DISCLAIMER: Though I believe this should work on all NAND frankenstein fat PS3s, on any firmware that is too low to initialize the 40nm/65nm RSX, I have only used it on a COK-001 board from a CECHA01 as I only buy CECHAXX models to frankenstein, and thus is all I have around. Please be sure to validate and keep your original NAND dumps safe in case this method does not work for you. In addition, this guide assumes you have already performed the frankenstein mod (40nm/65nm RSX retrofit) correctly, and are stuck at a stage where the console does not boot due to a low firmware that does not support the newer RSX revisions, with an 'rsx rom abort' message in the southbridge uart logs. Please check this first (write 02 to register 7202 (w 7202 02) in syscon eeprom, and attempt to boot while watching southbridge UART logs, look for 'rsx rom abort') (the syscon for me, showed a 1701 error at this stage).
Background
I recently made a frankenstein PS3 (CECHA01 w/ 40nm RSX) that I didn't realize was on an old firmware that did not support the 40nm RSX (fw 3.0.1) until after installing the new RSX (southbridge logs didn't print due to 3034). After I installed the 40nm RSX I could see the souhtbridge logs showing rsx rom abort messages then failing to boot the firmware, with an additional rsx driver assert fail message. I spent a long time trying to figure out how to update without installing a 90nm RSX as I didn't have a working one and I wanted to avoid extra rework and reballing steps.
The only method that I have seen recommended (aside from installing a 90nm RSX temporarily to update) is to follow the traditional downgrade method with a service mode JIG after patching ROS0 and ROS1 to version 3.55. Despite this, I had seen a few others try this to no success (FSM never loads, blind update does not initiate) and had the same results myself when attempting. I was surprised however when I tried loading safe mode on a whim after patching ROS0 and ROS1 to version 3.55, and safe mode loaded correctly with an initialized 40nm RSX.
The following are the steps I followed, the initial steps are based on the steps found the in the
psdevwiki guide for Downgrading with Hardware Flasher. You will have to find the files in archives of the site or
elsewhere, as I don't know if I can link them here.
Tools Needed
Files Needed
## Process
Let me know if there are any questions or issues, and most of all if it works for you. I'm also curious about results on other firmwares (I was on fw 3.0.1), I assume this should work universally on all low firmware frankies, but who knows. Always keep a backup of your original NAND dumps when attempting this in case it does not work. Then you can at least flash back and hope a method exists for your firmware. Regardless I would love to see if this works on other firmwares so we know, as it could save extra time / stress doing additional rework on frankies just to perform an update.
Background
I recently made a frankenstein PS3 (CECHA01 w/ 40nm RSX) that I didn't realize was on an old firmware that did not support the 40nm RSX (fw 3.0.1) until after installing the new RSX (southbridge logs didn't print due to 3034). After I installed the 40nm RSX I could see the souhtbridge logs showing rsx rom abort messages then failing to boot the firmware, with an additional rsx driver assert fail message. I spent a long time trying to figure out how to update without installing a 90nm RSX as I didn't have a working one and I wanted to avoid extra rework and reballing steps.
The only method that I have seen recommended (aside from installing a 90nm RSX temporarily to update) is to follow the traditional downgrade method with a service mode JIG after patching ROS0 and ROS1 to version 3.55. Despite this, I had seen a few others try this to no success (FSM never loads, blind update does not initiate) and had the same results myself when attempting. I was surprised however when I tried loading safe mode on a whim after patching ROS0 and ROS1 to version 3.55, and safe mode loaded correctly with an initialized 40nm RSX.
The following are the steps I followed, the initial steps are based on the steps found the in the
psdevwiki guide for Downgrading with Hardware Flasher. You will have to find the files in archives of the site or
elsewhere, as I don't know if I can link them here.
Tools Needed
- A way to flash NAND via hardware
- I used NANDway on a teeensy++2.0 (you can still find them on aliexpress, though they are out of production)
- You can also pull the chips and use a generic programmer, as it seems quite difficult to track down these old hardware flashers that were used for downgrading.
Files Needed
- Flowrebuilder 5.2.0.0 / Playstation 3 Flash Tool 4.0 (this has an option for autopatching ROS to 3.55, I have not personally tested it as i found it after I performed the patches and flashed my console, I assume it works the same as the manual patch steps from what I understand, and you are welcome to try it if you cannot find the patch files, but I cannot guarantee it / have not used this method. The guide will use the manual method with Flowrebuilder)
- Needed if dumping / flashing NAND chips individually
- Hex Editor for patching firmware (I used bless on linux, HxD for Windows is a good option)
- patch1 mentioned in the psdevwiki downgrade guide (3.55 prepatched CoreOS, filename=NAND-patch1-0x0C0030.bin)
- patch2 mentioned in the psdevwiki downgrade guide (filename=NAND-patch2-0x91800.bin)
- Rogero 3.55 CFW v3.7 (filename=3.55_Rogero_v3.7_8F8166B25D6BED891F292C77DE5C4B28_PS3UPDAT.PUP)
- For this, I'm pretty sure you can use ANY firmware file 3.41 or above (safe mode says it will allow you to flash any firmware above your installed firmware, even with 3.55 patched CoreOS), however, this is what I used as I already had it on hand, and this is what I had success with.
