[zadow28]

Originally Posted by poorguy Respect for @zadow28 .. Thanks a ton mate!!! Hope this leads to bypassing the LV1 syscon checks and allow me to upgrade to any CFW without downgrading and dehashing everytime.. (pain in the a$$)... I said it again...

i actuellly managed to dump the sysrom also.
Dont know much about it though.
but here it is.

http://rghost.net/41339141


Also the hypervisor is found in the dump.
use the PS3_HV_Dump.idc in ida pro it finds it.

Code:

lv1_allocate_device_dma_region              ROM 00000000003065A4 000001A4 R . . . . . .
lv1_clear_spe_interrupt_status              ROM 00000000002FDD40 00000138 R . . . . . .
lv1_close_device                            ROM 0000000000306A24 00000144 R . . . . . .
lv1_configure_execution_time_variable       ROM 00000000002EB3DC 00000494 R . . . . . .
lv1_configure_irq_state_bitmap              ROM 00000000002E9E94 000006CC R . . . . . .
lv1_configure_virtual_uart_irq              ROM 00000000002F2348 000002E4 R . . . . . .
lv1_connect_interrupt_event_receive_port    ROM 0000000000305828 00000164 R . . . . . .
lv1_connect_irq_plug                        ROM 00000000002EAA04 00000118 R . . . . . .
lv1_connect_irq_plug_ext                    ROM 00000000002E98E0 000005B4 R . . . . . .
lv1_construct_event_receive_port            ROM 00000000002EEF5C 0000010C R . . . . . .
lv1_construct_logical_spe                   ROM 000000000031A6A4 000001CC R . . . . . .
lv1_construct_virtual_address_space         ROM 00000000002EC08C 00000278 R . . . . . .
lv1_deconfigure_virtual_uart_irq            ROM 00000000002F2A9C 0000013C R . . . . . .
lv1_destruct_event_receive_port             ROM 00000000002EEE54 00000108 R . . . . . .
lv1_destruct_io_irq_outlet                  ROM 00000000002BF7A8 0000033C R . . . . . .
lv1_destruct_logical_spe                    ROM 00000000002FD3B0 00000108 R . . . . . .
lv1_destruct_virtual_address_space          ROM 00000000002EC304 0000032C R . . . . . .
lv1_detect_pending_interrupts               ROM 00000000002EA7D0 0000012C R . . . . . .
lv1_did_update_interrupt_mask               ROM 00000000002E8E8C 000003BC R . . . . . .
lv1_disable_logical_spe                     ROM 00000000002FCBC8 00000304 R . . . . . .
lv1_disconnect_interrupt_event_receive_port ROM 00000000003056C4 00000164 R . . . . . .
lv1_disconnect_irq_plug                     ROM 00000000002EA8FC 00000108 R . . . . . .
lv1_disconnect_irq_plug_ext                 ROM 00000000002E95AC 00000334 R . . . . . .
lv1_enable_logical_spe                      ROM 00000000002FCECC 000002F0 R . . . . . .
lv1_end_of_interrupt                        ROM 00000000002EA6C8 00000108 R . . . . . .
lv1_end_of_interrupt_ext                    ROM 00000000002E9248 00000364 R . . . . . .
lv1_free_device_dma_region                  ROM 0000000000306450 00000154 R . . . . . .
lv1_get_rtc                                 ROM 00000000002F70F0 000003D0 R . . . . . .
lv1_get_spe_all_interrupt_statuses          ROM 00000000002FE1D0 000002DC R . . . . . .
lv1_get_spe_interrupt_status                ROM 00000000002FE6DC 0000012C R . . . . . .
lv1_get_spe_irq_outlet                      ROM 00000000002FC4A0 0000012C R . . . . . .
lv1_get_virtual_address_space_id_of_ppe     ROM 00000000002EADDC 0000013C R . . . . . .
lv1_get_virtual_uart_param                  ROM 00000000002F35A0 00000130 R . . . . . .
lv1_gpu_attribute                           ROM 000000000021027C 00000850 R . . . . . .
lv1_gpu_context_attribute                   ROM 0000000000210ACC 00000B3C R . . . . . .
lv1_gpu_context_intr                        ROM 000000000020CB08 000003CC R . . . . . .
lv1_insert_htab_entry                       ROM 00000000002EBBBC 000004D0 R . . . . . .
lv1_invalidate_htab_entries                 ROM 00000000002EC920 000003D8 R . . . . . .
lv1_map_device_dma_region                   ROM 00000000003062A8 000001A8 R . . . . . .
lv1_map_device_mmio_region                  ROM 000000000030689C 00000188 R . . . . . .
lv1_net_add_multicast_address               ROM 0000000000306D70 00000260 R . . . . . .
lv1_net_control                             ROM 0000000000307864 000002B4 R . . . . . .
lv1_net_remove_multicast_address            ROM 0000000000307214 00000260 R . . . . . .
lv1_net_set_interrupt_mask                  ROM 0000000000307B18 00000224 R . . . . . .
lv1_net_set_interrupt_status_indicator      ROM 0000000000307D3C 000003C4 R . . . . . .
lv1_net_start_rx_dma                        ROM 0000000000308304 0000023C R . . . . . .
lv1_net_start_tx_dma                        ROM 0000000000306FD0 00000244 R . . . . . .
lv1_net_stop_rx_dma                         ROM 0000000000308100 00000204 R . . . . . .
lv1_net_stop_tx_dma                         ROM 0000000000306B68 00000208 R . . . . . .
lv1_open_device                             ROM 0000000000305570 00000154 R . . . . . .
