Editing Syscon Firmware

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= Description =
[[Category:Software]]
The '''Syscon firmware''' (also known as '''sys'''tem '''con'''troller '''firmware''') is the software stored inside [[Syscon Hardware|syscon]]. Composed by the base firmware (not updateable in retail syscon models) and a optional patch that is applyed virtually on runtime on top of the base firmware<br>
Syscon Firmware is the firmware stored on the System Controller EEPROM (see [[Syscon Hardware]]). Updates are stored in update packages within the Update_files.tar of a [[Playstation Update Package (PUP)]]. Syscon Packages appear to always be 5KB (5376 bytes) in size.
The syscon patches (also known as system controller update packages) for retail PS3 models are distributed in [[PKG_files|PKG]] format inside the [[Update_files.tar]] of the [[Playstation Update Package (PUP)|PS3UPDAT.PUP]]s. Syscon patches appear to always be 5KB (5376 bytes) in size.


= Update procedure =
The PS3 firmware installer PUP's contains a collection of syscon patches for all the different syscon's chips used in the different motherboard models. The ps3swu.self (system updater) checks the syscon [[More_System_Information|SoftID]] and installs the compatible patch accordingly (via updater manager ss service).<br>
The non-retail PS3 models with syscon [[CXR713F120A]] don't have patches, this special syscon model with the "F" product code (that seems to indicate that is fully flasheable) allows to overwrite the base syscon firmware through the [[Communication Processor]]


= Syscon firmwares =
= Syscon update packages =
{| class="wikitable"
d/l: [http://www.multiupload.com/JHBCOCGNUR syscon_fw1.00-4.00.rar (51.74 KB)]
|+Mullion
 
! <abbr title="Syscon firmware build id">SoftID</abbr> !! Firmware version !! Build target !! Build date !! Adds support for [[Platform ID]]s !! Corresponding [[SCEI PS3 SDK|SDK]] / [[Communication_Processor|CP]] versions !! Notes
== Package structure ==
|-{{cellcolors|lightgrey}}
Sys_con_firmware Packages can be unpacked with unpkg
| -    || v0.4.5_b4  || BACKUP      || 2005      || (Cyt1.0), (Cyt1.1), (Cyt2.1), (Cok01)    || 0.40 || Only used on the backup bank of flash models
 
|-{{cellcolors|lightgrey}}
=== Overview ===
| 06DA || v0.6.1_c8  || CYTOLOGY    || 2006/01/31 || Cyt1.2, Cyt2.0, Cyt2.2, (Cok02), (Cok03)  || 0.80 / 0.3.2 ||
{|class="wikitable"
|-{{cellcolors|lightgrey}}
| 073E || v0.6.10_c4 || CYTOLOGY    || 2006/03/01 || (Cok05)                                  || 0.81 / 0.4.3/0.4.7 ||
|-{{cellcolors|lightgrey}}
| 07FF || v0.6.11_c4 || CYTOLOGY    || 2006/03/27 || Cyt3.0, Cyt3.1, Cyt3.2, (Cok08)           || 0.82 / 0.5.3 ||
|-{{cellcolors|lightgrey}}
| 086C || v0.6.12_c5 || CYTOLOGY    || 2006/04/11 || -                                        || 0.83 / 0.6.4/0.6.5/0.6.7 ||
|-{{cellcolors|lightgrey}}
| 08F1 || v0.6.12_c7 || CYTOLOGY    || 2006/04/22 || -                                        || 0.83 ||
|-{{cellcolors|lightgrey}}
| 0955 || v0.6.14_c4 || CYTOLOGY    || 2006/05/01 || -                                        || 0.84 / 0.7.1 ||
|-{{cellcolors|lightgrey}}
| 0AF4 || v0.8.4_c8  || CYTOLOGY    || 2006/06/23 || (Cok11)                                  || 0.85 / 0.8.4/0.8.8 ||
|-{{cellcolors|lightgrey}}
| 0B48 || v0.9.9_c1  || CYTOLOGY    || 2006/07/07 || Cyt3.3, Cyt3.4, (Cok12), (Cok13), (Cok14) || 0.90 / 0.9.1 ||
|-{{cellcolors|lightgrey}}
| 0B67 || v0.9.13_k1 || COOKIE      || 2006      || -                                        || -  || [[COOKIE-13]], [[COK-001_(Prototype)|COK-001(Proto)]], etc... with a [[CXR713F120A]]
|-{{cellcolors|lightgrey}}
| 0B74 || v0.9.14_c1 || CYTOLOGY    || 2006/08/03 || -                                        || 0.91 / 0.9.2 ||
|-
|-
| 0B8E || v1.0.0_k1  || COOKIE (201) || 2006      || -                                        || -    ||
! Address !! Length !! Value !! Description
|-{{cellcolors|lightgrey}}
| 0B9D || v1.0.1_c1  || CYTOLOGY    || 2006/08/31 || -                                        || 0.93 / 0.9.4 ||
|-
|-
| 0C16 || v1.1.3_k1  || COOKIE (202) || 2006      || CokB10                                    || -    ||
| 0x00 || 0x4 || ASCI:"SCE" || SCE magic header
|-{{cellcolors|lightgrey}}
| 0C23 || v1.0.3_c1  || CYTOLOGY    || 2006/12/04 || -                                        || 1.50 / 1.1.1 ||
|-
|-
| 0D52 || v1.2.3_k1  || COOKIE (203) || 2007      || CokC10, CokC11, CokC12, CokD10            || -    ||
| 0x04 || 0x4 || 0x2 || Flags
|-{{cellcolors|lightgrey}}
| 0D79 || v1.0.4_c1  || CYTOLOGY    || 2007/06/21 || -                                        || 1.90 / 1.2.0 ||
|-
|-
| 0DBF || v1.3.3_k1  || COOKIE (301) || 2007      || -                                        || -    ||
| 0x08 || 0x4 || 0x3 || Type (0x3 = PKG)
|-{{cellcolors|lightgrey}}
| 0E4E || v1.0.4_c2  || CYTOLOGY    || 2007/11/08 || -                                        || 2.40 / 1.3.1 ||
|-
|-
| 0E69 || v1.4.4_k2  || COOKIE (302) || 2007      || CokE10, Deb01                            || -    ||
| 0x0C || 0x4 || 0x0 || Blank/Unknown
|-
|-
| 0F29 || v1.5.0_k2  || COOKIE (303) || 2009      || -                                        || -    || Removes hardcoding from previous firmware, adds support for 65nm RSX - <span style="background:#ff4444; cursor:wait;">not dumped yet</span>
| 0x10 || 0x4 || 0x0 || Blank/Unknown
|-
|-
| 0F38 || v1.5.1_k2  || COOKIE (304) || 2010      || -                                        || -    || Adds support for 40nm RSX
| 0x10 || 0x8 || 0x280 || Start Data Offset ('hdr_len')
|-{{cellcolors|lightgrey}}
| 0F3B || v1.0.5_c1  || CYTOLOGY    || 2010/05/12 || -                                        || 3.60 / 1.3.3 ||
|}
 
{| class="wikitable"
|+Sherwood
! <abbr title="Syscon firmware build id">SoftID</abbr> !! Firmware version !! Build target !! Build date !! <abbr title="Not final">Adds support for [[Platform ID]]s</abbr> !! Notes
|-{{cellcolors|lightgrey}}
| 0658 || ?.??.? || -      || 2008 || CokF10                        || <span style="background:#ff4444; cursor:wait;">not dumped yet</span> [[VERTIGO-02]]
|-
|-
| 065D || 0.17.0 || SW-301  || 2008 || -                              ||  
| 0x18 || 0x8 || 0x1080 || Data Size ('dec_size')
|-
|-
| ???? || ?.??.? || SW-302  || 2008 || -                              || <span style="background:#ff4444; cursor:wait;">not dumped yet</span> [[VER-001]]
| 0x20 || 0x260 || - || Header
|-
|-
| 0832 || 1.11.0 || SW2-301 || 2009 || CokG10, CokG11                ||  
| 0x280 || 0x40 || - || 'info0' section (see below)
|-
|-
| 0898 || 1.15.0 || -       || 2009 || CokH10, CokH11, CokJ12        ||
| 0x2C0 || 0x40 || - || 'info1' section (see below)
|-
|-
| 08A0 || 1.16.0 || SW2-302 || 2009 ||                                ||
| 0x300 || 0x1000 || - || 'content'
|-
|-
| 08C2 || 1.21.0 || SW2-303 || 2010 || CokJ13, CokJ20                ||
|}
==='info0'===
{|class="wikitable"
|-
|-
| 0918 || 2.3.0  || SW3-301 || 2011 || CokK10                        ||
! Address !! Length !! Value !! Description
|-
|-
| 098F || 2.12.0 || SW3-302 || 2012 || CokM20, CokM40, CokN10, CokN30 ||
| 0x00 || 0x4 || 0x3 ||  
|-
|-
| ???? || ?.??.? || SW3-303 || 2013 || -                              || <span style="background:#ff4444; cursor:wait;">not dumped yet</span> (unknown PS3 model/motherboard)
| 0x04 || 0x4 || 0x8 ||  
|-
|-
| 09A4 || 2.21.0 || SW3-304 || 2013 || -                              ||
| 0x08 || 0x8 || - || SC firmware revision (the high word of it is the SC type)
|}
 
