Remarry Syscon: Difference between revisions
Revision as of 07:57, 27 April 2021
Replacing the Syscon requires you to remarry it to CELL.
Introduction
The System Controller has different EEPROM regions, two of which are the NVS (non-volatile storage) and the SNVS (secure NVS).
If CELL wants to access the SNVS, it has to be married to the Syscon. The SNVS holds, for example, the secure product mode information, the lv0/lv1 hash and the SRK/SRH.
This guide covers only the per-console section, which holds the pairing information, and the SNVS section. It does not cover the NVS or the internal regions (accessible in plain only by the Syscon).
For easier reading the complete area will be called SPCR - Syscon Per Console Region.
Basic Syscon Prerequisites
In order to remarry the Syscon you have to have raw access to the corresponding EEPROM regions.
The SPCR on Mullion (CXR) models is saved at 0x0000-0x2800 while it's at 0x3000-0x5800 on Sherwood (SW) models.
For the NVS regions (and internal regions) please refer to the EEPROM page; this guide only provides the offsets used by UM.
Procedure
Case #1: A full dump of the original Syscon SPCR is available
If this is the case, and you're not switching from Mullion to Sherwood or the other way around, you can just copy the SPCR.
Case #2: The original Syscon SPCR is not available
The PS3 needs to run a factory (JIG) firmware in order to remarry the Syscon!
First blank the complete SPCR with hex FF.
Then for the first 0x30 bytes write this:
5E B4 F7 C9 50 62 F1 B2 EC F7 EE 1A 3C E3 D8 D0
C5 C2 73 4B A4 13 3D 2C 9E EE 88 ED 0C A8 15 C7
8F 59 DC E4 35 A8 11 BD 8B EC 4E 95 09 F1 E7 38
And set offset 0x48C07 of the NVS to 00.
If you start the PS3 you should see this on PS3s with a Mullion Syscon (as part of the bootlog obtainable from the SB UART):
[INFO]: sc_init START
[INFO]: 1...o
[INFO]: 2 skip
[INFO]: 3...o
[INFO]: 4.0.1...o 4.0.2...o 4.0.3...o 4.0.4...o
[INFO]: 4.1.1...o 4.1.2...o 4.1.3...o 4.1.4...o
[INFO]: 4.2.1...o 4.2.2...o 4.2.3...o 4.2.4...o
[INFO]: 4.3.1...o 4.3.2...o 4.3.3...o 4.3.4...o
[INFO]: 4.4.1...o 4.4.2...o 4.4.3...o 4.4.4...o
[INFO]: 4.5.1...o 4.5.2...o 4.5.3...o 4.5.4...o
[INFO]: 4.6.1...o 4.6.2...o 4.6.3...o 4.6.4...o
[INFO]: 4.7.1...o 4.7.2...o 4.7.3...o 4.7.4...o
[INFO]: pre5...o
[INFO]: skip 5, 6, 7, 8 (0x31)
[INFO]: sc_init SUCCESS
and this on Sherwood models:
[INFO]: sc_init START
[INFO]: 1...o
[INFO]: 2 skip
[INFO]: 3...o
[INFO]: 4.0.1...o 4.0.2...o 4.0.3...o 4.0.4...o
[INFO]: 4.1.1...o 4.1.2...o 4.1.3...o 4.1.4...o
[INFO]: pre5...o
[INFO]: skip 5, 6, 7, 8 (0x31)
[INFO]: sc_init SUCCESS
(If it instead prints error 800040C, please refer to the explanation.)
After shutting the console down, power it up again, which causes the Syscon to be remarried a "2nd" time.
It will produce the same output except that the third line changes from "[INFO]: 2 skip" to "[INFO]: 2...o".
The console will now be in product mode.
To complete the remarrying procedure please install any firmware using the manufacturing updater (launched by lv2diag) and set offset 0x48C07 of the NVS back to FF.
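The boot-log check described above can be automated. The following is an added example, not code from the original page: it parses a captured SB UART log and reports which of the two boots it came from. The function names are hypothetical, and treating any step result other than "o" as a failure, and matching the error as the bare substring "800040C", are assumptions, since the page does not show those log lines.

```python
import re

# Sherwood first-boot log, copied from the page above.
FIRST_BOOT = """\
[INFO]: sc_init START
[INFO]: 1...o
[INFO]: 2 skip
[INFO]: 3...o
[INFO]: 4.0.1...o 4.0.2...o 4.0.3...o 4.0.4...o
[INFO]: 4.1.1...o 4.1.2...o 4.1.3...o 4.1.4...o
[INFO]: pre5...o
[INFO]: skip 5, 6, 7, 8 (0x31)
[INFO]: sc_init SUCCESS
"""

# A step is a label ("2", "4.0.1", "pre5") followed by "...<result>" or " skip".
STEP = re.compile(r"(\d+(?:\.\d+)*|pre5)(\.\.\.(\S+)| skip)")

def parse_steps(log):
    """Map each sc_init step label to its result ('o', 'skip', or other text)."""
    steps = {}
    for line in log.splitlines():
        # Ignore non-INFO lines and the "skip 5, 6, 7, 8" summary line.
        if not line.startswith("[INFO]: ") or line.startswith("[INFO]: skip"):
            continue
        for label, _, result in STEP.findall(line[8:]):
            steps[label] = result or "skip"
    return steps

def classify(log):
    """Return the remarry stage a boot log corresponds to."""
    if "800040C" in log:                  # assumed to appear verbatim in the log
        return "key-error"
    if "sc_init SUCCESS" not in log:
        return "incomplete"
    steps = parse_steps(log)
    if any(r not in ("o", "skip") for r in steps.values()):
        return "step-failed"              # assumption: only 'o' means success
    if steps.get("2") == "skip":
        return "first-boot"               # power-cycle once more
    if steps.get("2") == "o":
        return "remarried"                # second boot done
    return "unknown"

if __name__ == "__main__":
    print(classify(FIRST_BOOT))
```
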
Explanation
The magic bytes
5E B4 F7 C9 50 62 F1 B2 EC F7 EE 1A 3C E3 D8 D0
C5 C2 73 4B A4 13 3D 2C 9E EE 88 ED 0C A8 15 C7
8F 59 DC E4 35 A8 11 BD 8B EC 4E 95 09 F1 E7 38
consist of the (uninitialized) Syscon status
00000000000000000000000000000001
encrypted with Key 0x000
and the Key 0x010
5794BC8C2131B1E3E7EC61EF14C32EB5
encrypted with Key 0x020.
The last 16 bytes are the CMAC of the previous 16 bytes using Key 0x020.
The Hypervisor uses the Syscon status to determine if it needs to be remarried. 1 means that it needs to be remarried, 2 means it's already married to CELL.
The key saved at offset 0x10 is used to decrypt the second layer of the EID1 stored on the flash.
If this key is wrong, Syscon will return the error 800040C. The only time this has been observed is on prototype consoles with a Sherwood Syscon. To fix that problem you need to create your own EID1 using the eid_root_key and patch it into the Syscon firmware.
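The SPCR preparation from Case #2 and the three-field layout described in this explanation can be applied to a raw Syscon EEPROM dump offline before writing it back. This is an added example, not code from the original page; the function and field names are hypothetical, and the region ranges are assumed to be end-exclusive. The NVS flag at 0x48C07 is left out because the page gives it as an NVS offset, not a raw EEPROM address.

```python
# SPCR location per Syscon family, from the prerequisites section
# (assumption: the end offset is exclusive).
SPCR_RANGE = {"mullion": (0x0000, 0x2800), "sherwood": (0x3000, 0x5800)}

# The 0x30 magic bytes from the page.
MAGIC = bytes.fromhex(
    "5E B4 F7 C9 50 62 F1 B2 EC F7 EE 1A 3C E3 D8 D0 "
    "C5 C2 73 4B A4 13 3D 2C 9E EE 88 ED 0C A8 15 C7 "
    "8F 59 DC E4 35 A8 11 BD 8B EC 4E 95 09 F1 E7 38"
)

def blank_spcr(dump, model):
    """Return a copy of the dump with the SPCR set to MAGIC followed by FF."""
    start, end = SPCR_RANGE[model]
    if len(dump) < end:
        raise ValueError("dump is too short to contain the SPCR")
    region = MAGIC + b"\xff" * (end - start - len(MAGIC))
    return dump[:start] + region + dump[end:]

def spcr_fields(dump, model):
    """Split the first 0x30 bytes of the SPCR into the fields the page names."""
    start, _ = SPCR_RANGE[model]
    head = dump[start:start + 0x30]
    return {
        "status_enc": head[0x00:0x10],    # Syscon status, encrypted
        "key_0x10_enc": head[0x10:0x20],  # key at offset 0x10, encrypted
        "cmac": head[0x20:0x30],          # CMAC of the previous 16 bytes
    }

def is_freshly_blanked(dump, model):
    """True if the SPCR holds exactly the unmarried template from Case #2."""
    start, end = SPCR_RANGE[model]
    region = dump[start:end]
    return region[:0x30] == MAGIC and set(region[0x30:]) == {0xFF}

if __name__ == "__main__":
    image = blank_spcr(bytes(0x6000), "sherwood")  # constructed all-zero dump
    print(is_freshly_blanked(image, "sherwood"))
    print(spcr_fields(image, "sherwood")["cmac"].hex())
```

Running `is_freshly_blanked` on a dump read back from the chip before the first boot confirms the write landed in the region for the right Syscon family.
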