all your dumps and select compare

4 leave the top as it is and change the bottom as you check each dump.

5 you should see this message after each dump has been checked. If you don’t delete all your dumps and try dumping again. If you still get errors at this point check your wiring.
When there all the same just have 1 dump open (we will use this all the time now)

6 get a statistics.

7 The fine blue bars at either side are what need checking (the one to the left is highlighted in red put your mouse on the left line and you should get a reading between 18.38% - 29.01% (in the area circled in blue) and the line on the right should be between 10.42% - 10.48%
Now close the statistics tab

8 The first thing you should see at offset 00000010 is FACEOFF , DEADBEEF

9 if you see AC OF FF EO , AD DE EF BE then your dumps need byte reversing (see below the next 2 images for byte reverse steps) if you don’t see either then you have a bad dump. Re-do all your wiring and start again

10 you should see at offset 00000200 is IFI

11 if you see FI.I then your dump’s needs byte reversing. again if you don’t see either then you have a bad dump. Re-do all your wiring and start again

If you did see FI.I in your dump then you need to use flow rebuilder with the byte reverse option if it says IFI then you can skip this step

Byte reverse

Byte reverse

Inside NORway programs folder find FlowRebuilder run it

1 this is the main screen

2 select byte reverse a dump

3 click the box next to brows, drag & drop, drop down

4 select your dump

5 click execute operation

6 and it’s done it is in the same place as the dump and its added “swap” to the name = flash.swap.bin
create a folder called original dumps and put all your flash.bin files in it
now rename the flash.swap.bin to flash.bin (this will make it easier to follow the rest of the guide)

First find the IDPS/TARGET ID & METLDR and then BOOTLDR (were still using the hex editor)
The area to find these depends on your ps3 model

12IDPS/TARGET ID is at 0002F077 (scroll down to 0002F070 then the top row of numbers is your last digit)

CECH-20xx (DYN-001 boards) it should have the value 09 (this is what is in the image)

CECH-21xx (SUR-001 boards) it should have the value 0A

CECH-25xx (JTP-001 boards) it should have the value 0B

CECH-25xx (JSD-001 boards) it should have the value 0B

CECHHxx (DIA-001 boards) it should have the value 05 or 06 or 07

CECHJxx (DIA-002 boards) it should have the value 06 or 07

CECHKxx (DIA-002 boards) it should have the value 07

CECHLxx (VER-001 boards) it should have the value 07 or 08 or 09

CECHMxx (DIA-001 boards) it should have the value 03 or 06

CECHPxx (VER-001 boards) it should have the value 07 or 08

13 METLDR is at 0000081E & 00000842

CECH-20xx (DYN-001 boards) it should have the value
E9 20 at 0000081E & 0E 8E at 00000842 “OR”
E8 90 at 0000081E & 0E 85 at 00000842 (this is what’s shown in the picture)

CECH-21xx (SUR-001 boards) it should have the value
E9 20 at 0000081E & 0E 8E at 00000842

CECH-25xx (JTP-001 boards) it should have the value
E9 20 at 0000081E & 0E 8E at 00000842 “OR”
E9 60 at 0000081E & 0E 92 at 00000842
WARNING IF IT HAS THIS F9 20 at 0000081E & 0F 8E at 00000842 STOP NOW YOU CANNOT DOWNGRADE THIS PS3 MODEL

CECH-25xx (JSD-001 boards) it should have thE value
E9 20 at 0000081E & 0E 8E at 00000842
WARNING IF IT HAS THIS F9 20 at 0000081E & 0F 8E at 00000842 STOP NOW YOU CANNOT DOWNGRADE THIS PS3 MODEL

CECHHxx (DIA-001 boards) should have the value
E7 B0 at 0000081E & 0E 77 at 00000842 “OR”
E8 C0 at 0000081E & 0E 88 at 00000842 “OR”
E8 E0 at 0000081E & 0E 8A at 00000842 “OR”
EA 60 at 0000081E & 0E A2 at 00000842

CECHJxx (DIA-002 boards) should have the value
E8 E0 at 0000081E & 0E 8A at 00000842 "OR"
EA 60 at 0000081E & 0E A2 at 00000842

CECHKxx DIA-002 BOARD
EA 60 at 0000081E & 0E A2 at 00000842

CECHLxx VER-001 BOARD
E8 D0 at 0000081E & 0E 89 at 00000842 or:-
E8 90 at 0000081E & 0E 85 at 00000842

