08-05-2011 #151
judges
Originally Posted by butnut:
I connected my bluray drive but I still get the same error.

The firmware dumps just fine but I can't write...
Check your wiring is all I can recommend. If this is occurring with the very first sector, it's probable that you cannot even read correctly (and just don't notice). Upload your dump somewhere, send me a PM with the link and I can have a look at it.
08-05-2011 #152
butnut
PM has been sent.
08-05-2011 #153
jester
Originally Posted by butnut:
I connected my bluray drive but I still get the same error.

The firmware dumps just fine but I can't write...
I don't think the bluray drive connection is relevant. I read and write with the drive disconnected. It is more likely to be a wiring problem. It can also be due to electrical interference; it happened to me. Try moving the wires and changing the Teensy's position.
08-05-2011 #154
toxie
Originally Posted by jester:
I don't think the bluray drive connection is relevant. I read and write with the drive disconnected. It is more likely to be a wiring problem. It can also be due to electrical interference; it happened to me. Try moving the wires and changing the Teensy's position.
I agree that the bluray drive connection has nothing to do with the writing, because you have connected the Teensy directly to the chip and have direct access to it.
I vote for a wiring problem, or some interference.

butnut, have you connected the GND from the Teensy to the PS3?
08-05-2011 #155
jarmster
asecure_loader 0x00000820
eEID 0x0002f000
cISD 0x0003f000
cCSD 0x0003f800
trvk_prg0 0x00040010
trvk_prg1 0x00060010
trvk_pkg0 0x00080010
trvk_pkg1 0x000a0010
p..ros0 0x000c0000
p..ros1 0x007c0000
cvtrm 0x00ec0000

Some dump offsets
p..ros0 3.66 start 0x000c0000


sdk_version---------------- 0x00100470
spu_pkg_rvk_verifier.self---0x00100478
spu_token_processor.self----0x0010ffc4
spu_utoken_processor.self---0x0011c8f4
sc_iso.self-----------------0x00122cc4
aim_spu_module.self---------0x0013ff9c
spp_verifier.self-----------0x00144234
mc_iso_spu_module.self------0x00151a24
me_iso_spu_module.self------0x00159ab0
sv_iso_spu_module.self------0x00162368
sb_iso_spu_module.self------0x0016e3e0
default.spp-----------------0x00174190
lv1.self--------------------0x00176490
lv0-------------------------0x0029a890
lv2_kernel.self-------------0x00382210
eurus_fw.bin----------------0x004faea0
emer_init.self--------------0x0056be34
hdd_copy.self---------------0x005ea09c
manu_info_spu_module.self---0x0064b8b4
prog.srvk-------------------0x0064cb5c
pkg.srvk--------------------0x0064ce3c



And the easiest way I found to actually patch the hash check in any firmware is to use ps3mfw...


Go into the task directory and open up the patch_lv1.tcl file
set search "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\x38\x80\x00\x01"
Replace the lines in the file with what you see above. Save it (remember to back up the original...)
Open ps3mfw and only apply the lv1 patch to ofw355
When done you have a patched ofw. Extract coreos, and cut into your dump
Easy peasy.....

Last edited by jarmster; 08-05-2011 at 05:53 PM.
Likes: (5)
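
Added example, not part of the thread or of any poster's tooling: judges notes in #151 that a dump can be read incorrectly without the reader noticing, and post #155 lists where each flash region starts. The Python below compares two reads of the same chip block by block and names the regions a mismatch touches; the 16 MiB image size, the 64 KiB block size and all function names are assumptions, and the sample data is constructed.

```python
# Region starts copied from the offset table in post #155 (labels as written
# there). DUMP_SIZE and BLOCK are assumptions, not values from the thread.
REGIONS = [
    ("asecure_loader", 0x00000820), ("eEID", 0x0002F000), ("cISD", 0x0003F000),
    ("cCSD", 0x0003F800), ("trvk_prg0", 0x00040010), ("trvk_prg1", 0x00060010),
    ("trvk_pkg0", 0x00080010), ("trvk_pkg1", 0x000A0010),
    ("p..ros0", 0x000C0000), ("p..ros1", 0x007C0000), ("cvtrm", 0x00EC0000),
]
DUMP_SIZE = 0x1000000  # assumed 16 MiB image
BLOCK = 0x10000        # assumed 64 KiB comparison granularity


def regions_in(off, length):
    """Regions overlapping [off, off+length); each is taken to run to the next listed start."""
    ends = [start for _, start in REGIONS[1:]] + [DUMP_SIZE]
    return [name for (name, start), end in zip(REGIONS, ends)
            if start < off + length and end > off]


def compare_reads(a, b, block=BLOCK):
    """Blocks that differ between two reads of the same chip, with the regions they touch."""
    if len(a) != len(b):
        raise ValueError("reads differ in length: %d vs %d" % (len(a), len(b)))
    return [(off, regions_in(off, block)) for off in range(0, len(a), block)
            if a[off:off + block] != b[off:off + block]]


def blank_regions(dump, probe=256):
    """Regions that start with `probe` bytes of all 0x00 or all 0xFF, or lie past the dump's end."""
    return [name for name, start in REGIONS
            if len(dump) < start + probe
            or set(dump[start:start + probe]) in ({0x00}, {0xFF})]


def make_sample_reads():
    """Constructed data: a patterned image, and a second 'read' with one flipped byte
    and one 4 KiB run stuck at 0xFF."""
    first = (bytes(range(1, 255)) * (DUMP_SIZE // 254 + 1))[:DUMP_SIZE]
    second = bytearray(first)
    second[0x2F010] ^= 0xFF
    second[0x7C0000:0x7C1000] = b"\xFF" * 0x1000
    return first, bytes(second)


if __name__ == "__main__":
    r1, r2 = make_sample_reads()
    for off, names in compare_reads(r1, r2):
        print("mismatch at 0x%08x touching %s" % (off, ", ".join(names)))
    print("regions that look blank:", blank_regions(r2))
```

Two reads that agree everywhere are a precondition for trusting a dump, not proof of it: a fault that corrupts every read the same way passes the comparison, which is why the blank-region check is run as well.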
08-05-2011 #156
butnut
@toxie I have connected the GND and made all connections that the directions said to. I will reconnect the Teensy and see if that helps.
08-06-2011 #157
dandza
Originally Posted by jarmster:
asecure_loader 0x00000820
eEID 0x0002f000
cISD 0x0003f000
cCSD 0x0003f800
trvk_prg0 0x00040010
trvk_prg1 0x00060010
trvk_pkg0 0x00080010
trvk_pkg1 0x000a0010
p..ros0 0x000c0000
p..ros1 0x007c0000
cvtrm 0x00ec0000

Some dump offsets
p..ros0 3.66 start 0x000c0000


sdk_version---------------- 0x00100470
spu_pkg_rvk_verifier.self---0x00100478
spu_token_processor.self----0x0010ffc4
spu_utoken_processor.self---0x0011c8f4
sc_iso.self-----------------0x00122cc4
aim_spu_module.self---------0x0013ff9c
spp_verifier.self-----------0x00144234
mc_iso_spu_module.self------0x00151a24
me_iso_spu_module.self------0x00159ab0
sv_iso_spu_module.self------0x00162368
sb_iso_spu_module.self------0x0016e3e0
default.spp-----------------0x00174190
lv1.self--------------------0x00176490
lv0-------------------------0x0029a890
lv2_kernel.self-------------0x00382210
eurus_fw.bin----------------0x004faea0
emer_init.self--------------0x0056be34
hdd_copy.self---------------0x005ea09c
manu_info_spu_module.self---0x0064b8b4
prog.srvk-------------------0x0064cb5c
pkg.srvk--------------------0x0064ce3c



And the easiest way I found to actually patch the hash check in any firmware is to use ps3mfw...


Go into the task directory and open up the patch_lv1.tcl file


Replace the lines in the file with what you see above. Save it (remember to back up the original...)
Open ps3mfw and only apply the lv1 patch to ofw355
When done you have a patched ofw. Extract coreos, and cut into your dump
Easy peasy.....
Awesome Jarmster, thanks for the tip. That is what I have been trying. Instead of modifying it I made another tcl patch task for ps3mfw.
So if we make a custom firmware like kmeaw and insert this hash check patch also, extract cos and write it in binary and then finally flash it back to nor, that way we should get a downgraded ps3 with custom firmware and no need to flash it again, right?
What about the firmware on HDD?
08-06-2011 #158
jarmster
Just flash an ofw patched cos, then install the cfw. That takes care of the f/w on the hdd.
If you flashed a patched kmeaw cos... same. Install the cfw over top.

Last edited by jarmster; 08-06-2011 at 01:39 AM.
08-06-2011 #159
dandza
OK, will try that this weekend and post results, thanks everyone.
08-06-2011 #160
Dumbelek
Originally Posted by jarmster:
asecure_loader 0x00000820
eEID 0x0002f000
cISD 0x0003f000
cCSD 0x0003f800
trvk_prg0 0x00040010
trvk_prg1 0x00060010
trvk_pkg0 0x00080010
trvk_pkg1 0x000a0010
p..ros0 0x000c0000
p..ros1 0x007c0000
cvtrm 0x00ec0000

Some dump offsets
p..ros0 3.66 start 0x000c0000


sdk_version---------------- 0x00100470
spu_pkg_rvk_verifier.self---0x00100478
spu_token_processor.self----0x0010ffc4
spu_utoken_processor.self---0x0011c8f4
sc_iso.self-----------------0x00122cc4
aim_spu_module.self---------0x0013ff9c
spp_verifier.self-----------0x00144234
mc_iso_spu_module.self------0x00151a24
me_iso_spu_module.self------0x00159ab0
sv_iso_spu_module.self------0x00162368
sb_iso_spu_module.self------0x0016e3e0
default.spp-----------------0x00174190
lv1.self--------------------0x00176490
lv0-------------------------0x0029a890
lv2_kernel.self-------------0x00382210
eurus_fw.bin----------------0x004faea0
emer_init.self--------------0x0056be34
hdd_copy.self---------------0x005ea09c
manu_info_spu_module.self---0x0064b8b4
prog.srvk-------------------0x0064cb5c
pkg.srvk--------------------0x0064ce3c



And the easiest way I found to actually patch the hash check in any firmware is to use ps3mfw...


Go into the task directory and open up the patch_lv1.tcl file


Replace the lines in the file with what you see above. Save it (remember to back up the original...)
Open ps3mfw and only apply the lv1 patch to ofw355
When done you have a patched ofw. Extract coreos, and cut into your dump
Easy peasy.....
I can't decrypt CORE_OS_PACKAGE.pkg this way...
1- Edited "patch_lv1.tcl" and started PS3MFW, checked only the "Patch LV1 Hypervisor" task. And in task options unchecked the "Allow mapping of any memory area (Needed for LV2 Poke)" option
2- Build MFW --successful
3- Extracted M355.PUP with PUPExtractor, extracted CORE_OS_PACKAGE.pkg from File_7.tar. ( Size : 5.090 KB - 5.212.160 bytes )
4- >fwpkg d "CORE_OS_PACKAGE.pkg" "DECRYPTED_COS.pkg" --no error ( Size : 5.089 KB - 5.211.094 bytes )
When I check the decrypted cos with a hex editor, it does not start with the "oÿà" (6F FF E0 hex) pattern.

Can you check it out from your process? There must be a difference between our processes.