I had the same brick yesterday but since my console does not allow me to enter a FSM then all i have to do is reflash my original dump (CEX) using progskeet.
But after flashing it i had the same brick, so i thought about SysCon checks and i was right.
All you have to do then if your console bricked and can not enter a FSM is to patch your original CEX dump with downgrade patch v2.0 then flash your patched dump to your console.
Now your console will be able to enter a FSM and you can recovery it using ROGERO CFW or any other lv1 hash check patched CFW.
Hmm same situation here. I flashed original CEX with E3 and gives no difference. No power on USB so i can't get into FSM. Can you give link for the downgrade patch?
Edit : Nevermind. Already have it. Patch CEX dump and flash it. PS3 works again. Thanks for the tip.
Redump Your Nor/Nand PS3 With Multiman, Unpack The NOR/NAND Copy "metldr" File to Metldrpwn Folder In Linux/Red Ribbon.
Next Do This Step Again
ps3@ps3:~$ cd metldrpwn/
ps3@ps3:~/metldrpwn$ sudo ./run.sh
Originally Posted by chocobo2k
I tried HXD to look at my dump_eid0.bin
It is all bunch of zeros. So something must have went wrong. I check Norunpack tutorial at the beginning of the post. I extracted metldr from unpacking. I put it in metlrdpwn folder and copied it to Linux. I executed the command sudo ./run.sh but still got nothing. Here is a copy of the dump.
ps3@ps3:~$ cd metldrpwn/
ps3@ps3:~/metldrpwn$ sudo ./run.sh
[sudo] password for ps3:
+ insmod ./metldrpwn.ko
+ cat metldr
+ sleep 1
+ cat appldr-metldrexploit350.self
+ sleep 2
+ echo 1
+ sleep 5
+ cat /proc/metldrpwn/debug
PPE id (0x0000000000000001) VAS id (0x0000000000000002)
lv1_construct_logical_spe (0x00000000)
SPE id (0x0000000000000033)
lv1_enable_logical_spe (0x00000000)
lv1_set_spe_interrupt_mask(0) (0x00000000)
lv1_set_spe_interrupt_mask(1) (0x00000000)
lv1_set_spe_interrupt_mask(2) (0x00000000)
lv1_set_spe_privilege_state_area_1_register (0x00000000)
ea (0xc000000003650000) esid (0xc000000008000000) vsid (0x0000408f92c94500)
lv1_get_spe_interrupt_status(0) (0x00000000)
lv1_get_spe_interrupt_status(1) (0x00000000)
lv1_get_spe_interrupt_status(2) (0x00000000)
sleep
lv1_get_spe_interrupt_status(0) (0x00000000)
lv1_get_spe_interrupt_status(1) (0x00000000)
lv1_get_spe_interrupt_status(2) (0x00000000)
out interrupt mbox (0x0000000000000001)
lv1_clear_spe_interrupt_status(2) (0x00000000)
transferring EID0, ldr args and revoke list to LS
waiting until MFC transfers are finished
MFC transfers done
out mbox (0x00000001)
problem status (0x00000089)
lv1_destruct_logical_spe (0x00000000)
+ cp /proc/metldrpwn/dump /home/ps3/dump_eid0.bin
+ rmmod metldrpwn.ko
ps3@ps3:~/metldrpwn$
It's 1:30 am and Guiness Draught is still keeping me awake. Help is much appreciated! xD
just a heads up, but just because we fixed our ps3s, we should not think of this method as a security blanket. I have been seeing some more people talking about bricks from DEX to CEX, and they get messed up USB Slots or it completly will power off. those type of bricks can not be fixed with the current fix.
Then trying to do the conversion is going to be a risky ride then!
Having a valid dump will help you out if you're planning to get a hardware flasher, but obviously, that's a more complicated procedure than the Factory Service Mode recovery fix.
Please people bare in mind that recovery using a hardware flasher to flash the NOR/Nand Dump also requires a Jig/PSGrade to Flash the Firmware into the PS3 from Factory Service Mode.
So, the Jig device is required for all types of Recovery.
It is not the years in your life that count. It is the life in your years.
