Editing Syscon Firmware
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
= Description = | = Description = | ||
The | The Syscon Controller Firmware (also known as the syscon firmware), is the software stored inside the [[Syscon Hardware|syscon]]. Is composed by the base firmware (not updateable in retail syscon models) and a optional patch that is applyed virtually on runtime on top of the base firmware<br> | ||
The | The patches (also known as syscon update packages) for retail PS3 models are distributed in [[PKG_files|PKG]] format inside the [[Update_files.tar]] of the [[Playstation Update Package (PUP)|PS3UPDAT.PUP]]s<br> | ||
Syscon patches appear to always be 5KB (5376 bytes) in size. | |||
= Update procedure = | = Update procedure = | ||
Line 10: | Line 11: | ||
{| class="wikitable" | {| class="wikitable" | ||
|+Mullion | |+Mullion | ||
! <abbr title="Syscon firmware build id">SoftID</abbr> !! Firmware version !! Build target !! Build date !! Adds support for [[Platform ID]]s !! Corresponding [[SCEI PS3 SDK|SDK]] | ! <abbr title="Syscon firmware build id">SoftID</abbr> !! Firmware version !! Build target !! Build date !! Adds support for [[Platform ID]]s !! Corresponding [[SCEI PS3 SDK|SDK]] version !! Notes | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| - || v0.4.5_b4 || BACKUP || 2005 || (Cyt1.0), (Cyt1.1), (Cyt2.1), (Cok01) || 0.40 || Only used on the backup bank of flash models | | - || v0.4.5_b4 || BACKUP || 2005 || (Cyt1.0), (Cyt1.1), (Cyt2.1), (Cok01) || 0.40 || Only used on the backup bank of flash models | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 06DA || v0.6.1_c8 || CYTOLOGY || 2006/01/31 || Cyt1.2, Cyt2.0, Cyt2.2, (Cok02), (Cok03) || 0.80 | | 06DA || v0.6.1_c8 || CYTOLOGY || 2006/01/31 || Cyt1.2, Cyt2.0, Cyt2.2, (Cok02), (Cok03) || 0.80 || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 073E || v0.6.10_c4 || CYTOLOGY || 2006/03/01 || (Cok05) || 0.81 | | 073E || v0.6.10_c4 || CYTOLOGY || 2006/03/01 || (Cok05) || 0.81 || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 07FF || v0.6.11_c4 || CYTOLOGY || 2006/03/27 || Cyt3.0, Cyt3.1, Cyt3.2, (Cok08) || 0.82 | | 07FF || v0.6.11_c4 || CYTOLOGY || 2006/03/27 || Cyt3.0, Cyt3.1, Cyt3.2, (Cok08) || 0.82 || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 086C || v0.6.12_c5 || CYTOLOGY || 2006/04/11 || - || 0.83 | | 086C || v0.6.12_c5 || CYTOLOGY || 2006/04/11 || - || 0.83 || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 08F1 || v0.6.12_c7 || CYTOLOGY || 2006/04/22 || - || 0.83 || | | 08F1 || v0.6.12_c7 || CYTOLOGY || 2006/04/22 || - || 0.83 || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 0955 || v0.6.14_c4 || CYTOLOGY || 2006/05/01 || - || 0.84 | | 0955 || v0.6.14_c4 || CYTOLOGY || 2006/05/01 || - || 0.84 || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 0AF4 || v0.8.4_c8 || CYTOLOGY || 2006/06/23 || (Cok11) || 0.85 | | 0AF4 || v0.8.4_c8 || CYTOLOGY || 2006/06/23 || (Cok11) || 0.85 || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 0B48 || v0.9.9_c1 || CYTOLOGY || 2006/07/07 || Cyt3.3, Cyt3.4, (Cok12), (Cok13), (Cok14) || 0.90 | | 0B48 || v0.9.9_c1 || CYTOLOGY || 2006/07/07 || Cyt3.3, Cyt3.4, (Cok12), (Cok13), (Cok14) || 0.90 || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 0B67 || v0.9.13_k1 || COOKIE || 2006 || - || - || | | 0B67 || v0.9.13_k1 || COOKIE || 2006 || - || - || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 0B74 || v0.9.14_c1 || CYTOLOGY || 2006/08/03 || - || 0.91 | | 0B74 || v0.9.14_c1 || CYTOLOGY || 2006/08/03 || - || 0.91 || | ||
|- | |- | ||
| 0B8E || v1.0.0_k1 || COOKIE (201) || 2006 || - || - || | | 0B8E || v1.0.0_k1 || COOKIE (201) || 2006 || - || - || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 0B9D || v1.0.1_c1 || CYTOLOGY || 2006/08/31 || - || 0.93 | | 0B9D || v1.0.1_c1 || CYTOLOGY || 2006/08/31 || - || 0.93 || | ||
|- | |- | ||
| 0C16 || v1.1.3_k1 || COOKIE (202) || 2006 || CokB10 || - || | | 0C16 || v1.1.3_k1 || COOKIE (202) || 2006 || CokB10 || - || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 0C23 || v1.0.3_c1 || CYTOLOGY || 2006/12/04 || - || 1.50 | | 0C23 || v1.0.3_c1 || CYTOLOGY || 2006/12/04 || - || 1.50 || | ||
|- | |- | ||
| 0D52 || v1.2.3_k1 || COOKIE (203) || 2007 || CokC10, CokC11, CokC12 | | 0D52 || v1.2.3_k1 || COOKIE (203) || 2007 || CokC10, CokC11, CokC12 || - || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 0D79 || v1.0.4_c1 || CYTOLOGY || 2007/06/21 || - || 1.90 | | 0D79 || v1.0.4_c1 || CYTOLOGY || 2007/06/21 || - || 1.90 || | ||
|- | |- | ||
| 0DBF || v1.3.3_k1 || COOKIE (301) || 2007 || | | 0DBF || v1.3.3_k1 || COOKIE (301) || 2007 || CokD10 || - || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 0E4E || v1.0.4_c2 || CYTOLOGY || 2007/11/08 || - || 2.40 | | 0E4E || v1.0.4_c2 || CYTOLOGY || 2007/11/08 || - || 2.40 || | ||
|- | |- | ||
| 0E69 || v1.4.4_k2 || COOKIE (302) || 2007 || CokE10, Deb01 || - || | | 0E69 || v1.4.4_k2 || COOKIE (302) || 2007 || CokE10, Deb01 || - || | ||
|- | |- | ||
| 0F29 || v1.5.0_k2 || COOKIE (303) || 2009 || - || - || | | 0F29 || v1.5.0_k2 || COOKIE (303) || 2009 || - || - || Adds support for 65nm RSX | ||
|- | |- | ||
| 0F38 || v1.5.1_k2 || COOKIE (304) || 2010 || - || - || Adds support for 40nm RSX | | 0F38 || v1.5.1_k2 || COOKIE (304) || 2010 || - || - || Adds support for 40nm RSX | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 0F3B || v1.0.5_c1 || CYTOLOGY || 2010/05/12 || - || 3.60 | | 0F3B || v1.0.5_c1 || CYTOLOGY || 2010/05/12 || - || 3.60 || | ||
