PS3 3.6x Downgrade Tutorial (256Mb NAND Only)
Simplified 256Mb NAND PS3 3.6x Downgrade Guide:
Software needed:
PS3NANDProgrammer v1.41
OR
Infectus NAND Flasher v1..42
Flow Rebuilder v4.1.3.2
Hexeditor (HxD is free of charge)
^^^^^ALL Incorporated^^^^^
First make certain you will find the Infectus motorists installed, and you’ve got already designed your Infectus with PS3 DUAL NAND firmware (using Infectus software)
Second unpack the rar files provided. Locate the libusb folder and install the filter. Within the popup box, choose ‘Install Device Filter’, then look for your Infectus device within the list and choose it, then install.When done you are able to exit libusb.
This enables your Infectus using the incorporated flasher programs Infectus NAND Flasher v.1..4.2, etc.
1. When creating the first dump, make 100% sure you’ve got a good dump, make several safe and do a comparison with HxD. Should you not have a very good backup and erase your NANDs then you’re virtually screwed… This Will Be Significant!
2. After you have your NAND expensive dumps, use FlowRebuilder v.4.1.3.2 unscramble then interleave flashes into one unified dump. Let’s call the output file 256Mb.bin
3. Open 256Mb.bin with HxD (Incorporated in rar files)
3a. Visit offset: 000C0020 (Control G) that ought to look something similar to this
(BRICKED PS3 DUMP @ 000C0020)
Code:
00 00 00 00 00 00 00 00 00 00 00 00 00 53 CC 78 ………….SÌx
00 00 00 01 00 00 00 18 00 53 CC 78 00 00 00 00 ………SÌx….
OR Such As This (WORKING CONSOLE)
Code:
00 00 00 00 00 00 00 00 00 00 00 00 00 6F FF E0 ………….oÿà
00 00 00 01 00 00 00 17 00 00 00 00 00 6F FF E0 ………….oÿà
00 00 00 00 00 00 04 60 00 00 00 00 00 00 44 98 …….`……D˜
61 69 6D 5F 73 70 75 5F 6D 6F 64 75 6C 65 2E 73 goal_spu_module.s
65 6C 66 00 00 00 00 00 00 00 00 00 00 00 00 00 elf………….
00 00 00 00 00 00 49 00 00 00 00 00 00 01 E2 54 ……I…….âT
61 70 70 6C 64 72 00 00 00 00 00 00 00 00 00 00 appldr……….
Open 1patchcos.bin in HxD, Choose All and Copy
Return to your NAND dump and go Edit – Choose Block
Within the box that appears, tick the space button make it possible for the written text and enter DFFFE1 as block length. Go Edit – Paste Write (not place!)
This next thing is optional, I recommend trying without it patch first when i did be successful without them. 1patchcos.bin is dependant on 3.41 CoreOS, and 1patchcos355.bin is dependant on 3.55 CoreOS. The 2nd labored for me personally. The initial 1patchcos.bin should work so try that first, in rare cases (much like me & EiKii) it doesn’t then try 1patchcos355.bin.
3b. Now visit offset: 00093800 and you ought to find something similar to this:
Code:
00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 20 ……. ……. <-PASTE WRITE FROM HERE
00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 …… ………
00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 60 ……………`
53 43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 SCE………….
00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 60 ……………`
Open 2patchtrvk.bin and copy all of its content and paste WRITE from the above offset
4. Save the changes – IF THE FILESIZE HAS CHANGED YOU DID SOMETHING WRONG!
5. Again open FlowRebuilder v.4.1.3.2 and this time we want to Re-scramble the modified dump then de-interleave it into two new flashes. Choose your flash0.bin, flash1.bin and the 256Mb.bin you modified. When done it should say 42 or 43 blocks modified each NAND depends on if you only did one or both patches
Now you end up with 2 new files called flash0.bin.new.bin and flash1.bin.new.bin. You will also get A folder called ‘Differential Flashing’ which contain 2 txt files. These can GREATLY speed up the flashing/restoring process.
6. With Infectus NAND Flasher v.1.0.4.2, connect your programmer and select flash0. Select Difference Write, select your flash0.bin.new.bin as your input file, then select the flash0 difference file. This way you only have to flash 42-44 blocks instead of 2048! Untick the box Check ECC during DUMP and WRITE operations (slower but safer) before you hit go.
7. When done, power your console up. If you get YLOD then you should try the second patch as mentioned earlier. If all went well you should have a green light but black screen (might differ slightly, mine powered off after about 20/30 seconds) You MAY need to put your console into service mode at this point if you were brick-fixing (usual dongle method). The Lv2diag files are included.
8. Make a downgrade to your desired firmware – If your PS3 refuses to work with a particular PS3UPDAT.PUP, try again with a different one. I tried 3 times before mine would accept a firmware.
NOTES: if you are patching with 3.55 cos you have to use the special 3.55 downgrade PUP, which means you will get 3.41 as min version. This can be changed with doing the “DOWNGRADE” Procedure again, choosing another firmware in service mode downgrade.
If you get YLOD after flashing, check your soldering & do a full dump & compare the NANDS. Even 1 write error will prevent your console from booting.
When attempting to do a downgrade, enter service mode before patching. It will make it easier even if you forgot its not a problem, you just need to enter service mode. (this is only possible when downgrading) BUT remember DO NOT ENTER SERVICE MODE ON v3.66 UNLESS YOU HAVE A HARDWARE FLASHER (INFECTUS, PROGSKEET, WILLEM, ETC)
The original .doc file is attached and is easier to view than on the forum.
Download: