Rogero MFW to fix the Trophies Problem after a PS3 downgrade

[Rogero]

Last night I had the chance to try and downgrade a Slim Ps3 (JSD-001 board with Spansion NOR) version 3.70 to CFW 3.55 using Dospiedra's downgrade v2 patches.

I managed to get a clean dump of the NOR using my ProgSkeet (latest QT port used), created a patched Downgrade.bin image
using the 6 patched files from Dospiedra and a hex editor, then I flashed the image to the PS3 NOR, dumped the NOR another
time and verified that all was written fine.

Then I continued with the normal downgrade procedure, go into service mode, update using the 3.55_no_check.PUP, then exit
service mode and all was good, it was back into CFW 3.55.

Here the problems started, I tried to start a game and I got the famous Trophy error, so I decided to update it to my
personal Modified Firmware, so I started the update and after installing the firmware, the PS3 turned off by itself,
I tried to turn it on again, It turned on for almost 2 or 3 seconds then turned off completely ( No Screen Output, No Red Led either )
so I knew-ed at this point that the PS3 was Bricked

N.B:this was never mentioned in any of the downgrade tutorials floating on the net, although this is a very important point
to warn the users who are downgrading their Ps3 machines not to update using usual Modified firmwares unless the firmware
have the LV1.self file patched to Disable all checks, anything else will result into a Bricked PS3, and this is not good at
all especially if the Hardware flasher used to downgrade was removed from the Ps3's NOR or Nand Flash.

After doing some research and discussing the issue with my friend eussNL <-- a wiki by himself
I realized what happened to the Ps3, after the downgrade procedure, the machine's syscon still had a version > 3.55
(3.56 or higher) and this needs a Patched LV1.self (checks disabled) in the NOR for the PS3 to be able to boot fine, and when
I updated it to my own MFW, the LV1.self file in the NOR was replaced with a non-patched version (checks enabled) and the PS3
detected the higher syscon version (3.56+) and Bricked.

To Fix it, I had to re-flash the NOR again with the patched Downgrade.bin image (to get rid of the un-patched LV1.self)
then the Ps3 was fixed and booting fine again.

N.B: in case you're using ProgSkeet, make sure you are using the Latest released flasher (QT port) as of 11 Sep 2011 from this link :
WinSkeet40000.zip
This one have Preset parameter values for each NOR type, I used it on Win7 and it flashed my Spansion NOR just fine.


At this point, the Ps3 was working again, but the Trophy problem was always there, so I prepared another Modified firmware with
3.70 spoof, Privacy Patch and this time the LV1.self Checks Disabled
(the patches were provided by eussNL too so Credits here goes to him),
then while still having Progskeet soldered to the NOR flash, I updated the Ps3 with the new MFW, everything
went fine, and it rebooted fine into the XMB, did some tests and the Trophy problem was gone for good and all games working fine.

For all the users who had successfully downgraded their PS3 machines to 3.55 again, I share with you my MFW with Lv1 Checks patched to bypass the 3.56+ syscon version and prevent any brick after updating to it, and to get rid of the annoying Trophy problem encountered after the usual downgrade procedure.


Link Removed... Please check this thread for info about the new CFW Version 2:
Rogero-CFW-V2-with-better-Downgrade-Compatibility


N.B: This MFW can be used directly for downgrade (instead of 3.55_no_check) after flashing the NOR and entering Factory Service Mode in order to have a final CFW3.55 working smoothly without any trophy errors (this will save some time during the process, rather then updating to it again after the downgrade)
by following Dospiedra's downgrade tutorial V2 ( NOT THE OLD V1 DOWNGRADE TUTORIAL )

DSC03717.JPG

DSC03723.JPG

DSC03727.JPG

Cheers...

Rogero

[JLM]

That's some great work. Are any other checks disabled in the lv1.self or your mfw besides the syscon version? Thanks for posting the process you went through to come up with this firmware.

[Rogero]

That's some great work. Are any other checks disabled in the lv1.self or your mfw besides the syscon version? Thanks for posting the process you went through to come up with this firmware.