|} | |} | ||
{| class="wikitable" | {| class="wikitable" | ||
|+Sherwood | |+Sherwood | ||
! <abbr title="Syscon firmware build id">SoftID</abbr> !! Firmware version !! Build target !! Build date !! <abbr title="Not final">Adds support for [[Platform ID]]s</abbr> !! | ! <abbr title="Syscon firmware build id">SoftID</abbr> !! Firmware version !! Build target !! Build date !! <abbr title="Not final">Adds support for [[Platform ID]]s</abbr> !! Dumped? | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| 0658 || ?.? | | 0658 || ??.?? || - || 2008 || CokF10 || {{NO}} | ||
|- | |- | ||
| 065D || | | 065D || 00.17 || SW-301 || 2008 || - || {{YES}} | ||
|- | |- | ||
| ???? || ?.? | | ???? || ??.?? || SW-302 || 2008 || - || {{NO}} | ||
|- | |- | ||
| 0832 || | | 0832 || 01.11 || SW2-301 || 2009 || CokG10, CokG11 || {{YES}} | ||
|- | |- | ||
| | | 08A0 || ??.?? || SW2-302 || 2009 || CokH10, CokH11 || {{NO}} | ||
|- | |- | ||
| | | 08C2 || ??.?? || SW2-303 || 2010 || CokJ13, CokJ20 || {{NO}} | ||
|- | |- | ||
| | | 0918 || 02.03 || SW3-301 || 2011 || CokK10 || {{NO}} | ||
|- | |- | ||
| | | 098F || ??.?? || SW3-302 || 2012 || CokM20, CokM40 || {{NO}} | ||
|- | |- | ||
| | | ???? || ??.?? || SW3-303 || 2013 || CokN10, CokN30 || {{NO}} | ||
|- | |- | ||
| ???? || ?.? | | ???? || ??.?? || SW3-304 || 2013 || - || <span style="color:orange;">PARTIALLY</span> | ||
|} | |} | ||
= Syscon patches = | = Syscon patches = | ||
These are in full Retail/CEX and Debug/DEX firmwares: | |||
These | |||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! [[Motherboard Revisions|Board]] !! [[Syscon Hardware]] !! sys_con_firmware package !! 1.00-1.30 !! 1.30-1.80 !! 1.81-2.80 !! 3.00-3.30 !! 3.40 !! 3.41-4.75 !! <abbr title="Syscon ROM Revision">SoftID</abbr> !! Notes | |||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
! rowspan=3 | | ! rowspan=3 | [[COK-00x#COK-001|COK-001]] !! rowspan=3 | [[CXR713120-201GB]] | ||
| SYS_CON_FIRMWARE_01000004.pkg || {{No}} || {{Yes}} | | SYS_CON_FIRMWARE_01000004.pkg || {{No}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} || 0B8E || Superseded by SYS_CON_FIRMWARE_01000005.pkg | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| SYS_CON_FIRMWARE_01000005.pkg || {{No}} || {{No}} || | | SYS_CON_FIRMWARE_01000005.pkg || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || 0B8E || Superseded by SYS_CON_FIRMWARE_01000006.pkg | ||
|- | |- | ||
| SYS_CON_FIRMWARE_01000006.pkg || {{No}} || {{No}} || {{No}} || {{No}} || | | SYS_CON_FIRMWARE_01000006.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0B8E || | ||
|-{{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
! rowspan=2 | | ! rowspan=2 | [[COK-00x#COK-002|COK-002]] || rowspan=2 | [[CXR713120-201GB]]<br />[[CXR713120-202GB]] | ||
| SYS_CON_FIRMWARE_01010302.pkg || {{No}} || {{No}} || | | SYS_CON_FIRMWARE_01010302.pkg || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || 0C16 || Superseded by SYS_CON_FIRMWARE_01010303.pkg | ||
|- | |- | ||
| SYS_CON_FIRMWARE_01010303.pkg || {{No}} || {{No}} || {{No}} || {{No}} || | | SYS_CON_FIRMWARE_01010303.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0C16 || | ||
|- | |- | ||
! | ! [[SEM-00x|SEM-001]] || [[CXR713120-201GB]]<br />[[CXR713120-202GB]]<br />[[CXR713120-203GB]] | ||
| SYS_CON_FIRMWARE_01020302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || | | SYS_CON_FIRMWARE_01020302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0D52 || | ||
|- | |- | ||
! | ! [[DIA-00x#DIA-001|DIA-001]] || [[CXR714120-301GB]] | ||
| SYS_CON_FIRMWARE_01030302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || | | SYS_CON_FIRMWARE_01030302.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0DBF || | ||
|- | |- | ||
! | ! [[DIA-00x#DIA-002|DIA-002]] / [[DEB-00x#DEB-001|DEB-001]] || [[CXR714120-301GB]]<br />[[CXR714120-302GB]] | ||
| SYS_CON_FIRMWARE_01040402.pkg || {{No}} || {{No}} || {{No}} || {{No}} || | | SYS_CON_FIRMWARE_01040402.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0E69 || | ||
|- | |- | ||
! | ! [[COK-00x|COK-002]] with 65nm [[RSX]] || [[CXR714120-303GB]] | ||
| SYS_CON_FIRMWARE_01050002.pkg || {{No}} || {{No}} || {{No}} || {{No}} || | | SYS_CON_FIRMWARE_01050002.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || 0F29 || Refurbished, new 65nm RSX, new syscon | ||
|- | |- | ||
! | ! [[COK-00x|COK-001]] with 40nm [[RSX]] || [[CXR714120-304GB]] | ||
| SYS_CON_FIRMWARE_01050101.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || | | SYS_CON_FIRMWARE_01050101.pkg || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || 0F38 || Refurbished, new 40nm RSX, new syscon | ||
|- | |- | ||
! | ! [[VER-00x|VER-001]] || [[SW-30x]] | ||
| SYS_CON_FIRMWARE_S1_00010002083E0832.pkg || {{No}} || {{No}} || {{No}} || | | || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 065D || | ||
|- | |||
! [[DYN-00x|DYN-001]] || rowspan=4 | [[SW2-30x]] | |||
| SYS_CON_FIRMWARE_S1_00010002083E0832.pkg || {{No}} || {{No}} || {{No}} || {{Yes}} || {{Yes}} || {{Yes}} || 0832 || rowspan=2 | ps3 2k series | |||
|- | |||
! [[SUR-00x|SUR-001]] | |||
| || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 08A0 | |||
|- | |||
! [[JTP-00x|JTP-001]]<br />[[JSD-00x|JSD-001]] | |||
| || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 08C2 || ps3 2k5 series | |||
|- | |||
! [[KTE-00x|KTE-001]] | |||
| || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 0918 || ps3 3k series | |||