CECHMxx DIA-001 BOARD
EA 60 at 0000081E & 0E A2 at 00000842

CECHPxx VER-001 BOARD
E8 D0 at 0000081E & 0E 89 at 00000842

14BOOTLDR is at 00FC0002 & 00FC0012

CECH-20xx (DYN-001 boards) should have the value
2F 3B at 00FC0002 & 2F 3B at 00FC0012 “OR”
2F 13 at 00FC0002 & 2F 13 at 00FC0012 (this is what’s shown in the picture)

CECH-21xx (SUR-001 boards) should have the value
2F 4B at 00FC0002 & 2F 4B at 00FC0012

CECH-25xx (JTP-001 boards) should have the value
2F 4B at 00FC0002 & 2F 4B at 00FC0012 “OR”
2F 53 at 00FC0002 & 2F 53 at 00FC0012
WARNING IF IT HAS THIS 2F 5B at 00FC0002 & 2F 5B at 00FC0012 OR
2F FB at 00FC0002 & 2F FB at 00FC0012 STOP NOW YOU CANNOT DOWNGRADE THIS PS3 MODEL

CECH-25xx (JSD-001 boards) should have this value
2F 4B at 00FC0002 & 2F 4B at 00FC0012
WARNING IF IT HAS THIS 2F FB at 00FC0002 & 2F FB at 00FC0012 STOP NOW YOU CANNOT DOWNGRADE THIS PS3 MODEL

CECHHxx (DIA-001 boards) should have the value
2F 1C at 00FC0002 & 2F 1C at 00FC0012 “OR”
2E F4 at 00FC0002 & 2E F4 at 00FC0012 “OR”
2E E3 at 00FC0002 & 2E E3 at 00FC0012

CECHJxx (DIA-002 boards) should have the value
2E F4 at 00FC0002 & 2E F4 at 00FC0012 “OR”
2E E3 at 00FC0002 & 2E E3 at 00FC0012

CECHKxx (DIA-002 boards) should have the value
2E E3 at 00FC0002 & 2E E3 at 00FC0012

CECHLxx (VER-001 boards) should have the value
2E AB at 00FC0002 & 2E AB at 00FC0012 “OR”
2E B3 at 00FC0002 & 2E B3 at 00FC0012 “OR”
2F 13 at 00FC0002 & 2F 13 at 00FC0012

CECHMxx (DIA-001 boards) should have the value
2E E3 at 00FC0002 & 2E E3 at 00FC0012

CECHPxx (VER-001 boards) should have the value
2E AB at 00FC0002 & 2E AB at 00FC0012

If you’re not getting some or none of these then you need to check your wiring and re-dump

Ok now we need to take a look and check there are no malformed headers / file names / region names. This is what we are looking for:-

[tr]

[td]Correct[/td]

[td]Malformed[/td]

[td]location[/td]

[/tr]

[tr]

[td]IFI[/td]

[td]IJI[/td]

[td]00000200[/td]

[/tr]

[tr]

[td]asecure_loader[/td]

[td]asecure_loaher[/td]

[td]00000420[/td]

[/tr]

[tr]

[td]eEID[/td]

[td]eIIH[/td]

[td]00000450[/td]

[/tr]

[tr]

[td]cISD[/td]

[td]cESH[/td]

[td]00000480[/td]

[/tr]

[tr]

[td]cCSD[/td]

[td]cCSH[/td]

[td]000004B0[/td]

[/tr]

[tr]

[td]trvk_prg0[/td]

[td]trvg_prk0[/td]

[td]000004E0[/td]

[/tr]

[tr]

[td]trvk_prg1[/td]

[td]trvg_prk1[/td]

[td]00000510[/td]

[/tr]

[tr]

[td]trvk_pkg0[/td]

[td]trvg_pkk0[/td]

[td]00000540[/td]

[/tr]

[tr]

[td]trvk_pkg1[/td]

[td]trvg_pkk1[/td]

[td]00000570[/td]

[/tr]

[tr]

[td]cvtrm[/td]

[td]cztrm[/td]

[td]00000600[/td]

[/tr]

[tr]

[td]metldr[/td]

[td]mitldr[/td]

[td]00000820[/td]

[/tr]

Now find the same positions as shown in blue in the following pictures yours should match

15 ASECURE LOADER

16 eEID

17 cISD

18 cCSD

Look for SCE on the line below the blue in the following pictures

19 trvk_prg0

20 trvk_prg1

21 trvk_pkg0

22 trvk_pkg1

Make sure all the words below the blue in the following pictures match yours

23 ros0

24 ros1

Make sure the following in blue matches

25 or

25 cvtrm

26 0FACEOFF DEADFACE

27 CELL EXTNOR AREA

28 bootldr

7 extracting your dump

go to FlowRebuilder for extracting your dump

1 Click extract a byte reversed NOR dump or an interleaved and unscrambled NAND dump
I know it says NAND at the end but this is to extract your NOR dump

