Syscon Hardware: Difference between revisions
Line 56: | Line 56: | ||
|- | |- | ||
| [[DEH-ML00AK-G]] || 0x0D || [[MPX-001 (Prototype) ]] || D79F0123 ([[SW3-302]]) || 098F || ?No? || Preproduction | | [[DEH-ML00AK-G]] || 0x0D || [[MPX-001 (Prototype) ]] || D79F0123 ([[SW3-302]]) || 098F || ?No? || Preproduction | ||
|- | |||
| [[CECHAxx]]<br />[[CECHBxx]]? || 0x01<br />0x02 || [[COK-00x#COK-001|COK-001]] || [[CXR714120-304GB]] || 0F38 || ? || 40nm RSX | |||
|- | |- | ||
<!-- Not Prototype debug units - see retail --> | <!-- Not Prototype debug units - see retail --> | ||
Line 63: | Line 65: | ||
Not mentioned:<pre> | Not mentioned:<pre> | ||
0F29 | 0F29 - ?</pre> | ||
= Syscon Externalised Ports = | = Syscon Externalised Ports = |
Revision as of 22:33, 27 February 2021
Syscon is the main power controller chip of the PS3. It is responsible for powering up the various power systems and for configuring and initialising the CELL BE, RSX and South Bridge. It communicates with these devices via separate SPI busses. There is external access by JTAG (disabled from factory on retail models), an EEPROM programming interface and Serial (UART). The Syscon is a SoC and consists of an ARM7TDMI (ARMv4) CPU, a 256KB EEPROM and 16KB RAM.
Serialnumbers per SKU
Retail
Model | Product Sub Code | Motherboard | Syscon part no. |
Syscon Soft ID |
Notes |
---|---|---|---|---|---|
CECHAxx CECHBxx |
0x01 0x02 |
COK-001 | CXR713120-201GB | 0B8E | |
CECHCxx CECHExx |
0x03 0x04 |
COK-002 or COK-002W |
CXR713120-201GB or CXR713120-202GB |
0C16 | |
CECHGxx | 0x05 | SEM-001 | CXR713120-201GB or CXR713120-202GB or CXR713120-203GB |
0D52 | |
CECHHxx | 0x06 | DIA-001 | CXR714120-301GB | 0DBF | |
CECHJxx CECHKxx |
0x07 | DIA-002 | CXR714120-301GB or CXR714120-302GB |
0E69 | |
CECHLxx CECHMxx CECHPxx CECHQxx |
0x08 | VER-001 | SW-301 or SW-302 |
065D | |
CECH-20xx | 0x09 | DYN-001 | SW2-301 | 0832 | |
CECH-21xx | 0x0A | SUR-001 | SW2-301 or SW2-302 |
08A0 | |
CECH-25xx | 0x0B | JTP-001 or JSD-001 |
SW2-301 or SW2-302 or SW2-303 |
08C2 | |
CECH-30xx | 0x0C | KTE-001 | SW2-301 or SW2-302 or SW2-303 or SW3-301 |
0918 | |
CECH-40xx | 0x0D | MSX-001 or MPX-001 |
SW3-302 | 098F | |
CECH-42xxA | ? | PQX-001 | SW3-304 | ? |
Non retail
Model | Product Sub Code | Motherboard | Syscon part no. |
Syscon Soft ID |
Active JTAG | Notes |
---|---|---|---|---|---|---|
CEB-2040 | - | MPU-501 | CXR713F120GB-000 | ? | ?No? | Retail prototype |
DECR1000(A/J) | 0x01 | TMU-520 | CXR713F120A | 03FB | No | Reference tool |
DECR1400(A/J) | 0x01 | DEB-001 | CXR714120-302GB | ? | ? | Reference tool |
DEH-H1001-D | 0x01 | COOKIE-13 | CXR713F120A | 0B67 | No | Preproduction |
DEH-H1000A(S)(-E(S)) | 0x01 | COK-001 (Prototype) | CXR713F120A | 0B67 | No | Preproduction |
DEH-FH1500J-A | 0x08 | VERTIGO-02 | D79F0073 (SW-301) | 0658 | ?Yes? | Preproduction |
DEH-ML00AK-G | 0x0D | MPX-001 (Prototype) | D79F0123 (SW3-302) | 098F | ?No? | Preproduction |
CECHAxx CECHBxx? |
0x01 0x02 |
COK-001 | CXR714120-304GB | 0F38 | ? | 40nm RSX |
Not mentioned:
0F29 - ?