|- | |||
! [[MSX-00x|MSX-001]]<br />[[MPX-00x|MPX-001]] || [[SW3-30x]] | |||
| || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || 098F || ps3 4k series | |||
|} | |} | ||
This means from syscon perspective notible firmware changes where made at 1.30, 1.81, 3.00, 3.40 and 3.41 that affected retail and debug PS3 models | |||
*Firmware 1.30 (December 6, 2006) added Backup/Restore | |||
*Firmware 1.81 (June 15, 2007) ? | |||
*Firmware 3.00 (September 1, 2009) resulted in Class action suit for BluRay reading problems | |||
*Firmware 3.40 (June 29, 2010) ? | |||
*Firmware 3.41 (July 26, 2010) ? | |||
Which syscon version and which patches are installed can be seen in [[More_System_Information]] | |||
= Package structure = | = Package structure = | ||
Sys_con_firmware Packages can be unpacked with unpkg | Sys_con_firmware Packages can be unpacked with unpkg | ||
== | == Overview == | ||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
Line 216: | Line 157: | ||
| 0x00 || 0x4 || ASCI:"SCE" || SCE magic header | | 0x00 || 0x4 || ASCI:"SCE" || SCE magic header | ||
|- | |- | ||
| 0x04 || 0x4 || 0x2 || | | 0x04 || 0x4 || 0x2 || Flags | ||
|- | |- | ||
| 0x08 || | | 0x08 || 0x4 || 0x3 || Type (0x3 = PKG) | ||
|- | |- | ||
| | | 0x0C || 0x4 || 0x0 || Blank/Unknown | ||
|- | |- | ||
| | | 0x10 || 0x4 || 0x0 || Blank/Unknown | ||
|- | |- | ||
| 0x10 || 0x8 || 0x280 || | | 0x10 || 0x8 || 0x280 || Start Data Offset ('hdr_len') | ||
|- | |- | ||
| 0x18 || 0x8 || 0x1080 || | | 0x18 || 0x8 || 0x1080 || Data Size ('dec_size') | ||
|- | |- | ||
| 0x20 || 0x260 || - || | | 0x20 || 0x260 || - || Header | ||
|- | |- | ||
| 0x280 || 0x40 || - || ' | | 0x280 || 0x40 || - || 'info0' section (see below) | ||
|- | |- | ||
| 0x2C0 || 0x40 || - || ' | | 0x2C0 || 0x40 || - || 'info1' section (see below) | ||
|- | |- | ||
| 0x300 || 0x1000 || - || | | 0x300 || 0x1000 || - || 'content' | ||
|- | |- | ||
|} | |} | ||
=='info0'== | |||
== | |||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
! Address !! Length !! Value !! Description | ! Address !! Length !! Value !! Description | ||
|- | |- | ||
| 0x00 || 0x4 || 0x3 || | | 0x00 || 0x4 || 0x3 || | ||
|- | |- | ||
| 0x04 || 0x4 || 0x8 || | | 0x04 || 0x4 || 0x8 || | ||
|- | |- | ||
| 0x08 || 0x8 || - || SC firmware revision (the high word of it is the SC type) | | 0x08 || 0x8 || - || SC firmware revision (the high word of it is the SC type) | ||
|- | |- | ||
| 0x0C || 0x4 || 0x0B8E(1.30-4.84)<br />0x0C16(1.81-4.84)<br />0x0D52(3.40-4.84)<br />0x0DBF(3.40-4.84)<br />0x0E69(3.40-4.84)<br />0x0F29(3.40-4.84)<br />0x0F38(3.41-4.84)<br />0x0832(3.00-4.84) | | 0x0C || 0x4 || 0x0B8E(1.30-4.84)<br />0x0C16(1.81-4.84)<br />0x0D52(3.40-4.84)<br />0x0DBF(3.40-4.84)<br />0x0E69(3.40-4.84)<br />0x0F29(3.40-4.84)<br />0x0F38(3.41-4.84)<br />0x065D<br />0x0832(3.00-4.84)<br />0x08A0<br />0x08C2<br />0x0918 || 'SoftID' | ||
|- | |- | ||
| | | 0x10 || 0x8 || 0x0001000000000004<br />0x0001000000000005<br />0x0001000000000006<br />0x0001000100030002<br />0x0001000100030003<br />0x0001000200030002<br />0x0001000300030002<br />0x0001000400040002<br />0x0001000500000002<br />0x0001000500010001<br />0x00010002083E0832<br /> || 'PatchID' | ||
|- | |- | ||
| | | 0x18 || 0x8 || 0x1000 || 'Content' Data Size | ||
|- | |- | ||
| | | 0x20 || 0x8 || 0x1000 || 'Content' Compressed Data Size | ||
|- | |- | ||
| | | 0x28 || 0x8 || 0x0 || | ||
|- | |- | ||
| | | 0x30 || 0x10 || 0x0 || | ||
|- | |- | ||
|} | |} | ||
Line 271: | Line 207: | ||
Note2: The PatchID is also present in the first 8 bytes of decrypted content but 16bit swapped for ARM BGAs | Note2: The PatchID is also present in the first 8 bytes of decrypted content but 16bit swapped for ARM BGAs | ||
== | =='info1'== | ||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
! Address !! Length !! Value !! Description | ! Address !! Length !! Value !! Description | ||
|- | |- | ||
| 0x00 || | | 0x00 || 0x4 || 0x0 || | ||
|- | |||
| 0x04 || 0x4 || 0x3 || | |||
|- | |- | ||
| 0x08 || 0x8 || 0x40 || | | 0x08 || 0x8 || 0x40 || Offset/size? | ||
|- | |- | ||
| 0x10 || | | 0x10 || 0x4 || 0x0 || | ||
|- | |- | ||
| | | 0x14 || 0x4 || 0x0 || | ||
|- | |- | ||
| | | 0x18 || 0x8 || 0x1000 || 'Content' Data Size? | ||
|- | |- | ||
| | | 0x20 || 0x8 || 0x1 || | ||
|- | |- | ||
| | | 0x28 || 0x8 || 0x1 || | ||
|- | |- | ||
| | | 0x30 || 0x10 || 0x0 || | ||
|- | |- | ||
|} | |} | ||
=='content' overview== | |||
== | |||
{|class="wikitable" | {|class="wikitable" | ||
|- | |- | ||
Line 300: | Line 237: | ||
|- | |- | ||
|- | |- | ||
| 0x0 || 0x1000 || - || '' | | 0x0 || 0x1000 || - || 'content' | ||
|- | |- | ||
|} | |} | ||
=== | == Decryption == | ||
Packages can be decrypted with the unpkg tool. Decrypted content of the updates appears to always be 0x1000 bytes (4KB). | |||
=== Patch Decryption/Hashing === | |||
The following is all theoretical and is intended to discard possibilities about modes of operation used by aes when decrypting body of firmware/patch | |||
We know that: | |||
* Two key expansions are used before applying crypto on body (one probably for hashing. the other for decrypting with cbc) | |||
* Encrypt is used when applying crypto on body TopHalf (forward ttables) and Decrypt is used when applying on body Bottomhalf (inverse ttables) | |||
* Authenticated regions uses a form of what seems to be some ECB with tweak xoring (as graf once said about XTS) | |||
