53w ago - Following up on the MA BD Tool v0.8 for PS3 JFW DH 3.56 MA CFW, today JaicraB has updated the previous PS3 Preloader Advance 2 to version 3 followed by bugfix 3.1 alongside a guide by Chekco via DemonHades below.
Download: PS3 Preloader Advance 3.1 / PS3 Preloader Advance 3.1 (Mirror) / PS3 Preloader Advance 3.0 / PS3 Preloader Advance 3.0 (Mirror)
To quote, roughly translated: Hi all, as many know, when it published the JFW 3.56 MA-DH commented on the possibility of creating a virtual flasher to downgrade to 3.55 or less, well today is a fact that possibility so from now no one is "prisoner of MA", however it is a dangerous process, it is recommended to keep things clear and know what we are doing responsible are misuse said this. Let's begin:
The first is dump the data vital to our PS3, Aegean and we will use a configuration file download from the link below the pre3 (jaicrab.blogspot.com.es) and put in the root of the pen Archivo advanced.cfg, then rename the Lv2Diag.self to egea.self, create the following directory PS3/UPGRADE/egea.self.
Connecting to the USB port on the right and hope while reading the data from our ps3 "the process are between 3/5 minutes depending on the pen", when finished we will create the Backuprflash.bin. There are flash drives that are not compatible with egea, if we see that the ps3 starts normally change pendrive...
Good, the configuration file that will do is dump the rflash and flash1, flash2, flash3 once the reading process will turn off the ps3 and begins one of the most dangerous steps, we now have to patch the rflash with 3.55 core_os not check, patch is recommended to follow the tutorials to downgrades with physical flasher, but if you look confused or not know how. To be continued...
Thanks to:
JaiCraB, to create preloader 3 and include the MAD.
Varicela test this tool and give me a PS3 and which I used for this tool and other future purposes.
Kike for sacrificing your PS3.
Checko, to try all options.
Demonhades for pestering me to do it.
M * D ** for the knowledge transmitted.
Black, to add the improvement of Service Mode
Sorry for my bad English
PS3 Preloader Advance 3 by JaicraB
I decided to make improvements to the previous Advance Preloader 2. A major improvement is the virtual controller (MAD). Can directly manipulate the NOR or NAND memories of our consoles without having a physical developer. This leads to a high risk of running out of console.
A bad patch and you would be required to settle a physical developer. It has been tested successfully in several models. This does not mean that there is any model that fails. I hope you will heap up head. I am not responsible for any damage. Another use is to make copies of data unique to each console.
This tool has been developed for systems and lower JFW 3.55 3.56 MA. It requires no external libraries. It works even without the dev_flash in the system. It can be launched as Lv2Diag.self, as in JFW EGEA MA SELF 3.56 or releasing from any FileManager that supports it. May soon be published as PKG.
1. Copy of rflash:
For systems with NOR (16MB) and NAND (256MB) (no bootloader). Available two ways to copy. The first 16MB, 256MB or whole (for NAND) The process takes 50 sec (16MB NOR), 15 sec (16MB NAND), 1 min (256MB NAND). In rflash entire system is stored on the PS3. There we find:
- Asecure_loader
- EEID
- CISD
- CCSD
- Trvk_prg
- Trvk_pkg
- Ros (CoreOS)
- Cvtrm
- Bootloader (NOR models only)
It will create a file called "Backuprflash.bin" in the USB000.
2. Restoring the rflash (MAD):
This step is dangerous, a bad change in the original can cause rflash BRICK. A bad usage can only be repaired only with physical developer. Also available in two modes (16MB, 256MB). Designed primarily for downgrading systems with "JFW MA" and for systems with problems downgrader. Has option to restore only different sectors. (Experimental). The process can take NOR, although See not work on USB not quench. The "rflash" must be copied to the USB as "rflash.bin" But this safe to do so ... Do not!
3. Copy and Restore "/dev_flashX"
To safely handle the file system used in GameOS. It will create a file called "Backupflash1.bin", "Backupflash2.bin", "Backupflash3.bin" USB000 depending on the number of dev_flash chosen. You can mount that image in your PC so you can change and then restore it. It is also useful when the system downgrade option 2 "Restoring rflash" and change your firmware with the file system. To restore is to copy the image of the "dev_flash" USB000 named the "flashX.bin".
4. Dump LV2, LV1
It is an extra unimportant. You just have to be installed in the system SC 6, 7, 11 for the process. The file created will be named on USB000 "DumpLv2.bin", "DumpLv1.bin".
5. Service Mode
We can enter / exit the service mode. To enter service mode from the pre3 need patched systems with LV1.
6. Out mode
When you finish the processes indicated in advance.cfg can do is shut down or reboot the system.
Configuration file
The tool will locate the file "advance.cfg" in "/dev_usb000/advance.cfg" (Port closer to the reader) You can do all the actions triggered sequentially. That is, you can program the rflash and dev_flash at a time, out of service mode and reboot. In the configuration file is detailed the activation of each action. Flashing green LED means you are working.
Where it is that Red is complete. Writing in NOR models will seem to be blocked. But the led usb flash every 20 seconds so slightly. Do not put out until you do one or put the red LED.
JFW 3.56 downgrade MA:
The process will be detailed demonhades.org community.
Easy change version:
With well patched the rflash (CoreOS not check) with their respective "dev_flashX" can be changed in a matter of 4 minutes (NAND) of any firmware using this tool. Will address the issue soon on demonhades.org
Thanks to:
Chickenpox test this tool and give me a PS3 and which I used for this purpose and other future purposes.
Kike for sacrificing your PS3.
Checko, to test all future tutorials options. And use of that tool.
Demonhades for pestering me to do it.
M * D ** for the knowledge transmitted.
Black, to add the improvement of Service Mode.
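A sanity check for the rflash copy described in the notes above, as an added example that is not part of Preloader Advance or the original post: it confirms a dump has one of the two sizes the notes give (16MB NOR, 256MB NAND), flags a constant-fill read, and lists the byte ranges where two reads of the same flash disagree. The 0x200-byte comparison block and all function names are assumptions; the page does not state the sector size.

```python
import hashlib

MB = 1024 * 1024
# Full-copy sizes given in the notes above.
VALID_SIZES = {16 * MB: "NOR (16MB)", 256 * MB: "NAND (256MB)"}
BLOCK = 0x200  # assumed comparison granularity; the page gives no sector size


def check_dump(data, sizes=VALID_SIZES):
    """Return reasons a single dump should not be trusted as a backup."""
    problems = []
    if len(data) not in sizes:
        problems.append("unexpected size: %d bytes" % len(data))
    if data and data.count(data[:1]) == len(data):
        problems.append("constant fill 0x%02X (failed read?)" % data[0])
    return problems


def differing_ranges(a, b, block=BLOCK):
    """Compare two equal-length dumps; return merged (start, end) byte ranges that differ."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length")
    ranges = []
    for off in range(0, len(a), block):
        if a[off:off + block] != b[off:off + block]:
            end = min(off + block, len(a))
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], end)  # extend the current run
            else:
                ranges.append((off, end))
    return ranges


def verify_pair(a, b, sizes=VALID_SIZES, block=BLOCK):
    """Summarise whether two reads of the same flash agree."""
    diff = differing_ranges(a, b, block)
    problems = check_dump(a, sizes) + check_dump(b, sizes)
    return {"ok": not diff and not problems, "problems": problems, "diff": diff,
            "sha256": hashlib.sha256(a).hexdigest()}


if __name__ == "__main__":
    # Constructed stand-in for two reads of Backuprflash.bin (4 KiB, not real flash data).
    first = bytes(range(256)) * 16
    second = bytearray(first)
    for off in (0x200, 0x400, 0xE00):  # simulate three bad blocks in the second read
        second[off] ^= 0xFF
    report = verify_pair(first, bytes(second), sizes={4096: "sample"})
    print(report["ok"], [(hex(s), hex(e)) for s, e in report["diff"]])
```

For real dumps, read both files as bytes and call `verify_pair` with the default sizes; a non-empty `diff` means the two reads disagree and neither should be treated as a good backup until a repeat read matches.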
Well hell, after the triumphant return of DemonHades (Triumphal say something
If if as you read, the CFW who had to leave for a long time and stubbornness of your dear master demon DH did not go. So without further ado I leave you with the link to download the CFW and its Tools (Manager, usaveme and others) just say that a certain person once told me that a cfw had to be free, well that's something I do not agree.
But if they wanted their work free jaicrab since all that thought it was demon JFW were wrong and the only themes I jaicrab little more but I think the pup, blipi, the manager, the openpstore mario, is that this is something that would need to see cast long ago that if this was not released at the time were by the manipulations of a certain person.. Links ..
Usaveme: http://www.putlocker.com/file/B234F8AC37E42573
Blipi TheGrid Manager: http://www.putlocker.com/file/A8E48E2F05036440
OpenPStore: http://www.putlocker.com/file/082D657078F7A2DD
JFW-DH 3.41 V2: http://www.mediafire.com/?j7mude3rd16dtju
JFW-DH 3.41 V3: http://www.mediafire.com/?7jvvcv6b3tnr9k5
A greeting and farewell dh.org Rest in peace.
PS The v2 is the best work, thanks to jaicrab, blipi, FLIPI. mario, and other people who worked alongside this be for nothing then remained in. CAREFULLY: BOATS AND TEAM I was the most controversial developer in the DH team
To quote, roughly translated: eEID0 Dumper by BlackDeath to JBM 3.55, MA 3.56 and CFW 3.55
Hello friends, after the method of filtration CEX2DEX the team decided to investigate this new field (for some) and not so much for others, that is why we are working to bring you the easiest method to move to Linux without requiring DEX.
Today I present created by the dumper EID0 blackdeath with which we can dump all EID0 or directly CEX first section with only launch a pkg and have connected a USB port on dev_usb000, the instructions are on screen and are easy:
START: To dump all EID0.
SQUARE: To dump the first section of EID0 directly (eid0_1st_Section_CEX.bin).
X (EQUIS): To dump metldr (Encryption) to USB and be prepared to exploit and get the dump of the decrypted metldr in subsequent steps.
If you are in Normal 3.55 cfw release the pkg from video.
BlackDeath says: This latest version now allows you to dump the metldr (encryption) on your console if you use the X button and you will have your ready to dump metldr encryption decryption keys used together with her exploit later.
Tell them to keep working this issue need not linux as the next step is to dump the metldr without having to make so many things in linux but a quick and easy dump.
The eEID0 is necessary for the process dump metldr As you know, and only the first section of eEID0 (That we get directly to this tool) is required for Conversion to a unit DEX / TEST.
No more here I leave the download link, works both on any CFW 3.55 (PEEK | POKE LV2) as in MA:
http://www.mediafire.com/?eblfgmmwrmjl8sw (Old Version)
http://www.mediafire.com/?32dca82c31470qa (New Version)
Thanks BlackDeath, Checko, Tito01 and DemonHades
From checko: WIP: A method to dump metldr and eEID root keys without linux, more easy with some little steps .. maybe naehrwert can help you. To quote from his Twitter (via twitter.com/naehrwert/status/226682478373531648 and twitter.com/naehrwert/status/226686257005203456):
Isn't installing linux to get your eid root key a bit of an overkill when you could just use netrpc?!
Or you could compile this pastie.org/4295312, sign it with metldr keys and grab the key/iv from shared LS...
ldr.ld

ENTRY(_start)

SECTIONS
{
    . = 0x25800;
    .text :
    {
        *(.text)
    }
    .data :
    {
        *(.data)
        *(.rodata)
    }
    .bss :
    {
        bss = .;
        *(.bss)
    }
}

#ifndef _TYPES_H_
#define _TYPES_H_

typedef char s8;
typedef unsigned char u8;
typedef short s16;
typedef unsigned short u16;
typedef int s32;
typedef unsigned int u32;
typedef long long int s64;
typedef unsigned long long int u64;

#endif

.text

/* Loader entry. */
.global _start
_start:
    /* Setup stack pointer. */
    ila sp, 0x3DFA0
    /* Well... */
    brsl lr, main
_hang:
    br _hang

#include "types.h"

void *_memcpy(void *dst, void *src, u32 len);

void main()
{
    //Copy eid root key/iv to shared LS.
    _memcpy((u8 *)0x3E000, (u8 *)0x00000, 0x30);
    //Hang (the PPU should copy the key/iv from shared LS now).
    while(1);
}

void *_memcpy(void *dst, void *src, u32 len)
{
    u8 *d = (u8 *)dst;
    u8 *s = (u8 *)src;
    u32 i;
    for(i = 0; i < len; i++)
        d[i] = s[i];
    return dst;
}

Our partner and developer RacingLocura07 (UsaveME) leaves us on this occasion the conf editor ps3, this application allows you to enable or disable patches, plugins or create flags without using a PC, all from the PS3 itself in a simple and fast
Download: http://www.sendspace.com/file/99llgd
Options:
Displays a list of flags
Displays list of patch-dynamic
Displays a list of plugins
Allows you to export to the root of the usb, the .cfg file to test it before storing.
List of flags:
Matheros (direct or normal)
dumper-ram
debug
dev_flash (dumper / restore)
sc35/36 +8 (more compatible)
100% Fan speed (fan at 100%)
Any questions you have you can reply in this thread, thanks to RacingLocura07, tito1, adriansfc92 as Cheko. Conf editor and this works both as the 3.56 MA JBM 3.55
Finally, in related PS3 homebrew news today PsyOil has made available a http://www.psyoil.info/pup/Pup%20down.zip for those interested stating:
On a click of a button a command prompt window will start downloading (from the PS3 Dev Wiki) the PUP to the same directory as the program. Do not delete wget.exe or else the pups will not download!
It's pretty simple, list of firmwares (OFW) on click they download to the directory you placed the two files in.
Now, you're probably wondering why someone would ever need this. I download and delete pups very often, so I made this program to make it a bit easy to find a PUP right away.. Making a CEX/DEX downloader soon.
Update: he has now released the http://www.psyoil.info/pup/cex-sex%20downloader.zip followed by a http://psyoil.info/pup/sexdexcex.zip stating the following:
Once again, I suck at GUI programs. I've made a command prompt version of the same program, where you just enter the name of the firmware version exmp “4.10” and it starts downloading the firmware on command (4.10p for patch pups) Should I just release that or stick to the ghetto lookin’ GUI?
Shortly following he also made available a http://psyoil.info/pup/Pup%20extractor.zip stating, to quote:
Very simple and straight forward, place pup within the same folder as the extractor! Credit to HSReina for df.exe
Also, I've included a simple command prompt app:
Enter "pu.exe PS3UPDAT.PUP PS3UPDAT" to extract the pup.
Enter "df" to extract Dev_flash from the pup
Enjoy
Here is http://psyoil.info/pup/shop%20converter%20PUP.zip as well by PsyOil with the details below, as follows:
Sony shop PUP, just patched promo_flags/update_flags. anyways, this is just a basic pup that will convert your PS3 into a SHOP Ps3. (not advertising as a jailbreak or a CFW) its just a basic MFW.
Remember after unlocking through security settings, the package installer is NOT for homebrews but only for installing demos. The second PUP is a file that'll convert your SHOP PS3 into a retail PS3. Remember, these still apply! (scei.co.jp/ps3-eula/ps3_eula_en.html)