Syscon Externalised Ports
Note: for more specific information per model, see the links to each subpage in the Serialnumbers per SKU table.
Syscon UART packets
SCUART daemon (SCUARTD) packet structure
SCUARTD packets includes header of 0x3 bytes and optional payload (depending on the command).
Packet IDs are not important, they are used only by clients and processed by SCUART daemon. SCUART daemon opens terminal file /dev/ttyS0 and use it to send commands and receive responses.
Offset | Size | Description |
---|---|---|
0x00 | 0x01 | Magic? |
0x01 | 0x01 | Payload size |
0x02 | 0x01 | Command |
0x03 | Payload size | Payload data |
Packets
Packet ID | Command/Action | Description | Notes |
---|---|---|---|
0x00 | version | Firmware version | Gets installed syscon's firmware version (Note: backup bank contains version 0.4.5_b4 !! On CEB-2030 it is 0.3.0 ) |
0x01 | bringup | Bring up | |
0x02 | shutdown | Shutdown | |
0x03 | firmud | Firmware update | Notifies about firmware update operation |
0x04 | bsn | Board Serial Number | Retrieves syscon's Board Serial Number |
0x05 | halt | Halt | Used at start of firmware update operation |
0x06 | cp ready | Communication Processor Ready | |
0x07 | cp busy | Communication Processor Busy | |
0x08 | cp reset | Communication Processor Reset | |
0x09 | bestat | Cell B.E. status | Retrieves Cell B.E. status |
0x0A | powersw | Power switch | toggles power switch button short pressing |
0x0B | resetsw | Reset switch | toggles reset switch button holding |
0x0C | bootbeep stat | Boot Beep Status | |
0x0D | bootbeep on | Boot Beep On | |
0x0E | bootbeep off | Boot Beep Off | |
0x0F | Reset syscon | Reset Syscon | Resets syscon |
0x10 | xdrdiag info | XDR diagnostics Information | |
0x11 | xdrdiag start | XDR diagnostics Start | Starts XDR diagnostics |
0x12 | xdrdiag result | XDR diagnostics Result | Gets a result of XDR diagnostics |
0x13 | xiodiag | XIO diagnostics | Starts XIO diagnostics and gets a result of it |
0x14 | fandiag | Fan diagnostics | Retrieves RPMs of fans |
0x15 | errlog | Error log | Retrieves a list of codes (with timestamps) of latest errors |
0x16 | Read line | Read Line | |
0x17 | tmpforcp <zone ID> | Reference Tool's temperature For Communication Processor | Gets the temperature of reference tool |
0x18 | Invalid CMDs | ||
0x19 | |||
0x1A | |||
0x1B | |||
0x1C | |||
0x1E | |||
0x1F | |||
0x20 | cp beepremote | Communication Processor Beep Remote | |
0x21 | cp beep2kn1n3 | ||
0x22 | cp beep2kn2n3 | ||
?? | csum | Checksum | Calculates the Checksum of something (No packet ID listing on scuartd) |
?? | osbo | ?Operating System Boot? | No idea what this does, but returns donewhen it's sent |
?? | scopen | Syscon Open | returns SC_READY or ERROR 1 |
?? | scclose | Syscon Close | ??? |
?? | ejectsw | Eject Switch | toggles eject switch button pressing (3 beeps) |
Packets Logs
Packet ID | Command/Action | Logs | Notes |
---|---|---|---|
0x00 | version | version\nv1.0.4_c2\n (END) |
|
0x01 | bringup | (END) |