* XTS was introduced in 2007 and SysCon from ps3 exists for far more time than that (2003) | |||
* XEX is a close relative of XTS that was introduced in 1984 | |||
* PS4 uses XTS for Authenticated Regions or SNVS (with sector size of 0x20 being used. is this even considered safe?) | |||
* 4 regions can be controlled for DPA and they are: 0x2790 (size 0x20) (FFs), patch header (most notably at offset 0x4 of header size 0x10 and 0x30 size 0x10), patch body tophalf(+0x40) and patch body bottomhalf(+0x50) | |||
* here are the DPA bytes for each of the controlable sections: | |||
* 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DIA-001) -> 210623DCA298994DFE87F840FC481CBF | |||
* 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DEB-001) -> 210623DCA298994DFE87F840FC481CBF | |||
* 16 32 47 79 C3 2C 47 D3 2B 39 CA B5 83 41 0E D5 (section 3/header from DIA-001 patch content) | |||
* XX XX XX XX 7B FC 27 CD D5 9A 05 09 3A DF E4 75 (section 3/header AA from DEB-001 patch content) -> 6E9CE7C57BFC27CDD59A05093ADFE475 | |||
* 92 4A 87 88 20 59 6C 49 9F 0E 7D 77 2F 38 4C FC (section 3/header DD from DEB-001 patch content) | |||
* 7D C6 3B 3B 69 DF 67 4C 94 D7 D4 A8 E0 F8 5B B2 (section 4/body from DIA-001 patch content/tophalf/forward) | |||
* 73 XX F0 3D XX 9A F0 92 4D XX 62 DA XX 48 3C DB (section 4/body from DIA-001 patch content/bottomhalf/inverse) | |||
* 49 1F 7B 0A 48 BD 79 33 4E 16 89 F6 B0 25 86 48 (section 4/body from DEB-001 patch content/tophalf/forward) | |||
* 14 4D F1 D3 21 B6 17 46 60 81 42 E5 02 C9 07 66 (section 4/body from DEB-001 patch content/bottomhalf/inverse/PROPER) -> 6B3583DA1AA6B49106E1641178EE68C8 (inverse ttables) | |||
* some bytes are considered "weak" bytes and should be bruteforced in the eventuality these keys fail | |||
* another possibility is that both the header and the body are hashed and then decrypted, using for example, cmac and cbc | |||
* since key expansions take 10 "hills" in the analysis, it should be safe to assume that AES-128 is used(because it uses 10 rounds). | |||
* 6554cff202c3bfdd9740901070b705bf : correct md5 for patch content we are trying keys on (DIA-001) | |||
* 4875ad06a1499cc516a0d4d92e595794 : correct md5 for patch content we are trying keys on (DEB-001/DIA-002) | |||
* trying a different header/body patch content from another similar board will result into failure of decrypting body, which means that the header is checked for authenticity and that the header hash is NOT in the header | |||
* altering the patch header doesn't cause the patch header dpa bytes to change (a test was done with 4 bytes and the result was 16 32 47 79, which matches the other patch dpa recovered bytes) | |||
* there are in fact not 4 but 5 aes sections. the last one seems to be body related, as changing the body even one bit makes the last aes section disappear. | |||
* section 2 is divided into two sections, corresponding to TopHalf and BottomHalf of patch area. | |||
* TopHalf uses forward ttables/sbox. BottomHalf uses inverse ttables/sbox | |||
* TopHalf is ONLY the very first 0x10 bytes AFTER the header and into the body (corresponding to 0x40 in header size 0x10) | |||
* BottomHalf is the rest of the body itself. | |||
* DYN-001 processes one entire chunk of 0x1000 bytes, 0x40 for header and 0xFC0 for body, and not two of 0x400 and 0xC00 like the Sony models | |||
* 504 aes operations are done for the body (252/0xFC for cmac and 252/0xFC for cbc). it is unknown if cmac comes first or it is cbc. | |||
* All attacks show weak bytes in comparisson with CXR(F), likely due to CXR being optimized for the attack (removed resistors/capacitors, etc) | |||
== Header == | |||
The header format is partially unknown at this stage. | The header format is partially unknown at this stage. | ||
All the Firmwares patches are written in little endian. | All the Firmwares patches are written in little endian. | ||
Line 312: | Line 291: | ||
! Offset !! Length !! Notes !! Related DECR Error !! Notes | ! Offset !! Length !! Notes !! Related DECR Error !! Notes | ||
|- | |- | ||
| 0x0 || 0x4 || Magic || FFFFFED2 (Magic Error) || | | 0x0 || 0x4 || Magic || FFFFFED2 (Magic Error) || | ||
|- | |- | ||
| 0x4 || 0x10 || Header CMAC1 | | | 0x4 || 0x10 || Header CMAC1 || FFFFFED1 (Header Check Error) || CMAC of Partial Header (0x10,0x30 size) with header first 4 bytes instead of random 4 bytes and where Header CMAC2 is zeroed Concatenated with Encrypted Body | ||
|- | |- | ||
| 0x14 || 0x10 || Header CMAC2 || CMAC of Header (where this cmac has been zeroed) | | 0x14 || 0x10 || Header CMAC2 || FFFFFED1 (Header Check Error) || CMAC of Header (where this cmac has been zeroed) | ||
|- | |- | ||
| 0x24 || 0x4 || Padding || | | 0x24 || 0x4 || Padding || FFFFFED1 (Header Check Error) || | ||
|- | |- | ||
| 0x28 || 0x4 || Total size || | | 0x28 || 0x4 || Total size || FFFFFED1 (Header Check Error) || | ||
|- | |- | ||
| | | 0x2c || 0x4 || Size of binary || FFFFFED1 (Header Check Error) || | ||
|- | |- | ||
| 0x30 || 0x10 || IV for AES-128 CBC || | | 0x30 || 0x10 || IV for AES-128 CBC || FFFFFED1 (Header Check Error) || | ||
|- | |- | ||
| 0x40 || | | 0x40 || 0xfc0 || Encrypted binary || FFFFFED0 (Data Check Error) / FFFFFECF (Data Size Check Error) || | ||
|- | |- | ||
|} | |} | ||
Line 334: | Line 313: | ||
* Note3: setting data between 0x40 to 0x4C to zero in bogus update yields error FFFFFED0 | * Note3: setting data between 0x40 to 0x4C to zero in bogus update yields error FFFFFED0 | ||
