Talk:Syscon Firmware: Difference between revisions

From PS3 Developer wiki
m (→‎sc auth keys old: Deleted dead link and the keys that was published on Keys#sc_iso. Please someone review the remaining keys and delete them from here)
m (→‎Updating Syscon on Tool/DECR: Deleted dead link)
Line 165: Line 165:


== Updating Syscon on Tool/DECR ==
== Updating Syscon on Tool/DECR ==
[https://cdn.anonfiles.com/1355932907234.rar v1.0.4c2_TMU510_u.bin]


'''Q: How is syscon updated on Reference Tool / DECR models?''' <br />
'''Q: How is syscon updated on Reference Tool / DECR models?''' <br />
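Review bot: deleting the dead anonfiles link at the top of this section also deletes the file name v1.0.4c2_TMU510_u.bin, which is a firmware version identifier in its own right. Keep the name as plain text without the URL, so the version stays documented next to the question about how such .bin files reach Syscon.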
Line 173: Line 171:


'''A: In DECR-1000A Syscon is located on the motherboard. The Communication Processor talks to it through UART and updates it with the firmud command.'''  <br />
'''A: In DECR-1000A Syscon is located on the motherboard. The Communication Processor talks to it through UART and updates it with the firmud command.'''  <br />
List of main IC's on the board:
List of main IC's on the motherboard:
* SCEI CXR713F120A ([[Syscon Hardware]])
* SCEI [[CXR713F120A]] ([[Syscon Hardware|Syscon]])
* 1x Samsung K9F2G08U0M ([http://www.ps3devwiki.com/index.php?title=Flash_(Hardware) Flash] 2Gbit)
* 1x Samsung [[K9F2G08U0M]] ([[Flash_(Hardware)|Flash]])
* SCEI CXD4302GB ([[Starship2]])
* SCEI [[CXD4302GB]] ([[Starship2]])
* SCEI CXD9790GG (?) "helps handle communication between the Communication Processor, and the system controller, and southbridge. Using this path, the CP can talk to the System Controller, and bring the system up, down, and change its boot settings."
* SCEI [[CXD9790GG]] (?) "helps handle communication between the Communication Processor, and the system controller, and southbridge. Using this path, the CP can talk to the System Controller, and bring the system up, down, and change its boot settings."
[http://www.ps3news.com/ps3-hacks-jailbreak/ps3-tool-decr-1000a-system-controller-flash-chips-detailed/ archaic source1] [http://www.ps3news.com/ps3-hacks-jailbreak/ps3-tool-decr-1000a-internals-the-communication-processor/ archaic source2]
[http://www.ps3news.com/ps3-hacks-jailbreak/ps3-tool-decr-1000a-system-controller-flash-chips-detailed/ archaic source1] [http://www.ps3news.com/ps3-hacks-jailbreak/ps3-tool-decr-1000a-internals-the-communication-processor/ archaic source2]
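Review bot: the rewritten Flash bullet loses the "2Gbit" capacity that the old line carried ("(... Flash 2Gbit)" became "([[Flash_(Hardware)|Flash]])"). Converting the external ps3devwiki URL to an internal link does not require dropping it, so keep the size in the bullet after the link. The newly added part-number links ([[CXR713F120A]], [[K9F2G08U0M]], [[CXD4302GB]], [[CXD9790GG]]) should also be checked against existing page titles so they do not render as red links.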



Revision as of 15:54, 20 April 2021

LV1 - System Controller (SC) manager

  • sc_mgr_get_srh (0x9001)
  • sc_mgr_set_srh (0x9002)
  • sc_mgr_encrypt (0x9003)
  • sc_mgr_decrypt (0x9004)
  • Init For VTRM (0x9005)
  • sc_mgr_get_region_data (0x9006)
  • sc_mgr_set_region_data (0x9007)
  • Set RTC (0x9008)
  • Get Time (0x9009)
  • Set Time (0x900A)
  • sc_mgr_read_eprom (0x900B)
  • sc_mgr_write_eprom (0x900C)
  • Init For Updater (0x900D)
  • sc_mgr_get_sc_status (0x900E)
  • sc_iso_header (sc_iso_sc_binary_patch - 0x9011)
  • SC RTC Factory (0x9012)
  • Correct RTC Factory (0x9013)
  • Set SC Status (0x9014)
  • Backup Root Info (0x9015)
  • Restore Root Info (0x9016)
  • Read System Data From SC EEPROM - Indi Info Manager (0x17007)

SC - sc_iso.self

  • sc_iso_sc_binary_patch
  • sc_iso_get_sc_status
  • sc_iso_get_property
  • sb_iso_get_rnd
  • sb_iso_encdec_key
  • sc_iso_module::calculate_drift_time
  • sc_iso_module::generate_key
  • sc_iso_module::generate_all_key
  • sc_iso_module::authenticate
  • sc_iso_module::change_to_old_key
  • sc_iso_module::do_process
  • sc_iso_module::get_system_info
  • sc_iso_module::get_system_version
  • sc_iso_module::do_set_rtc_status
  • sc_iso_module::do_get_rtc_status
  • sc_iso_module::do_set_rtc2
  • sc_iso_module::set_rtc
  • sc_iso_module::do_set_drift_time
  • sc_iso_module::do_get_time
  • sc_iso_module::set_time
  • sc_iso_module::get_time
  • sc_iso_module::read_data2
  • sc_iso_module::write_data2
  • sc_iso_module::write_binary_patch
  • sc_iso_module::read_data
  • sc_iso_module::write_data
  • sc_iso_module::write_region_data
  • sc_iso_module::set_region_data
  • sc_iso_module::write_srh
  • sc_iso_module::set_srh
  • sc_iso_module::write_key
  • sc_iso_module::write_mngblk
  • sc_iso_module::initialize_updater_block
  • sc_iso_module::read_region_data
  • sc_iso_module::get_region_data
  • sc_iso_module::get_srh
  • sc_iso_module::read_key
  • sc_iso_module::do_crypt
  • sc_iso_module::decrypt
  • sc_iso_module::encrypt
  • sc_iso_module::read_mngblk
  • sc_iso_module::set_sc_status
  • sc_iso_module::get_sc_status
  • sc_iso_module::init_for_updater
  • sc_iso_module::init_for_vtrm
  • sc_iso_module::start

This should be a good starting point, but it leaves enough to explore yourself: http://pastebin.com/NxVkGCdp (for version 1.02)

See Graf's PSGroove Payload and HV page #0x9000 - SC_Manager / HVpage #System Controller


Updater log lines related to syscon

Updater log lines related to Syscon appear just after the BD firmware, Multi-Card controller and Bluetooth firmware steps (in this case CEX 3.55), and just before the post-processing and cleanup update status:

Update System controller firmware
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 2 msec
read SC patch package (4864 bytes) elapsed = 2 msec
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 2 msec
read SC patch package (4864 bytes) elapsed = 3 msec
Update System controller firmware done(0x8002f000)

PS3 Retail == PS3 TEST != PS3 TOOL. I try to get PS3 TOOL SC Firmwares.


It is suggested that the Syscon EEPROM is 512KB and the full (encrypted) firmware is <400KB (on Ref.Tool the Syscon is updated by overwriting the whole Syscon firmware, e.g. v1.0.5c1_TMU510_u.bin, 384KB).

Syscon commands

Syscon commands:

ver
errlog
auth1
auth2
fandiag
xdrdiag
xiodiag
bestat
sysdiag
syslog
bringup (PowerOn State)
shutdown (PowerOff State)
powersw
resetsw
bootbeep
stat
bootbeep on BOOT BEEP ON: DONE
bootbeep off BOOT BEEP OFF: DONE
xdrdiag
start
errlog tmpforcp
cp beepremote
cp beep2kn1n3
cp beep2kn2n3 /usr/bin/sx
halt HALT: OK
version
firmud Done.
cp ready CP READY: OK
cp busy CP BUSY: OK
cp reset CP RESET: OK
bestat
xdrdiag info
xdrdiag result
xiodiag
fandiag 
diagnose

The diag commands are usually for the backup bank; the main bank only supports firmud.

CP root pass on Ref.Tool: cytology


sc auth keys old

sc auth keys old:
See: Keys#sc_iso
sc auth key seeds:
The new auth keys are generated in a process involving 256-bit AES encryption (the IV is all zeroes).

dump sysrom

dump_sysrom.pkg of dump-flash+syscon.rar (280.51 KB) (http://git.gitbrew.org/ps3/?p=otheros-utils/dump_sysrom.git) seems to output wrong on MFW315:

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 00000000  FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03  ÿÿÿÿ€...ÿÿÿÿ€...
 00000010  FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03  ÿÿÿÿ€...ÿÿÿÿ€...
 ...   ...   ...   
 0003FFE0  FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03  ÿÿÿÿ€...ÿÿÿÿ€...
 0003FFF0  FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03  ÿÿÿÿ€...ÿÿÿÿ€...

Updating Syscon on Tool/DECR

Q: How is syscon updated on Reference Tool / DECR models?
There are no syscon PKGs in the DECR PUPs, and the CP .bin file contains one large binary of encrypted gibberish. It is suggested that it uses full syscon updates, but how are files like "v1.0.5c1_TMU510_u.bin" sent to syscon for updating? With/via the Communication Processor?

A: In DECR-1000A Syscon is located on the motherboard. The Communication Processor talks to it through UART and updates it with the firmud command.
List of main ICs on the motherboard:

  • SCEI CXR713F120A (Syscon)
  • 1x Samsung K9F2G08U0M (Flash)
  • SCEI CXD4302GB (Starship2)
  • SCEI CXD9790GG (?) "helps handle communication between the Communication Processor, and the system controller, and southbridge. Using this path, the CP can talk to the System Controller, and bring the system up, down, and change its boot settings."

archaic source1 archaic source2

The SysCon Bootloader

  • This is what the BL does at startup (DECR). One of these flags could enable JTAG
--- BL
*0x3100004 = 0x03
Check 0x3101080 & 1
*0x3803000 = 0x1020000 or 0x1001000
*0x3803004 = 0x00
*0x3803008 = 0x18000 or 0x8000
*0x3803044 = 0x00
*0x380300C = 0x2CC001
*0x3803040 = 0x01
*0x3800004 = 0x02

*0x310FFFC = 0xFFFF

--- FW
*0x3100004 = 0x03
*0x3100008 = 0x0A
*0x3100008 = 0x03
*0x3100020 = 0x86
*0x3100028 = 0x10
WAIT 152 cycles
*0x3100010 = 0x01
*0x3100008 = 0x0A
*0x3100008 = 0x06
*0x3100004 = 0x00

*0x3808070 = 0x00
*0x3808064 = 0x0F

*0x3005404 = 0x0C67
*0x3005400 = 0x0C

Syscon patches template

This template started as something experimental, eventually could be used in frontpage

Syscon Patches
| PS3 Model | PS3 Type | Motherboard | Syscon Hardware | SoftID.SysconPatch@SC | Syscon Firmware Patches: File Name | Syscon Firmware Patches: Version | Syscon Firmware Patches: Installed from | Notes |
|---|---|---|---|---|---|---|---|---|
| DECR-1000 | 0x01 | TMU-520 | CXR713F120A | 0F3B.0000000000000000@SC | v1.0.5c1_TMU510_u.bin | v1.0.5 c 1 | CP ver 1.33 | Full firmware overwrite from Communication Processor |
| DEH-H1001-D | 0x01 | COOKIE-13 | CXR713F120A | 0B67.0000000000000000@SC | n/a | n/a | n/a | |
| DEH-H1000A | 0x01 | COK-001 (proto) | CXR713F120A | 0B67.0000000000000000@SC | n/a | n/a | n/a | |
| CECHAxx | 0x01 | COK-001 | CXR713120 series | 0B8E.0001000000000004@SC | SYS_CON_FIRMWARE_01000004.pkg | v1.0.0 release 4 | 1.30 Firmware | |
| | | | | 0B8E.0001000000000005@SC | SYS_CON_FIRMWARE_01000005.pkg | v1.0.0 release 5 | 1.81 Firmware | |
| | | | | 0B8E.0001000000000006@SC | SYS_CON_FIRMWARE_01000006.pkg | v1.0.0 release 6 | 3.40 Firmware | |
| CECHBxx | 0x02 | | | | | | | |
| CECHCxx | 0x03 | COK-002 | | 0C16.0001000100030002@SC | SYS_CON_FIRMWARE_01010302.pkg | v1.1.3 release 2 | 1.81 Firmware | |
| | | | | 0C16.0001000100030003@SC | SYS_CON_FIRMWARE_01010303.pkg | v1.1.3 release 3 | 3.40 Firmware | |
| CECHExx | 0x04 | | | | | | | |
| CECHGxx | 0x05 | SEM-001 | | 0D52.0001000200030002@SC | SYS_CON_FIRMWARE_01020302.pkg | v1.2.3 release 2 | 3.40 Firmware | |
| CECHHxx | 0x06 | DIA-001 | CXR714120 series | 0DBF.0001000300030002@SC | SYS_CON_FIRMWARE_01030302.pkg | v1.3.3 release 2 | 3.40 Firmware | |
| CECHJxx | 0x07 | DIA-002 | | 0E69.0001000400040001@SC | n/a | v1.4.4 release 1 | Factory ? | |
| | | | | 0E69.0001000400040002@SC | SYS_CON_FIRMWARE_01040402.pkg | v1.4.4 release 2 | 3.40 Firmware | |
| CECHKxx | | | | | | | | |
| DECR-1400 | 0x09 | DEB-001 | CXR713120 series | 0E69.0001000400040001@SC | n/a | v1.4.4 release 1 | Factory ? | |
| CECHCxx | 0x03 | COK-002 with 65nm RSX | CXR714120 series | 0F29.0001000500000002@SC | SYS_CON_FIRMWARE_01050002.pkg | v1.5.0 release 2 | 3.40 Firmware | Refurbished, new 65nm RSX, new syscon |
| CECHAxx | 0x01 | COK-001 with 40nm RSX | CXR714120 series | 0F38.0001000500010001@SC | SYS_CON_FIRMWARE_01050101.pkg | v1.5.1 release 1 | 3.41 Firmware | Refurbished, new 40nm RSX, new syscon |
| CECHLxx | 0x08 | VER-001 | SW-30x series | 065D.0000000000000000@SC | n/a | n/a | Factory | No patches available in System Firmware |
| CECHMxx | | | | | | | | |
| CECHPxx | | | | | | | | |
| CECHQxx | | | | | | | | |
| CECH-20xx | 0x09 | DYN-001 | SW2-30x series | 0832.00010002083E0832@SC | SYS_CON_FIRMWARE_S1_00010002083E0832.pkg | ??? | 3.00 Firmware | |
| CECH-21xx | 0x0A | SUR-001 | | 08A0.0000000000000000@SC | n/a | n/a | Factory | No patches available in System Firmware |
| CECH-25xx | 0x0B | JTP-001 or JSD-001 | | 08C2.0000000000000000@SC | n/a | n/a | Factory | No patches available in System Firmware |
| CECH-30xx | 0x0C | KTE-001 | SW3-30x series | 0918.0000000000000000@SC | n/a | n/a | Factory | No patches available in System Firmware |
| CECH-40xx | 0x0D | MSX-001 or MPX-001 or NPX-001 | SW3-30x series | 098F.0000000000000000@SC | n/a | n/a | Factory | No patches available in System Firmware |
| CECH-42xx | ? | ? | ? | ? | ? | ? | ? | No patches available in System Firmware |
| CECH-43xx | ? | ? | ? | ? | ? | ? | ? | No patches available in System Firmware |
Rows marked in grey are "reference tool" models
Rows marked in blue are "preproduction" models
Rows marked in red are "refurbished" models