PS3 [research] SuperSlim 4000 series - hardware flash

NiQ said:
There's no such thing as eMMC firmware. The eMMC is just the flash storage chip that holds part of the firmware. Unfortunately it's encrypted with a key unique to each unit, which cannot be extracted in any way.
I'm not sure about this exact error (maybe someone else will), but if your PS3 can still boot into recovery mode you can try installing OFW 4.90 from there and if it works then install HFW 4.90.1 (again from recovery mode) and then you can install HEN. It's impossible to install CFW on super-slims.
If the previous owner has attempted to force-install CFW on a super-slim or downgrade it to a lower firmware using a hardware flasher then it would very likely result in a brick. If that's the case the only way to salvage it would be to reflash it using a hardware flasher with the firmware it had before he messed with it - assuming he kept a backup. A file downloaded from the Internet will not help you in any way since, as I said, the firmware is encrypted with a key unique to each console. If he messed with the firmware and did not keep a backup then unfortunately your PS3 is just a fancy doorstop at this point.
Click to expand...
The console was poured with built-in tools, without the use of third parties. In which chips are the keys located? Can I replace them with others, with a donor fee, who do not have such a problem? Is there an option to start the console in the restore menu directly without using the power button method?
 
Lol not sure if you want to replace all that from one similar thing.
Cell, nor, emmc (in your case), also bdrom ic Renesas.
Cell I assume is that tiny model.
They are all tied up with cell key.
 
is there a way to start the recovery mod not by pressing the shutdown button in any other way? for example, by closing any contacts.
vyktormvmpay25 said:
Lol not sure if you want to replace all that from one similar thing.
Cell, nor, emmc (in your case), also bdrom ic Renesas.
Cell I assume is that tiny model.
They are all tied up with cell key.
Click to expand...
is there a way to start the recovery mod not by pressing the shutdown button in any other way? for example, by closing any contacts.
 
D__l said:
The console was poured with built-in tools, without the use of third parties. In which chips are the keys located? Can I replace them with others, with a donor fee, who do not have such a problem? Is there an option to start the console in the restore menu directly without using the power button method?
Click to expand...
You'll need at the very least to replace the CPU (aka Cell), because the per-console unique key is baked into it, and the Syscon chip, because it's married to the Cell. Note that these are two out of the three main chips of the PS3 (the 3rd being the GPU, aka RSX, which is the only one that doesn't require replacing). Also you will need to either also replace the eMMC NOR chip or copy its content with a hardware flasher.
Anyway it's only worth considering if you have or can get a broken unit that still have those three chips (Cell, Syscon, NOR) in working order and can do the soldering work yourself. Otherwise it's going to cost you a lot more than another 2nd hand console. My recommendation is that you get a CFW compatible slim. They go for ~$100.
If you have a hardware flasher the only useful thing you can do at this point is to use it to get your dead console's IDPS. If another console of yours ever gets banned from PSN you can use that number to unban it (once).

D__l said:
is there a way to start the recovery mod not by pressing the shutdown button in any other way? for example, by closing any contacts.
Click to expand...
Even if there is it wouldn't help you - A bad flash breaks the stage 2 loader, which is required even for recovery mode to work.
 
vyktormvmpay25 said:
Lol not sure if you want to replace all that from one similar thing.
Cell, nor, emmc (in your case), also bdrom ic Renesas.
Cell I assume is that tiny model.
They are all tied up with cell key.
Click to expand...
Hey @vyktormvmpay25 if you got some time on your hand can you measure this component on a superslim motherboard one side is cell and syscon in line the other is attached to ground on resistance mode I get reading of 7.89ohm in 20k ohm range and 10k reading in 200k ohm range.
 