=== Samples === | |||
<pre> | <pre> | ||
00000000 1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D .-p.«^³™h þ=á€j. | 00000000 1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D .-p.«^³™h þ=á€j. | ||
Line 352: | Line 331: | ||
00000020 FF 83 0B E0 00 00 00 00 40 00 06 00 00 00 06 00 ÿƒ à @ | 00000020 FF 83 0B E0 00 00 00 00 40 00 06 00 00 00 06 00 ÿƒ à @ | ||
00000030 69 B6 02 69 3A 97 8B 1C 4E 18 D4 E0 63 7D CA 94 i¶ i:—‹ N Ôàc}Ê” | 00000030 69 B6 02 69 3A 97 8B 1C 4E 18 D4 E0 63 7D CA 94 i¶ i:—‹ N Ôàc}Ê” | ||
00000040 4B A0 79 34 79 41 BD 09 BB 68 D4 0A A0 B7 05 78 | 00000040 4B A0 79 34 79 41 BD 09 BB 68 D4 0A A0 B7 05 78 K y4yA½ »hÔ · x | ||
00000050 D9 8F 8F 28 6C 9A 1B 61 CF A1 E7 49 7D CA C4 A3 Ù (lš aÏ¡çI}ÊÄ£ | 00000050 D9 8F 8F 28 6C 9A 1B 61 CF A1 E7 49 7D CA C4 A3 Ù (lš aÏ¡çI}ÊÄ£ | ||
00000060 A4 4D 4B E0 AE 48 86 03 B1 43 F2 47 C0 C4 1D 4F ¤MKà®H† ±CòGÀÄ O | 00000060 A4 4D 4B E0 AE 48 86 03 B1 43 F2 47 C0 C4 1D 4F ¤MKà®H† ±CòGÀÄ O | ||
Line 358: | Line 337: | ||
</pre> | </pre> | ||
=== | === Observations === | ||
* The first 4 bytes (0x1B2D700F) appear static in each package. | |||
* The next 0x20 bytes appear to change with each package | |||
The | * The following 12 bytes (0x0000000000100000C00F0000) also appear static, but it's the firmware size and fw size - header size; infact if correctly converted to little endian 00000000 00001000 00000fc0, where 00000000 is Unknown, 00001000 is 4096 in dec (file size) and 00000fc0 is 4032 in dec (update size). | ||
* On the DECH fw, the update works in the same way: 000000004000060000000600 converted will be: 00000000 00060040 00060000, where, 00000000 is probably padding, file size 00060040, 00060000 update size | |||
* the first 0x40 bytes probably are IV + HASH + update infos. probably the algorithm used is AES. | |||
* | * algorithm used is aes 128 cbc on the body (iv is at + 0x30) | ||
* | |||
* | |||
* | |||
= Patch structure | = Patch structure = | ||
== Mullion Patch | == Mullion Patch Content == | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Offset !! Size !! | !Offset!!Size!!Notes!!Number | ||
|- | |- | ||
| 0x00 || 0x2 || Major Version || 1 | | 0x00 || 0x2 || Major Version || 1 | ||
|- | |- | ||
| 0x02 || 0x2 || Minor Version || 1 | | 0x02 || 0x2 || Minor Version || 1 | ||
|- | |- | ||
| 0x04 || 0x2 || Major Revision || 1 | | 0x04 || 0x2 || Major Revision || 1 | ||
|- | |- | ||
| 0x06 || 0x2 || Minor Revision || 1 | | 0x06 || 0x2 || Minor Revision || 1 | ||
|- | |- | ||
| 0x08 || 0x10 || Patch Addresses || 4*4 | | 0x08 || 0x10 || Patch Addresses || 4*4 | ||
|- | |- | ||
| 0x18 || 0x10 || Patch Instruction / Data || 4*4 | | 0x18 || 0x10 || Patch Instruction / Data || 4*4 | ||
|- | |- | ||
| 0x28 || 0x10 || Patch Jump Instruction Addresses || 4*4 | | 0x28 || 0x10 || Patch Jump Instruction Addresses || 4*4 | ||
|- | |- | ||
| 0x38 || 0x388 || Additional Patch Instructions || 1 | | 0x38 || 0x388 || Additional Patch Instructions || 1 | ||
|- | |- | ||
| 0x3C0 || 0xC00 || HDMI Patch || 1 | | 0x3C0 || 0xC00 || HDMI Patch || 1 | ||
|- | |- | ||
|} | |} | ||
== Sherwood Patch | == Sherwood Patch Content == | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Offset !! Size !! | !Offset!!Size!!Notes!!Number | ||
|- | |- | ||
| 0x00 || 0x4 || Magic || 1 | | 0x00 || 0x4 || Magic || 1 | ||
|- | |- | ||
| 0x04 || 0x2 || Major Version || 1 | | 0x04 || 0x2 || Major Version || 1 | ||
|- | |- | ||
| 0x06 || 0x2 || Minor Version || 1 | | 0x06 || 0x2 || Minor Version || 1 | ||
|- | |- | ||
| 0x08 || 0x2 || Major Revision || 1 | | 0x08 || 0x2 || Major Revision || 1 | ||
|- | |- | ||
| 0x0A || 0x2 || Minor Revision || 1 | | 0x0A || 0x2 || Minor Revision || 1 | ||
|- | |- | ||
| 0x0C || 0x4 || Absolute Table Address || 1 | | 0x0C || 0x4 || Absolute Table Address || 1 | ||
|- | |- | ||
| 0x10 || 0x2 || Data Size || 1 | | 0x10 || 0x2 || Data Size || 1 | ||
|- | |- | ||
| 0x12 || 0x2 || Data Checksum || 1 | | 0x12 || 0x2 || Data Checksum || 1 | ||
|- | |- | ||
| 0x14 || 0x2 || Patch Checksum || 1 | | 0x14 || 0x2 || Patch Checksum || 1 | ||
|- | |- | ||
| 0x16 || 0x2 || Relative Data Address || 1 | | 0x16 || 0x2 || Relative (0x2000) Data Address || 1 | ||
|- | |- | ||
| 0x18 || 0x2 || Relative Table Address || 1 | | 0x18 || 0x2 || Relative (0x2000) Table Address || 1 | ||
|- | |- | ||
| | | ------ || 0x80 || Table with Addresses || 32*4 | ||
|- | |- | ||
| | | ------ || ------ || Data (not parsed on SW) || - | ||
|- | |- | ||
|} | |} | ||
= Command list = | = Command list (Mullion) = | ||
== | == External commands == | ||
{| class="wikitable" | |||
{| class="wikitable | |||
! Address !! Command !! Subcommand !! Permission | ! Address !! Command !! Subcommand !! Permission | ||
|- | |- | ||
Line 569: | Line 503: | ||
|} | |} | ||
== Internal commands == | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
Line 614: | Line 548: | ||
|disp_err ||0x25911 || 0xDD0C0000|| - || Displays errors | |disp_err ||0x25911 || 0xDD0C0000|| - || Displays errors | ||
|- | |- | ||
|duty || 0x9B23 || 0xDD0C0000 || get/getmin/getmax/ | |duty || 0x9B23 || 0xDD0C0000 || get/set/getmin/setmin/getmax/setmax/getinmin/setinmin/getinmax/setinmax || Fan policy | ||
|- | |- | ||
|dve || 0x2995D || 0xDC0C0000 || help/set/save/show || DVE chip parameters | |dve || 0x2995D || 0xDC0C0000 || help/set/save/show || DVE chip parameters | ||
