Editing Syscon Firmware
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
[[Category:Software]] | |||
Syscon Firmware is the firmware stored on the System Controller EEPROM (see [[Syscon Hardware]]). Updates are stored in update packages within the Update_files.tar of a [[Playstation Update Package (PUP)]]. Syscon Packages appear to always be 5KB (5376 bytes) in size. | |||
= Syscon | = Syscon update packages = | ||
d/l: [http://www.multiupload.com/JHBCOCGNUR syscon_fw1.00-4.00.rar (51.74 KB)] | |||
= | == Package structure == | ||
Sys_con_firmware Packages can be unpacked with unpkg | |||
=== Overview === | |||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
Line 216: | Line 16: | ||
| 0x00 || 0x4 || ASCI:"SCE" || SCE magic header | | 0x00 || 0x4 || ASCI:"SCE" || SCE magic header | ||
|- | |- | ||
| 0x04 || 0x4 || 0x2 || | | 0x04 || 0x4 || 0x2 || Flags | ||
|- | |- | ||
| 0x08 || | | 0x08 || 0x4 || 0x3 || Type (0x3 = PKG) | ||
|- | |- | ||
| | | 0x0C || 0x4 || 0x0 || Blank/Unknown | ||
|- | |- | ||
| | | 0x10 || 0x4 || 0x0 || Blank/Unknown | ||
|- | |- | ||
| 0x10 || 0x8 || 0x280 || | | 0x10 || 0x8 || 0x280 || Start Data Offset ('hdr_len') | ||
|- | |- | ||
| 0x18 || 0x8 || 0x1080 || | | 0x18 || 0x8 || 0x1080 || Data Size ('dec_size') | ||
|- | |- | ||
| 0x20 || 0x260 || - || | | 0x20 || 0x260 || - || Header | ||
|- | |- | ||
| 0x280 || 0x40 || - || ' | | 0x280 || 0x40 || - || 'info0' section (see below) | ||
|- | |- | ||
| 0x2C0 || 0x40 || - || ' | | 0x2C0 || 0x40 || - || 'info1' section (see below) | ||
|- | |- | ||
| 0x300 || 0x1000 || - || | | 0x300 || 0x1000 || - || 'content' | ||
|- | |- | ||
|} | |} | ||
==='info0'=== | |||
== | |||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
! Address !! Length !! Value !! Description | ! Address !! Length !! Value !! Description | ||
|- | |- | ||
| 0x00 || 0x4 || 0x3 || | | 0x00 || 0x4 || 0x3 || | ||
|- | |- | ||
| 0x04 || 0x4 || 0x8 || | | 0x04 || 0x4 || 0x8 || | ||
|- | |- | ||
| 0x08 || | | 0x08 || 0x4 || 0x0 or 0x1 || | ||
|- | |- | ||
| 0x0C || 0x4 || 0x0B8E | | 0x0C || 0x4 || 0x0B8E<br />0x0C16<br />0x0D52<br />0x0DBF<br />0x0E69<br />0x0F29<br />0x0F38<br />0x065D<br />0x0832<br />0x08C2<br />0x0918 || 'SoftID' | ||
|- | |- | ||
| 0x10 || 0x8 || 0x0001000000000004<br />0x0001000000000005<br />0x0001000000000006<br />0x0001000100030002<br />0x0001000100030003<br />0x0001000200030002<br />0x0001000300030002<br />0x0001000400040002<br />0x0001000500000002<br />0x0001000500010001<br />0x00010002083E0832<br /> || 'PatchID' | | 0x10 || 0x8 || 0x0001000000000004<br />0x0001000000000005<br />0x0001000000000006<br />0x0001000100030002<br />0x0001000100030003<br />0x0001000200030002<br />0x0001000300030002<br />0x0001000400040002<br />0x0001000500000002<br />0x0001000500010001<br />0x00010002083E0832<br /> || 'PatchID' | ||
|- | |- | ||
| 0x18 || 0x8 || 0x1000 || | | 0x18 || 0x8 || 0x1000 || 'Content' Data Size? | ||
|- | |- | ||
| 0x20 || 0x8 || 0x1000 || | | 0x20 || 0x8 || 0x1000 || 'Content' Data Size? | ||
|- | |- | ||
| 0x28 || | | 0x28 || 0x8 || 0x0 || | ||
|- | |- | ||
| 0x30 || 0x10 || 0x0 || | |||
