PS3 TestBench Firmware (Automated fault detection used in the factory)

[M4j0r]

So the 1st time you install TestBench it switches the ROS bank automatically. Then when you type in the command to switch the ROS bank and get out of TB it reboots into 355. But how do I get back into testbench from there?I could install 355 again to wipe the TB ROS, and then install TB again, but that seems convoluted.

On the DECR-1000A there's a function for this which can be triggered via lv1.
On NAND consoles the info is saved in the flash: https://www.psdevwiki.com/ps3/Flash:ROS#Header .
On NOR/eMMC consoles the bank indicator is saved in the SC EEPROM (0x48C24-0x48C29).

I don't think any CFW does have the function implemented because on normal firmwares you want the vsh to work, but if you have incompatible firmwares installed, you'll end up in recovery mode (not in the TestBench usecase though).

(Maybe writing 0xFF to 0x48C60 via the lv2 update manager interface will trigger the bank swap on NAND/NOR/eMMC.)

 

[RIP-Felix]

Maybe writing 0xFF to 0x48C60 via the lv2 update manager interface will trigger the bank swap on NAND/NOR/eMMC.

Would it be possable to add this feature to ps3 advanced toolset?

 

[nCadeRegal]

Hey guys just be mindful in posting logs to remove Cid and any other pertinent info. May not be as bad as back in the day but I'm sure there are still people selling and banning them.

 

[M4j0r]

Would it be possable to add this feature to ps3 advanced toolset?

I'll perform some tests.

Hey guys just be mindful in posting logs to remove Cid and any other pertinent info. May not be as bad as back in the day but I'm sure there are still people selling and banning them.

The TestBench firmware will only output the CID and eCID from the cISD, not the IDPS from the eEID.
Up to ~2008 you could use the CID/eCID to retrieve the IDPS by abusing Sony's factory servers, but I don't know of any current method to do that. The CID and eCID are only used in the factory/service center and are not read by the normal PS3 firmware in any way (like the eid5 inside eEID).

 

[RIP-Felix]

The TestBench firmware (the same CoreOS) will work on all targets (CEX/DEX/TOOL/ARCADE....) but I only have DECH/DECR hardware for tests, so I can't provide PUPs for other targets.

So does this PUP only work with DEX targets? It sounds like you're saying the TB can work with any, but that you built the PUP for DECH, which correct me if I'm wrong, would mean we need DEX FW to install it.

What's workd so far...

1. Evilnat 4.89.3 PEX converted to DEX
2. 3.55 DEX Downgrader
3. TestBench

Would this also work?

1. Pretty much any CFW
2. Rogero 999 Downgrader (355 spoofed)
   
3. TestBench

 

[zecoxao]

So does this PUP only work with DEX targets? It sounds like you're saying the TB can work with any, but that you built the PUP for DECH, which correct me if I'm wrong, would mean we need DEX FW to install it.

What's workd so far...

1. Evilnat 4.89.3 PEX converted to DEX
2. 3.55 DEX Downgrader
3. TestBench

Would this also work?

1. Pretty much any CFW
2. Rogero 999 Downgrader (355 spoofed)
   
3. TestBench

If you have a hardware flasher you can just flash the coreos into the ps3 directly. and this works on ANY ps3! the testbench firmware is UNIVERSAL! which means superslims can do tests, slims can do tests, and phats can do tests, as well as devs and tests. it's just easier to use dex firmware and on 3.55

 

[zecoxao]

__int64 sub_54D090()
{
  __int64 v1; // r3
  __int64 v2; // r31
  char *v3; // r11
  _QWORD *v4; // r29
  __int64 v5; // ctr
  char *v6; // r31
  unsigned int *v7; // r28
  __int64 v8; // r9
  const void *v9; // r3
  __int64 v10; // r4
  __int64 v11; // r3
  unsigned int v12; // [sp+70h] [-820h] BYREF
  unsigned int v13; // [sp+74h] [-81Ch]
  __int64 v14; // [sp+78h] [-818h]
  char v15; // [sp+80h] [-810h] BYREF