= Syscon patches =
<div style="float:right">[[File:MoreSystemInformation_CECHA_with_40nm_RSX.jpg|400px|thumb|left|[[CECHAxx]] Refurbished 40nm RSX / [[COK-001]] / [[CXR714120-304GB]]<br>Syscon firmware '''v1.5.1_k2''' patch '''1''']]<br>[[File:MoreSystemInformation-CECH2004B-270.JPG|400px|thumb|left|[[CECH-20xx]] / [[DYN-001]] / [[SW2-301]]<br>Syscon firmware '''1.11.0''' patch '''1.2.83E.832''']]</div>
 
These patches are in full Retail/CEX and Debug/DEX firmwares. Are intended to fix some problem in the syscon firmware
*Fix 1) System firmware 1.30 (December 6, 2006). Disables UART access to the Syscon EEPROM patch region (not for 0832)
*Fix 2) System firmware 1.81 (June 15, 2007). Patch for the HDMI display data channel read<!-- ''hdmi chstat'' ? --> function (only for 0B8E and 0C16)
*Fix 3) System firmware 3.00 (September 1, 2009). Unknown patch (only for 0832)
*Fix 4) System firmware 3.40 (June 29, 2010) and  3.41 (July 26, 2010). Patch for the rtc read<!-- ''getrtc'' ? --> function (not for 0832)
 
{| class="wikitable"
|-
|-
! <abbr title="Syscon ROM Revision">SoftID</abbr> !! sys_con_firmware package !! [[1.00_CEX|1.00]]~[[1.11_CEX|1.11]] !! [[1.30_CEX|1.30]]~[[1.80_CEX|1.80]] !! [[1.81_CEX|1.81]]~[[2.80_CEX|2.80]] !! [[3.00_CEX|3.00]]~[[3.30_CEX|3.30]] !! [[3.40_CEX|3.40]] !! [[3.41-1_CEX|3.41]]~[[4.88_CEX|4.88]] !! Notes
| 0x0C || 0x4 || 0x0B8E<br />0x0C16<br />0x0D52<br />0x0DBF<br />0x0E69<br />0x0F29<br />0x0F38<br />0x065D<br />0x0832<br />0x08C2<br />0x0918 || 'SoftID'
|-{{cellcolors|lightgrey}}
! rowspan=3 | 0B8E
| SYS_CON_FIRMWARE_01000004.pkg || {{No}} || {{Yes}} (fix 1) || {{No}} || {{No}} || {{No}} || {{No}} || Superseded by SYS_CON_FIRMWARE_01000005.pkg
|-{{cellcolors|lightgrey}}
| SYS_CON_FIRMWARE_01000005.pkg || {{No}} || {{No}} || colspan="2" {{Yes}} (fix 1+2) || {{No}} || {{No}} || Superseded by SYS_CON_FIRMWARE_01000006.pkg
|-
|-
| SYS_CON_FIRMWARE_01000006.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" {{Yes}} (fix 1+2+4) || [[CXR713120-201GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...4706</abbr>
| 0x10 || 0x8 || 0x0001000000000004<br />0x0001000000000005<br />0x0001000000000006<br />0x0001000100030002<br />0x0001000100030003<br />0x0001000200030002<br />0x0001000300030002<br />0x0001000400040002<br />0x0001000500000002<br />0x0001000500010001<br />0x00010002083E0832<br /> || 'PatchID'
|-{{cellcolors|lightgrey}}
! rowspan=2 | 0C16
| SYS_CON_FIRMWARE_01010302.pkg || {{No}} || {{No}} || colspan="2" {{Yes}} (fix 1+2) || {{No}} || {{No}} || Superseded by SYS_CON_FIRMWARE_01010303.pkg
|-
|-
| SYS_CON_FIRMWARE_01010303.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" {{Yes}} (fix 1+2+4) || [[CXR713120-202GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...7214</abbr>
| 0x18 || 0x8 || 0x1000 || 'Content' Data Size
|-
|-
! 0D52
| 0x20 || 0x8 || 0x1000 || 'Content' Compressed Data Size
| SYS_CON_FIRMWARE_01020302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" style="background:#55CC55; color:#FFFFFF; text-align:right;" | Yes (fix 1+4) || [[CXR713120-203GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...F427</abbr>
|-
|-
! 0DBF
| 0x28 || 0x8 || 0x0 ||  
| SYS_CON_FIRMWARE_01030302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" style="background:#55CC55; color:#FFFFFF; text-align:right;" | Yes (fix 1+4) || [[CXR714120-301GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...F321</abbr>
|-
|-
! 0E69
| 0x30 || 0x10 || 0x0 ||  
| SYS_CON_FIRMWARE_01040402.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" style="background:#55CC55; color:#FFFFFF; text-align:right;" | Yes (fix 1+4) || [[CXR714120-302GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...5096</abbr>
|-
|-
! 0F29
| SYS_CON_FIRMWARE_01050002.pkg || {{No}} || {{No}} || {{No}} || {{No}} || colspan="2" style="background:#55CC55; color:#FFFFFF; text-align:right;" | Yes (fix 1+4) || [[CXR714120-303GB]]
|-
! 0F38
| SYS_CON_FIRMWARE_01050101.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || style="background:#55CC55; color:#FFFFFF; text-align:right;" | Yes (fix 1+4) || [[CXR714120-304GB]] <abbr title="Last 2 bytes of the patch 2 region, at the end of the EEPROM dumps>...16FA</abbr>
|-
! 0832
| SYS_CON_FIRMWARE_S1_00010002083E0832.pkg || {{No}} || {{No}} || {{No}} || colspan="3" {{Yes}} (fix 3) || [[SW2-301]]
|}
|}


The screen [[More System Information]] allows to see some details related with syscon. The syscon firmware version can be derived from the SoftID, and additionally if there is a patch installed the PatchID displayed in the screen contains both, the syscon firmware version and the patch version. Note also that there is a direct relationship in between the PatchID displayed in the screen and the patch filename. The syscon UART commands also displays some info related with the base syscon firmware and the patch
Note: PS3 firmwares cannot deal with compressed syscon firmwares, so they will abort the update process in that case.
 
Some examples from syscon UART:
<div style="float:left; font-size:small;">
<div style="float:top; text-align:center;">'''CECHC, CECHE / COK-002 / CXR713120-202GB'''</div><pre>
>$ revision
0C16
 
>$ version
v1.1.3_k1
 
>$ patchvereep
major:0x0001
minor:0x0001
patch:0x0003
revision:0x0003
 
>$ patchcsum
r1 csum: [00030266] [018DB626] [90662679]
r2 csum: [000069C5] [0046B830] [5E535A06]
</pre></div>
 
<div style="float:left; font-size:small;">
<div style="float:top; text-align:center;">'''CECH-20xx / DYN-001 / SW2-301'''</div><pre>
>$ revision
# Revision = 2098(0832)
 
>$ version
# Sherwood Version = 1.11.0
 
>$ patchinfo
#
# MAJOR  :0000
# MINOR  :0000
# REV    :0000
# SYS_REV :0000
# TABLE  :00FFFFFF
# DATSIZ  :FFFF
# DATSUM  :FFFF
# SUM    :FFFF
# not applyed
</pre></div>


<div style="float:left; font-size:small;">
==='info1'===
<div style="float:top; text-align:center;">'''CECH-20xx / DYN-001 / SW2-301'''</div><pre>
>$ revision
# Revision = 2098(0832)
 
>$ version
# Sherwood Version = 1.11.0
 
>$ patchinfo
#
# MAJOR  :0001
# MINOR  :0002
# REV    :083E
# SYS_REV :0832
# TABLE  :0000201A
# DATSIZ  :0FAA
# DATSUM  :02AB
# SUM    :035D
# applyed
</pre></div>
<br style="clear: left;" />
 