|
0x02 | shutdown | Do nothing. (PowerOff State)\n (END) |
Returns (END) if the system is on |
0x03 | firmud | Start...\nErase User Program Area\n (END) |
This will brick your SYSCON if you don't feed it any argument or feed to it the wrong argument! |
0x04 | bsn | bsn\nNANNNNNNNNNA\n (END) |
N is digit and A is char (removed for privacy) |
0x05 | halt | halt\n (END) |
|
0x06 | cp ready | cp ready\nCP READY: OK\n (END) |
|
0x07 | cp busy | cp ready\nCP BUSY: OK\n (END) |
STATUS light blinks forever |
0x08 | cp reset | No response | Should reset CP to factory settings |
0x09 | bestat | (PowerOff State)\n (END) |
|
0x0A | powersw | (END) |
|
0x0B | resetsw | (END) |
|
0x0C | bootbeep stat | BOOT BEEP: ON\n (END) |
when it's off BOOT BEEP status changes to OFF |
0x0D | bootbeep on | BOOT BEEP ON: DONE\n (END) |
|
0x0E | bootbeep off | BOOT BEEP OFF: DONE\n (END) |
|
0x0F | Reset syscon | ||
0x10 | xdrdiag info | 32\n (END) |
|
0x11 | xdrdiag start | DIAG START\n (END) |
|
0x12 | xdrdiag result | XDR OK\n (END) |
will return ERROR NOT STARTED if xdrdiag start wasn't run previously |
0x13 | xiodiag | 0 903\n (END) |
|
0x14 | fandiag | ERROR FAN ACTIVE\n (END) |
|
0x15 | errlog | ofst[ %d]:err_code:0x%08X, clock:0x%08X YYYY/MM/DD HH:MM:SS |
bunch of error logs. ends with (END) once they're over |
0x16 | Read line | ||
0x17 | tmpforcp <zone ID> | ||
0x20 | cp beepremote | (END) |
|
0x21 | cp beep2kn1n3 | (END) |
sends a beep different than SYSCON beep :) |
0x22 | cp beep2kn2n3 | (END) |
sends two beeps different than SYSCON beeps :) |
?? | csum | Checksum: [027460C9] [68269779] [C19A855E]\n (END) |
displays 3 hexadecimal numbers inside rect parenthesis. the numbers are always the same, except when syscon version changes (v1.0.5_c1) |
?? | csum | Checksum: [02746F91] [682F04DA] [27688CF5]\n (END) |
Another response (v1.0.4_c2) |
?? | csum | Checksum: [0274C877] [684DA659] [EA426BB1]\n (END) |
Another response (v1.0.4_c1) |
?? | csum | Checksum: [027B4064] [6B450C64] [4FBF6DA3]\n (END) |
Another response (v1.0.3_c1) |
?? | csum | Checksum: [027E1B71] [6CDA9F25] [E0C67065]\n (END) |
Another response (v1.0.1_c1) |
?? | csum | Checksum: [02812855] [6E83917C] [D40F70A5]\n (END) |
Another response (v0.9.14_c1) |
?? | csum | Checksum: [02835059] [6FC5C632] [BB9BBEC3]\n (END) |
Another response (v0.9.9_c1) |
?? | csum | Checksum: [026F7951] [66CB09FF] [4EA06B56]\n (END) |
Another response (v0.8.4_c8) |
?? | osbo | done\n (END) |
|
?? | scopen | SC_READY\nERROR 1\n\n*** Invalid Argument ***\n\n[mullion]$ |
|
?? | scclose | \n\n\nSC_SUCCESS\n\n[mullion]$ |
Notes
- Some commands are unavailable on earlier firmwares, for example, tmpforcp is only supported on 1.3.3+.
- Some commands are divided into several strings, the first part (if exists) describes a command group, the second part describes the actual command and other parts describes command arguments.
- Real syscon commands have an ASCII form (a bold text in the 2nd column) instead of bytes above.