  if ( !sub_5DBB68() )
    return 0LL;
  sub_5C0370(1LL, "ss2/isd.cpp", 0x46LL);
  memset(&v12, 0LL, 0x800LL);
  if ( dword_D3C288 == 2 )
  {
    v1 = boot_storage::read(&v12, 0x90800LL, 0x800LL);
    v2 = v1;
  }
  else
  {
    if ( dword_D3C288 != 3 )
      return 0LL;
    v1 = boot_storage::read(&v12, 0x3F000LL, 0x800LL);
    v2 = v1;
  }
  if ( v2 )
  {
    v9 = (const void *)sub_605B88();
    printf("boot_storage::read error. ret=0x%08x s=%p\n", v2, v9);
    return 0LL;
  }
  if ( v12 )
  {
    if ( v13 )
    {
      v3 = &v15;
      v4 = 0LL;
      v5 = v12 - 1 + 1LL;
      v6 = 0LL;
      v7 = 0LL;
      if ( !v14 )
      {
        do
        {
          v8 = *((_QWORD *)v3 + 1);
          if ( v8 == 1 )
          {
            v6 = (char *)&v12 + *(unsigned int *)v3;
          }
          else if ( v8 )
          {
            if ( v8 == 2 )
              v7 = (unsigned int *)((char *)&v12 + *(unsigned int *)v3);
          }
          else
          {
            v4 = (_QWORD *)((char *)&v12 + *(unsigned int *)v3);
          }
          v3 += 0x10;
          --v5;
        }
        while ( v5 );
        if ( v6 )
        {
          printf("[INFO]: ISD: % 17s: %.12s\n", "BoardID", v6 + 0x38);
          printf(
            "[INFO]: ISD: % 17s: %02X%02X%02X%02X%02X%02X\n",
            "CID",
            (unsigned __int8)v6[0xA],
            (unsigned __int8)v6[0xB],
            (unsigned __int8)v6[0xC],
            (unsigned __int8)v6[0xD],
            (unsigned __int8)v6[0xE],
            (unsigned __int8)v6[0xF]);
          printf("[INFO]: ISD: % 17s: %.32s\n", "ECID", v6 + 0x10);
          printf(
            "[INFO]: ISD: CKP1 ManagementID: %08X%08X\n",
            *((unsigned int *)v6 + 0x16),
            *((unsigned int *)v6 + 0x17));
          printf("[INFO]: ISD: CKP2 ManagementID: %04X\n", *((unsigned __int16 *)v6 + 0x28));
          printf("[INFO]: ISD: BootLoaderVersion: %04X\n", *((unsigned __int16 *)v6 + 0x22));
          printf("[INFO]: ISD:  OSUpdaterVersion: %04X\n", *((unsigned __int16 *)v6 + 0x23));
          printf("[INFO]: ISD:  BoardDiagVersion: %04X\n", *((unsigned __int16 *)v6 + 0x24));
          printf("[INFO]: ISD: ConfigBootVersion: %04X\n", *((unsigned __int16 *)v6 + 0x25));
          v1 = printf("[INFO]: ISD:    LibBootVersion: %04X\n", *((unsigned __int16 *)v6 + 0x29));
        }
        if ( v4 )
          v1 = printf(
                 "[INFO]: ISD: % 17s: %02X:%02X:%02X:%02X:%02X:%02X\n",
                 "MAC Address",
                 HIBYTE(*v4),
                 (unsigned __int8)BYTE1(*v4),
                 (unsigned __int8)((unsigned __int16)WORD1(*v4) >> 8),
                 (unsigned __int8)BYTE3(*v4),
                 BYTE4(*v4),
                 (unsigned __int8)BYTE5(*v4));
        if ( v7 )
          v1 = printf("[INFO]: ISD: % 17s: %08X%08X%08X%08X\n", "WLAN", *v7, v7[1], v7[2], v7[3]);
        v10 = 0xFFFFLL;
        if ( dword_D3C288 == 2 )
        {
          v11 = sub_615598(v1, 0xFFFFLL);
          v10 = sub_615800(v11);
        }
        printf("[INFO]:     StarShip2 Revision: %4X\n", v10);
        return 0LL;
      }
    }
  }
  sub_5C4F9C("Invalid ISD format. Display ISD failed.\n");
  printf("pRomRegionHeader->m_region_num  = %d\n", v12);
  printf("pRomRegionHeader->m_region_size = %d\n", v13);
  printf("pRomRegionHeader->reserved      = %d\n", v14);
  return 0LL;
}

cISD code

 

[GuilloteTesla]

If you have a hardware flasher you can just flash the coreos into the ps3 directly. and this works on ANY ps3! the testbench firmware is UNIVERSAL! which means superslims can do tests, slims can do tests, and phats can do tests, as well as devs and tests. it's just easier to use dex firmware and on 3.55

So, a PUP with the TestBench FW can be made and signed with the known keys, and it can be installed on any PS3?.

That's because the other signature checks are made on GameOS, right?.

 

[RIP-Felix]

As I understand it you cant use the downgraders to minver 3.56 consoles, or you'll brick. So the PUP TestBench update @M4j0r linked above can only be installed on consoles that can see the update. I had to downgrade to 355 before I could install it. Perhaps there is a higher than 3.55 FW that can allow you to see it? IDK.

What @zecoxao is saying is you can flash TestBench to the ROS and it'll run on any PS3 period. But that's different than the PUP update M4j0r released. Requires some HxD magic and a fair bit of annoyance (teensy and 2 million wires, or working the flash off and programing it). Not as convenient as a PUP.

My question was about the update method.

 

[GuilloteTesla]

Yes, flashing is straightforward but cumbersome. I was thinking of a more user-friendly way to install this (that's why I've referred to a PUP), thinking on how factory employees at Sony do their job checking the PS3s hardware conditions.

 

[M4j0r]

I'll perform some tests.

So does this PUP only work with DEX targets? It sounds like you're saying the TB can work with any, but that you built the PUP for DECH, which correct me if I'm wrong, would mean we need DEX FW to install it.