2 click button next to input file

3 select your nor dump

4 click execute program

5 dump extraction complete. It will put the extracted files into a folder called i.e. (dump.ext) in the same folder where you selected the original one

6 You should now have these files

If any are missing try extracting again.

now go to the ps3devwiki's validating flash dumps pages and do the checks there
MAIN VALIDATE PAGE
DISCUSSION PAGE WITH MORE CHECKS

Once it all checks out ok upload your dump NOT the file you just created. to a file share site copy the link and CLICK HERE and follow the instructions on that thread.
Once it comes back ok it’s time to patch it (don’t forget to thank the person or persons who checked it for you)

8 Patching the dump

Patching the dump

1 Open flow rebuilder and select “PATCH a Byte reversed NOR dump or an interleaved and unscrambled NAND dump”.

2 Select your nor dump (the one you just had checked)

3 Select the patch file (progskeet_patch.txt) inside NOR downgrade folder that’s inside the NORway programs folder

4 Click execute

5 completed it will put the patched dump in the same folder as your original dump called flash.patch.bin (you won’t see the word .bin at the end)

9 Flashing the ps3

Flashing the ps3

If you Byte reversed your dump earlier then click here

Byte reverse the dump back to how it was

Inside NORway programs folder find FlowRebuilder run it

1 this is the main screen

2 select byte reverse a dump

3 click the box next to brows, drag & drop, drop down

4 select your dump

5 click execute operation

6 and it’s done it's in the same place as the dump and its added “swap” to the name = flash.patch.swap.bin
put your flash.patch.bin into the "original dumps" folder and rename the flash.patch.swap.bin to flash.patch.bin (this will make it easier to follow the rest of the guide)

1 go to start and click on RUN (win xp shown) in win7 type cmd in the search bar and right click the cmd icon and select RUN AS ADMINISTRATOR

2 in the search box type 'cmd' then click OK (you won’t see this in win7)

3 you will now have the cmd window

4 now type cd c:\NORway programs\NORway

5 press enter and you will see the same as above (you have just changed directory)

6 now type NORway.py

7 press ENTER and you should now see the above

now plug in the TEENSY++ to your pc

8 type NORway.py COM(and your com port number)

9 press ENTER and you should see the same as above. plug in your ps3 and power it on. it should turn on (green light) but not boot (hdd light wont flash)

10 type NORway.py COM(your port number) write flash.patch.bin

11 press ENTER and you will see the same as above (in the blue is a change in the NORway.py v0.5 final if you have the Samsung K8Q NOR chip then it changes the write command to writewordubm for you) (in the red box is the progress)

12 if received an error then type NORway.py COM(your port number) writeword flash.patch.bin
if you didn’t then skip to step 13

This is from the changes.txt file that comes with NORway

NORway.py COMx writeword dump.bin

Programs the NOR in word programming mode. It's a four-bus-cycle operation (per word), i.e. it's the slowest, but most compatible programming mode. A full write takes about 9 minutes. Supported by all NOR types. Use this as a last resort if nothing else works.

13 when it is done you will see the same as above (I have kept the red box over the progress so you can see what’s what) check that it has verified the whole flash (in blue box)

changes in v0.5

NORway will retry to write a sector up to 20 times (you'll get a message if this happens).

i.e.:
1. Retry
2. Retry
3. Retry
4. Retry
5. Retry
6. Retry
7. Retry
8. Retry
9. Retry
10. Retry
11. Retry
12. Retry
13. Retry
14. Retry
15. Retry
16. Retry
17. Retry
18. Retry
19. Retry
if it gets to:
20. Retry then you may get a "Verification failed" exception.
At the end you might get:
"Verification failed! Please repeat command [NORway.py COMx write mydump.bin]!

The command is just an example, it's actually substituted with the command you have used for writing
so try the writeword command (step 12)

If the content on the NOR for one sector is the same as content of your flash file, it'll automatically skip that sector and doesn't write at all (called differential programming). If the content is different, it'll erase that sector one time and tries up to 20 times to write that sector (called incremental programming). The written sector is verified after each write attempt.

If the complete writing process is finished, it does a final verification of the entire nor at the end (it happened that written bytes verified correctly, but content wasn't persistent for more than a couple of seconds). If final verification fails, you'll get a message to repeat the programming process.

I just released v0.5 final. See first post of NORway thread for updated download links. You can now also use the "write" command for Samsung K8Q, NORway automatically switches to "writewordubm" then.

this is from judges via a pm to me

14 type NORway.py COM(your com port number) release

14 press ENTER and you should see the above. then power off the PS3 and close the cmd window.