## Process
- Dump your NAND. I dumped top and bottom NAND separate, and will base the guide of that. If you dumped them as unified NAND, you can skip combining and splitting steps. Take a couple dumps and make sure they match. It is a good idea to validate your dumps as well.
- Unify your NAND. I used Flowrebuilder. In Flowrebuilder, select (NAND only) UNSCRAMBLE then interleave two NAND flashes into one unified dump. Input your top and bottom dumps, and choose a path to output the unified dump, for the sake of this guide, we'll use unified.bin, then click Execute Operation
- Make a copy of your unified.bin as a backup.
- Open unified.bin in a hex editor.
- Also open NAND-patch1-0x0C0030.bin in your hex editor
- Select complete contents of NAND-patch1-0x0C0030.bin in your hex editor and copy them.
- Select 0x6FFFE0 (7340000) bytes starting at offset 0x0C0030 in unified.bin in your hex editor, paste the contents of NAND-patch1-0x0C0030.bin over the selected bytes (this overwrites ROS0).
- Select 0x6FFFE0 (7340000) bytes starting at offset 0x7C0020 in unified.bin in your hex editor, paste the contents of NAND-patch1-0x0C0030.bin over the selected bytes (this overwrites ROS1).
- Open NAND-patch2-0x91800.bin in your hex editor.
- Select complete contents of NAND-patch2-0x91800.bin in your hex editor and copy them.
- Select 0x4000 (16384) bytes starting at offset 0x091800 in unified.bin in your hex editor, paste the contents of NAND-patch2-0x91800.bin over the selected bytes.
- Save your newly patched unified.bin
- In Flowrebuilder, select the option EXTRACT a Byte reversed NOR dump or an interleaved and unscrambled NAND dump, and input your patched unified.bin then click Execute Operation.
- You should now have a directory in the same directory as unified.bin named unified.ext. Look inside unified.ext/ros, ensure there are 2 directories, ros0_355.000 and ros1_355.000. If you don't have these, or they both aren't ros*_355.000, you did not apply patch1 correctly. Make a copy of your backed up, original unified.bin, then go back to step 4 and try patching again, paying close attention to offsets and the number of bytes to replace.
- In Flowrebuilder, select the option RE-SCRAMBLE a modified dump then de-interleave it into two new flashes select the original top and bottom dumps, and your PATCHED unified.bin. Click Execute Operation
- You should now have top_patched.bin, bottom_patched.bin, top_patched_Difffile.txt and bottom_patched_DiffFile.txt. In the same directory as your patched unified.bin
- Flash the patched firmware back to your NAND. If using NANDWay (others may support Difffiles as well, though I only have experience with NANDway) you can use the Difffiles to flash the NAND back, this will only replace the blocks that we have changed and is much faster than writing the entire NAND.
- Reassemble console enough that fans and heatsinks are on, power supply / wifi board / blu ray drive / hard drive are attached (wifi and blu ray boards should be able to come out if flashing noWiFi / noBD firmware, but we'll be safe).
- Copy 3.55_Rogero_v3.7_8F8166B25D6BED891F292C77DE5C4B28_PS3UPDAT.PUP to a FAT32 formatted USB drive as PS3/UPDATE/PS3UPDAT.PUP, and insert into rightmost usb port.
- Boot PS3 unto safe mode (From off state, hold power button until the system turns back off. Release. Hold again until you hear a double beep).
- Safe mode should boot with a working 40nm/65nm RSX!
- On your PS3 in safe mode, select 6. System Update
- It should find your firmware update and allow you to install. Format hard drive if it asks you, and go through normal System Update process.
- Your PS3 should reboot and you should have a working frankie on Rogero's 3.55 CFW v3.7!
- From here, you can update to any CFW/OFW you want, then you should be finally done!
Let me know if there are any questions or issues, and most of all if it works for you. I'm also curious about results on other firmwares (I was on fw 3.0.1), I assume this should work universally on all low firmware frankies, but who knows. Always keep a backup of your original NAND dumps when attempting this in case it does not work. Then you can at least flash back and hope a method exists for your firmware. Regardless I would love to see if this works on other firmwares so we know, as it could save extra time / stress doing additional rework on frankies just to perform an update.
