[CaptainCPS-X]

[Research] JC Preloader / multiMAN - NAND Flash Differences

Introduction

In this thread I want to discuss about the difference between the NAND flash dumps made by JaiCrab Preloader Advance v3.1 and multiMAN (mmCM).

Objective

The objective of this thread is simple, to explore methods to convert a Full NAND flash dump made by JC Preloader Advance into a multiMAN-compatible NAND flash dump.

If a method is found, then it could help those who just made the JC Preloader Advance flash dump, and for example if they want to re-flash a DEX converted PS3 back to CEX they could use mutliMAN for the job without going into Factory Service Mode, since it have been proven to be very dangerous at this moment, at least when going from DEX-To-CEX.

256 MB vs 239MB

I will go straight to the point, JC Preloader Advance NAND flash dump is 256MB and multiMAN (and other tools) NAND flash dump is 239MB.

What are the extra 17MB ?

In short words, it is data repeated each 2MB (0x200000 bytes), until the last 256MB offset. The first data segment begins from offset 0xEC00000 to 0xEDFFFFF (0x200000 bytes).

I will explain with details now, please continue reading.

After investigating many times with HxD hex editor both NAND flash dumps made with JC Preloader Advance and multiMAN, I found it difficult to navigate millions of bytes to find differences. I even tried loading both file on a binary comparison application but it is to much data and takes lot of resources from my PC.

So I decided to split both files in 1MB parts using HxD file tools, and then package them on a ZIP for easy and simple hash verification (CRC32).

Here you have 2 screenshots (I will explain the marks on it later), from the split JC Preloader Advance NAND flash dump and multiMAN NAND flash dump.

(A) JC Preloader Advance NAND flash dump:



(B) multiMAN NAND flash dump



Now as you can see in picture (A), beginning from segment 237-238, we can see the same data repeated until the last segment 256.

In picture (B) however, we only see the same data just once on segment 237-238, then it doesn't repeat in segment 239-240.

Other segments marked with green in both pictures (A) and (B) are the same in both flash dumps. So basically 237MB of both dumps are identical, the only difference is the last 1,835,008 bytes (0x1C0000 bytes).

What are this repetitive data segments ?

Honestly I don't know but if someone knows and can elaborate I will appreciate it.

Conclusion (for now)

At this moment, if I wanted to convert my JC Preloader Advance NAND flash dump to the identical multiMAN-compatible dump I would have to do the following:

- Trim the 256MB flash dump to 239MB
- Replace the last 1,835,008 bytes with the one from multiMAN flash dump

"IF" that last data segment was the same for every user, then I could make a simple application to convert a JC Preloader Advance flash dump into a multiMAN compatible flash dump (NAND).

How can you help ?

To help find out if the last segment from a multiMAN flash dump is the same for everyone, I will need volunteers to upload at least the last 6MB of your flash dump made with multiMAN, if you made a flash dump with JC Preloader Advance it would help as well.

You can use any file splitter to split the 256MB or 239MB file into 1MB pieces then just grab the last 6MB of each and upload them to mediafire (or any other server) for inspection.

Thanks in advance for your help!

Warning: Do not try flashing any modified flash based on this research, since it is not complete and confirmed yet.

PS: I will update this thread as I get more information on all this.

SeeYa!

[gingerbread]

Amazing explanation and findings.

I have used "File Splitter"

Code:

http://www.filesplitter.org/

Here is my last 6 splits of my NAND Dump from Preloader advance.

Code:

http://www.sendspace.com/file/5wi5ay

I hope it helps.

Thanks.

[keano]

OK here is mine taken from a CECHG03 with JC Preloader

http://netload.in/dateiZcVgsrGH52/Backuprflash.zip.htm

[deank]

mM cares for the first 264703 bytes of the NAND dump it creates (EID0 should start at 0x40800 for one sector to 0x409FF). If it finds it there (+the IDPS at 0x40870-0x40890) it will accept the 239MB dump, compare the IDPS with your console and proceed if it matches. You can try to trim the last 6MB and load NANDBIN in mM. It will ask for 4 confirmations before proceeding if the dump/IDPS is valid, so you can abort at any time.
************* [ - Post Merged - ] *************
I would also suggest that people use ProDG for "System Update" via LAN/WiFi when installing firmares in DEX mode (going to 4.** and going back to 3.55DEX downgrader).

[gingerbread]

Originally Posted by deank mM cares for the first 264703 bytes of the NAND dump it creates (EID0 should start at 0x40800 for one sector to 0x409FF). If it finds it there (+the IDPS at 0x40870-0x40890) it will accept the 239MB dump, compare the IDPS with your console and proceed if it matches. You can try to trim the last 6MB and load NANDBIN in mM. It will ask for 4 confirmations before proceeding if the dump/IDPS is valid, so you can abort at any time. ************* [ - Post Merged - ] ************* I would also suggest that people use ProDG for "System Update" via LAN/WiFi when installing firmares in DEX mode (going to 4.** and going back to 3.55DEX downgrader).

If the next update of mM supports supports full NAND will be great. Really looking forward to it!!

1. Does installing (Going up and down) DEX firmware directly hurts the systems? Whats makes using ProDG for "System Update" different?
2. So by using ProDG/TM, it bypasses "syscon hash checks" during system updates?
3. Does this mean, ALWAYS use ProDG/TM when going up and down firmware when you are on DEX?
4. Does this also mean, ALWAYS use ProDG/TM when you are switching between CEX<-->DEX?

Thanks @deank

[4DoorITR]

Does anyone know where I messed up? Bricked after dumping CEX NAND with preloader, converting to DEX, downgrading to 3.55 DEX from 4.21, then reflashing the CEX NAND backup.

Have a Progskeet on the way but now I'm questioning if the backup I made with preloader is valid.

Thanks.

[beenii]

i assume, you shut down your console after flashing the cex nand, befor installing a cex firmware. that seems to brick the console.

OT: i, aswell would like to go back from dex with multiman, but only have a jaicrab dump. please, if someone can help me, i would be greatfull. thanks

[elyman]

Originally Posted by beenii i assume, you shut down your console after flashing the cex nand, befor installing a cex firmware. that seems to brick the console. OT: i, aswell would like to go back from dex with multiman, but only have a jaicrab dump. please, if someone can help me, i would be greatfull. thanks

I have the same problem... Please help us.

[4DoorITR]

Originally Posted by beenii i assume, you shut down your console after flashing the cex nand, befor installing a cex firmware. that seems to brick the console.

No actually I didn't. I proceeded to flash 3.55 from the factory service mode, but ended up with RSOD. That's when I shut it off. I believe my issue had something to do with SYSCON and dehashing (which I didn't do).