
PS4 Revert

The document provides instructions for reverting a PS4 firmware from version 9.03 to 9.00. It details dumping the NOR and Syscon firmware to backup and patch them. It describes using various hardware like a SVOD 4 programmer, Teensy 2.0++, and soldering equipment. The instructions explain patching the NOR to enable UART, then patching the Syscon's latest 08-0B slot using the offset found during the scan. Following these steps allowed the PS4 to be reverted from 9.03 to 9.00.

Hello, first of all ... I'm no expert at this.

I do have experience with micro-soldering and board level repairs, mainly on computers.
I also fix corrupt BIOS images on computers, remove BIOS passwords, ... so I know my way around a programmer and a hex editor.

This is just a document to share how I reverted from 9.03 to 9.00.


This is not a tutorial.

Did I do it the right way? I dunno.
Did I get lucky? Maybe ...
Will this method work for you? I dunno, maybe ...

All I know is that last week my PS4 was still at 9.03 and now it's at
9.00 ;)

I will try to document as much as I can, as much as I know.

Please read this document completely before doing anything.

Have a nice day :)

My PS4 is a SLIM, CUH-2116A, SAE-002

RV V1.0
What hardware did I use?

- SVOD 4 programmer to dump and program the NOR
- Teensy 2.0++ to dump and program the Syscon
- Soldering Iron with a fine tip.
https://nl.aliexpress.com/item/1005005196888069.html
- Multimeter
- 1 x 150 ohm resistor
- Flux (You want this when soldering, trust me)
- Alcohol & cotton swabs to remove flux residue
- Tweezers
- Magnet wire 0.15mm and insulated copper wire 0.3mm
- SOIC to DIP Adapter 8 Pin
https://nl.aliexpress.com/item/32728460852.html
- TTL adapter (PL2303)
https://nl.aliexpress.com/item/32345829369.html

What did I do to revert the firmware from 9.03 to 9.00?

1. Dump the NOR
2. Dump the Syscon
3. Patch NOR & scan the syscon
4. Patch Syscon
5. UART
6. Program NOR & syscon

Before doing anything, read BwE's guide, it contains a lot of valuable information!
I'm serious, read it.
https://github.com/BetterWayElectronics/sce-syscon-writer-guide

1. Dump the NOR


To dump the NOR we need a SPI ROM programmer.
I have a Svod 4 programmer so I used that.

You can however use many different programmers:

- Teensy 2.0++ with SPIway
https://www.psdevwiki.com/ps4/SPIway
- Raspberry Pi with FlashRom
https://github.com/flashrom/flashrom
https://leo.leung.xyz/wiki/Flashrom
https://tomvanveen.eu/flashing-bios-chip-raspberry-pi/
- EZP2023+
https://nl.aliexpress.com/item/1005003522518528.html
- CH341A
https://nl.aliexpress.com/item/1005003515809868.html
- Xgecu
https://nl.aliexpress.com/item/1005002889063117.html

Now we need to connect the programmer to the NOR.

Check this guide out for more information:
https://repair.wiki/w/PS4_UART_Guide

I connect to the NOR via some pads and 2 resistors on the motherboard. Just scrape away the solder mask and solder the 8 wires.

Watch this video to see how you can solder the wires to your
motherboard:
https://youtu.be/W7RpkG5hiA0?t=135

Here is a pinout I made for my motherboard.

I also made an adapter to connect to my programmer.

------------------------------------------------------------------------------------
With everything connected we can dump the NOR!

Dump it at least 2 times and compare the 2 files in a hex editor like HxD (https://mh-nexus.de/en/hxd/)

Great! We've successfully dumped our NOR.
Copy the files and place them somewhere safe, you don't want to lose these!
You can check your NOR backup with BwE's NOR Comparator.
https://betterwayelectronics.com.au/downloads/BwE_PS4_NOR_Comparator.rar
My NOR backup gave me this output:

If you can't get identical dumps, check your wires/solderpoints or set your SPI speed to a lower value.
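The double-read check described above can also be scripted. This is an added example, not part of the original document or of any of the tools it links to; the function names, the 16-byte merge gap and the "all one byte" heuristic are assumptions made for illustration.

```python
import hashlib
import sys

def diff_ranges(a, b, gap=16, chunk=4096):
    """Return (start, end) offsets, end exclusive, where two dumps differ.
    Differences closer together than `gap` bytes are merged into one range."""
    ranges = []
    for base in range(0, min(len(a), len(b)), chunk):
        ca, cb = a[base:base + chunk], b[base:base + chunk]
        if ca == cb:                      # fast path: identical chunk
            continue
        for off, (x, y) in enumerate(zip(ca, cb)):
            if x != y:
                i = base + off
                if ranges and i - ranges[-1][1] <= gap:
                    ranges[-1][1] = i + 1
                else:
                    ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]

def check_dumps(a, b):
    """Return a list of problems; an empty list means the two reads agree."""
    problems = []
    if len(a) != len(b):
        problems.append(f"size mismatch: {len(a)} vs {len(b)} bytes")
    for name, d in (("first", a), ("second", b)):
        # Assumed heuristic: a read that is one repeated byte (all FF or
        # all 00) typically means no real data came back from the chip.
        if d and d.count(d[0]) == len(d):
            problems.append(f"{name} dump is all 0x{d[0]:02X}")
    for start, end in diff_ranges(a, b):
        problems.append(f"dumps differ at 0x{start:06X}-0x{end - 1:06X}")
    return problems

def constructed_sample():
    """Constructed data: a 'good' read and a second read with flipped bytes."""
    good = bytes(range(256)) * 64
    bad = bytearray(good)
    for off in (0x100, 0x105, 0x3000):
        bad[off] ^= 0xFF
    return good, bytes(bad)

if __name__ == "__main__":
    if len(sys.argv) == 3:                # usage: script.py dump1.bin dump2.bin
        a, b = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        a, b = constructed_sample()
    issues = check_dumps(a, b)
    print("\n".join(issues) if issues else "identical, sha256 " + hashlib.sha256(a).hexdigest())
```

Differences clustered at a few offsets point at a marginal connection or too high an SPI speed; keeping the SHA-256 of the agreed dump next to the backup lets you confirm later that the file has not changed.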

2. Dump the Syscon


Now it's time to dump the Syscon.
First of all, download the PS4 Syscon Tools By Abkarino & EgyCnq and watch their tutorial video.
https://github.com/AbkarinoMHM/PS4SysconTools/releases/tag/v1.0.1
https://www.youtube.com/watch?v=Abu-M_z_I-c&t=11s
Second, watch this video to see how to solder to the syscon:
https://youtu.be/W7RpkG5hiA0?t=408

Be careful when lifting pin 15, it's very fragile!

Extract the ZIP file and find the correct diagram for your device,
I'm using a Teensy 2.0++ and I have a PS4 SLIM so I'm using this
diagram:

------------------------------------------------------------------------------------
My Teensy after soldering the wires and the resistor

This is how I connected the Teensy to the syscon, if you find a pad
that's connected to one of the pins, solder to the pad. Check with
a multimeter in continuity mode to be sure.

------------------------------------------------------------------------------------
With everything connected, it's time to dump the Syscon.
- Connect your Teensy to your computer
- Open the PS4 Syscon Tool
- Select the correct COM port
- Click connect.

You should get a message confirming the connection.

The first thing I did was create a full syscon flash dump.
Dump it twice and compare it. If the 2 dumps are identical, save
them somewhere safe.
The next thing I did was debugging/unlocking the Syscon, this way
you don't need to glitch the chip every time.
If this is successful, you can dump the full syscon again.
Use this dump from now on.
That's it, the syscon has been dumped and unlocked.

3. Patch the NOR
First step to patch the NOR is enabling UART. You will need this
later to see which NOR patch works for you.
Second step is to patch the CoreOS header.

As I'm writing this, it just came to my attention that andy-man released a new piece of software to "replace" BwE's software. It's not how I did it but I will include this here.

https://github.com/andy-man/ps4-wee-tools/releases/tag/v0.2

3.1 ps4-wee-tools
Ok, create a new folder and copy the ps4-wee-tools, the NOR
dump and the syscon dump inside the folder.

Run ps4-wee-tools.exe and select your NOR dump.

You should get this screen. Type 1 and hit ENTER.

You should get this screen, UART has now been enabled. Type 6 and hit ENTER.

You should get this screen, here you get all the options to patch
the CoreOS. The option that worked for me is option 7.
I would suggest creating a patch for every option because not all
of them will work for your system. So repeat for every option and
copy & rename the file between every patch.

After patching, you should get this screen, here you can see that
UART has been enabled and what option was selected.
Type 0 and hit ENTER.

You should get this screen, now select your syscon dump.

------------------------------------------------------------------------------------

You should get this screen, here you can see that debug was
activated in step 2 (Dump syscon). Select 2 and hit ENTER.

You should get this screen, what you see here is the active SNVS
slot. Search for the last 08-0B slot.
See how it goes from "A5 08" all the way to "A5 0B"?
You can see here that it starts at offset 0x64B80. Remember this.

That's it, go to step 4.

3.2 BWE tools
First step to patch the NOR is enabling UART. You will need this
later to see which NOR patch works for you.
Second step is to patch the CoreOS header.

To do this, I've used BwE's NOR validator.
It's an older version with a trial that you can use 1 time.
You can only use it without an internet connection, otherwise it
will just close automatically.
You can find it here:
https://anonfiles.com/R1Cdxb0fz8/BwE_PS4_NOR_Validator_rar
The password is BwE.

You can use this program only 1 time so be really careful not to close it, the program cannot patch the syscon but it can give you useful information about the syscon so don't close it after patching the NOR to enable UART!
Disconnect your internet connection before starting the program!
After patching the NOR to enable UART we can also scan our
syscon dump.
This will show us the latest 08-0B slot that we can patch.

Ok, create a new folder and copy the NOR validator, the NOR
dump and the syscon dump inside the folder.

Disconnect your internet connection and run the NOR validator.
Type 1 and hit ENTER.

You should get this screen. Type 5 and hit ENTER.

You should get this screen. Type 1 and hit ENTER.

You should get this screen. Type 1 and hit ENTER.

If you get this screen, your NOR has been patched to enable
UART. Type Y and hit ENTER.

A new file (NOR Dump_uart_patched.bin) has been made and has
been placed in the same folder as your original NOR dump.

After typing Y and hitting ENTER on the previous screen, you now
should be back at the beginning of the program.
Type 2 and hit ENTER.

You should get this screen now.

At the bottom, it should say: Active slot Patchable.
Take a picture or a screenshot, you will need this information later!
In my case it says: Last 08-0B found here: 0x64B80.
This is the important part!
The program will close when you hit ENTER.
Don't worry, you won't need it anymore.

Now it's time to patch the CoreOS header inside the NOR dump.
I know you can do this with the NOR validator but in my case it
crashed when doing it, so I had to find a different pc to run the
software again.
-------------------------------------------------------------------------------------
Open the UART patched NOR dump in HXD and go to offset
0x201000.

The goal is to replace the value at this offset, you have the
following options:
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
- FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF
- 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF
- FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00
- FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF
To replace the value, just copy one of the rows above.
Select the row at offset 0x201000, right click and choose paste write.

result:

Do this for all eight options and save it to 8 different files.

That's it for the NOR.

4. Patch Syscon
Remember that 08-0B offset (0x64B80) we got after enabling
UART?
We will need it now.
Open your syscon dump in HXD and go to that offset, mine was
0x64B80

Now you want to replace that slot with the one above it.

result:

That's it, save it as syscon dump_patched.bin

5. UART
Check this guide out for more information:
https://repair.wiki/w/PS4_UART_Guide
I'm using a PL2303 TTL to USB adapter.

On my TTL adapter I have 5 pins:
- 3.3v
- 5.0v
- TXD
- RXD
- GND
I've connected RXD to the TX pad on the motherboard and GND to
the GND pad on the motherboard.

I use PuTTY as Serial Monitor.
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

To set up PuTTY, run it and select serial.
Set the Serial line to the COM port for your TTL device and set the
speed to 115200.

6. Program NOR & syscon
Ok, so we have our patched NOR files, our patched syscon file and
we have our TTL connected.
------------------------------------------------------------------------------------
Because we have unlocked our syscon when we dumped it, we
should be able to write/read it with only 3 wires connected:
Pins 5, 6 and GND.
Your PS4 won't turn on with pin 16 (5V) connected to the Teensy.
To program the syscon we need the PS4 Syscon Tools By Abkarino
& EgyCnq again.
Open their program, connect to your Teensy and select: "Write
Syscon NVS/SNVS Only"
Open the patched Syscon dump, check "Auto erase before dump"
and click "Start"
------------------------------------------------------------------------------------
To program the NOR, use the same method you used to dump the
NOR but instead, erase the NOR and write it with the patched
NOR file. It is wise to verify the code after writing to the NOR.

It's time to see if we can actually revert the firmware on our
console.
I did the following:
- Program syscon and NOR
- Power on PS4 and watch the terminal.
- I can see on the terminal:
secure loader build: Nov 10 2021 05:20:43
(r10475:release_branches/release_09.03) [711MHz]
AGESA: KG&CN.BDK W9311 ERROR: main(3738) checkUpdVersion
0xffffffff != 0x9030000
- Not good, try next NOR patch ...
- I can see on the terminal:
secure loader build: Nov 10 2021 05:20:43
(r10475:release_branches/release_09.03) [711MHz]
AGESA: KG&CN.BDK W9311 ERROR: main(3738) checkUpdVersion
0xffffffff != 0x9030000
- Not good, try next NOR patch ...
- I can see on the terminal:
secure loader build: Sep 1 2021 05:20:31
(r10468:release_branches/release_09.000) [711MHz]
AGESA: KG&CN.BDK W9311 ERROR: main(3738) checkUpdVersion
0xffffffff != 0x9008000
- All right!
- Program syscon again and power on PS4.
- I see a lot of text scrolling on the terminal.
- After 1 reboot, it asks me for the recovery software for 9.00 :)
After installing the 9.00 firmware, I've dumped the NOR and the
Syscon again just to have a backup.
When checking the 9.00 dump, this is what I got:

Giving credit where credit is due:
fail0verflow
DarkNESMonk
Wildcard
BwE
Abkarino
EgyCnq
AndyManDev
