Syscon Firmware: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
m (→‎Header: ops.. forgot to add infos. now added :D)
Line 195: Line 195:


== Access to Syscon from Linux ==
== Access to Syscon from Linux ==
Access SysCon ROM without needing ps3dm-utils: http://wiki.gitbrew.org/index.php/PS3:HvReverseEngineering#SYSCON
Access SysCon ROM without needing ps3dm-utils: http://wiki.gitbrew.org/wikibrew/PS3:HvReverseEngineering#SYSCON


{{Console}}
{{Console}}

Revision as of 14:32, 14 May 2012

Syscon Firmware is the firmware stored on the System Controller EEPROM (see Syscon Hardware). Updates are stored in update packages within the Update_files.tar of a Playstation Update Package (PUP). Syscon Packages appear to always be 5KB (5376 bytes) in size.


Syscon update packages

d/l: syscon_fw1.00-4.00.rar (51.74 KB)

Package structure

Sys_con_firmware Packages can be unpacked with unpkg

Overview

Address Length Value Description
0x00 0x4 ASCI:"SCE" SCE magic header
0x04 0x4 0x2 Flags
0x08 0x4 0x3 Type (0x3 = PKG)
0x0C 0x4 0x0 Blank/Unknown
0x10 0x4 0x0 Blank/Unknown
0x10 0x8 0x280 Start Data Offset ('hdr_len')
0x18 0x8 0x1080 Data Size ('dec_size')
0x20 0x260 - Header
0x280 0x40 - 'info0' section (see below)
0x2C0 0x40 - 'info1' section (see below)
0x300 0x1000 - 'content'

'info0'

Address Length Value Description
0x00 0x4 0x3
0x04 0x4 0x8
0x08 0x4 0x0 or 0x1
0x0C 0x4 0x0B8E
0x0C16
0x0D52
0x0DBF
0x0E69
0x0F29
0x0F38
0x065D
0x0832
0x08C2
0x0918
'SoftID'
0x10 0x8 0x0001000000000004
0x0001000000000005
0x0001000000000006
0x0001000100030002
0x0001000100030003
0x0001000200030002
0x0001000300030002
0x0001000400040002
0x0001000500000002
0x0001000500010001
0x00010002083E0832
'PatchID'
0x18 0x8 0x1000 'Content' Data Size?
0x20 0x8 0x1000 'Content' Data Size?
0x28 0x8 0x0
0x30 0x10 0x0

'info1'

Address Length Value Description
0x00 0x4 0x0
0x04 0x4 0x3
0x08 0x8 0x40 Offset/size?
0x10 0x4 0x0
0x14 0x4 0x0
0x18 0x8 0x1000 'Content' Data Size?
0x20 0x8 0x1
0x28 0x8 0x1
0x30 0x10 0x0

'content' overview

Address Length Value Description
0x0 0x1000 - 'content'

Known Retail syscon update packages

These are in in full Retail/CEX and Debug/DEX firmwares:

sys_con_firmware package 1.00-1.30 1.30-1.80 1.81-2.80 3.00-3.30 3.40 3.41-4.11 SoftID Notes
SYS_CON_FIRMWARE_01000004.pkg No Yes No No No No 0B8E
SYS_CON_FIRMWARE_01000005.pkg No No Yes Yes No No 0B8E
SYS_CON_FIRMWARE_01000006.pkg No No No No Yes Yes 0B8E
SYS_CON_FIRMWARE_01010302.pkg No No Yes Yes No No 0C16
SYS_CON_FIRMWARE_01010303.pkg No No No No Yes Yes 0C16
SYS_CON_FIRMWARE_01020302.pkg No No No No Yes Yes 0D52
SYS_CON_FIRMWARE_01030302.pkg No No No No Yes Yes 0DBF
SYS_CON_FIRMWARE_01040402.pkg No No No No Yes Yes 0E69
SYS_CON_FIRMWARE_01050002.pkg No No No No Yes Yes 0F29
SYS_CON_FIRMWARE_01050101.pkg No No No No No Yes 0F38
SYS_CON_FIRMWARE_S1_00010002083E0832.pkg No No No Yes Yes Yes 0832

This means from syscon perspective notible firmware changes where made at 1.30, 1.81, 3.00 and 3.40 of all PS3 models (FW 1.30 added Backup/Restore, FW 3.00 resulted in Class action suit for BluRay reading problems). The '01050101' patch since 3.41 was only done for 'SoftID' 0x0F38.

NonRetail syscon

Remember, Debug/DEX consoles are normal retail consoles with different TargetID, so only those that have a nonretail board have deviating patches (like the CXR713F120A found on the DECR1000A TOOL/DECR).

Tool/DECR don't have patches, they flash entire firmwares.

Deviating from Retail

Please note that without info about the SKU the listing of ID's is pretty useless

sys_con_firmware package 1.00-1.30 1.30-1.80 1.81-2.80 3.00-3.30 3.40 3.41-4.11 SoftID Notes
? ? ? ? ? ? Yes 08A0 Debug/DEX

Usage

The firmware PUP's contains a collection of patches for all the different hardware revisions of syscon's chips used in different motherboard models.

The ps3swu.self (system updater) decides wich applicable Syscon Hardware is present and installs the needed package update(s) accordingly (via updater manager ss service).

Which syscon version and which patches are installed can be seen in More_System_Information

Decryption

Packages can be decrypted with the unpkg tool. Decrypted content of the updates appears to always be 0x1000 bytes (4KB).

Header

The header format is partially unknown at this stage. All the Firmwares patches are written in little endian.

Offset Lenght Notes
0x0 0x4 Header
0x4 0x20 header checksum?
0x24 0x4 header offset?
0x28 0x4 file size
0x2c 0x4 binary size
0x30 0x10 binary checksum?
0x40 0xfc0 binary

Sample

00000000  1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D  .-p.«^³™h þ=á€j.
00000010  B8 FD 37 CF CD 45 85 AB 51 F7 05 E3 EA 32 A5 EA  ¸ý7ÏÍE…«Q÷.ãê2¥ê
00000020  67 45 F9 48 00 00 00 00 00 10 00 00 C0 0F 00 00  gEùH........À...
00000030  8B 04 07 F9 9B A2 90 3A 75 89 F1 42 12 59 DA 0D  ‹..ù›¢.:u‰ñB.YÚ.
00000040  21 7C A2 C3 5A E4 78 00 10 8D 4B F7 A2 73 9C 63  !|¢ÃZäx...K÷¢sœc
00000050  5D 8D 5D 49 16 C7 6F 2C AD 33 FE 1F D3 6C A1 CA  ].]I.Ço,.3þ.Ól¡Ê
00000060  BA AD 2B FE 8F 33 71 D7 C5 E6 5C FF BF 77 6C 80  º.+þ.3q×Åæ\ÿ¿wl€
00000070  F2 BE 11 BB 3C 52 52 DC A9 68 E5 24 AD 4F F3 48  ò¾.»<RRÜ©hå$.OóH

Observations

  • The first 4 bytes (0x1B2D700F) appear static in each package.
  • The next 20 bytes appear to change with each package
  • The following 12 bytes (0x0000000000100000C00F0000) also appear static, but it's the firmware size and fw size - header size; infact if correctly converted to little endian 00000000 00001000 00000fc0, where 00000000 is Unknown, 00001000 is 4096 in dec (firmware size) and 00000fc0 is 4032 in dec (where the binary starts).

Access to Syscon from Linux

Access SysCon ROM without needing ps3dm-utils: http://wiki.gitbrew.org/wikibrew/PS3:HvReverseEngineering#SYSCON

Template:Console