*Mullion PatchID names format ('''major, minor, patch, revision''')
**0B8E.0000000000000000@SC = syscon firmware '''v1.0.0_k1''', not patched
**[[Media:MoreSystemInformation-CECHA01-102.JPG|0B8E.000'''1'''000'''0'''000'''0'''000'''5'''@SC]] = syscon firmware '''v1.0.0_k1''', patch '''5''' (filename SYS_CON_FIRMWARE_0'''1'''0'''0'''0'''0'''0'''5'''.pkg)
**0F38.0000000000000000@SC = syscon firmware '''v1.5.1_k2''', not patched
**[[Media:MoreSystemInformation CECHA with 40nm RSX.jpg|0F38.000'''1'''000'''5'''000'''1'''000'''1'''@SC]] = syscon firmware '''v1.5.1_k2''', patch '''1''' (filename SYS_CON_FIRMWARE_0'''1'''0'''5'''0'''1'''0'''1'''.pkg)
*Sherwood PatchID names format ('''major, minor, rev, sys_rev''')
**0832.0000000000000000@SC = syscon firmware '''1.11.0''', not patched
**[[Media:MoreSystemInformation-CECH2004B-270.JPG|0832.000'''1'''000'''2'''0'''83E'''0'''832'''@SC]] = syscon firmware '''1.11.0''', patch '''1.2.83E.832''' (filename SYS_CON_FIRMWARE_S1_000'''1'''000'''2'''0'''83E'''0'''832'''.pkg)
 
<br style="clear: both;" />
 
= Package structure =
Sys_con_firmware Packages can be unpacked with unpkg. See [[PKG files]] and [[Certified File]]
 
== Header ==
{|class="wikitable"
{|class="wikitable"
|-
|-
! Address !! Length !! Value !! Description
! Address !! Length !! Value !! Description
|-
|-
| 0x00 || 0x4 || ASCI:"SCE" || SCE magic header
| 0x00 || 0x4 || 0x0 ||  
|-
|-
| 0x04 || 0x4 || 0x2 || Version
| 0x04 || 0x4 || 0x3 ||  
|-
|-
| 0x08 || 0x2 || 0x0 || Attribute
| 0x08 || 0x8 || 0x40 || Offset/size?
|-
|-
| 0x0A || 0x2 || 0x3 || Category (0x3 = Update Package)
| 0x10 || 0x4 || 0x0 ||  
|-
|-
| 0x0C || 0x4 || 0x0 || Extended Header Size (no ext header)
| 0x14 || 0x4 || 0x0 ||  
|-
|-
| 0x10 || 0x8 || 0x280 || File Offset (hdr_len)
| 0x18 || 0x8 || 0x1000 || 'Content' Data Size?
|-
|-
| 0x18 || 0x8 || 0x1080 || File Size (dec_size)
| 0x20 || 0x8 || 0x1 ||  
|-
|-
| 0x20 || 0x260 || - || Encrypted part of header
| 0x28 || 0x8 || 0x1 ||  
|-
|-
| 0x280 || 0x40 || - || '''update_package_header''' section (see below)
| 0x30 || 0x10 || 0x0 ||  
|-
| 0x2C0 || 0x40 || - || '''update_package_contents_header''' section (see below)
|-
| 0x300 || 0x1000 || - || '''content''' section
|-
|-
|}
|}
 
==='content' overview===
== Update Package Header ==
{|class="wikitable"
{|class="wikitable"
|-
|-
! Address !! Length !! Value !! Description
! Address !! Length !! Value !! Description
|-
|-
| 0x00 || 0x4 || 0x3 || Header Version? 3 (fixed value for all PS3 update packages)
|-
|-
| 0x04 || 0x4 || 0x8 || SoftType? 8 = SC firmware
| 0x0 || 0x1000 || - || 'content'
|-
|-
| 0x08 || 0x8 || - || SC firmware revision (the high word of it is the SC type)
|}
 
== Known Retail syscon update packages ==
These are in in full Retail/CEX and Debug/DEX firmwares:
{| class="wikitable sortable"
|-
|-
| 0x0C || 0x4 || 0x0B8E(1.30-4.84)<br />0x0C16(1.81-4.84)<br />0x0D52(3.40-4.84)<br />0x0DBF(3.40-4.84)<br />0x0E69(3.40-4.84)<br />0x0F29(3.40-4.84)<br />0x0F38(3.41-4.84)<br />0x0832(3.00-4.84) || 'SoftID'
! [[Motherboard Revisions|Board]] !! [[Syscon Hardware]] !! sys_con_firmware package !! 1.00-1.30 !! 1.30-1.80 !! 1.81-2.80 !! 3.00-3.30 !! 3.40 !! 3.41-4.30 !! SoftID !! Notes
|-
|-
| 0x10 || 0x8 || 0x0001000000000004<br />0x0001000000000005<br />0x0001000000000006<br />0x0001000100030002<br />0x0001000100030003<br />0x0001000200030002<br />0x0001000300030002<br />0x0001000400040002<br />0x0001000500000002<br />0x0001000500010001<br />0x00010002083E0832<br /> || 'PatchID' (official name is "version")
| rowspan=3 | [[COK-00x#COK-001|COK-001]] || rowspan=8 | CXR713120-201GB || SYS_CON_FIRMWARE_01000004.pkg || {{No}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} || 0B8E || Superceeded by SYS_CON_FIRMWARE_01000005.pkg
|-
|-
| 0x18 || 0x8 || 0x1000 || '''Content''' Data Size
| SYS_CON_FIRMWARE_01000005.pkg || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || 0B8E || Superceeded by SYS_CON_FIRMWARE_01000006.pkg
|-
|-
| 0x20 || 0x8 || 0x1000 || '''Content''' Compressed Data Size
| SYS_CON_FIRMWARE_01000006.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0B8E ||  
|-
|-
| 0x28 || 0x4 || 0x0 || Attribute
| rowspan=2 | [[COK-00x#COK-002|COK-002]] || SYS_CON_FIRMWARE_01010302.pkg || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || 0C16 || Superceeded by SYS_CON_FIRMWARE_01010303.pkg
|-
|-
| 0x2C || 0x4 || 0x0 || Region
| SYS_CON_FIRMWARE_01010303.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0C16 ||  
|-
|-
| 0x30 || 0x8 || 0x0 || Image Offset
| [[SEM-00x|SEM-001]] || SYS_CON_FIRMWARE_01020302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0D52 ||  
|-
|-
| 0x38 || 0x8 || 0x0 || Reserved_0
| [[DIA-00x#DIA-001|DIA-001]] || SYS_CON_FIRMWARE_01030302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0DBF ||  
|-
|}
 
Note: PS3 firmwares cannot deal with compressed syscon firmwares, so they will abort the update process in that case.
 
Note2: The PatchID is also present in the first 8 bytes of decrypted content but 16bit swapped for ARM BGAs
 
== Update Package Contents Header ==
{|class="wikitable"
|-
|-
! Address !! Length !! Value !! Description
| [[DIA-00x#DIA-002|DIA-002]] || SYS_CON_FIRMWARE_01040402.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0E69 ||
|-
|-
| 0x00 || 0x8 || 0x3 || Header Version?
| [[VER-00x|VER-001]] || SW-30x || || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 065D ||
|-
|-
| 0x08 || 0x8 || 0x40 || Header Size?
| [[DYN-00x|DYN-001]] || rowspan=4 | SW2-30x || SYS_CON_FIRMWARE_S1_00010002083E0832.pkg || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{Yes}} || 0832 || ps3 2k series
|-
|-
| 0x10 || 0x8 || 0x0 || Chunk Offset
| [[SUR-00x|SUR-001]] || || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 08C2 ??? ||
|-
|-
| 0x18 || 0x8 || 0x1000 || Chunk Size
| [[JTP-00x|JTP-001]], [[JSD-00x|JSD-001]] || || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 08C2 ||
|-
|-
| 0x20 || 0x8 || 0x1 || Current Chunk
| [[KTE-00x|KTE-001]] || || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 0918 || ps3 3k series
|-
|-
| 0x28 || 0x8 || 0x1 || Chunks Total
| [[MSX-00x|MSX-001]], [[MPX-00x|MPX-001]] || SW3-30x || || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 098F || ps3 4k series
|-
|-
| 0x30 || 0x8 || 0x0 || Reserved_0?
| ??? || ??? || SYS_CON_FIRMWARE_01050002.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0F29 || Compatible with CXR713120-201GB ?
|-
|-
| 0x38 || 0x8 || 0x0 || Reserved_1?
| ??? || ??? || SYS_CON_FIRMWARE_01050101.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || 0F38 || Compatible with CXR713120-201GB ?
|-
|-
|}
|}


== Content ==
This means from syscon perspective notible firmware changes where made at 1.30, 1.81, 3.00, 3.40 and 3.41 that affected retail and debug PS3 models
{|class="wikitable"
*Firmware 1.30 (December 6, 2006) added Backup/Restore
*Firmware 1.81 (June 15, 2007) ?
*Firmware 3.00 (September 1, 2009) resulted in Class action suit for BluRay reading problems
*Firmware 3.40 (June 29, 2010) ?
*Firmware 3.41 (July 26, 2010) ?
 