| 0x30 || | |||
|- | |- | ||
|} | |} | ||
==='info1'=== | |||
== | |||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
! Address !! Length !! Value !! Description | ! Address !! Length !! Value !! Description | ||
|- | |- | ||
| 0x00 || | | 0x00 || 0x4 || 0x0 || | ||
|- | |- | ||
| | | 0x04 || 0x4 || 0x3 || | ||
|- | |- | ||
| | | 0x08 || 0x8 || 0x40 || Offset/size? | ||
|- | |- | ||
| | | 0x10 || 0x4 || 0x0 || | ||
|- | |- | ||
| | | 0x14 || 0x4 || 0x0 || | ||
|- | |- | ||
| | | 0x18 || 0x8 || 0x1000 || 'Content' Data Size? | ||
|- | |- | ||
| | | 0x20 || 0x8 || 0x1 || | ||
|- | |- | ||
| | | 0x28 || 0x8 || 0x1 || | ||
|- | |||
| 0x30 || 0x10 || 0x0 || | |||
|- | |- | ||
|} | |} | ||
==='content' overview=== | |||
== | |||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
Line 300: | Line 92: | ||
|- | |- | ||
|- | |- | ||
| 0x0 || 0x1000 || - || '' | | 0x0 || 0x1000 || - || 'content' | ||
|- | |- | ||
|} | |} | ||
== | == Known Retail syscon update packages == | ||
These are in in full Retail/CEX and Debug/DEX firmwares: | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
! | ! sys_con_firmware package !! 1.00-1.30 !! 1.30-1.80 !! 1.81-2.80 !! 3.00-3.30 !! 3.40 !! 3.41-4.11 !! SoftID !! Notes | ||
- | |||
! | |||
|- | |- | ||
| | | SYS_CON_FIRMWARE_01000004.pkg || {{No}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} || 0B8E || | ||
|- | |- | ||
| | | SYS_CON_FIRMWARE_01000005.pkg || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || 0B8E || | ||
| | |||
| | |||
|- | |- | ||
| | | SYS_CON_FIRMWARE_01000006.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0B8E || | ||
|- | |- | ||
| | | SYS_CON_FIRMWARE_01010302.pkg || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || 0C16 || | ||
|- | |- | ||
| | | SYS_CON_FIRMWARE_01010303.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0C16 || | ||
|- | |- | ||
| | | SYS_CON_FIRMWARE_01020302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0D52 || | ||
|- | |- | ||
| | | SYS_CON_FIRMWARE_01030302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0DBF || | ||
|- | |- | ||
| | | SYS_CON_FIRMWARE_01040402.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0E69 || | ||
|- | |- | ||
| | | SYS_CON_FIRMWARE_01050002.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0F29 || | ||
|- | |- | ||
| | | SYS_CON_FIRMWARE_01050101.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || 0F38 || | ||
|- | |- | ||
| | | SYS_CON_FIRMWARE_S1_00010002083E0832.pkg || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{Yes}} || 0832 || | ||
|- | |- | ||
|} | |} | ||
This means from syscon perspective notible firmware changes where made at 1.30, 1.81, 3.00 and 3.40 of all PS3 models (FW 1.30 added Backup/Restore, FW 3.00 resulted in Class action suit for BluRay reading problems). The '01050101' patch since 3.41 was only done for 'SoftID' 0x0F38. | |||
= | == NonRetail syscon == | ||
Remember, Debug/DEX consoles are normal retail consoles with different TargetID, so only those that have a nonretail board have deviating patches (like the CXR713F120A found on the DECR1000A TOOL/DECR). | |||
