Probably there's very few of you able to answer this, but I wondered if anyone knew much about the state-of-play with infectus.
I bought an infectus chip ages ago, intending to dump the flash from my PS3, but never got round to actually using it. I've now decided to give it a whirl before I upgrade to 3.21, and in the process of trying it out, made the mistake of using the only programmer available from their website (126.96.36.199) which updated the infectus loader on startup.
As soon as I was in the programmer, I discovered the "Dual NAND programmer" option was missing and then after downloading the 0.0.3.4 software discovered that the infectus will now only work with the latest programmer. I tracked down 0.0.3.9 which seems to be the same as 188.8.131.52 but with more images, however after installing "Dual NAND programmer" onto the infectus, it doesn't seem to actually do anything. Certainly the menu options to read/write etc aren't there...
I'm not sure if the "Actel Panel" is only intended for the homebrew version (which never seemed to be released from what I can tell), which lets you use your own code on the FPGA. Certainly, if I try it, it complains that "ActID=02a121cf ExpID=03a121cf" or moans about AES errors.
Also, the infectus website seems pretty dead - last update January 2009 and the forums just rather bluntly say that they're not open, and almost all of my google searches lead back to the forum...
Given that the board is basically just an an FPGA and flash chip with an 8051/USB processor for the interface, I'm half tempted to learn enough 8051 to rewrite the loader so that I can erase the infectus loader and put my own on, as the FPGA side of the dual nand programmer should be easy enough to recreate. But obviously, that's a lot of extra work I'd rather not do...
So, my questions are:
* has anybody actually got the PS3 Dual NAND reader working with 0.0.3.9 or does it only work with the original 0.0.3.4 that it was announced with.
* is it possible to downgrade infectus back to a state where I can run 0.0.3.4.
It seems pretty ironic that a tool designed to aid downgrading machines can't itself be downgraded, especially when the newer versions seem worse that the older versions. I guess there's a parallel that could be drawn with PS3's 3.21 here though...
Hmmm, doing some more doing on the Actel FPGA used, it seems that once it's been put into AES ecnrypted mode, you can only ever reprogram it using the same AES key. That means the only solution is hoping that someone has managed to get their infectus working with 184.108.40.206 or 0.0.3.9.
That hmmm bit above was supposed to be "doing more research"...
Last edited by tragedy; 04-10-2010 at 01:35 PMReason: Automerged Doublepost
I think I would dump it. As I have found the Infectus board as an upcoming firmware changer for PS3 months ago I had a closer look at it and was unsure. They connect all necessary lines to program the NAND-flash but I didn't find any method to avoid collisions on control and IO lines (Cell vs. Infetcus). Maybe in earlier firmwares sony read the NAND content to RAM and left it alone then, so controlling would have been possible. But if they would (or already had?) add a feature in firmware that dummy-reads NAND a few times per second which might disable this kind of in-circuit programming.
Maybe it is possible to add an additional wire to HALT or hold cell in reset preventing disturbing access. But before that you need to replace your A3P060 since it is locked for sure, then learn how to program it, including all SDK trouble etc.
I would choose a microcontroller with sufficient pins you're familiar with and replace the Infectus by it.
However this method only works on older fat models. Newer fats and slims don't have NANDs anymore.
Since I found an interesting socket (I'll try to attach info) my idea is to replace firmware flash by this socket and clean pins of unsoldered flash (hot air and flux). You'll be able to put it then in any readily available TSOP programmer and stick it back to PS3 again. So you can re-program the flash as often as you (or the flash) like(s) it. Not that convenient but a quick working solution until something more comfortable is found. And this would work for the new fats and slims also.
Maybe one could try a 'modern' fat flash FW3.15 on a slim? With luck maybe the flash-set serialnumber is not copied anywhere else in the system, maybe the serialnumber can be kept and only memory content is programmed, resulting in a slim with otherOS?
Stripping otherOS from firmware seems to shake up the community. Instead they should have offered access to RSX, all could have use XBMC, VDR or whatever they want and were busy with the new features. Even access to firmware's mpeg library would have been nice, it is already licensed for your PS3. Stupid in my opinion.
AFAIK the infectus can also be used with the PS3 powered off. That would take care of possible collisions, no?
Also the newer Fat models and the Slim do have NAND but only 16 MiB instead of 256.
I think that I've read somewhere around here that the infectus can't be used to downgrade anymore. The question is if it doesn't work to downgrade below a certain version (because of blown eFuses) or at all. But I guess that for 3.21 Sony might blow some eFuses, too since that has happened for all security related FW updates AFAIK (and would be the sensible thing to do if I were Sony).
Totally off Topic and such, but One of the Main reasons i like this forum and this website is you guys. We got many many many "hackers" "programmers" and people who know what they are talking about. Props to all of you!
after following the thread you mentioned it seems to work that PS3 NAND during hard-off and external supply is accessible. But to partial inject external power supply into a rather unknown circuit is a somewhat harsh method and is for sure not that reliable. I'll stick with the ZIF-socket method.
the newer models have flash of course, but not the older NAND types. they differ completely in interfacing. The NAND ones have control- and IO-lines, the newer flashes have control-lines and a separate address- and data-bus.
Back to downgrade lock: it is known that after 2.10 or 2.17 a downgrade to prior 2.10 fails to boot. Has anyone tried that with 3.15 vs. 3.21? Did any Infectus user at least read out updated flashes from 2.10 to 3.x to collect them?
I don't know whether efuses exist in cell core, but we still have a serial 512 byte EEPROM on board, which should also be saved prior to and after an update. Maybe the BD-drive is abused as a memory-stick. And the HD of course…