== NonRetail syscon ==
Remember, Debug/DEX consoles are normal retail consoles with different TargetID, so only those that have a nonretail board have deviating patches (like the CXR713F120A found on the DECR1000A TOOL/DECR).
 
Tool/DECR don't have patches, they flash entire firmwares.
 
=== Deviating from Retail ===
Please note that without info about the SKU the listing of ID's is pretty useless
{| class="wikitable sortable"
|-
|-
! Address !! Length !! Value !! Description
! sys_con_firmware package !! 1.00-1.30 !! 1.30-1.80 !! 1.81-2.80 !! 3.00-3.30 !! 3.40 !! 3.41-4.11 !! SoftID !! Notes
|-
|-
| ? || ? || ? || ? || ? || ? || {{Yes}} || 08A0 || Debug/DEX
|-
|-
| 0x0 || 0x1000 || - || '''Content''' Data
| ? || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 0B67 || Debug/DEX
|-
|-
|}
|}


=== Content Data Header ===
== Usage ==
 
The firmware PUP's contains a collection of patches for all the different hardware revisions of syscon's chips used in different motherboard models.
 
The ps3swu.self (system updater) decides wich applicable [[Syscon Hardware]] is present and installs the needed package update(s) accordingly (via updater manager ss service).
 
Which syscon version and which patches are installed can be seen in [[More_System_Information]]
 
== Decryption ==
Packages can be decrypted with the unpkg tool. Decrypted content of the updates appears to always be 0x1000 bytes (4KB).
 
== Header ==
The header format is partially unknown at this stage.
The header format is partially unknown at this stage.
All the Firmwares patches are written in little endian.
All the Firmwares patches are written in little endian.
Line 310: Line 179:
{| class="wikitable sortable"
{| class="wikitable sortable"
|-
|-
! Offset !! Length !! Notes !! Related DECR Error !! Notes
! Offset !! Lenght !! Notes
|-
|-
| 0x0 || 0x4 || Magic || FFFFFED2 (Magic Error) || 0x1B2D700F in mullions, '''sys1''' in cytology ?
| 0x0 || 0x4 || Header
|-
|-
| 0x4 || 0x10 || Header CMAC1 || rowspan="6" | FFFFFED1 (Header Check Error)  || CMAC of Partial Header (0x10,0x30 size) with header first 4 bytes instead of random 4 bytes<br>and where Header CMAC2 is zeroed Concatenated with Encrypted Body
| 0x4 || 0x20 || SHA ?
|-
|-
| 0x14 || 0x10 || Header CMAC2 || CMAC of Header (where this cmac has been zeroed)
| 0x24 || 0x4 || header offset?
|-
|-
| 0x24 || 0x4 || Padding ||
| 0x28 || 0x4 || file size
|-
|-
| 0x28 || 0x4 || Total size || Always 0x1000 in mullions, 0x60040 in cytology ?
| 0x2c || 0x4 || binary size
|-
|-
| 0x2C || 0x4 || Size of binary || Always 0xFC0 in mullions, 0x60000 in cytology ?
| 0x30 || 0x10 || IV for aes256cbc?
|-
|-
| 0x30 || 0x10 || IV for AES-128 CBC ||
| 0x40 || 0xfc0 || binary
|-
| 0x40 || 0xFC0 || Encrypted binary || FFFFFED0 (Data Check Error)<br>FFFFFECF (Data Size Check Error) ||
|-
|-
|}
|}


* Note: For the weird bogus update ONLY: FFFFFF37 (Alignment Error?) (Trying any data size between 0x41 and 0x4C bytes)
=== Samples ===
* Note2: v0.6.14c4 is the bogus update (only update with a weird header)
* Note3: setting data between 0x40 to 0x4C to zero in bogus update yields error FFFFFED0
 
'''Samples'''
<pre>
<pre>
00000000  1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D  .-p.«^³™h þ=á€j.
00000000  1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D  .-p.«^³™h þ=á€j.
Line 352: Line 215:
00000020  FF 83 0B E0 00 00 00 00  40 00 06 00 00 00 06 00  ÿƒ à    @       
00000020  FF 83 0B E0 00 00 00 00  40 00 06 00 00 00 06 00  ÿƒ à    @       
00000030  69 B6 02 69 3A 97 8B 1C  4E 18 D4 E0 63 7D CA 94  i¶ i:—‹ N Ôàc}Ê”
00000030  69 B6 02 69 3A 97 8B 1C  4E 18 D4 E0 63 7D CA 94  i¶ i:—‹ N Ôàc}Ê”
00000040  4B A0 79 34 79 41 BD 09  BB 68 D4 0A A0 B7 05 78  K y4yA½ »hÔ · x
00000040  4B A0 79 34 79 41 BD 09  BB 68 D4 0A A0 B7 05 78  K y4yA½ »hÔ  · x
00000050  D9 8F 8F 28 6C 9A 1B 61  CF A1 E7 49 7D CA C4 A3  Ù  (lš aÏ¡çI}ÊÄ£
00000050  D9 8F 8F 28 6C 9A 1B 61  CF A1 E7 49 7D CA C4 A3  Ù  (lš aÏ¡çI}ÊÄ£
00000060  A4 4D 4B E0 AE 48 86 03  B1 43 F2 47 C0 C4 1D 4F  ¤MKà®H† ±CòGÀÄ O
00000060  A4 4D 4B E0 AE 48 86 03  B1 43 F2 47 C0 C4 1D 4F  ¤MKà®H† ±CòGÀÄ O
Line 358: Line 221:
</pre>
</pre>


=== Content Data Patch (encrypted) ===
=== Observations ===
Packages can be extracted with the unpkg tool. Extracted content of the updates appears to always be 0x1000 bytes (4KB).
* The first 4 bytes (0x1B2D700F) appear static in each package.
 
* The next 20 bytes appear to change with each package
The following is all theoretical and is intended to discard possibilities about modes of operation used by aes when decrypting body of firmware/patch<br>
* The following 12 bytes (0x0000000000100000C00F0000) also appear static, but it's the firmware size and fw size - header size; infact if correctly converted to little endian 00000000 00001000 00000fc0, where 00000000 is Unknown, 00001000 is 4096 in dec (file size) and 00000fc0 is 4032 in dec (update size).
We know that:
* On the DECH fw, the update works in the same way: 000000004000060000000600 converted will be: 00000000 00060040 00060000, where, 00000000 is probably padding, file size 00060040, 00060000 update size
* Two key expansions are used before applying crypto on body (one probably for hashing. the other for decrypting with cbc)
* the first 40 bytes probably are IV + HASH + update infos. probably the algorithm used is AES.
* Encrypt is used when applying crypto on body TopHalf (forward ttables) and Decrypt is used when applying on body Bottomhalf (inverse ttables)
* Authenticated regions uses a form of what seems to be some ECB with tweak xoring (as graf once said about XTS)
* XTS was introduced in 2007 and SysCon from ps3 exists for far more time than that (2003)
* XEX is a close relative of XTS that was introduced in 1984
* PS4 uses XTS for Authenticated Regions or SNVS (with sector size of 0x20 being used. is this even considered safe?)
* 4 regions can be controlled for DPA and they are: 0x2790 (size 0x20) (FFs), patch header (most notably at offset 0x4 of header size 0x10 and 0x30 size 0x10), patch body tophalf(+0x40) and patch body bottomhalf(+0x50)
* here are the DPA bytes for each of the controlable sections:
* 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DIA-001) -> 210623DCA298994DFE87F840FC481CBF 
* 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DEB-001) -> 210623DCA298994DFE87F840FC481CBF 
* 16 32 47 79 C3 2C 47 D3 2B 39 CA B5 83 41 0E D5 (section 3/header from DIA-001 patch content)
* XX XX XX XX 7B FC 27 CD D5 9A 05 09 3A DF E4 75  (section 3/header AA from DEB-001 patch content) -> 6E9CE7C57BFC27CDD59A05093ADFE475
* 92 4A 87 88 20 59 6C 49 9F 0E 7D 77 2F 38 4C FC (section 3/header DD from DEB-001 patch content)
* 7D C6 3B 3B 69 DF 67 4C 94 D7 D4 A8 E0 F8 5B B2 (section 4/body from DIA-001 patch content/tophalf/forward)
* 73 XX F0 3D XX 9A F0 92 4D XX 62 DA XX 48 3C DB (section 4/body from DIA-001 patch content/bottomhalf/inverse)
* 49 1F 7B 0A 48 BD 79 33 4E 16 89 F6 B0 25 86 48 (section 4/body from DEB-001 patch content/tophalf/forward)
* 14 4D F1 D3 21 B6 17 46 60 81 42 E5 02 C9 07 66 (section 4/body from DEB-001 patch content/bottomhalf/inverse/PROPER) -> 6B3583DA1AA6B49106E1641178EE68C8 (inverse ttables)
* some bytes are considered "weak" bytes and should be bruteforced in the eventuality these keys fail
* another possibility is that both the header and the body are hashed and then decrypted, using for example, cmac and cbc
* since key expansions take 10 "hills" in the analysis, it should be safe to assume that AES-128 is used(because it uses 10 rounds).
* 6554cff202c3bfdd9740901070b705bf :  correct md5 for patch content we are trying keys on (DIA-001)
* 4875ad06a1499cc516a0d4d92e595794 :  correct md5 for patch content we are trying keys on (DEB-001/DIA-002)
* trying a different header/body patch content from another similar board will result into failure of decrypting body, which means that the header is checked for authenticity and that the header hash is NOT in the header
* altering the patch header doesn't cause the patch header dpa bytes to change (a test was done with 4 bytes and the result was 16 32 47 79, which matches the other patch dpa recovered bytes)
* there are in fact not 4 but 5 aes sections. the last one seems to be body related, as changing the body even one bit makes the last aes section disappear.
* section 2 is divided into two sections, corresponding to TopHalf and BottomHalf of patch area.
* TopHalf uses forward ttables/sbox. BottomHalf uses inverse ttables/sbox
* TopHalf is ONLY the very first 0x10 bytes AFTER the header and into the body (corresponding to 0x40 in header size 0x10)
* BottomHalf is the rest of the body itself.
* DYN-001 processes one entire chunk of 0x1000 bytes, 0x40 for header and 0xFC0 for body, and not two of 0x400 and 0xC00 like the Sony models
* 504 aes operations are done for the body (252/0xFC for cmac and 252/0xFC for cbc). it is unknown if cmac comes first or it is cbc.
* All attacks show weak bytes in comparisson with CXR(F), likely due to CXR being optimized for the attack (removed resistors/capacitors, etc)
 