So, a PUP with the TestBench FW can be made and signed with the known keys, and it can be installed on any PS3?.
That's because the other signature checks are made on GameOS, right?.

As I understand it you cant use the downgraders to minver 3.56 consoles, or you'll brick. So the PUP TestBench update M4j0r linked above can only be installed on consoles that can see the update. I had to downgrade to 355 before I could install it. Perhaps there is a higher than 3.55 FW that can allow you to see it? IDK.
My question was about the update method.

Yes, flashing is straightforward but cumbersome. I was thinking of a more user-friendly way to install this (that's why I've referred to a PUP), thinking on how factory employees at Sony do their job checking the PS3s hardware conditions.

Here are the results of my tests:

1. The official Sony way: The manufacturing image (a special, small PUP)
   • Pro: Installs very fast, automatically with lv2diag/manufacturing updater
   • Con: You need to be in FSM on OFW/CFW and then install it
2. The Sony dev way: The (recovery) bootrom
   • Pro: Installs even faster, doesn't need FSM
   • Con: Only works on the DECR-1000

Regarding the "normal" PUP, I based it off DEX 3.55 because it is the safest way. Yes, you need to do CEX2DEX and downgrade to 3.55 to install it, but I that's the just the result of how I do the testing. Since the TestBench fw is technically OFW and version 4.40, I don't like messing with that. CFW will break the functions on the DECR-1000A which I use to make sure that everything works as intended, so that's no option.
As said before you can technically base it off any firmware, so here are the necessary files: https://workupload.com/file/SM5AyKt4NZS (original 4.40 signed, without spkg_hdr.1).

Regarding the bank switch (getting back into the TestBench fw), I also tested various ways to trigger the bank switch, but all failed on retail consoles, even if they run CFW.
You need to either patch LV1 to allow that (but then if any update fails, your console might be bricked) or rebuild the functions in your app, which I don't have time for currently.

 

[haxxxen]

interesting, but still, no inspiration and motivation -> I should call it 'LOVE'

 

[DeadEnd]

It's too bad the testbench doesn't seem to detect any issues when PS2-games don't work on CECHA/Bs. But at least it confirms when RSX is fine, so we could rule that out.

 

[bleepbleep]

is this testbench firmware related to the function ..."TestBench"... (name abbreviated) in a bootloader dump? It seems to be a dma request function, mainly composed of writes to channels 16, 17, 18, 19, 20, 21. which in C is mfc_get() and mfc_put().

 

[Joonie]

So, a PUP with the TestBench FW can be made and signed with the known keys, and it can be installed on any PS3?.

No, Signed PKG check will fail. Unless we make a CFW that works on CFW compatible model. That's why HW flasher is needed to swap out COS to make it work on non-CFW compatible PS3.. alternatively,, we could use BGToolset to do that as well I think

 

[GuilloteTesla]

No, Signed PKG check will fail. Unless we make a CFW that works on CFW compatible model. That's why HW flasher is needed to swap out COS to make it work on non-CFW compatible PS3.. alternatively,, we could use BGToolset to do that as well I think

Thanks for the clarification. It's a shame that we can't get a hand on the PUP (or whatever file is used) in order to launch this tool as Sony people used to.

 

[RoboKing's Cosmos]

Yo since I also have a HW flasher can I test this on my superslim next week? I first need to get the tool needed to unscrew the I think T8 screws if I'm correct? Then take out my motherboard and take a backup immediately from flash. All I knew was it is star shaped.

 

[RIP-Felix]

Interesting side note perhaps useful to know. Perhaps @M4j0r will find it interesting.

Here's a collation of the info we've found thus far about the different RSX revisions. @Sampsonay came across a 40nm RSX that required the EB byte at address 3254 in order to train the syscon in a COK motherboard to use it (Frankenstein phat mod), instead of the more common EC. It also has the more rare blue die (may be coincidental, would need to check the next blue die 40 we come across). I asked him to get the SB UART so I could see if it had a different FAB and D/S line. And it did! It was made by SONY line 3, same as the binned 90nm In M4j0r's DECH. I suspect there might be 65nm made from line 3 as well that we haven't yet found.

Originally we thought that EB was needed on the CXD5302 RSX revision in SS models without the IHS, but that's not the case most of the time. And there are 5300/5301 that needed EB as well IIRC. So it couldn't be pinned to the model revision. It must have been something else. Perhaps this is what it is.

RSX	Fab	MNF	DS (Line)
40nm	2	SONY	3	w 3254 21 EB
40nm	4	TSMC	6
65nm	2	SONY	2
65nm	2	SONY	3
65nm	1	TOSHIBA	2
90nm	1	TOSHIBA	2
90nm	2	SONY	3

 

[DeadEnd]

New link https://www.mediafire.com/file/6lprny1rorw2tgt/testbench_3.55.zip/file

 

[DeadEnd]

new link 2026 https://mega.nz/folder/mLRSVS6Q#VCaKRs60ZfP_oDiOKjrkyg