These are the 25 Patches applied to LV1.self contained in my MFW :

# Description: Patch LV1 checks

# Option --patch-lv1checks: Disables many checks in lv1

# Type --patch-lv1checks: boolean

namespace eval :: patch_lv1checks {

array set :: patch_lv1checks:: options {
--patch-lv1checks true
}

proc main { } {
set self "lv1.self"

::modify_coreos_file $self :: patch_lv1checks:: patch_self
}

proc patch_self {self} {
if {!$:: patch_lv1checks:: options(--patch-lv1checks)} {
log "WARNING: Enabled task has no enabled option" 1
} else {
::modify_self_file $self :: patch_lv1checks:: patch_elf
}
}

proc patch_elf {elf} {
if {$:: patch_lv1checks:: options(--patch-lv1checks)} {
log "Patching LV1 Checks"

# ss_server1
# Patch core OS Hash check // product mode always on
log "--------------- Patching ss_server1.fself ----------------------------"
log "Patch core OS Hash check // product mode always on"

set search "\x41\x9E\x00\x1C\x7F\x63\xDB\x78\xE8\xA2\x85\x68\ x38\x80\x00\x01"
set replace "\x60\x00\x00\x00\x7F\x63\xDB\x78\xE8\xA2\x85\x68\ x38\x80\x00\x01"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


# Patch check_revoke_list_hash check // product mode always on
log "Patch check_revoke_list_hash check // product mode always on"

set search "\x41\x9E\x00\x1C\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\ x38\x80\x00\x01"
set replace "\x60\x00\x00\x00\x7F\xA3\xEB\x78\xE8\xA2\x85\x68\ x38\x80\x00\x01"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


# In product mode erase standby bank skipped
log "Patch In product mode erase standby bank skipped"

set search "\x41\x9E\x00\x0C\xE8\xA2\x8A\x38\x48\x00\x00\xCC\ x7B\xFD\x00\x20"
set replace "\x60\x00\x00\x00\xE8\xA2\x8A\x38\x48\x00\x00\xCC\ x7B\xFD\x00\x20"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


# Patching System Manager to disable integrity check
log "Patching System Manager to disable integrity check"

set search "\x38\x60\x00\x01\xf8\x01\x00\x90\x88\x1f\x00\x00\ x2f\x80\x00\x00"
set replace "\x38\x60\x00\x00"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


# Patching LV1 to enable skipping of ACL checks for all storage devices
log "Patching LV1 to enable skipping of ACL checks for all storage devices"

set search "\x54\x63\x06\x3e\x2f\x83\x00\x00\x41\x9e\x00\x14\ xe8\x01\x00\x70\x54\x00\x07\xfe"
append search "\x2f\x80\x00\x00\x40\x9e\x00\x18"
set replace "\x38\x60\x00\x01\x2f\x83\x00\x00\x41\x9e\x00\x14\ x38\x00\x00\x01"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"


# LV1 0021D0B4@355 patch (?Patch sys_mgr integrity lv1 and lv0 integrity check?)
log "?Patch sys_mgr integrity lv1 and lv0 integrity check?"

set search "\x48\x00\xD7\x15\x2F\x83\x00\x00\x38\x60\x00\ x01"
set replace "\x38\x60\x00\x00\x2F\x83\x00\x00\x38\x60\x00\ x01"

catch_die {:: patch_elf $elf $search 0 $replace} "Unable to patch self [file tail $elf]"

}
}
}

[tonybologna]

Great work Rogero! Nice to see this for the ones on 3.70 OFW.

[Rogero]

I just want to point out that:

This MFW can be used directly for downgrade (instead of 3.55_no_check) after flashing the NOR and entering Factory Service Mode in order to have a final CFW3.55 working smoothly without any trophy errors (this will save some time during the process, rather then updating to it again after the downgrade)
N.B: by following Dospiedra's downgrade tutorial V2 ( NOT THE OLD V1 DOWNGRADE TUTORIAL )

[bitsbubba]

These are the 25 Patches applied to LV1.self contained in my MFW :

is this the PS3MFW Builder tcl task, just wondering because I was going to look into the possibility of adding this to Cobra CFW

[Rogero]

is this the PS3MFW Builder tcl task, just wondering because I was going to look into the possibility of adding this to Cobra CFW

Hi Bubba
You can find the tcl plugins to disable LV1 checks which are added to the PS3DevWiki pages for Dospiedra's Downgrade Method V2, there are 2 set of patches V1 & V2, each one to be used with the specific Downgrade Method used ( V2 is the one used for now until Dospiedra finishes his V3 Method testings )

Cheers