|- | |- | ||
|eepcsum || 0xAA65 || 0xDD0C0000|| - || | |eepcsum || 0xAA65 || 0xDD0C0000|| - || Does nothing | ||
|- | |- | ||
|eepromcheck || 0x9A1D || 0x000C0000 || [id] || Check eeprom | |eepromcheck || 0x9A1D || 0x000C0000 || [id] || Check eeprom | ||
Line 636: | Line 566: | ||
|fanconautotype || 0xC075 || 0xDD0C0000|| - || Does nothing | |fanconautotype || 0xC075 || 0xDD0C0000|| - || Does nothing | ||
|- | |- | ||
|fanconmode || 0xBF35 || 0xDD0C0000 || get || Fan control mode | |fanconmode || 0xBF35 || 0xDD0C0000 || get || Fan control mode | ||
|- | |- | ||
|fanconpolicy || 0xBBC9 || 0xDD0C0000 || get/set/getini/setini || Fan control policy | |fanconpolicy || 0xBBC9 || 0xDD0C0000 || get/set/getini/setini || Fan control policy | ||
|- | |- | ||
|fandiag || 0x1E91B || 0xF0000000|| - || Fan | |fandiag || 0x1E91B || 0xF0000000|| - || Fan test | ||
|- | |- | ||
|faninictrl || 0xD3D9 || 0x0D000000|| - || Does nothing | |faninictrl || 0xD3D9 || 0x0D000000|| - || Does nothing | ||
Line 656: | Line 578: | ||
|fanservo || 0xBF29 || 0xDD0C0000|| - || Does nothing | |fanservo || 0xBF29 || 0xDD0C0000|| - || Does nothing | ||
|- | |- | ||
|fantbl || 0xC087 || 0xDD0C0000 || get/set/getini/setini/gettable/settable | |fantbl || 0xC087 || 0xDD0C0000 || get/set/getini/setini/gettable/settable || Fan table: get/set - currently in RAM/in use ; getini/setini - stored in EEPROM (!! in COK the chksum does not updated automatically !!) | ||
<pre> | <pre> | ||
fantbl - Fan Table set/get command | |||
Usage: fantbl set fanconNo pNo tempD tempU duty | Usage: fantbl set fanconNo pNo tempD tempU duty | ||
ex. fantbl set 0 p1 0x1400 0x1E40 0xC0 | ex. fantbl set 0 p1 0x1400 0x1E40 0xC0 | ||
Line 703: | Line 626: | ||
|hdmiid2 || 0x29D81 || 0xDC0F0000|| - || Get HDMI id's | |hdmiid2 || 0x29D81 || 0xDC0F0000|| - || Get HDMI id's | ||
|- | |- | ||
|hversion || 0x2422F || 0xDD0C0000|| - || | |hversion || 0x2422F || 0xDD0C0000|| - || Platform ID | ||
|- | |- | ||
|hyst || 0xAEF5 || 0xDD0C0000 || get/set/getini/setini || | |hyst || 0xAEF5 || 0xDD0C0000 || get/set/getini/setini || Temperature zones | ||
|- | |- | ||
|lasterrlog || 0xB7FF || 0xDD0C0000|| - || Last error from log | |lasterrlog || 0xB7FF || 0xDD0C0000|| - || Last error from log | ||
Line 764: | Line 680: | ||
|restartlogerrtoeep || 0xB903 || 0xDD0C0000|| - || Reenable error logging to eeprom | |restartlogerrtoeep || 0xB903 || 0xDD0C0000|| - || Reenable error logging to eeprom | ||
|- | |- | ||
|revision || 0xD7E1 || 0xFFFF0000|| - || Get | |revision || 0xD7E1 || 0xFFFF0000|| - || Get softid | ||
|- | |- | ||
|rrsxc || 0xD313 || 0xDD0C0000 || [offset] [length] || Read from RSX | |rrsxc || 0xD313 || 0xDD0C0000 || [offset] [length] || Read from RSX | ||
Line 792: | Line 708: | ||
|task || 0x15005 || 0xDD0C0000|| - || Print tasks | |task || 0x15005 || 0xDD0C0000|| - || Print tasks | ||
|- | |- | ||
|thalttest || 0xD813 || 0x000F0000|| - || | |thalttest || 0xD813 || 0x000F0000|| - || Does nothing | ||
|- | |- | ||
|thermfatalmode || 0xCA3B || 0xDD0C0000 || canboot/cannotboot || Set boot mode | |thermfatalmode || 0xCA3B || 0xDD0C0000 || canboot/cannotboot || Set thermal boot mode | ||
|- | |- | ||
|therrclr || 0xD3E5 || 0xDD0C0000|| - || | |therrclr || 0xD3E5 || 0xDD0C0000|| - || Thermal register clear | ||
|- | |- | ||
|thrm || 0xBF1D || 0xDD0C0000|| - || Does nothing | |thrm || 0xBF1D || 0xDD0C0000|| - || Does nothing | ||
|- | |- | ||
|tmp ||0xAA69 || 0xDD0C0000 || [ | |tmp ||0xAA69 || 0xDD0C0000 || [zone] || Get temperature | ||
|- | |- | ||
|trace || 0xB951 || 0xDD0C0000 || ... || Trace tasks (use help) | |trace || 0xB951 || 0xDD0C0000 || ... || Trace tasks (use help) | ||
Line 816: | Line 728: | ||
</pre> | </pre> | ||
|- | |- | ||
|trp ||0xAB2F || 0xDD0C0000 || get/set/getini/setini || | |trp ||0xAB2F || 0xDD0C0000 || get/set/getini/setini || Temperature zones | ||
|- | |- | ||
|tsensor || 0xA279 || 0xDD0C0000 || [ | |tsensor || 0xA279 || 0xDD0C0000 || [sensor] || Get raw temperature | ||
|- | |- | ||
|tshutdown || 0xB2A1 || 0xDD0C0000 || get/set/getini/setini || Thermal shutdown | |tshutdown || 0xB2A1 || 0xDD0C0000 || get/set/getini/setini || Thermal shutdown | ||
|- | |- | ||
|tshutdowntime || 0xC95D || 0xDD0C0000 || | |tshutdowntime || 0xC95D || 0xDD0C0000 || [time] || Thermal shutdown time | ||
|- | |- | ||
|tzone || 0xB5E1 || 0xDD0C0000|| - || | |tzone || 0xB5E1 || 0xDD0C0000|| - || Show thermal zones | ||
|- | |- | ||
|version || 0xD65F || 0xFFFF0000|| - || | |version || 0xD65F || 0xFFFF0000|| - || SC firmware version | ||
|- | |- | ||
|w ||0x8BF9 || 0xDD0C0000 || [offset] [value] || Write byte to SC | |w ||0x8BF9 || 0xDD0C0000 || [offset] [value] || Write byte to SC | ||
Line 890: | Line 754: | ||
|wrsxc || 0xD279 || 0xDD0C0000 || [offset] [value] || Write to RSX | |wrsxc || 0xD279 || 0xDD0C0000 || [offset] [value] || Write to RSX | ||
|- | |- | ||
|xdrdiag || 0x1E711 || 0xF0000000 || start/info/result || XDR | |xdrdiag || 0x1E711 || 0xF0000000 || start/info/result || XDR diag | ||
|- | |- | ||
|xiodiag || 0x1E875 || 0xF0000000|| - || XIO | |xiodiag || 0x1E875 || 0xF0000000|| - || XIO diag | ||
|- | |- | ||
|xrcv || 0x25313 || 0xDC0C0000|| - || Xmodem receive | |xrcv || 0x25313 || 0xDC0C0000|| - || Xmodem receive | ||
Line 898: | Line 762: | ||
|} | |} | ||
= | = Command list (Sherwood) = | ||
== SW-301 Command List == | |||
{| class="wikitable sortable | * A_AUTH = 0x0700 | ||