Tool/DECR don't have patches, they flash entire firmwares. | |||
=== Deviating from Retail === | |||
Please note that without info about the SKU the listing of ID's is pretty useless | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
! sys_con_firmware package !! 1.00-1.30 !! 1.30-1.80 !! 1.81-2.80 !! 3.00-3.30 !! 3.40 !! 3.41-4.11 !! SoftID !! Notes | |||
|- | |- | ||
| | | ? || ? || ? || ? || ? || ? || {{Yes}} || 08A0 || Debug/DEX | ||
| | |||
| | |||
| | |||
| | |||
|- | |- | ||
|} | |} | ||
== | == Usage == | ||
The firmware PUP's contains a collection of patches for all the different hardware revisions of syscon's chips used in different motherboard models. | |||
The ps3swu.self (system updater) decides wich applicable [[Syscon Hardware]] is present and installs the needed package update(s) accordingly (via updater manager ss service). | |||
Which syscon version and which patches are installed can be seen in [[More_System_Information]] | |||
== Decryption == | |||
Packages can be decrypted with the unpkg tool. Decrypted content of the updates appears to always be 0x1000 bytes (4KB). | |||
== Header == | |||
The header format is partially unknown at this stage. | |||
All the Firmwares patches are written in little endian. | |||
{| class="wikitable sortable" | |||
|- | |- | ||
! Offset !! Lenght !! Notes | |||
|- | |- | ||
| | | 0x0 || 0x4 || Header | ||
|- | |- | ||
| | | 0x4 || 0x20 || header checksum? | ||
|- | |- | ||
| | | 0x24 || 0x4 || header offset? | ||
|- | |- | ||
| | | 0x28 || 0x4 || file size | ||
|- | |- | ||
| | | 0x2c || 0x4 || binary size | ||
|- | |- | ||
| | | 0x30 || 0x10 || binary checksum? | ||
|- | |- | ||
| | | 0x40 || 0xfc0 || binary | ||
|- | |- | ||
|} | |} | ||
== | === Sample === | ||
<pre> | <pre> | ||
00000000 1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D .-p.«^³™h þ=á€j. | |||
00000010 B8 FD 37 CF CD 45 85 AB 51 F7 05 E3 EA 32 A5 EA ¸ý7ÏÍE…«Q÷.ãê2¥ê | |||
00000020 67 45 F9 48 00 00 00 00 00 10 00 00 C0 0F 00 00 gEùH........À... | |||
00000030 8B 04 07 F9 9B A2 90 3A 75 89 F1 42 12 59 DA 0D ‹..ù›¢.:u‰ñB.YÚ. | |||
00000040 21 7C A2 C3 5A E4 78 00 10 8D 4B F7 A2 73 9C 63 !|¢ÃZäx...K÷¢sœc | |||
00000050 5D 8D 5D 49 16 C7 6F 2C AD 33 FE 1F D3 6C A1 CA ].]I.Ço,.3þ.Ól¡Ê | |||
00000060 BA AD 2B FE 8F 33 71 D7 C5 E6 5C FF BF 77 6C 80 º.+þ.3q×Åæ\ÿ¿wl€ | |||
00000070 F2 BE 11 BB 3C 52 52 DC A9 68 E5 24 AD 4F F3 48 ò¾.»<RRÜ©hå$.OóH | |||
</pre> | </pre> | ||
=== Observations === | |||
* The first 4 bytes (0x1B2D700F) appear static in each package. | |||
* The next 20 bytes appear to change with each package | |||
* The following 12 bytes (0x0000000000100000C00F0000) also appear static, but it's the firmware size and fw size - header size; infact if correctly converted to little endian 00000000 00001000 00000fc0, where 00000000 is Unknown, 00001000 is 4096 in dec (firmware size) and 00000fc0 is 4032 in dec (where the binary starts). | |||
== Access to Syscon from Linux == | |||
Access SysCon ROM without needing ps3dm-utils: http://wiki.gitbrew.org/wikibrew/PS3:HvReverseEngineering#SYSCON | |||
.. | |||
{{ | {{Console}} |