= Patch structure (decrypted) =
 
== Mullion Patch structure ==
 
{| class="wikitable"
|-
! Offset !! Size !! Name !! Number !! Example !! Notes
|-
| 0x00 || 0x2 || Major Version || 1 ||  ||
|-
| 0x02 || 0x2 || Minor Version || 1 ||  ||
|-
| 0x04 || 0x2 || Major Revision || 1 ||  ||
|-
| 0x06 || 0x2 || Minor Revision || 1 ||  ||
|-
| 0x08 || 0x10 || Patch Addresses || 4*4 ||  ||
|-
| 0x18 || 0x10 || Patch Instruction / Data || 4*4 ||  ||
|-
| 0x28 || 0x10 || Patch Jump Instruction Addresses || 4*4 ||  ||
|-
| 0x38 || 0x388 || Additional Patch Instructions || 1 ||  ||
|-
| 0x3C0 || 0xC00 || HDMI Patch || 1 ||  ||
|-
|}
 
== Sherwood Patch structure ==
{| class="wikitable"
|-
! Offset !! Size !! Name !! Number !! Example !! Notes
|-
| 0x00 || 0x4 || Magic || 1 || 0x5D4E246B ||
|-
| 0x04 || 0x2 || Major Version || 1 || 0x0001 || In the output of the UART command ''patchinfo'' is named ''MAJOR''
|-
| 0x06 || 0x2 || Minor Version || 1 || 0x0002 || In the output of the UART command ''patchinfo'' is named ''MINOR''
|-
| 0x08 || 0x2 || Major Revision || 1 || 0x083E || In the output of the UART command ''patchinfo'' is named ''REV'' (patch revision)
|-
| 0x0A || 0x2 || Minor Revision || 1 || 0x0832 || In the output of the UART command ''patchinfo'' is named ''SYS_REV'' (syscon revision)
|-
| 0x0C || 0x4 || Absolute Table Address || 1 || 0x0000201A || In the output of the UART command ''patchinfo'' is named ''TABLE''
|-
| 0x10 || 0x2 || Data Size || 1 || 0x0FAA || In the output of the UART command ''patchinfo'' is named ''DATSIZE''
|-
| 0x12 || 0x2 || Data Checksum || 1 || 0x02AB || In the output of the UART command ''patchinfo'' is named ''DATSUM''
|-
| 0x14 || 0x2 || Patch Checksum || 1 || 0x035D || In the output of the UART command ''patchinfo'' is named ''SUM'' (patch checksum)
|-
| 0x16 || 0x2 || Relative Data Address || 1 || 0x0000 || Not parsed/ignored on SW (only used on SW2/SW3). Relative to the patch start address (0x2000)
|-
| 0x18 || 0x2 || Relative Table Address || 1 || 0x0000 || Not parsed/ignored on SW (only used on SW2/SW3). Relative to the patch start address (0x2000)
|-
| 0x1A || 0x80 || Table || 4*0x20 ||  ||
|-
| 0x9A || 0x6 || Padding || - ||  || Not parsed/ignored on SW (only used on SW2/SW3)
|-
|}
 
= Command list =
 
== Mullion ==
 
=== External commands ===
<!-- Im wondering if there is some easy way to indicate in wiki what means each byte
*Permission
** 0x00008096 = ?
** 0x000080D5 = ?
** 0x000080D6 = ?
** 0x0000809A = ?
** 0x000080DA = ?
** 0x0000C0D5 = ?
** 0x0000C0D7 = ?
** 0x0000C0DF = ?
** 0x0000C0EF = ?
** 0x0000C0FF = ?
-->
 
{| class="wikitable sortable"
! Address              !! Command      !! Subcommand  !! Permission 
|-
| 0x32959              || BOOT        || MODE        || 0x000080D6 
|-
| 0x329D5              || BOOT        || CONT        || 0x000080D5 
|-
| 0x342D7              || SHUTDOWN    || -            || 0x0000C0D5 
|-
| 0x32A51              || HALT        || -            || 0x0000C0D5 
|-
| 0x32A85              || BOOTENABLE  || -            || 0x0000809A 
|-
| 0x33491              || AUTH1        || -            || 0x0000C0EF 
|-
| 0x33525              || AUTH2        || -            || 0x0000C0EF 
|-
| 0x33619              || AUTHVER      || SET          || 0x0000C0DF 
|-
| 0x335BF              || AUTHVER      || GET          || 0x0000C0FF 
|-
| 0x32AC3              || EEP          || INIT        || 0x000080DA 
|-
| 0x32C51              || EEP          || SET          || 0x0000C0DF 
|-
| 0x32D3D              || EEP          || GET          || 0x0000C0DF 
|-
| 0x32EA7              || PDAREA      || SET          || 0x0000C0DF 
|-
| 0x32E3B              || PDAREA      || GET          || 0x0000C0DF 
|-
| 0x330C5              || CSAREA      || SET          || 0x0000C0DF 
|-
| 0x33057              || CSAREA      || GET          || 0x0000C0DF 
|-
| 0x33169              || VID          || GET          || 0x0000C0D5 
|-
| 0x331D7              || CID          || GET          || 0x0000C0D5 
|-
| 0x3321D              || ECID        || GET          || 0x0000C0D5 
|-
| 0x3325D              || REV          || SB          || 0x0000C0D5 
|-
| 0x3328D              || SPU          || INFO        || 0x0000C0D5 
|-
| 0x332E1              || KSV          || -            || 0x0000C0D5 
|-
| 0x33685              || FAN          || SETPOLICY    || 0x0000C0D7 
|-
| 0x33717              || FAN          || GETPOLICY    || 0x0000C0D7 
|-
| 0x33781              || FAN          || START        || 0x0000C0D7 
|-
| 0x33781              || FAN          || STOP        || 0x0000C0D7 
|-
| 0x33951              || FAN          || SETDUTY      || 0x0000C0D7 
|-
| 0x339C3              || FAN          || GETDUTY      || 0x0000C0D7 
|-
| 0x33A27              || R8          || -            || 0x0000C0DF 
|-
| 0x33AD1              || W8          || -            || 0x0000C0DF 
|-
| 0x33B71              || R16          || -            || 0x0000C0DF 
|-
| 0x33C19              || W16          || -            || 0x0000C0DF 
|-
| 0x33CBB              || R32          || -            || 0x0000C0DF 
|-
| 0x33E49              || W32          || -            || 0x0000C0DF 
|-
| 0x33EE9              || RBE          || -            || 0x0000C0D5 
|-
| 0x33F91              || WBE          || -            || 0x0000C0D5 
|-
| 0x34049              || PORTSTAT    || -            || 0x0000C0DF 
|-
| 0x332BF              || VER          || -            || 0x0000C0FF 
|-
| 0x341C5              || BUZ          || -            || 0x00008096 
|-
| 0x342D7              || SERVFAN      || -            || 0x0000C0D7 
|-
| 0x341F9              || ERRLOG      || START        || 0x0000C0DF 
|-
| 0x34221              || ERRLOG      || STOP        || 0x0000C0DF 
|-
| 0x34249              || ERRLOG      || GET          || 0x0000C0FF 
|-
| 0x342B3              || ERRLOG      || CLEAR        || 0x0000C0DF 
|-
|}