Attachments

  • Screenshot_2023-12-01-00-12-45.jpg
    Screenshot_2023-12-01-00-12-45.jpg
    549.6 KB · Views: 83
Show me ps3 motherboard and more specific points. I don't do much those days I feel tired but I can look at some traces
Edit
First it didn't load image. Sometimes it won't show photos via tapatalk
 
Last edited:
D__l said:
is there a way to start the recovery mod not by pressing the shutdown button in any other way? for example, by closing any contacts.

is there a way to start the recovery mod not by pressing the shutdown button in any other way? for example, by closing any contacts.
Click to expand...
You need uart adaptor tied to mobo and bringup, shutdown, cmd, otherwise you may have to see on small pcb from buttons if there are no transistors to keep pull up any signals you can short with twizeer
 
vyktormvmpay25 said:
Show me ps3 motherboard and more specific points. I don't do much those days I feel tired but I can look at some traces
Edit
First it didn't load image. Sometimes it won't show photos via tapatalk
Click to expand...
Well that motherboard I have is pqx but rtx rex motherboard have the same pinout the component I mention is located right next to cell left side of the thermal monitor this one goes to cell thermal sensor I have circled it in my previous post zoom in picture
 
vyktormvmpay25 said:
You need uart adaptor tied to mobo and bringup, shutdown, cmd, otherwise you may have to see on small pcb from buttons if there are no transistors to keep pull up any signals you can short with twizeer
Click to expand...
then what can I try to do with the check-4208a 3d console, which gives the error 3002f334? The update starts immediately when you turn it on
 
littlebalup said:
I never finished that tool, specially the write stuff... I'm not even sure I kept the code somewhere. I'll check.
Click to expand...
Hi. Seems i can read and write to PS3 eMMC. I have bricked one. Can you please tell me begin and end adress for cut to check/patch with your Ps3DumpChecker tool.
Thx.
 
littlebalup said:
I didn't had time to go further on the projet but I'm posting here the hardmod connection diagram if somebody wants to play with.
!AT YOUR OWN RISK!

You can use any raw disk editor to dump your eMMC. Flash data are the first 256MB (including dev_flash, like NANDs).

View attachment 24667

Extra notes :
- I'm using 4bit connection (DAT 0 to 3), but a single bit connection should work (slowly) by only using DAT 0.
- You must inject +3v, 200mA minimum, to VCC (see the NOR tests points at the begining of that thread to locate VCC points) to supply the eMMC VDDF.

-------------------------------------------------------------------------------------

In add, here my full eMMC dump, for research purpose (if some want/can help to identify partitions addresses...) :

Notes:
- Do not search any idps... it will not work...
- It's byte swapped.

Please give feedback, if any.
Click to expand...
Has anyone tested this yet ?
 
Mouafak said:
Has anyone tested this yet ?
Click to expand...
Even if someone had, this research is more or less just for science. The only practical use it might have is to unbrick consoles.
It will not allow you to install CFW, since the super-slims have updated digital signature keys, and Sony wouldn't royally screw up the same way twice in a row.
It will also not allow you to downgrade unless a SYSCON exploit is found (and I'm pretty sure no one's even looking at this point).
 
i dont want to downgrade and i know its impossiable to do CFW on superslims but my Superslim is bricked and im trying to fix it
 
when i power on the console i only get a black screen i have the 12 gb version and i think the firmware installed on the emmc chip is corrupted i have tried all the safemode mode options but non helped
 
same here as off now there is no fix just use syscon adapter and see if you get 1200 thermal error

Mouafak said:
when i power on the console i only get a black screen i have the 12 gb version and i think the firmware installed on the emmc chip is corrupted i have tried all the safemode mode options but non helped
Click to expand...
 
littlebalup said:
4k EMMC succefully dumped from a naked PPX-001 mobo :)
Using a +3v external supply for VDDF (VCC).
VDD supplied by my card reader.
It is necessary to remove the 47ohms resistor on the CLK line (otherwise the Panasonic controller blurs the line and the connection hang...).

4 bit data connection (dat0 to dat3):
View attachment 18342

dumping:
View attachment 18340

256MB dump showing the bootldr (byte reversed):
View attachment 18341

Write tests coming soon.
Click to expand...
Any new about writing method?
 
You must log in or register to reply here.

Similar threads

Back
Top