PS3 CECHG01 stuck in firmware 3.41

[feng_ye]

I just got this CECHG01 without knowing its previous history. It appears to be opened and some work on the BD drive however the disc seems reading but nothing appears on the XMB. Nothing had been done on the mainboard.

I dumped the flash with my teensy flash dumper, it appears has OFW 3.41 installed. One strange thing is its ros0 is 341 but ros1 seems to be empty. I got those warning from PyPS3checker:

******* Getting SDK versions *******
  ROS0 : 341.000
  ROS1 : (unknown)
WARNING! : unable to get all versions.


009.03   ROS1 Header : OK
009.04   ROS1 Hash : WARNING!
  Size = 0x0
  MD5 = D41D8CD98F00B204E9800998ECF8427E
  Version = (unknown)


******* Checks completed *******

Total number of checks = 131
Number of dangers = 0
Number of warnings = 2

Following check(s) returned a WARNING!
  SDK versions
  009.04   ROS1 Hash

Then I proceed to install OFW 4.88 on the console. No matter how hard I tried, (4.88, 4.89, 3.55, on USB dongle or over Internet) it always returns "The data is corrupted (8002F157)" error when in the update screen.

Any clue what has happened? I think one thing might be the BD drive is not original so update check has failed. But without a jailbreakable firmware I cannot remarry the BD drive. Another thing is this machine has some unusual serial number. It's "CE5095XXXXX-CECHG01" although it actually is an CECHG and has SEM-001 motherboard.

EDIT: removed BD/format HDD to no avail, same error occurs. Ethernet and wifi are both working.

EDIT2: added "appears on OFW 3.41"

Many thanks!

 

[kenzy]

Check if the console is a retail or a developer console( I mean by checking the model number code.) chech or dech

 

[atreyu187]

Have you tried a no-BD/no-BT patched firmware? If the daughter board isn't mated properly it will not allow the update to complete.

 

[feng_ye]

Check if the console is a retail or a developer console( I mean by checking the model number code.) chech or dech

It's a CECHG01, although I think the serial number might be a bit weird, starts with "CE5095" but ends with "CECHG01". I don't see any extra options in the XMB either.

 

[feng_ye]

Have you tried a no-BD/no-BT patched firmware? If the daughter board isn't mated properly it will not allow the update to complete.

Tried 4.88 Evilnat noBD firmware. Won't work as it's not on CFW nor nofsm patched.

 

[GuilloteTesla]

Tried 4.88 Evilnat noBD firmware. Won't work as it's not on CFW nor nofsm patched.

If you are on OFW 3.41, you can install any CFW as the validation checks were changed on OFW 3.56. Try searching the forums for the CFW 3.55 no BD.

 

[feng_ye]

If you are on OFW 3.41, you can install any CFW as the validation checks were changed on OFW 3.56. Try searching the forums for the CFW 3.55 no BD.

The machine looks like it has OFW 3.41 installed but the further I look into it, the more I believe it was inappropriately downgraded to 3.41. I found that because if I try to install system software from recovery menu, it will tell me to have system software 3.56 or higher, which is inconsistent to what XMB told me(3.41). Installed a MFW 3.55 with noBD still results in same data corruption error.

 

[GuilloteTesla]

The machine looks like it has OFW 3.41 installed but the further I look into it, the more I believe it was inappropriately downgraded to 3.41. I found that because if I try to install system software from recovery menu, it will tell me to have system software 3.56 or higher, which is inconsistent to what XMB told me(3.41). Installed a MFW 3.55 with noBD still results in same data corruption error.

Well, if the Recovery Menu asks for OFW 3.56, then I'm afraid you can't install a no BD CFW unless you have a hardware flasher.

I don't think you will be able to use the 4.85 flash exploit because you can not install OFW 4.89.

Such an odd situation.

 

[feng_ye]

Well, if the Recovery Menu asks for OFW 3.56, then I'm afraid you can't install a no BD CFW unless you have a hardware flasher.

I don't think you will be able to use the 4.85 flash exploit because you can not install OFW 4.89.

Such an odd situation.

Thanks for your info. Actually I do have a working teensy flasher and obtained the NAND dump. I was thinking just putting 4.88 ROS to ROS0 and ROS1 but thought that must be silly as so many other variables can brick the console. But is there any hope with the flasher?

 

[atreyu187]

Thanks for your info. Actually I do have a working teensy flasher and obtained the NAND dump. I was thinking just putting 4.88 ROS to ROS0 and ROS1 but thought that must be silly as so many other variables can brick the console. But is there any hope with the flasher?

