Remarry Syscon

From PS3 Developer wiki
Revision as of 20:37, 23 March 2021 by M4j0r (talk | contribs) (Created page with "Replacing the Syscon requires you to remarry it to CELL. == Introduction == The System Controller does have different <i>EEPROM</i> regions of...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Replacing the Syscon requires you to remarry it to CELL.

Introduction

The System Controller does have different EEPROM regions of which two are the NVS (non-volatile storage) and the SNVS (secure NVS).
If CELL wants to access the SNVS it has to be married to the Syscon. The SNVS holds for example the secure product mode information, the lv0/lv1 hash and the SRK/SRH.
This guide will only cover the perconsole section which holds the pairing information and the SNVS section, not the NVS nor the internal (only by Syscon plain accessible) regions.
For easier reading the complete area will be called SPCR - Syscon Per Console Region.

Basic Syscon Prerequisites

In order to remarry the Syscon you have to have raw access to the corresponding EEPROM regions.
The SPCR on Mullion (CXR) models is saved at 0x0000-0x2800 while it's at 0x3000-0x5800 on Sherwood (SW) models.
For the NVS regions (and internal regions) please refer to the EEPROM page, this guide will only provide the offsets used by UM.

Case #1: A full dump of the original Syscon SPCR is available

If this is the case and you're not switching from Mullion to Sherwood or the other way around you can just copy the SPCR.

Case #2: The original Syscon SPCR is not available

The PS3 needs to run a factory (JIG) firmware in order to remarry the Syscon!
First blank the complete SPCR with hex FF. Then for the first 0x30 bytes write this:

5E B4 F7 C9 50 62 F1 B2 EC F7 EE 1A 3C E3 D8 D0
C5 C2 73 4B A4 13 3D 2C 9E EE 88 ED 0C A8 15 C7
8F 59 DC E4 35 A8 11 BD 8B EC 4E 95 09 F1 E7 38

And set offset 0x48C07 of the NVS to 00.
If you start the PS3 you should see this on PS3s with a Mullion Syscon (as part of the bootlog obtainable from the SB UART):

[INFO]: sc_init START
[INFO]: 1...o
[INFO]: 2 skip
[INFO]: 3...o
[INFO]: 4.0.1...o    4.0.2...o    4.0.3...o    4.0.4...o
[INFO]: 4.1.1...o    4.1.2...o    4.1.3...o    4.1.4...o
[INFO]: 4.2.1...o    4.2.2...o    4.2.3...o    4.2.4...o
[INFO]: 4.3.1...o    4.3.2...o    4.3.3...o    4.3.4...o
[INFO]: 4.4.1...o    4.4.2...o    4.4.3...o    4.4.4...o
[INFO]: 4.5.1...o    4.5.2...o    4.5.3...o    4.5.4...o
[INFO]: 4.6.1...o    4.6.2...o    4.6.3...o    4.6.4...o
[INFO]: 4.7.1...o    4.7.2...o    4.7.3...o    4.7.4...o
[INFO]: pre5...o
[INFO]: skip 5, 6, 7, 8 (0x31)
[INFO]: sc_init SUCCESS

and this on Sherwood models:

[INFO]: sc_init START
[INFO]: 1...o
[INFO]: 2 skip
[INFO]: 3...o
[INFO]: 4.0.1...o    4.0.2...o    4.0.3...o    4.0.4...o
[INFO]: 4.1.1...o    4.1.2...o    4.1.3...o    4.1.4...o
[INFO]: pre5...o
[INFO]: skip 5, 6, 7, 8 (0x31)
[INFO]: sc_init SUCCESS

After shutting the console down power it up again which causes the Syscon to be remarried a "2nd" time.
It'll produce the same output except that the third line changes from "[INFO]: 2 skip" to "[INFO]: 2...o".
The console will be now in product mode.

To complete the remarrying proceduce please install any firmware using the manufacturing updater (launched by lv2diag) and set offset 0x48C07 of the NVS back to FF.