| | * B_AUTH = 0x0B00 | ||
! | * INT = 0x0300 | ||
* ANY = 0x0F00 | |||
{| class="wikitable sortable" | |||
|- | |||
!Address!! Command!! Permission | |||
|- | |||
|0x32030|| hdmi ||A_AUTH | |||
|- | |||
|0x2FB30|| tsensor ||A_AUTH | |||
|- | |||
|0x2FE7F|| tmp ||A_AUTH | |||
|- | |||
|0x2FFA6|| trp ||A_AUTH | |||
|- | |||
|0x301D8|| tshutdown ||A_AUTH | |||
|- | |||
|0x3041B|| tzone ||A_AUTH | |||
|- | |||
|0x30482|| thrm ||A_AUTH | |||
|- | |||
|0x307EF|| duty ||A_AUTH | |||
|- | |||
|0x30C0D|| fanconpolicy ||A_AUTH | |||
|- | |||
|0x30DF9|| fanconmode ||A_AUTH | |||
|- | |||
|0x30F3B|| fantbl ||A_AUTH | |||
|- | |||
|0x305F2|| hyst ||A_AUTH | |||
|- | |||
|0x313EB|| powupcause ||A_AUTH | |||
|- | |||
|0x31460|| syspowdown ||A_AUTH | |||
|- | |||
|0x316C6|| devpm ||A_AUTH | |||
|- | |||
|0x318CF|| powerstate ||A_AUTH | |||
|- | |||
|0x31AC2|| nonfatalerror ||A_AUTH | |||
|- | |||
|0x2F82A|| getrtc ||INT | |||
|- | |||
|0x2ED2B|| help ||A_AUTH | |||
|- | |||
|0x2EED7|| meminfo ||INT | |||
|- | |||
|0x2EF63|| rbe ||INT | |||
|- | |||
|0x2F1FC|| DISABLEALLERASE ||A_AUTH | |||
|- | |||
|0x2F281|| task ||INT | |||
|- | |||
|0x2F460|| cleareep ||INT | |||
|- | |||
|0x2F499|| commt ||INT | |||
|- | |||
|0x2F79B|| bestat ||A_AUTH | |||
|- | |||
|0x2DAC3|| bringup ||A_AUTH | |||
|- | |||
|0x2DC1C|| shutdown ||A_AUTH | |||
|- | |||
|0x2DC9B|| r ||A_AUTH | |||
|- | |||
|0x2DC9B|| r16 ||A_AUTH | |||
|- | |||
|0x2DC9B|| r32 ||A_AUTH | |||
|- | |||
|0x2E7BC|| r64 ||A_AUTH | |||
|- | |||
|0x2E7BC|| r64d ||A_AUTH | |||
|- | |||
|0x2E03B|| w ||A_AUTH | |||
|- | |||
|0x2E03B|| w16 ||A_AUTH | |||
|- | |||
|0x2E03B|| w32 ||A_AUTH | |||
|- | |||
|0x2E6C1|| w64 ||A_AUTH | |||
|- | |||
|0x2E6C1|| wbe ||A_AUTH | |||
|- | |||
|0x2DAC3|| BOOT ||A_AUTH | |||
|- | |||
|0x2DC1C|| HALT ||A_AUTH | |||
|- | |||
|0x2DC7B|| BOOTENABLE ||A_AUTH | |||
|- | |||
|0x2DC9B|| R8 ||A_AUTH | |||
|- | |||
|0x2DC9B|| R16 ||A_AUTH | |||
|- | |||
|0x2DC9B|| R32 ||A_AUTH | |||
|- | |||
|0x2E03B|| W8 ||A_AUTH | |||
|- | |||
|0x2E03B|| W16 ||A_AUTH | |||
|- | |||
|0x2E03B|| W32 ||A_AUTH | |||
|- | |||
|0x2E8C2|| EEP ||A_AUTH | |||
|- | |||
|0x2E9B8|| PDAREA ||A_AUTH | |||
|- | |||
|0x2E9B8|| CSAREA ||A_AUTH | |||
|- | |||
|0x2EC36|| portset ||INT | |||
|- | |||
|0x2ECF9|| extend ||A_AUTH | |||
|- | |||
|0x80D0 || version ||ANY | |||
|- | |||
|0x812B || revision ||ANY | |||
|- | |||
|0x8251 || setcmdlong ||ANY | |||
|- | |||
|0x81C3 || VER ||ANY | |||
|- | |||
|0x8251 || SETCMDLONG ||ANY | |||
|- | |||
|0x8356 || csum ||A_AUTH | |||
|- | |||
|0x8555 || AUTH1 ||B_AUTH | |||
|- | |||
|0x8555 || AUTH2 ||B_AUTH | |||
|- | |||
|0x86FB || AUTHVER ||ANY | |||
|- | |||
|0x311DA|| ERRLOG ||ANY | |||
|- | |||
|0x311DA|| errlog ||ANY | |||
|- | |||
|0x31C87|| powersw ||A_AUTH | |||
|- | |||
|0x31CA5|| ejectsw ||A_AUTH | |||
|- | |||
|0x31CC5|| buzzduty ||INT | |||
|- | |||
|0x31D24|| buzz ||INT | |||
|- | |||
|0x33F98|| VID ||A_AUTH | |||
|- | |||
|0x340BF|| CID ||A_AUTH | |||
|- | |||
|0x340BF|| ECID ||A_AUTH | |||
|- | |||
|0x34211|| SPU ||A_AUTH | |||
|- | |||
|0x342BC|| REV ||A_AUTH | |||
|- | |||
|0x34363|| KSV ||A_AUTH | |||
|- | |||
|0x3441B|| portscan ||A_AUTH | |||
|- | |||
|0x33F46|| eepcsum ||A_AUTH | |||
|- | |||
|0x346DD|| patchinfo ||A_AUTH | |||
|- | |||
|0x346F3|| poll ||INT | |||
|- | |||
|0x3470F|| recv ||INT | |||
|- | |||
|0x3472B|| send ||INT | |||
|- | |||
|0x34747|| LS ||INT | |||
|- | |||
|0x34763|| hversion ||INT | |||
|- | |||
|} | |||
== SW2-301 Command List == | |||
* A_AUTH = 0x0700 | |||
* B_AUTH = 0x0B00 | |||
* INT = 0x0300 | |||
* ANY = 0x0F00 | |||
{| class="wikitable sortable" | |||
|- | |||
!Address!! Command !!Permission | |||
|- | |||
|0x3D989|| hdmi ||A_AUTH | |||
|- | |||
|0x3B1CF|| tsensor ||A_AUTH | |||
|- | |||
|0x3B3D5|| tmp ||A_AUTH | |||
|- | |||
|0x3B627|| trp ||A_AUTH | |||
|- | |||
|0x3B645|| tshutdown ||A_AUTH | |||
|- | |||
|0x3B663|| tzone ||A_AUTH | |||
|- | |||
|0x3B6C9|| thrm ||A_AUTH | |||
|- | |||
|0x3B95D|| duty ||A_AUTH | |||
|- | |||
|0x3BBB9|| fanconpolicy ||A_AUTH | |||
|- | |||
|0x3BD48|| fanconmode ||A_AUTH | |||
|- | |||
|0x3BE58|| fantbl ||A_AUTH | |||
|- | |||
|0x3C07D|| fanservo ||A_AUTH | |||
|- | |||
|0x3C2E2|| fanservostat ||A_AUTH | |||
|- | |||
|0x3B7F0|| hyst ||A_AUTH | |||
|- | |||
|0x3C695|| powupcause ||A_AUTH | |||
|- | |||
|0x3C70A|| syspowdown ||A_AUTH | |||
|- | |||
|0x3C98A|| devpm ||A_AUTH | |||
|- | |||
|0x3CB93|| powerstate ||A_AUTH | |||
|- | |||
|0x3CDF0|| nonfatalerror ||A_AUTH | |||
|- | |||
|0x3AD68|| getrtc ||INT | |||
|- | |||
|0x3A280|| help ||A_AUTH | |||
|- | |||
|0x3A42C|| meminfo ||INT | |||
|- | |||
|0x3A4B8|| rbe ||INT | |||
|- | |||
|0x3A751|| DISABLEALLERASE ||A_AUTH | |||
|- | |||
|0x3A7D6|| task ||INT | |||
|- | |||
|0x3A99E|| cleareep ||INT | |||
|- | |||
|0x3A9D7|| commt ||INT | |||
|- | |||
|0x3ACD9|| bestat ||A_AUTH | |||
|- | |||
|0x39018|| bringup ||A_AUTH | |||
|- | |||
|0x39171|| shutdown ||A_AUTH | |||
|- | |||
|0x391F0|| r ||A_AUTH | |||
|- | |||
|0x391F0|| r16 ||A_AUTH | |||
|- | |||
|0x391F0|| r32 ||A_AUTH | |||
|- | |||
|0x39D11|| r64 ||A_AUTH | |||
|- | |||
|0x39D11|| r64d ||A_AUTH | |||
|- | |||
|0x39590|| w ||A_AUTH | |||
|- | |||
|0x39590|| w16 ||A_AUTH | |||
|- | |||
|0x39590|| w32 ||A_AUTH | |||
|- | |||
|0x39C16|| w64 ||A_AUTH | |||
|- | |||
|0x39C16|| wbe ||A_AUTH | |||
|- | |||
|0x39018|| BOOT ||A_AUTH | |||
|- | |||
|0x39171|| HALT ||A_AUTH | |||
|- | |||