Please people bare in mind that recovery using a hardware flasher to flash the NOR/Nand Dump also requires a Jig/PSGrade to Flash the Firmware into the PS3 from Factory Service Mode.
So, the Jig device is required for all types of Recovery.
It worked !! I tried both mmOS flash dump and Memdump 0.01
In mmOS it was 'EXTREMELY' difficult to get the flash memory to be mounted in dev_usb0000
My PS3 never wanted to mount any flash memory in the right USB port (in order to get usb0000). So Memdump can work for those of you who have my problem.
Here are the results from C2D using mmOS metldr + metldrpwn
Hi...
Complete all levels...
dump 355CEX.NORBIN
dump dump_eid0.bin
When i add this to c2d tool i see this error : error input flash file in not valid
why?
i use HxD.
where i can find key ?
here is my dump_eid0.bin
can anyone help me to find my key in this file with HxD ?
I am not sure but I don't think you need to find any key. It could be that the original flash dump is not right.
Try to get your NOR flash using Memdump
Do the steps again by getting the metldr file from norunpack extracted files. Do the metldrpwn using this metldr and try with C2D
Originally Posted by MHMProSoft
Hi...
Complete all levels...
dump 355CEX.NORBIN
dump dump_eid0.bin
When i add this to c2d tool i see this error : error input flash file in not valid
why?
i use HxD.
where i can find key ?
here is my dump_eid0.bin
can anyone help me to find my key in this file with HxD ?
I am not sure but I don't think you need to find any key. It could be that the original flash dump is not right.
Try to get your NOR flash using Memdump
Do the steps again by getting the metldr file from norunpack extracted files. Do the metldrpwn using this metldr and try with C2D
tnx...
but i validate my dump & all is good.
i exctracted metldr & with red ribon get the dump_eid0.bin
i want to find keys in this file dump_eid0.bin with HxD.
@tul, i take the liberty of improving you're tutorial, can you check? I will try this when my E3 card reader arrives
How to unbrick from a DEX to CEX conversion
When it happens?
When doing a DEX to CEX conversion, when you're in 3.55 DEX firmware after flashing the CEX EID0.NORBIN in Multiman CEX, you shutdown the ps3 and the PS3 won't boot anymore. EDIT: according to sandungas this problem has something to do with syscon hashes when you go to DEX higher firmwares, so be careful when you go to higher firmwares
Brick sign
On boot, the ps3 console, after 5 "double beeps" very fast and turn off after 3 seconds - no video output
See an example: http://www.youtube.com/watch?v=S1OEDFOKu_Q
I have edited this post.
The sentence in red is incorrect.
The sentence with blue in it has updated info.
When you get a brick that has the same beeping as in the video, it is caused by installing dex firmware on a non qa flagged ps3, it has nothing to do with downgrading.
Now if you choose to follow the little tutorial below, then please, for the love of kittens, DO NOT INSTALL A DEX FIRMWARE HIGHER THAN 3.55 or you will brick your mutha-fluffin PS3!
Anyone can test this for themselves(this will format your internal hdd so use a spare if you care) by putting a non qa flagged 3.41 or 3.55 CEX ps3 into service mode and installing DEX 3.41 or 3.55. You will get the same beeps as in the video.
Now install your favorite mfw to the ps3, exit service mode and run the qa flag package.
Go back into service mode and install DEX 3.41 or 3.55, take it out of service mode and...
It boots! YEAH!
Oh wait. Almost none of the debug options work and you cant play any games or bd-movies.
Oh well just go back to service mode and install your favorite mfw to the ps3, exit service mode.
Basically folks, under normal circumstances DEX firmwares don't boot on CEX PS3's, simple as that.
If you want to switch between DEX and CEX put your 3.55 dex ps3 in service mode and install dex 3.41 then exit service mode now install dex 3.55 from xmb and use multiman to flash your CEXDUMP but DO NOT turn off your ps3 after flashing just go directly to the XMB and install any CEX mfw you want.
After installation completes you once again have a retail CEX ps3 that will not brick when you turn it off.
Originally Posted by Abkarino
Reply With Quote