lv1_panic                                   ROM 00000000002EB96C 00000128 R . . . . . .
lv1_pause                                   ROM 00000000002EB150 00000180 R . . . . . .
lv1_read_htab_entries                       ROM 00000000002EC630 000002F0 R . . . . . .
lv1_read_pci_config                         ROM 0000000000305F04 00000240 R . . . . . .
lv1_read_pci_io                             ROM 0000000000305B28 000001A0 R . . . . . .
lv1_read_virtual_uart                       ROM 00000000002F3DD4 000003E0 R . . . . . .
lv1_select_virtual_address_space            ROM 00000000002EAB1C 000002C0 R . . . . . .
lv1_send_event_locally                      ROM 00000000002EF068 00000108 R . . . . . .
lv1_set_dabr                                ROM 00000000002EB000 00000150 R . . . . . .
lv1_set_interrupt_mask                      ROM 00000000002EA560 00000168 R . . . . . .
lv1_set_ppe_periodic_tracer_frequency       ROM 00000000003149A8 000001E0 R . . . . . .
lv1_set_spe_interrupt_mask                  ROM 00000000002FE0A8 00000128 R . . . . . .
lv1_set_spe_privilege_state_area_1_register ROM 00000000002FD9D8 00000128 R . . . . . .
lv1_set_spe_transition_notifier             ROM 00000000002FCAA0 00000128 R . . . . . .
lv1_set_thread_switch_control_register      ROM 00000000002E8928 00000148 R . . . . . .
lv1_set_virtual_uart_param                  ROM 00000000002F3C38 00000128 R . . . . . .
lv1_set_vmx_graphics_mode                   ROM 00000000002E8C64 00000134 R . . . . . .
lv1_shutdown_logical_partition              ROM 00000000002EBA94 00000128 R . . . . . .
lv1_start_ppe_periodic_tracer               ROM 000000000031463C 0000036C R . . . . . .
lv1_stop_ppe_periodic_tracer                ROM 0000000000314B88 00000288 R . . . . . .
lv1_storage_check_async_status              ROM 0000000000308DA4 00000140 R . . . . . .
lv1_storage_get_async_status                ROM 0000000000308EE4 00000138 R . . . . . .
lv1_storage_read                            ROM 00000000003086C0 00000180 R . . . . . .
lv1_storage_send_device_command             ROM 000000000030901C 00000180 R . . . . . .
lv1_storage_write                           ROM 0000000000308540 00000180 R . . . . . .
lv1_undocumented_function_114               ROM 00000000002DCD54 000000A8 R . . . . . .
lv1_undocumented_function_115               ROM 00000000002DC7E0 000000A8 R . . . . . .
lv1_undocumented_function_134               ROM 00000000002E8D98 000000F4 R . . . . . .
lv1_undocumented_function_137               ROM 000000000031BBF8 00000108 R . . . . . .
lv1_undocumented_function_138               ROM 000000000031B88C 00000118 R . . . . . .
lv1_undocumented_function_167               ROM 000000000031C344 0000012C R . . . . . .
lv1_undocumented_function_168               ROM 000000000031A57C 00000128 R . . . . . .
lv1_undocumented_function_195               ROM 0000000000307680 000001E4 R . . . . . .
lv1_undocumented_function_196               ROM 0000000000307474 0000020C R . . . . . .
lv1_undocumented_function_200               ROM 000000000031AF44 00000304 R . . . . . .
lv1_undocumented_function_201               ROM 000000000031AC40 00000304 R . . . . . .
lv1_undocumented_function_209               ROM 000000000031B248 000003E0 R . . . . . .
lv1_undocumented_function_244               ROM 00000000002F7984 00000104 R . . . . . .
lv1_undocumented_function_250               ROM 0000000000308C2C 00000178 R . . . . . .
lv1_undocumented_function_251               ROM 0000000000308AEC 00000140 R . . . . . .
lv1_undocumented_function_252               ROM 0000000000308840 00000154 R . . . . . .
lv1_undocumented_function_253               ROM 0000000000308994 00000158 R . . . . . .
lv1_undocumented_function_62                ROM 000000000031AAF8 00000148 R . . . . . .
lv1_undocumented_function_75                ROM 00000000002E5A58 0000019C R . . . . . .
lv1_undocumented_function_8                 ROM 00000000002EB2D0 0000010C R . . . . . .
lv1_undocumented_function_89                ROM 00000000002FD4B8 000002E4 R . . . . . .
lv1_undocumented_function_99                ROM 000000000031BFA0 0000015C R . . . . . .
lv1_unmap_device_dma_region                 ROM 0000000000306144 00000164 R . . . . . .
lv1_unmap_device_mmio_region                ROM 0000000000306748 00000154 R . . . . . .
lv1_write_htab_entry                        ROM 00000000002ECCF8 000004A8 R . . . . . .
lv1_write_pci_config                        ROM 0000000000305CC8 0000023C R . . . . . .
lv1_write_pci_io                            ROM 000000000030598C 0000019C R . . . . . .
lv1_write_virtual_uart                      ROM 00000000002F262C 00000470 R . . . . . .
printf                                      ROM 0000000000297DBC 00000058 R . . . . . .
puts                                        ROM 00000000002B9F98 00000034 R . . . . . .