If you have a valid full dump yes there is hope. Without the bootloader image is 236mb & full is of course 256mb. NANDway is what I used ages ago but haven't used the flasher side in years as my flasher is embedded so I never have to remove it.

 

[feng_ye]

If you have a valid full dump yes there is hope. Without the bootloader image is 236mb & full is of course 256mb. NANDway is what I used ages ago but haven't used the flasher side in years as my flasher is embedded so I never have to remove it.

I tried to use PyPS3patcher to replace the ROS0 and ROS1 with a CoreOS_4.82.bin and flash it back to the system. Now it looks like having YLOD. It doesn't have YLOD before flashing, so I think that simply replacing ROS0/1 won't work as there are so many other variables needs to be updated at the same time(SC eeprom, wifi firmware, bd firmware, etc).

 

[atreyu187]

@littlebalup so if anyone here can help you it is him. Hopefully since I tagged him he will come help. I have a Teensy++ installed but I have a patched image I just use all the time if I brick.

 

[atreyu187]

Oh also have you tried installing UART to get a better understanding of what the issue is.

 

[feng_ye]

Oh also have you tried installing UART to get a better understanding of what the issue is.

I have done quite a few UART on syscon before. But I don't understand what can I get from it? Perhaps read syscon's eeprom? If it's for the YLOD, after I flashed the original dump back, the YLOD is gone.

 

[atreyu187]

I have done quite a few UART on syscon before. But I don't understand what can I get from it? Perhaps read syscon's eeprom? If it's for the YLOD, after I flashed the original dump back, the YLOD is gone.

Well a ton of errors have been documented that would help guide you to where you need to be so you aren't blindly trying to fix an issue.

 

[feng_ye]

Well a ton of errors have been documented that would help guide you to where you need to be so you aren't blindly trying to fix an issue.

AFAIK syscon errors are good for diagnosing hardware issues. Here I think my best bet is trying to get a proper toggled QA flag through UART, so yes, I should solder wires to get UART working but I'm still figuring out how to toggle QA in that way. I know there are commands to write to syscon eeprom but wondering if there's a better way of doing it. Also make a valid 80 bytes QA flag isn't that straightfoward.

 

[littlebalup]

I tried to use PyPS3patcher to replace the ROS0 and ROS1 with a CoreOS_4.82.bin and flash it back to the system. Now it looks like having YLOD. It doesn't have YLOD before flashing, so I think that simply replacing ROS0/1 won't work as there are so many other variables needs to be updated at the same time(SC eeprom, wifi firmware, bd firmware, etc).

That's normal as OFW core os is not patched for hash check bypass and of course the hash stored in the syscon does not match = brick.
Anyway looks like a kind of bad spoof or something like that. If it was mine in its situation I would patch nands with fsm patches and install 3.55 OFW using the old school FSM method to clean up everything.
You may also try nofsm patches first.

Note you don't need a married BD logic board to update with a regular PUP. You only need a working BD logic board.

 

[feng_ye]

That's normal as OFW core os is not patched for hash check bypass and of course the hash stored in the syscon does not match = brick.
Anyway looks like a kind of bad spoof or something like that. If it was mine in its situation I would patch nands with fsm patches and install 3.55 OFW using the old school FSM method to clean up everything.
You may also try nofsm patches first.

Note you don't need a married BD logic board to update with a regular PUP. You only need a working BD logic board.

Thank you for the info, helpful as always.

EDIT: figured out something myself. So new question:

If I understand correctly, I need to patch my NAND dump with "patcher.py fsm mydump.bin" option right? That should install 3.55 with fsm patched to both of my ros0 and ros1.
Then I flashed the rescrambled two flashes back to the console. I should be able to boot normally right?

After that, how exactly I can install 3.55 OFW "using old school FSM method"? I'm not from that 3.55 firmware time so I'm very ignorant on that part.

 

[feng_ye]

UPDATE: managed to flash @littlebalup 's 3.55 fsm patch to my NANDs. It cannot boot normally but I can enter recovery menu. It asks for system 3.56 or later, if I chose update PS3 system.

UPDATE2: Normal boot will result in going straight to red light(no beeping, no YLOD) after a few seconds. Then I tried every other options in the recovery menu(restore default settings, restore file system, restore PS3 system). They all just go straight to red light without beeping, without YLOD, except "System Update" that proceeds to the firmware update screen(3.56), but sadly it's still a data corruption(8002F157) error.

 

[cfreddykrueger]

If you are on OFW 3.41, you can install any CFW as the validation checks were changed on OFW 3.56. Try searching the forums for the CFW 3.55 no BD.

So are you saying that if you have a console that's under FW 3.55 you can install CFW directly?


Sent from my iPhone using Tapatalk