|0x391D0|| BOOTENABLE ||A_AUTH | |||
|- | |||
|0x391F0|| R8 ||A_AUTH | |||
|- | |||
|0x391F0|| R16 ||A_AUTH | |||
|- | |||
|0x391F0|| R32 ||A_AUTH | |||
|- | |||
|0x39590|| W8 ||A_AUTH | |||
|- | |||
|0x39590|| W16 ||A_AUTH | |||
|- | |||
|0x39590|| W32 ||A_AUTH | |||
|- | |||
|0x39E17|| EEP ||A_AUTH | |||
|- | |||
|0x39F0D|| PDAREA ||A_AUTH | |||
|- | |||
|0x39F0D|| CSAREA ||A_AUTH | |||
|- | |||
|0x3A18B|| portset ||INT | |||
|- | |||
|0x3A24E|| extend ||A_AUTH | |||
|- | |||
|0xA0F1 || version ||ANY | |||
|- | |||
|0xA14C || revision ||ANY | |||
|- | |||
|0xA272 || setcmdlong ||ANY | |||
|- | |||
|0xA1E4 || VER ||ANY | |||
|- | |||
|0xA272 || SETCMDLONG ||ANY | |||
|- | |||
|0xA37B || csum ||A_AUTH | |||
|- | |||
|0xA5AF || AUTH1 ||B_AUTH | |||
|- | |||
|0xA5AF || AUTH2 ||B_AUTH | |||
|- | |||
|0xA755 || AUTHVER ||ANY | |||
|- | |||
|0x3C484|| ERRLOG ||ANY | |||
|- | |||
|0x3C484|| errlog ||ANY | |||
|- | |||
|0x3D005|| powersw ||A_AUTH | |||
|- | |||
|0x3D023|| ejectsw ||A_AUTH | |||
|- | |||
|0x3D043|| buzzduty ||INT | |||
|- | |||
|0x3D0A2|| buzz ||INT | |||
|- | |||
|0x3FC43|| VID ||A_AUTH | |||
|- | |||
|0x3FD6A|| CID ||A_AUTH | |||
|- | |||
|0x3FD6A|| ECID ||A_AUTH | |||
|- | |||
|0x3FEBC|| SPU ||A_AUTH | |||
|- | |||
|0x3FF67|| REV ||A_AUTH | |||
|- | |||
|0x4000E|| KSV ||A_AUTH | |||
|- | |||
|0x400C6|| portscan ||A_AUTH | |||
|- | |||
|0x3FBF1|| eepcsum ||A_AUTH | |||
|- | |||
|0x40388|| patchinfo ||A_AUTH | |||
|- | |||
|0x4039E|| poll ||INT | |||
|- | |||
|0x403BA|| recv ||INT | |||
|- | |||
|0x403D6|| send ||INT | |||
|- | |||
|0x403F2|| LS ||INT | |||
|- | |||
|0x4040E|| hversion ||INT | |||
|- | |||
|} | |||
* Note: Very similar to ps4 southbridge firmware. Only difference here is the string is Playstation 3 | |||
== SW3-304 Commandlist == | |||
{| class="wikitable sortable" | |||
|- | |||
! Address!! Command!! Permission | |||
|- | |||
|0x3E21D|| hdmi ||A_AUTH | |||
|- | |||
|0x3B8F0|| tsensor ||A_AUTH | |||
|- | |||
|0x3BAF6|| tmp ||A_AUTH | |||
|- | |||
|0x3BD48|| trp ||A_AUTH | |||
|- | |||
|0x3BD66|| tshutdown ||A_AUTH | |||
|- | |||
|0x3BD84|| tzone ||A_AUTH | |||
|- | |||
|0x3BDEA|| thrm ||A_AUTH | |||
|- | |||
|0x3C07E|| duty ||A_AUTH | |||
|- | |||
|0x3C2DA|| fanconpolicy ||A_AUTH | |||
|- | |||
|0x3C469|| fanconmode ||A_AUTH | |||
|- | |||
|0x3C579|| fantbl ||A_AUTH | |||
|- | |||
|0x3C79E|| fanservo ||A_AUTH | |||
|- | |||
|0x3CA03|| fanservostat ||A_AUTH | |||
|- | |||
|0x3CB6B|| fanservosetval ||A_AUTH | |||
|- | |||
|0x3BF11|| hyst ||A_AUTH | |||
|- | |||
|0x3CE8E|| powupcause ||A_AUTH | |||
|- | |||
|0x3CF03|| syspowdown ||A_AUTH | |||
|- | |||
|0x3D183|| devpm ||A_AUTH | |||
|- | |||
|0x3D38C|| powerstate ||A_AUTH | |||
|- | |||
|0x3D5E9|| nonfatalerror ||A_AUTH | |||
|- | |||
|0x3B489|| getrtc ||INT | |||
|- | |||
|0x3A9A1|| help ||A_AUTH | |||
|- | |||
|0x3AB4D|| meminfo ||INT | |||
|- | |||
|0x3ABD9|| rbe ||INT | |||
|- | |||
|0x3AE72|| DISABLEALLERASE ||A_AUTH | |||
|- | |||
|0x3AEF7|| task ||INT | |||
|- | |||
|0x3B0BF|| cleareep ||INT | |||
|- | |||
|0x3B0F8|| commt ||INT | |||
|- | |||
|0x3B3FA|| bestat ||A_AUTH | |||
|- | |||
|0x39739|| bringup ||A_AUTH | |||
|- | |||
|0x39892|| shutdown ||A_AUTH | |||
|- | |||
|0x39911|| r ||A_AUTH | |||
|- | |||
|0x39911|| r16 ||A_AUTH | |||
|- | |||
|0x39911|| r32 ||A_AUTH | |||
|- | |||
|0x3A432|| r64 ||A_AUTH | |||
|- | |||
|0x3A432|| r64d ||A_AUTH | |||
|- | |||
|0x39CB1|| w ||A_AUTH | |||
|- | |||
|0x39CB1|| w16 ||A_AUTH | |||
|- | |||
|0x39CB1|| w32 ||A_AUTH | |||
|- | |||
|0x3A337|| w64 ||A_AUTH | |||
|- | |||
|0x3A337|| wbe ||A_AUTH | |||
|- | |||
|0x39739|| BOOT ||A_AUTH | |||
|- | |||
|0x39892|| HALT ||A_AUTH | |||
|- | |||
|0x398F1|| BOOTENABLE ||A_AUTH | |||
|- | |||
|0x39911|| R8 ||A_AUTH | |||
|- | |||
|0x39911|| R16 ||A_AUTH | |||
|- | |||
|0x39911|| R32 ||A_AUTH | |||
|- | |||
|0x39CB1|| W8 ||A_AUTH | |||
|- | |||
|0x39CB1|| W16 ||A_AUTH | |||
|- | |||
|0x39CB1|| W32 ||A_AUTH | |||
|- | |||
|0x3A538|| EEP ||A_AUTH | |||
|- | |||
|0x3A62E|| PDAREA ||A_AUTH | |||
|- | |||
|0x3A62E|| CSAREA ||A_AUTH | |||
|- | |||
|0x3A8AC|| portset ||INT | |||
|- | |||
|0x3A96F|| extend ||A_AUTH | |||
|- | |||
|0xA0FF || version ||ANY | |||
|- | |||
|0xA15A || revision ||ANY | |||
|- | |||
|0xA280 || setcmdlong ||ANY | |||
|- | |||
|0xA1F2 || VER ||ANY | |||
|- | |||
|0xA280 || SETCMDLONG ||ANY | |||
|- | |||
|0xA389 || csum ||A_AUTH | |||
|- | |||
|0xA5BD || AUTH1 ||B_AUTH | |||
|- | |||
|0xA5BD || AUTH2 ||B_AUTH | |||
|- | |||
|0xA763 || AUTHVER ||ANY | |||
|- | |||
|0x3CC7D|| ERRLOG ||ANY | |||
|- | |||
|0x3CC7D|| errlog ||ANY | |||
|- | |||
|0x3D7FE|| powersw ||A_AUTH | |||
|- | |||
|0x3D81C|| ejectsw ||A_AUTH | |||
|- | |||
|0x3D83C|| doorsw ||A_AUTH | |||
|- | |||
|0x3D8D7|| buzzduty ||INT | |||
|- | |||
|0x3D936|| buzz ||INT | |||
|- | |||
|0x404D8|| VID ||A_AUTH | |||
|- | |||
|0x405FF|| CID ||A_AUTH | |||
|- | |||
|0x405FF|| ECID ||A_AUTH | |||
|- | |||
|0x40751|| SPU ||A_AUTH | |||
|- | |||
|0x407FC|| REV ||A_AUTH | |||
|- | |||
|0x408A3|| KSV ||A_AUTH | |||
|- | |||
|0x4095B|| MOUNTINFO ||A_AUTH | |||
|- | |||
|0x40A2A|| portscan ||A_AUTH | |||
|- | |||
|0x40486|| eepcsum ||A_AUTH | |||
|- | |||
|0x40CF2|| patchinfo ||A_AUTH | |||
|- | |||
|0x40D08|| poll ||INT | |||
|- | |||
|0x40D24|| recv ||INT | |||
|- | |||
|0x40D40|| send ||INT | |||
|- | |- | ||
|0x40D5C|| LS ||INT | |||
|- | |- | ||
| | |0x40D78|| hversion ||INT | ||
| | |||
| | |||
|} | |} | ||