Could be we all should work together, and go get that QA.

[blazek566]

Amazing work zadow28!:D
Edit: Zadow here is the link to QA on 3.55 hope it helps you.
http://tinyurl.com/crbdbx3

[zecoxao]

i'm going to try 4.21 REX and try to do this on multiMAN, because if it wasn't done like that, then it was probably done with glevand's (not sure if it was his or graf's) dump_lv1.pkg resigned for 4.21 (with 3.60 keys but meh xD)

[zadow28]

Originally Posted by zecoxao i'm going to try 4.21 REX and try to do this on multiMAN, because if it wasn't done like that, then it was probably done with glevand's (not sure if it was his or graf's) dump_lv1.pkg resigned for 4.21 (with 3.60 keys but meh xD)

Done with the lv1.pkg via xmb. remember to resign it.
Its actuelly an fself so sign it first, then resign it.

but the new rex, should be able to dump via Mm.

[RickDangerous]

You've done it again, Zadow28. Amazing!

[haz367]

Originally Posted by zecoxao i'm going to try 4.21 REX and try to do this on multiMAN, because if it wasn't done like that, then it was probably done with glevand's (not sure if it was his or graf's) dump_lv1.pkg resigned for 4.21 (with 3.60 keys but meh xD)

in my view and testing it here, lv2 wasn\t hard to dump at all, either via MM on Rogero 4.xx or via resigned PsidPatch(lv2 dump worked fine)

then the LV1 HV dumped on rogero 4.xx+MM but it's empty 000000 file

here on 421rex, either dump LV1 HV via the TOOLBOX or MM, both are valid


little off-topic:
hey @zecoxao , can u pls verify something if ur on REBUG 421REX, pls dump the FLASH using MM etc.. and check HxD statistics on the dump, the 00's, normally its between 18-29%, but this REBUG version must have many things patched causing to lower the "00" percentages

thx for checking anyone!

[zecoxao]

just figured it out https://dl.dropbox.com/u/35197530/20...-LV1-FW4.21.7z should be similar to the one you have @zadow28

edit: @haz367 it's in fact the opposite, it's about 46% 00 and 2,5% FF

[haz367]

Originally Posted by zecoxao it's in fact the opposite, it's about 46% 00 and 2,5% FF

no no im not talking about the 20121104-151543-LV1-FW4.21.BIN

thats indeed... 39,96% 00 and 2.92% on Rebug 421-REX

i ment the NOR flash backup we use for downgrade
can u dump on rex421 and verify the statistics of the dump(00 and FF's)
thx

[zecoxao]

Originally Posted by haz367 no no im not talking about the 20121104-151543-LV1-FW4.21.BIN thats indeed... 39,96% 00 and 2.92% on Rebug 421-REX i ment the NOR flash backup we use for downgrade can u dump on rex421 and verify the statistics of the dump(00 and FF's) thx

yeah sure, just give me a sec

6.30% 00
10.50% FF

[haz367]

hmm..that's totally invalid if u go by the wiki..is it Rebug 421REX u dumped?

nvm....15.95% 00's on a REBUG 421REX MUST be correct, just would have been nice if someone can verify his backup of the NOR flash and compare, urs 6.30 00's is just weird or having secret patches applied we dont have...lol...thx for test anyway