Installing Debug Firmware

**master737373** · 06-29-2011,12:31 AM

Has anyone attempted to try this? It says it can potentially brick so have a NAND/NOR flasher.
Downgrading with linux - PS3 Development Wiki

Insatlling Debug Firmware

High brick risk! Don´t try this if you don´t know what you are doing If you brick with this the only way to recover is with a nor flasher and a proper backup

To install debug firmware, EID0 should be reencrypted and rehashed with the proper target and device ids/type

Debugging Station Target ID: 0x82

eEID contains

system model data
target ID
PS3 motherboard revision
Per ps3 values (console id, psid...)

Other target IDs (might be helpful if someone messes this up)

Target IDs

A0 = system debugger

81 = reference tool
82 = debugging station
83 = japan
84 = USA
85 = Europe
86 = Korea
87 = UK
88 = Mexico
89 = Australia/New Zealand
8A = South Asia (Asia except China, Japan and Taiwan),
8B = Taiwan
8C = Russia
8D = China

"The kernel and most of the loaders check the target id as well as the device id/type to see if your unit is debug or not and if not they disable all the fancy things such as running unsigned code (in the case of appldr).

a good read about SC Let’s look at SYSCON. | rms's crypt

I'm about to get an infectus and was going to try this out. Anyone else gonna attempt? or has done this?

**ieder-zijn-meis** · 06-29-2011,01:11 AM

.

**Slynk** · 06-29-2011,01:12 AM

Without the keys to hash and encrypt the eid, good luck. I've also heard from good sources that the target id isn't the only thing needing to be changed.

**master737373** · 06-29-2011,01:16 AM

Originally Posted by Slynk

Without the keys to hash and encrypt the eid, good luck. I've also heard from good sources that the target id isn't the only thing needing to be changed.

oh yeah, forgot about that lol, well this would've been interesting to do.

**master737373** · 06-29-2011,01:40 AM

wait, but we have the 3.55 keys. in theory, one could get debug 3.55 then go from there right?

**Slynk** · 06-29-2011,02:16 AM

SPU Isolated Modules Reverse Engineering - PS3 Development Wiki

According to that, the key to decrypt eid is in there. There's also something in there that looks like an hmac key. It's 40 bytes and doesn't match anything on the key site. But I don't know what it's for, could be to hash the eid *shrug*

Code:

hmac?: 0x40, 0x1C, 0x4A, 0xA6, 0x3B, 0x2C, 0x8D, 0x44, 0xE2, 0x45, 0xF0, 0x74, 0xDA, 0xE7, 0x78, 0x2A, 0x36, 0x0D, 0x1E, 0x8E, 0xE2, 0x11, 0x6B, 0xDF, 0x6F, 0x0D, 0x8A, 0x3C, 0xC1, 0x7B, 0xE3, 0x8F, 0xEA, 0x48, 0xB5, 0x71, 0xF4, 0xD2, 0x6D, 0xED

I wouldn't mess with it as you can't unbrick with infectus. The eid0 gets written to eeprom, not nand/nor.

**afiser** · 06-29-2011,02:17 AM

there would be alot of trial and error in setting the proper syscon values, trial and error that cannot be fixed, so if you mess up, there is currently no way to fix a syscon problem with hardware. so you are SOL. unless you get it right on the very first try, then you are a lucky person.

**Slynk** · 06-29-2011,02:23 AM

Originally Posted by afiser

there would be alot of trial and error in setting the proper syscon values, trial and error that cannot be fixed, so if you mess up, there is currently no way to fix a syscon problem with hardware. so you are SOL. unless you get it right on the very first try, then you are a lucky person.

With some intensive comparison between different eid dumps from both debug and retail units, you might be able to reduce the risk by defining the structure of the eid completely. Anyways, it'd take quite a bit of research.

**Thecourier** · 07-20-2011,01:09 AM

SYSCON EEPROM has several fun offsets:
Offset Size Description
0x48C06 1 FSELF Control Flag
0x48C07 1 Product Mode (UM allows to read this offset, it can be also written but only when already in product mode)
0x48C0A 1 QA Flag
0x48C13 1 Device Type
0x48C42 1 HDD Copy Mode
0x48C50 0×10 Debug Support Flag
0x48C60 1 Update Status
0x48C61 1 Recover Mode Flag
0x48D3E 0×50 QA Token (UM doesn’t allow access to this offset but SC Manager can read/write it)
0x48C30 0×01 Number of usable SPEs, usually set to 0×06, can be set to 0×07 to enable all 8 SPEs in Cell/BE

shouldn't we see about 0x82 at 0x48C50?

As for version, they got a decent enough eeprom/syscon dump from 3.15 if i remember correctly.

**mathieulh** · 07-21-2011,02:16 PM

You should all start to get your facts right first, I saw too many wrong statements in this thread.

User Tag List

Thread: Installing Debug Firmware

Tweet

LinkBack

Thread Tools

Display


	Would you like to get all the new info from PSX-Scene in your email each day? Subscribe to our Daily Digest! Want to learn more about the team keeping you up to date with the latest scene news? Read about them now! Check out our Developer bios, too!