Join Us and become a Member for a Verified Badge to access private areas with the latest PS4 PKGs.
PS4 Guides and Tutorials       Thread starter BwE       Start date Mar 10, 2019 at 12:43 AM       80      
Status
Not open for further replies.
A few months ago I posted a BwE Complete PS4 NOR Removal Guide followed by my BwE PS4 NOR Comparator, and today's Tutorial covers a lesson in corruption repair on PS4 NOR Repairs by Better Way Electronics.

Here in my favourite example we have a dump that does not boot, is ultimately displaying signs of a BLOD but when the dump is validated it shows the following results:

Code:
UNK Dynamic PerConsole Section Filler 2: ✔
UNK Static Section 1: 000000 [DANGER]
UNK Dynamic Section 20 (SKU Byte): 00 [DANGER]
UNK Dynamic Section 21: 0000000000000000000000000000 [DANGER]
UNK Filler 4: ✔
UNK Dynamic Section 22:
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ✔
UNK Filler 5: ✔
UNK Dynamic Section 23:
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF [WARNING]


Well large blocks of 00 is obviously not good, but what about the UNK Dynamic Section 23? Well I give this area (and the areas below it) WARNING's as it generally has blank spaces sporatically throughout its section. So no big deal! I just can't explain why there are blank spaces!

The real issue is the UNK Static Section 1 and UNK Dynamic Section 20-22. Hence the DANGER output!

If you were to open this dump in a hex editor (I prefer HxD) you would see from 0x1CE000 to 0x1CE1FF (A length of 200) you would see this:

BwE PS4 Dump Repair 1.png

Now this corrupt dump is a CUH-1001A on version 6.20 - If I were to look at a similar dump, with similar specs I would see:

BwE PS4 Dump Repair 2.png

Its quite clear what the solution is! Copy this data from the working dump into the corrupt dump! But Should I?

Well luckily the above static section and dynamic sections that were corrupt are GENERIC. This means they are not tied down to a specific console or even version.

To explain a bit better, here is a quick run down of the possible results for the corrupt area:

The possible outputs for the UNK Static Section 1 are only going to be 0007FF (Unless you are stuck in IDU mode, it will be 0107FF - which I consider a 'DANGER' output). So its quite obvious that there is no other replacement for this corruption!

The next area is the UNK Dynamic Section 20, it is a bit different as it is based on the SKU of the console. The possible outputs are: 07 (Retail) or 06 (Dev/Test). It is again very obvious what to replace it with. Easy!

Now the UNK Dynamic Section 21 is a bit more weird as it is dynamic but can also be static among multiple consoles with very different SKU's and versions. For example, 28 of my dumps have this as the result: 0007FF0700030C04000000040000. This makes it easy to replace! If it didn't work, I would have tried the other results (there are not that many).

The UNK Filler 4 was always going to be blank space, but was it FF space or 00? Well that was easy to figure out.

UNK Dynamic Section 22 is the most complex section. While it is dynamic I was able to prove through my research that it is NOT tied to a specific console. It is highly dynamic, maybe only 2 of 100 consoles will have the same result, but when they do they are totally different SKU's and versions. I ultimately have no idea what this section is, but I do know it's transferable!

Again, the final UNK Filler 5 is a simple fix!

The final result is that logically, I can feel safe in copying the area from 0x1CE000 to 0x1CE1FF verbatim from a similar console! So I did!

So I ran the patched dump in my validator again and ta-da!

Code:
UNK Dynamic PerConsole Section Filler 2: ✔
UNK Static Section 1: 0007FF ✔
UNK Dynamic Section 20 (SKU Byte): 07 (Retail) ✔
UNK Dynamic Section 21: 0007FF0700030C04000000040000 ✔
UNK Filler 4: ✔
UNK Dynamic Section 22:
F9020000F90200009885B400000000003401000034010000A881B700000000006602000065020000AC901C01000000004D000000 ✔
UNK Filler 5: ✔
UNK Dynamic Section 23:
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF [WARNING]


The results come up perfectly! (Ignoring the WARNING). Putting this data on the PS4 resulted in it booting up once again! No more BLOD! Amazing!

This is why my BwE PS4 NOR Comparator tool is so damn useful, this is the best method for understanding what areas of a corrupt console can be patched!

Remember if you want to help my BwE PS4 NOR Validator, send me dumps (but please label them (version, model & issue etc))!

If you like what I do, or just like me for me, buy me a coffeeeee!


For some strange reason, if your ps4 core os gets corrupted, and displays the error SU-30631-3, you can "fix" it by just patching the region with random garbage, and then attempting to update. this means that the coreos isn't hashed in snvs.
BwE Logo.png

BwE PS4 NOR Repair Guide by BetterWayElectronics.jpg
 

Comments

@BwE
I was surprised too, I was analyzing the last dump that I sent you and I noticed that despite the serial number of the console is composed of 11 characters, only 10 appear on the dump, so I thought of doing a new installation of the teeny to do new dumps but also this time only 10 characters appear.

I noticed then that every time the ps4 is turned on something changes on the Nor chip, exactly 90 bytes of differences, so I thought it would be nice to be able to make a permanent predisposition to connect the teensy if necessary without having to open the ps4 each time and by do all the installation, so I put the 4.7K resistor back on and tried to make new dumps and surprise ... the dumps were identical to the previous ones, then I put the diode back and made some dumps again, surprise ... the dumps are always identical.

Now I will install wires to the outside of the ps4 and a connector so I can connect easly the Teensy board when I need it ;)
 
i have this error/danger how can i fix it?

0x3C0000 -> 0x1FFFFFF:
CoreOS Entropy: 7.99 ✔
CoreOS Alternative Validation:
Code:
'7D00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' with length 0x4002 found at offset: 0x1493FFF [B][DANGER][/B]
'8700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' with length 0x4002 found at offset: 0x149BFFF [B][DANGER][/B]
'4100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' with length 0x30002 found at offset: 0x14CFFFF [B][DANGER][/B]
 
Status
Not open for further replies.
Back
Top