=== Internal commands ===
== Access to Syscon from Linux ==
{| class="wikitable sortable"
|-
! Command !! Address !! Perms !! SubCommands !! Description
|-
|becount || 0xCA7D || 0xDD0C0000|| - || Display bringup/shutdown count + Power-on time
|-
|bepgoff || 0xA4E7 || 0xD00C0000|| - || BE power grid off
|-
|bepkt ||  0x2435D ||  0xDC0C0000 || show/set/unset/mode/debug/help || Packet permissions
|-
|bestat ||  0xD413 || 0xFD0F0000|| - || Get status of BE
|-
|boardconfig ||    0x99C7 || 0xDC0C0000|| - || Displays board configuration (NOT WORKING?)
|-
|bootbeep || 0x1EA67 ||  0xF0000000 || stat/on/off ||  Boot beep
|-
|bringup || 0xD597 || 0xFD0F0000|| - || Turn PS3 on
|-
|bsn || 0xD805 || 0xF00F0000|| - || Get board serial number
|-
|bstatus || 0x24269 ||  0xDD0C0000|| - || HDMI related status
|-
|buzz ||    0xA4FF || 0xDC0C0000 || [freq] || Activate buzzer
|-
|buzzpattern ||    0xA8B7 || 0xDC0C0000 || [freq] [pattern] [count] || Buzzer pattern
|-
|clear_err || 0x2595B ||  0xDD0C0000 || last/eeprom/all ||  Clear errors
|-
|clearerrlog ||    0xB8CB || 0xDD0C0000|| - || Clears error log
|-
|comm ||    0x9919 || 0xDC0C0000|| - || Communication mode
|-
|commt ||  0x24907 ||  0xDC0C0000 || help/start/stop/send ||  Manual BE communication
|-
|cp || 0x1E077 ||  0xF0000000 || ready/busy/reset/beepremote/beep2kn1n3/beep2kn2n3 || CP control commands
|-
|csum ||    0xD687 || 0xFF0F0000|| - || Firmware checksum
|-
|devpm ||  0xD053 || 0xDD0C0000 || ata/pci/pciex/rsx || Device power management
|-
|diag ||    0x9AAD || 0xD00C0000 || ... || Diag (execute without param to show help) (NOT WORKING?)
|-
|disp_err ||0x25911 ||  0xDD0C0000|| - || Displays errors
|-
|duty ||    0x9B23 || 0xDD0C0000 || get/getmin/getmax/getinimin/getinimax<br>set/setmin/setmax/setinimin/setinimax ||  Fan speed
<pre>
Usage: duty get fanconNo
    ex. duty get 1
</pre>
|-
|dve || 0x2995D ||  0xDC0C0000 || help/set/save/show || DVE chip parameters
|-
|eepcsum || 0xAA65 || 0xDD0C0000|| - || Displays checksums of some eeprom areas
|-
|eepromcheck ||    0x9A1D || 0x000C0000 || [id] || Check eeprom
|-
|eeprominit || 0x9A65 || 0x000C0000 || [id] || Init eeprom
|-
|ejectsw || 0xD611 || 0xFD0F0000|| - || Eject switch
|-
|errlog ||  0xB7ED || 0xFF0C0000|| - || Gets the error log
|-
|fancon ||  0xD26D || 0x0D000000|| - || Does nothing
|-
|fanconautotype || 0xC075 || 0xDD0C0000|| - || Does nothing
|-
|fanconmode || 0xBF35 || 0xDD0C0000 || get || Fan control mode (0=Full, 1=VaryTable & VaryServo, 2=Manual, 3=Minimun)
<pre>
Usage: fanconmode get fanconNo
    ex. fanconmode get 1
</pre>
|-
|fanconpolicy ||  0xBBC9 || 0xDD0C0000 || get/set/getini/setini || Fan control policy (0=Full, 1=Auto, 2=Manual)
<pre>
Usage: fanconpolicy get fanconNo
    ex. fanconpolicy get 1
</pre>
|-
|fandiag || 0x1E91B ||  0xF0000000|| - || Fan Diagnostic (test)
|-
|faninictrl || 0xD3D9 || 0x0D000000|| - || Does nothing
|-
|fanpol ||  0xCA31 || 0xDD0C0000|| - || Does nothing
|-
|fanservo || 0xBF29 || 0xDD0C0000|| - || Does nothing
|-
|fantbl ||  0xC087 || 0xDD0C0000 || get/set/getini/setini/gettable/settable/getselect/setselect ||  Fan table: get/set - currently in RAM/in use ; getini/setini - stored in EEPROM (!! in COK the chksum does not updated automatically !!)
<pre>
Usage: fantbl set fanconNo pNo tempD tempU duty
    ex. fantbl set 0 p1 0x1400 0x1E40 0xC0
    ex. fantbl set 0 p1 20.0 30.25 75
Usage: fantbl get fanconNo
    ex. fantbl get 1
</pre>
|-
|firmud ||  0xD61D || 0xFDFF0000|| - || Firmware update
|-
|geterrlog || 0xB84F || 0xDD0C0000 || [id] || Gets error log
|-
|getrtc ||  0xA6F3 || 0xDD0C0000|| - || Gets rtc
|-
|halt ||    0x1E107 ||  0xF0000000|| - || Halts syscon
|-
|hdmi ||    0x29F39 ||  0xDD0C0000 || ... ||  HDMI (various commands, use help)
<pre>
[HDMI Help] HDMI System Start        :$ hdmi setup ([ChannelNo])
[HDMI Help] Show IC Type              :$ hdmi ictype [ChannelNo]
[HDMI Help] Display EDID              :$ hdmi redid  [ChannelNo] (p)
[HDMI Help] Display KSV              :$ hdmi rksv  [ChannelNo]
[HDMI Help] SiI Register Read        :$ hdmi r  [ChannelNo] [TargetDevID(0/1)] [OffsetAddr(hex)] [ReadSize(hex)]
[HDMI Help] SiI Register Write        :$ hdmi w  [ChannelNo] [TargetDevID(0/1)] [OffsetAddr(hex)] [WriteData(hex)]
[HDMI Help] Set 12bit Param          :$ hdmi 12bit  [ChannelNo] (d1:0 - d5:4)
[HDMI Help] Set 10bit Param          :$ hdmi 10bit  [ChannelNo] (d1:0 - d5:4)
[HDMI Help] DDC Bus Read              :$ hdmi dr [ChannelNo] [TargetDevID(0/1)] [OffsetAddr(hex)] [ReadSize(hex)]
[HDMI Help] DDC Bus Write            :$ hdmi dw [OffsetAddr(hex)] [WriteData(hex)]
[HDMI Help] Show Channel Status      :$ hdmi chstat  [ChannelNo]
[HDMI Help] Debug Log Verbose        :$ hdmi vbs ([Verbose Setting(hex)])
[HDMI Help] HDMI System Shutdown      :$ hdmi letup ([ChannelNo])
[HDMI Help] HDMI Eleguler Test        :$ hdmi hwreset ([ChannelNo])
[HDMI Help] HDMI Eleguler Test KPL    :$ hdmi hwreset2 ([ChannelNo])
[HDMI Help] HDMI Manage Struct Dump  :$ hdmi dumpst ([ChannelNo])
[HDMI Help] Show HDMI and DVE Port Num:$ hdmi ports
[HDMI Help] Show Timer Value          :$ hdmi timer
[HDMI Help] Show I2C Resource        :$ hdmi i2c
[HDMI Help] Show Patch Information    :$ hdmi patch
[HDMI Help] Resolution Reset          :$ hdmi resrst [ChannelNo]
[HDMI Help] Show this Message        :$ hdmi help
</pre>
|-
|hdmiid ||  0x29D1D ||  0xDC0F0000|| - || Get HDMI id's
|-
|hdmiid2 || 0x29D81 ||  0xDC0F0000|| - || Get HDMI id's
|-
|hversion || 0x2422F ||  0xDD0C0000|| - || Displays [[Platform ID]]
|-
|hyst ||    0xAEF5 || 0xDD0C0000 || get/set/getini/setini || This value is stored inside the Thermal Config area, every thermal sensor has their own. See: [https://en.wikipedia.org/wiki/Hysteresis#Control_systems Hysteresis]
<pre>
Usage: hyst set TZoneNo temp
    ex. hyst set 1 0x0200
    ex. hyst set 1 2.0
Usage: hyst get TZoneNo
    ex. hyst get 14
</pre>
|-
|lasterrlog || 0xB7FF || 0xDD0C0000|| - || Last error from log
|-
|ledmode || 0xA80B || 0xDC0C0000 || [id] [id] ||  Get led mode
|-
|LS || 0x2421B ||  0xDD0C0000|| - || LabStation Mode
|-
|ltstest || 0xCB97 || 0xDD0C0000 || get/set be/rsx ||  ?Temp related? values
|-
|osbo ||    0x1EA3F ||  0xF0000000|| - || Sets 0x2000F60
|-
|patchcsum ||  0xD9F7 || 0xDD0C0000|| - || Patch checksum
|-
|patchvereep ||    0xD9B1 || 0xDD0C0000|| - || Patch version eeprom
|-
|patchverram ||    0xD965 || 0xDD0C0000|| - || Patch version ram
|-
|poll ||    0x240E3 ||  0xDD0C0000|| - || Poll log
|-
|portscan || 0xDA0D || 0xDD0C0000 || [port] || Scan port (NOT WORKING?)
|-
|powbtnmode || 0xB911 || 0xDC0C0000 || [mode (0/1)] || Power button mode
|-
|powerstate || 0xCE6F || 0xDD0C0000|| - || Get power state
|-
|powersw || 0xD5F9 || 0xFD0F0000|| - || Power switch
|-
|powupcause || 0xB621 || 0xDD0C0000|| - || Power up cause
|-
|printmode || 0x99D9 || 0xDC0C0000 || [mode (0/1/2/3)] || Set printmode
|-
|printpatch || 0xD94F || 0xDD0C0000|| - || Prints patch
|-
|r || 0x8CA5 || 0xDD0C0000 || [offset] [length] ||  Read byte from SC
|-
|r16 || 0x8ED5 || 0xDD0C0000 || [offset] [length] ||  Read word from SC
|-
|r32 || 0x9191 || 0xDD0C0000 || [offset] [length] ||  Read dword from SC
|-
|r64 || 0x935D || 0xDD0C0000 || [offset] [length] || Read qword from SC
|-
|r64d ||    0x948F || 0xDD0C0000 || [offset] [length] ||  Read ?qword data? from SC
|-
|rbe || 0x96F9 || 0xDD0C0000 || [offset] ||  Read from BE
|-
|recv ||    0x24135 ||  0xDD0C0000|| - || Receive something
|-
|resetsw || 0xD605 || 0xFC0F0000|| - || Reset switch
|-
|restartlogerrtoeep ||  0xB903 || 0xDD0C0000|| - || Reenable error logging to eeprom
|-
|revision || 0xD7E1 || 0xFFFF0000|| - || Get [[More_System_Information|SoftID]]
|-
|rrsxc ||  0xD313 || 0xDD0C0000 || [offset] [length] || Read from RSX
|-
|rtcreset ||  0xA7BB || 0x000C0000|| - || Reset RTC
|-
|scagv2 ||  0xE24F || 0xFF000000|| - || Auth related?
|-
|scasv2 ||  0xE207 || 0xDD000000|| - || Auth related?
|-
|scclose || 0xE1EF || 0xFF000000|| - || Auth related?
|-
|scopen ||  0xE121 || 0xFF000000|| - || Auth related?
|-
|send ||    0x2416F ||  0xDD0C0000 || [variable] || Send something
|-
|shutdown ||0xD5C5 || 0xFD0F0000|| - || PS3 shutdown
|-
|startlogerrtsk || 0xB8E7 || 0xDD0C0000|| - || Start error log task
|-
|stoplogerrtoeep ||  0xB8F5 || 0xDD0C0000|| - || Stop error logging to eeprom
|-
|stoplogerrtsk ||  0xB8D9 || 0xDD0C0000|| - || Stop error log task
|-
|syspowdown ||0xB6E9 || 0xDD0C0000 || 3 params || System power down
|-
|task ||    0x15005 ||  0xDD0C0000|| - || Print tasks
|-
|thalttest || 0xD813 || 0x000F0000|| - || Thermal Alert Test ? (boes nothing), maybe is needed to do it while GameOS is working to trigger the XMB overheat warning message and the power off sequence
|-
|thermfatalmode || 0xCA3B || 0xDD0C0000 || canboot/cannotboot || Set boot mode after a thermal alert ?
|-
|therrclr || 0xD3E5 || 0xDD0C0000|| - || Clears the thermal alert register ?
|-
|thrm ||    0xBF1D || 0xDD0C0000|| - || Does nothing
|-
|tmp ||0xAA69 || 0xDD0C0000 || [tzone] ||  Get temperature
<pre>
Usage: tmp TZoneNo
    ex. tmp 1
</pre>
|-
|trace ||  0xB951 || 0xDD0C0000 || ... ||  Trace tasks (use help)
<pre>
Usage: trace command param
    command:
      [status/start/stop/dump/print/id]
    param (with `id' command):
      available characters: [0-9][,][-]
      ex. trace id 1-12,16
</pre>
|-
|trp ||0xAB2F || 0xDD0C0000 || get/set/getini/setini || This value is stored inside the Thermal Config area, every thermal sensor has their own<!-- Transient Receptor Potential ? https://en.wikipedia.org/wiki/Thermosensation -->
<pre>
Usage: trp set TZoneNo temp
    ex. trp set 2 0x5980
    ex. trp set 2 89.5
Usage: trp get TZoneNo
    ex. trp get 14
</pre>
|-
|tsensor || 0xA279 || 0xDD0C0000 || [tzone] ||  Get raw temperature
<pre>
Usage: tsensor TZoneNo
    ex. tsensor 2
</pre>
|-
|tshutdown || 0xB2A1 || 0xDD0C0000 || get/set/getini/setini || Thermal shutdown. This value is stored inside the Thermal Config area, every thermal sensor has their own
<pre>
Usage: tshutdown set TZoneNo temp
    ex. tshutdown set 2 0x5A80
    ex. tshutdown set 2 90.5
Usage: tshutdown get TZoneNo
    ex. tshutdown get 14
</pre>
|-
|tshutdowntime ||  0xC95D || 0xDD0C0000 || get ||  Thermal shutdown time. This value is stored inside the Thermal Config area, is a single value shared by all thermal sensors
|-
|tzone ||  0xB5E1 || 0xDD0C0000|| - || Shows a list of the "TZone" identifyers associated with every thermal sensor, and a short text description of them
<pre>
Example, on cytology PS3 models
> tzone
00: 1st BE Primary
01: RSX Primary
02: XDR Primary
0A: Air Intake
0F: GbE
14: SB
 
