Remarry Syscon: Difference between revisions

From PS3 Developer wiki

Latest revision as of 12:09, 30 September 2023

Replacing the Syscon requires you to remarry it to CELL.

Introduction

The System Controller has several EEPROM regions, two of which are the NVS (non-volatile storage) and the SNVS (secure NVS).
If CELL wants to access the SNVS it has to be married to the Syscon. The SNVS holds, for example, the secure product mode information, the lv0/lv1 hash and the SRK/SRH.
This guide only covers the per-console section, which holds the pairing information, and the SNVS section; it covers neither the NVS nor the internal regions (which only the Syscon itself can access in plain form).
For easier reading the complete area will be called SPCR (Syscon Per Console Region).

Basic Syscon Prerequisites

In order to remarry the Syscon you need raw access to the corresponding EEPROM regions.
The SPCR on Mullion (CXR) models is stored at 0x0000-0x2800, while on Sherwood (SW) models it is at 0x3000-0x5800.
For the NVS regions (and the internal regions) please refer to the EEPROM page; this guide only provides the offsets used by UM.

Procedure

Case #1: A full dump of the original Syscon SPCR is available

If this is the case, and you are not switching from Mullion to Sherwood or the other way around, you can simply copy the SPCR over.

Case #2: The original Syscon SPCR is not available

The PS3 needs to run a factory (JIG) firmware with a complete factory LV1 (which includes ss_sc_init_pu.fself) in order to remarry the Syscon!
First blank the complete SPCR with hex FF. Then write the following to the first 0x30 bytes:

5E B4 F7 C9 50 62 F1 B2 EC F7 EE 1A 3C E3 D8 D0
C5 C2 73 4B A4 13 3D 2C 9E EE 88 ED 0C A8 15 C7
8F 59 DC E4 35 A8 11 BD 8B EC 4E 95 09 F1 E7 38

Then set offset 0x48C07 of the NVS to 00.
When you start the PS3 you should see the following on consoles with a Mullion Syscon (as part of the boot log obtainable from the SB UART):

[INFO]: sc_init START
[INFO]: 1...o
[INFO]: 2 skip
[INFO]: 3...o
[INFO]: 4.0.1...o    4.0.2...o    4.0.3...o    4.0.4...o
[INFO]: 4.1.1...o    4.1.2...o    4.1.3...o    4.1.4...o
[INFO]: 4.2.1...o    4.2.2...o    4.2.3...o    4.2.4...o
[INFO]: 4.3.1...o    4.3.2...o    4.3.3...o    4.3.4...o
[INFO]: 4.4.1...o    4.4.2...o    4.4.3...o    4.4.4...o
[INFO]: 4.5.1...o    4.5.2...o    4.5.3...o    4.5.4...o
[INFO]: 4.6.1...o    4.6.2...o    4.6.3...o    4.6.4...o
[INFO]: 4.7.1...o    4.7.2...o    4.7.3...o    4.7.4...o
[INFO]: pre5...o
[INFO]: skip 5, 6, 7, 8 (0x31)
[INFO]: sc_init SUCCESS

and this on Sherwood models:

[INFO]: sc_init START
[INFO]: 1...o
[INFO]: 2 skip
[INFO]: 3...o
[INFO]: 4.0.1...o    4.0.2...o    4.0.3...o    4.0.4...o
[INFO]: 4.1.1...o    4.1.2...o    4.1.3...o    4.1.4...o
[INFO]: pre5...o
[INFO]: skip 5, 6, 7, 8 (0x31)
[INFO]: sc_init SUCCESS

(If it instead prints error 800040C, please refer to the explanation below.)
After shutting the console down, power it up again; this causes the Syscon to be remarried a second time.
It will produce the same output except that the third line changes from "[INFO]: 2 skip" to "[INFO]: 2...o".
The console will now be in product mode.
To complete the remarrying procedure, install any firmware using the manufacturing updater (launched by lv2diag) and set offset 0x48C07 of the NVS back to FF.

Explanation

The magic bytes

5E B4 F7 C9 50 62 F1 B2 EC F7 EE 1A 3C E3 D8 D0
C5 C2 73 4B A4 13 3D 2C 9E EE 88 ED 0C A8 15 C7
8F 59 DC E4 35 A8 11 BD 8B EC 4E 95 09 F1 E7 38

consist of three 16-byte blocks. The first is the (uninitialized) Syscon status

00000000000000000000000000000001

encrypted with Key 0x000. The second is Key 0x010,

5794BC8C2131B1E3E7EC61EF14C32EB5

encrypted with Key 0x020. The last 16 bytes are the CMAC of the previous 16 bytes using Key 0x020.

The Hypervisor uses the Syscon status to determine whether it needs to be remarried: 1 means it needs to be remarried, 2 means it is already married to CELL.
The key saved at offset 0x10 is used to decrypt the second layer of the EID1 stored on the flash.
If this key is wrong, Syscon returns the error 800040C. The only time this has been observed is on prototype consoles with a Sherwood Syscon. To fix that problem you need to create your own EID1 using the eid_root_key and patch it into the Syscon Firmware.