- Packet with ID *0x03* notifies syscon and calls SX program (based on ZMODEM protocol) to send firmware, syscon have custom or original implementation of RX program to receive firmware. An implementation of ZMODEM protocol used by Sony: http://oss.sony.net/Products/Linux/Others/Download/DECR-1000/mips_fp_le-lrzsz-0.12.20-devtool.1.src.rpm
A start of syscon's update procedure:
- A CP development tool includes several scripts which are participated in syscon update procedure. It starts after a CP update via update_syscon.pl perl script.
- This script checks the current syscon's firmware version. If it is in mask rom then it skips an update procedure, if not it checks major/minor/release parts of both versions and if a new version is applicable then it launches scfirmup utility and pass the firmware file path as an argument.
- scfirmup is a stupid tool which prepares a connection to SCUARTD and sends an update packet with a file path inside it. There is no need to comment it, here is reimplementation: http://pastie.org/private/6h8mfeoics4mdxear7ayg
A syscon's update operation in SCUARTD consists of following steps:
- 1. Check if SX program presents in /usr/bin/sx. It should be a regular file.
- 2. Check if specified firmware file is a regular file.
- 3. Halt syscon by sending command halt to UART, then wait some time until it prints HALT: OK.
- 4. Reset syscon by sending byte 0x30 to GPIO register SC_PI0_DIPSW, byte 0x30 to GPIO register SC_RSTX, waiting 1 second and writing byte 0x31 to GPIO register SC_RSTX.
- 5. Get current syscon's firmwave version by sending command version to UART. After receiving it, look for a character after the first _ (underscore) symbol from the left side of string and if it equals to the character b, then proceed to the next step, otherwise go to the (8) step. (It is possible to patch this step to allow upgrading or downgrading at will)
- 6. Prepare syscon for an update by sending command firmud to UART, then fork the current process; the current process won't finish until a message Done from UART arrives (it is the end of update operation).
- 7. In the forked process start SX program and pass firmware file path to it. SX program reads firmware file and transfer each chunk of it to syscon.
- 8. After successful update operation reset syscon (a different way) by sending byte 0x31 to GPIO register SC_PI0_DIPSW, byte 0x30 to GPIO register SC_RSTX, waiting 1 second and writing byte 0x31 to GPIO register SC_RSTX.
Notes:
- It seems all scuartds checks firmware revision and probably syscon is updated only once (after factory).
- To be able to reflash it you need to patch SCUARTD or do a manual update without the use of SCUARTD.
- You need to patch a single byte in SCUARTD to be able to flash any firmware (for example, to downgrade your syscon).
.text:00403A94: /* scuartd from CP 1.3.3 */
lb $v1, 1($v0)
li $v0, "b" /* 62 00 02 24 -> 63 00 02 24 */
bne $v1, $v0, loc_4039F4
move $a0, $zero
- An actual firmware update process (without halting and resetting steps) takes about 1 minute.
- You cannot install a corrupted firmware with scfirmup unless you corrupt the header! It seems there is a hash of sorts (possibly of the plaintext) in the header preventing scfirmup from installing something corrupt
- Updating SYSCON requires the DECR to be in standby mode! You cannot update it while it is on.
- Corrupting the header and the body will make firmup install the SYSCON update anyways! be careful not to do it!
- Should you brick SYSCON, here's a patch to "unbrick" it, do not use it unless you brick it though!
.text:004038C0:
lw $a0, 4($s4)
li $a1, 0x400000
nop
addiu $a1, (aHalt - 0x400000) # "halt"
la $t9, scuartd_send_sccmd
nop
jalr $t9 ; scuartd_send_sccmd
nop
lw $gp, 0x1E8+var_1D8($sp)
bnez $v0, loc_4039B4 /* 33 00 40 14 -> 33 00 40 10 */
li $a0, 1
- You can use this bruteforcer to try your luck when finding new packets: https://hastebin.com/vomogesaru.cpp
Syscon UART
BGA | Name | Description |
---|---|---|
P16 | UART0_TxD | Serial Transmit |
P15 | UART0_RxD | Serial Receive |
You can attach a 3.3v TTL cable (LV-TTL) to the UART on syscon (UART0_TxD, UART0_RxD). (Convenient solder points are available on JSD-001 / JTP-001 by the NOR test points. They are marked as '?' in marcan' noraliser / judges' NORway install picture, closest to the ground at the bottom - RX is left, TX is right) Baud rate is 57600. There is a simple plaintext protocol involved. This varies on different syscon models. Example:
<command>:<hash>
Where the hash is the sum of command bytes & 0xFF.