Example, on cookie old
> tzone
00: 1st BE Primary
01: RSX Primary
03: BE VR
14: SB
15: EE+GS
 
Example, on cookie new
> tzone
00: 1st BE Primary
01: RSX Primary
14: SB
 
Example, on sherwood
> tzone
# 00:1st BE Primary
# 01:RSX Primary
 
</pre>
|-
|version || 0xD65F || 0xFFFF0000|| - || Syscon firmware version
|-
|w ||0x8BF9 || 0xDD0C0000 || [offset] [value] ||  Write byte to SC
|-
|w16 ||0x8E2D || 0xDD0C0000 || [offset] [value] ||  Write word to SC
|-
|w32 ||0x8FED || 0xDD0C0000 || [offset] [value] ||  Write dword to SC
|-
|w64 ||0x92A9 || 0xDD0C0000 || [offset] [value] ||  Write qword to SC
|-
|wbe ||0x9665 || 0xDD0C0000 || [offset] [value] ||  Write to BE
|-
|wmmto ||  0xCB3B || 0xDC0C0000 || get ||  Get watch dog timeout
|-
|wrsxc ||  0xD279 || 0xDD0C0000 || [offset] [value] ||  Write to RSX
|-
|xdrdiag || 0x1E711 ||  0xF0000000 || start/info/result || XDR diagnostics
|-
|xiodiag || 0x1E875 ||  0xF0000000|| - || XIO diagnostic
|-
|xrcv ||    0x25313 ||  0xDC0C0000|| - || Xmodem receive
|-
|}
 
== Sherwood ==
*Permission
** 0x0700 = A_AUTH
** 0x0B00 = B_AUTH
** 0x0300 = INT (Command not available from UART interface. Can be unlocked by patching syscon firmware)
** 0x0F00 = ANY
 