10 Finishing the down grade in service mode

Finishing the down grade in service mode

1st re-flash the teensy++ with psgrade files

2 run the TEENSY++ loader installer

3 click RUN

4 the TEENSY++ main GUI press the button on the TEENSY++

5 the screen will change to this

6 press 'file' then 'open hex file'

7 now go to c > NORway programs > NORway > psgrade_at90usb1286_8Mhz_teensy++_2.0_noLED > and select psgrade_at90usb1286_8Mhz_teensy++_2.0_noLED.hex

8 select PROGRAM it’s the green arrow pointing down

9 then you will see this now reboot the TEENSY++ by pressing the green "pointing to right" arrow

10 now you will see this

10b then this (don’t worry its now programmed to use in the ps3 not pc) un-plug the usb from the pc.

2nd re-insert the hdd then connect the ps3 to a TV the usual way.

if you have the voltage regulator then the TEENSY++ needs de-soldering from the ps3 as some ps3's wont boot with it installed.

if you don’t have the voltage regulator then you’re ok to keep the TEENSY++ soldered to the ps3.

turn on your ps3 and you should have this on screen

Turn the ps3 back off insert the TEENSY++'s usb into the right usb slot.

Unplug the ps3 from the mains. Wait 10-15 seconds then plug it back in.
(the wiki says to do this so the capacitors will discharge but as the ps3 is turned off the capacitors will actually take months to discharge)

Turn the ps3 back on then immediately press eject within ~200ms. Your console will turn on and after a moment will turn back off.

After triggering Factory Service Mode, go to the folder called “get in fsm” put the contents of that folder into your usb stick and plug it in the PS3's right most USB port (remove the TEENSY++'s usb & put your usb memory stick in its place)

Turn PS3 on, it will install the firmware you had put there (even though you have no screen output, you can see it is busy by looking at the activity led off the hard drive and of your USB Mass Storage Device).

if you get the flashing green power light then this is due to the firmware not installing. first check your hdd is plugged in properly. this is usually what I forget to do. if it still flashes remove your usb stick put it in your pc and you will see “UPDATER_LOG” as a notepad file upload this to the guide

PS3 will turn itself back off when it has finished installing the f/w (Nb this does take a while.

Now remove your usb stick put it in your pc and you will see “UPDATER_LOG” as a notepad file open it & look through it to see if it contains errors (if it does upload the log to your file to the guide) (it should say at the bottom “0x83manufacturing updating SUCCESS(0x8002f000)”)

Now you need to get the ps3 out of service mode.

Open the folder “get out of fsm” delete the 3 files inside your usb stick then copy this file to your usb stick. Put the usb stick back into your ps3 it will boot then the hdd light will flash then turn off. Remove the usb stick. (the file is Lv2diag.self (201.42 KB) get out FSM)

after that re-build your ps3

turn on your ps3 and it should now boot to this screen follow the on screen instructions
nb the firmware you now have is rogero3.55 spoofed to 4.11 (for whoever decides not to follow my instructions and decides to go looking at system infomation)

11 De-hashing

Now to DeHash the console so it is brick protected when / if you decide to upgrade the firmware

THIS IS THE RECOMENDED WAY

QA flag method

what is QA de-hash

What Dehashing basically does is it resets the PS3′s Syscon hashes back to 3.55 with both “ros0” and “ros1”, making your PS3 back into an original/non-downgraded state and you do not need to worry about disabling LV1 checks when you install any CEX/DEX or the latest PS3 Official Firmware.

Install and run QA-toggle and make sure it beeps
if you just get a blank screen and nothing happens then you have a faulty bdvd and you cannot do this step. try re-marry bdvd found in the main post then try this step again.

to check you are QA flagged Set your cursor on Network Settings and press the key combo (all at the same time):L1 + L2 + L3 (press left stick) + R1 + R2 + dpad_down
if you are QA flagged a new option will show up right below network settings

Power off console
Put unpatched official firmware (e.g. 3.55) on USB Mass Storage device as /PS3/UPDATE/PS3UPDAT.PUP and insert in PS3

Boot into Recovery Menu:
press and hold power button you get 1 beep then a wait then a second beep then the ps3 turns off
press and hold power button again you get 1 beep then 2 beeps let go of power button
select "6. System Update" to reinstall firmware.
If installation finishes without error (there will be no logs you can check!) and boots XMB OK, then dehashing was successful.
Congrats, you now finished downgrading and dehashing. Console runs 3.55 and any firmware of choice can be installed, no longer needing to be patched for downgrader.

DO NOT DO THE SERVICE MODE WAY AS I AND OTHERS GET RLOD EVERYTIME IT IS DONE

Now you should be on 3.55ofw

You can now install the 3.55cfw of your choice

that’s it simple.