The Last Piece of the Puzzle

• http://www.psdevwiki.com/ps3/Syscon_Hardware (<SW-301)
• http://www.psdevwiki.com/ps3/Service_Connectors (Diag/Backup Mode, <3rd Generation)
• http://www.psdevwiki.com/ps3/Talk:Syscon_Hardware#Backup_Mode_.2F_Diag
• http://www.psdevwiki.com/ps3/Talk:Service_Connectors
• http://www.ps3devwiki.com/ps3/Cell_Configuration_Ring
• http://www.psdevwiki.com/ps3/SIG_File_Format
• http://i.imgur.com/xQizq0K.png
• http://www.psdevwiki.com/ps3/images/a/ac/TMU-520_1-871-645-11_A_Detail_3_%28SYSCON%29.jpg
• http://www.psdevwiki.com/ps3/File:PS3_Service_Connector_1st_Generation_COK-001.png
• http://en.wikipedia.org/wiki/ARM7#ARM7TDMI
• http://www.fpga4fun.com/images/JTAG_TAP.gif
• http://hsb.wikidot.com/arduino-jtag-finder-workshop
• https://www.youtube.com/watch?v=Up0697E5DGc
• http://urjtag.org/
• http://i.imgur.com/O10hqAK.png
• http://pastie.org/private/grd5u9izjlglkult64rta

How

• By enabling diagnostic mode on the ps3, we can enable the use of JTAG again (it's temporarily disabled when diag mode isn't set)
• It is possible to dump the syscon firmware using this method (in unencrypted state)
• The JTAG registers/TAP-controllers need to be bruteforced / reverse engineered
• The leaked service manuals present information about the pins connected to the JigPin
• The JigPin contains an object used to diagnose the ps3 using JTAG
• Using a DIY JigPin would facilitate the task
• This would probably work on ps4 too (provided that the diag pin and the JTAG pins still exist)