{| class="wikitable sortable" style="line-height:110%"
|+Sherwood Commands
! rowspan="2" | Command<br>lowercase/UPPERCASE !! rowspan="2" | <abbr title="Permission">Perms</abbr> !! colspan="3" | Address !! rowspan="2" | Notes
|-
! SW-301 !! SW2-301 !! SW3-304
|-
| hdmi            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x32030 || 0x3D989 || 0x3E21D ||
|-                                               
| tsensor        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2FB30 || 0x3B1CF || 0x3B8F0 ||
|-                                               
| tmp            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2FE7F || 0x3B3D5 || 0x3BAF6 ||
|-                                               
| trp            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2FFA6 || 0x3B627 || 0x3BD48 ||
|-                                               
| tshutdown      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x301D8 || 0x3B645 || 0x3BD66 ||
|-                                               
| tzone          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x3041B || 0x3B663 || 0x3BD84 ||
|-                                               
| thrm            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x30482 || 0x3B6C9 || 0x3BDEA ||
|-                                               
| duty            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x307EF || 0x3B95D || 0x3C07E ||
|-                                               
| fanconpolicy    || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x30C0D || 0x3BBB9 || 0x3C2DA ||
|-                                               
| fanconmode      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x30DF9 || 0x3BD48 || 0x3C469 ||
|-                                               
| fantbl          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x30F3B || 0x3BE58 || 0x3C579 ||
|-                                               
| fanservo        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || {{cellcolors|lightgrey}} N/A ? || 0x3C07D || 0x3C79E ||
|-                                               
| fanservostat    || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || {{cellcolors|lightgrey}} N/A ? || 0x3C2E2 || 0x3CA03 ||
|-                                               
| fanservosetval  || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || {{cellcolors|lightgrey}} N/A ? || {{cellcolors|lightgrey}} N/A ? || 0x3CB6B ||
|-                                               
| hyst            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x305F2 || 0x3B7F0 || 0x3BF11 ||
|-                                               
| powupcause      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x313EB || 0x3C695 || 0x3CE8E ||
|-                                               
| syspowdown      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x31460 || 0x3C70A || 0x3CF03 ||
|-                                               
| devpm          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x316C6 || 0x3C98A || 0x3D183 ||
|-                                               
| powerstate      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x318CF || 0x3CB93 || 0x3D38C ||
|-                                               
| nonfatalerror  || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x31AC2 || 0x3CDF0 || 0x3D5E9 ||
|-                                               
| getrtc          || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2F82A || 0x3AD68 || 0x3B489 ||
|-                                               
| help            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2ED2B || 0x3A280 || 0x3A9A1 ||
|-                                               
| meminfo        || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2EED7 || 0x3A42C || 0x3AB4D ||
|-                                               
| rbe            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2EF63 || 0x3A4B8 || 0x3ABD9 ||
|-                                               
| DISABLEALLERASE || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2F1FC || 0x3A751 || 0x3AE72 ||
|-                                               
| task            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2F281 || 0x3A7D6 || 0x3AEF7 ||
|-                                               
| cleareep        || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2F460 || 0x3A99E || 0x3B0BF ||
|-                                               
| commt          || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2F499 || 0x3A9D7 || 0x3B0F8 ||
|-                                               
| bestat          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2F79B || 0x3ACD9 || 0x3B3FA ||
|-                                               
| bringup / BOOT  || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2DAC3 || 0x39018 || 0x39739 ||
|-                                               
| shutdown / HALT || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2DC1C || 0x39171 || 0x39892 ||
|-                                               
| r / R8<br>r16 / R16<br>r32 / R32          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2DC9B || 0x391F0 || 0x39911 ||
|-                                               
| r64<br>r64d    || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2E7BC || 0x39D11 || 0x3A432 ||
|-                                               
| w / W8<br>w16 / W16<br>w32 / W32          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2E03B || 0x39590 || 0x39CB1 ||
|-                                               
| w64<br>wbe      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2E6C1 || 0x39C16 || 0x3A337 ||
|-                                               
| BOOTENABLE      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2DC7B || 0x391D0 || 0x398F1 ||
|-                                               
| EEP            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2E8C2 || 0x39E17 || 0x3A538 ||
|-                                               
| PDAREA<br>CSAREA          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2E9B8 || 0x39F0D || 0x3A62E ||
|-                                               
| portset        || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x2EC36 || 0x3A18B || 0x3A8AC ||
|-                                               
| extend          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x2ECF9 || 0x3A24E || 0x3A96F ||
|-                                               
| version        || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x080D0  || 0x0A0F1  || 0x0A0FF  ||
|-                                               
| revision        || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x0812B  || 0x0A14C  || 0x0A15A  ||
|-                                               
| setcmdlong / SETCMDLONG || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x08251  || 0x0A272  || 0x0A280  ||
|-                                               
| VER            || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x081C3  || 0x0A1E4  || 0x0A1F2  ||
|-                                               
| csum            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x08356  || 0x0A37B  || 0x0A389  ||
|-                                               
| AUTH1<br>AUTH2  || {{cellcolors|#ffffcc}} <abbr title="0x0B00">B_AUTH</abbr> || 0x08555  || 0x0A5AF  || 0x0A5BD  ||
|-                                               
| AUTHVER        || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x086FB  || 0x0A755  || 0x0A763  ||
|-                                               
| errlog / ERRLOG || {{cellcolors|#ddddff}} <abbr title="0x0F00">ANY</abbr> || 0x311DA || 0x3C484 || 0x3CC7D ||
|-                                               
| powersw        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x31C87 || 0x3D005 || 0x3D7FE ||
|-                                               
| ejectsw        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x31CA5 || 0x3D023 || 0x3D81C ||
|-                                               
| doorsw          || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || {{cellcolors|lightgrey}} N/A ? || {{cellcolors|lightgrey}} N/A ? || 0x3D83C ||
|-                                               
| buzzduty        || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x31CC5 || 0x3D043 || 0x3D8D7 ||
|-                                               
| buzz            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x31D24 || 0x3D0A2 || 0x3D936 ||
|-                                               
| VID            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x33F98 || 0x3FC43 || 0x404D8 ||
|-                                               
| CID<br>ECID            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x340BF || 0x3FD6A || 0x405FF ||
|-                                               
| SPU            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x34211 || 0x3FEBC || 0x40751 ||
|-                                               
| REV            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x342BC || 0x3FF67 || 0x407FC ||
|-                                               
| KSV            || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x34363 || 0x4000E || 0x408A3 ||
|-                                               
| MOUNTINFO      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || {{cellcolors|lightgrey}} N/A ? || {{cellcolors|lightgrey}} N/A ? || 0x4095B ||
|-                                               
| portscan        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x3441B || 0x400C6 || 0x40A2A ||
|-                                               
| eepcsum        || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x33F46 || 0x3FBF1 || 0x40486 ||
|-                                               
| patchinfo      || {{cellcolors|#ccffcc}} <abbr title="0x0700">A_AUTH</abbr> || 0x346DD || 0x40388 || 0x40CF2 ||
|-                                               
| poll            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x346F3 || 0x4039E || 0x40D08 ||
|-                                               
| recv            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x3470F || 0x403BA || 0x40D24 ||
|-                                               
| send            || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x3472B || 0x403D6 || 0x40D40 ||
|-                                               
| LS              || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x34747 || 0x403F2 || 0x40D5C ||
|-                                               
| hversion        || {{cellcolors|#ffaaaa}} <abbr title="0x0300">INT</abbr> || 0x34763 || 0x4040E || 0x40D78 ||
|}
 
= Access to Syscon from Linux =
Access SysCon ROM without needing ps3dm-utils: http://wiki.gitbrew.org/wikibrew/PS3:HvReverseEngineering#SYSCON
Access SysCon ROM without needing ps3dm-utils: http://wiki.gitbrew.org/wikibrew/PS3:HvReverseEngineering#SYSCON


= Placeholder for bga patch key generation =
{{Console}}
 
<pre>
34 3A 00 00 00 00 5F 5F 53 43 45 49 53 59 53 31
</pre>
 
<pre>
4:....__SCEISYS1
</pre>
 
OR (slim DYN-001)
 
<pre>
00 00 00 00 5F 5F 5F 5F 53 43 45 49 53 59 53 31
</pre>
 
<pre>
....____SCEISYS1
</pre>
 
* replace 4 dots with soft id in decimal form, xor with 0x140 key and with cipher patcher key and encrypt with master patcher key to obtain cipher master key for that soft id
 
* replace 4 dots with soft id in decimal form, xor with 0x140 key and with hasher patcher key and encrypt with master patcher key to obtain hasher master key for that soft id
 
{{Custom Firmware}}<noinclude>[[Category:Main]]</noinclude>
Please note that all contributions to PS3 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS3 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)

Templates used on this page:

Retrieved from "http://www.psdevwiki.com/ps3/Syscon_Firmware"