You should terminate commands with \r\n, the syscon messages are only terminated with \n.
Samples
Here are some of the commands/messages encountered:
Messages:
Power applied (standby mode) OK 00000000:3A Power on # (PowerOn State):7F Power off (Hard shutdown) # (PowerOff State):DD After Fan test: # (PowerOff State) (Fatal):36 No text, invalid hash: NG F0000002:4D
Commands:
VER:ED OK 00000000 S1E 00 00 065D:A4 OK 00000000 S1E 01 0B 00 0832:A3 (on DYN-001 board) OK 00000000 S1E 02 03 00 0918:9A (on KTE-001 board) ERRLOG:CB OK 00000000:3A DATE:1E NG F0000003:4E C:F1:BUZ E:4F:NG F0000004 E:50:NG F0000005 (in DIAG mode) C:D0:CID E:50:NG F0000005 C:D0:CID GET E:50:NG F0000005 C:DA:EEP E:50:NG F0000005 C:DA:EEP GET E:50:NG F0000005 C:E6:EEP SET E:50:NG F0000005 C:D5:FAN E:50:NG F0000005 C:83:FAN START E:50:NG F0000005 C:3B:FAN STOP E:50:NG F0000005 C:F4:KSV E:50:NG F0000005 C:ED:REV E:50:NG F0000005 C:F8:SPU E:50:NG F0000005 C:FD:AUTH1 0000802000000000003000309C0EDB3F E603EDB98A38DDC09400A2AB2DDE8CAB 0AECFE951FF7E2E8D8A7CF2202719F81 2F36DE83B424C27063C274CB0000E46B <Important Note: 0x40 bytes> E:5D:NG E00000C0 C:34:BOOT E:50:NG F0000005
See also Syscon commands.
Bruteforcing commands: http://pastebin.com/CNei0xbC
VERY IMPORTANT:
- Max size of a command is 11 characters, 16 if you count with C:<hash>:
- Sending a command with 11 chars results in NO OUTPUT
- Sending a command with more than 11 chars results in NG F0000002
- Max size of a command on DECR is 135, 140 if you count with C:<hash>:
Syscon EEPROM (SPI)
BGA | Name | Description |
---|---|---|
F16 | CSB | Chip Select (needs to be low) |
H16 | DO | Serial Data Output |
G16 | DI | Serial Data Input |
E16 | SKB | Serial Data Clock |
J15 | WCB | Write Protect |
J16 | RBB | Ready/Busy |
G11 | VDDep | + 3.3V |
C15 | VSSep | GND |
Syscon JTAG
It is disabled in factory after production on retail models.
BGA | Name | Description |
---|---|---|
L8 | JRTCK | Return Test Clock |
K8 | JTCK | Test Clock |
K9 | JTDO | Test Data Out |
L9 | JTMS | Test Mode State / Test Mode Select |
K7 | JTDI | Test Data In |
L7 | JNTRST | Test Reset |
Syscon underlying ports
Syscon Cell SPI Bus
BGA | Name | Description |
---|---|---|
M2 | /BE_SPI_CS | Chip Select |
N2 | BE_SPI_DO | Serial Data Output |
M1 | BE_SPI_DI | Serial Data Input |
N1 | BE_SPI_CLK | Serial Data Clock |
P2 | /BE_RESET | CellBE Reset |
P1 | BE_POWGOOD | CellBE PowerGood |
T2 | /BE_INT | CellBE Interrupt |
Syscon Southbridge SPI Bus
BGA | Name | Description |
---|---|---|
B9 | /SB_SPI_CS | Chip Select |
B8 | SB_SPI_DO | Serial Data Output |
A9 | SB_SPI_DI | Serial Data Input |
A8 | SB_SPI_CLK | Serial Data Clock |
|