Southbridge
Jump to navigation
Jump to search
PS4 southbridge contains two processors named EMC and EAP on the same die that are mainly used on boot, during rest mode and for servicing.
Components[edit | edit source]
Southbridge processors[edit | edit source]
The two processors are on the same die. It is a SoC (System on Chip).
EMC[edit | edit source]
EMC could stand for External Micro Controller. EMC was named MediaCon by some people when its name was still unknown.
The role of EMC is to load EMC Initial Program Loader, to be an interface for icc for the main APU kernel and Syscon and to offer a debug interface via UART that does not rely on Syscon or main APU. EMC runs its own FreeBSD kernel. It is a Marvell Armada, an ARM-based SoC. Sony stuck a PCIe bridge on it. It exposes ARM peripherals to the x86 side. There is some extra stuff (e.g. HPET, ACPI stuff).
EMC cpuid = 412FC231 (ARM Cortex-M3 r2p1). CPU clock: maybe about 100MHz.
EMC Initial Program Loader[edit | edit source]
EMC Initial Program Loader is stored encrypted in a SLB2 container in PS4 Serial Flash. Its role is to launch both EAP Kernel Boot Loader and AMD bootROM.
EAP[edit | edit source]
EAP could stand for External Application Processor.
The role of EAP is to handle media (online Wireless/GbLAN, Bluray Drive and HDD/SSD) even when the PS4 is in standby mode. EAP runs its own FreeBSD kernel in standby mode, activated to handle tasks such as downloading games updates while the PS4 is in standby.
It handles several tasks to offload the APU:
- Network connections: Wireless and GbLAN, including background downloading and PlayGo
- File handling (Bluray Drive, Harddrive and USB 3.0), including background caching
- Main serial flash handling
EAP consists of Marvell PJ4C B0 rev 1 cores, ARMv7 CORTEX-A8 running FreeBSD 9 kernel. CPU clock: 500MHz. DDR clock: 800MHz.
As EAP Core software is unsigned, unencrypted and easily replaceable on PS4 HDD with a PS4 kernel exploit, it is possible to run homebrew code on EAP processor. See eapdev by Bigboss (psxdev).
EAP Kernel Boot Loader[edit | edit source]
EAP Kernel Boot Loader is stored encrypted in a SLB2 container in PS4 Serial Flash. The role of EAP Kernel Boot Loader is to decrypt then uncompress the EAP Kernel. The encrypted EAP Kernel is stored at virtual address 0xC1000000 and the decrypted and uncompressed EAP Kernel is located at virtual address 0xC3000000.
EAP Kernel[edit | edit source]
EAP Kernel is located at virtual address 0xC3000000. Encrypted EAP Kernel is mounted on device da0x2 along with minila file.
minila[edit | edit source]
minila is an ELF file stored in /minila/ folder in EAP virtual filesystem (packed along with EAP Kernel). Minila is "AMD SceSysCore mini" equivalent for EAP.
EAP Core[edit | edit source]
EAP Core is the only usermode executable running on EAP. It is stored unencrypted as SceEapCore.elf in PS4 HDD.
EAP Filesystem from EAP Kernel binary[edit | edit source]
/dev/ /eap_tmp/ /eap_user/ /eap_vsh/ /minila/ /minila/minila /rescue/ /update/ /user/
EAP files on HDD[edit | edit source]
- da0x2 HDD partition is mounted to /eap_kern/ but is encrypted. Only EMC Kernel Boot Loader reads and decrypts this partition then loads it in EAP DDR3 memory and launches EMC Kernel.
- da0x3 HDD partition is mounted to /eap_vsh/.
/eap_vsh/common/ /eap_vsh/common/cert/ /eap_vsh/common/cert/CA_list.cer /eap_vsh/etc/ /eap_vsh/etc/bgdc/ /eap_vsh/etc/bgdc/config.xml /eap_vsh/etc/timezone.dat /eap_vsh/SceEapCore.elf
EAP files on Serial Flash[edit | edit source]
sflash0s0x33: SLB2 container sflash0s0x33/C0010001: EMC Kernel Boot Loader sflash0s0x33/C0018001: EMC Kernel Boot Loader Information
Southbridge RAM[edit | edit source]
Southbridge chip is connected to its own DDR3 SDRAM. It is named "sbram" as abbreviation for SouthBridge RAM.
PS4 Fat and Slim[edit | edit source]
PS4 Fat and Slim Southbridge has access to one 2Gb DDR3 chip, for a total of 256MB of memory.
PS4 Pro[edit | edit source]
PS4 Pro Southbridge has access to two 4Gb DDR3 chips, for a total of 1GB of memory.
Serial Flash[edit | edit source]
Southbridge contains a 256MB Serial flash.
Aeolia has Macronix MX25L25635FMI-10G.
Auxiliary components[edit | edit source]
Southbridge is connected to the main APU by PCI-Express x4 and to Syscon by SPI.
Aeolia has SATA bridge MB86C311B, USB 3.0 hub GL3520, USB 3.0 hub and SATA bridge Serial Flash (Hardware) chips MX25L1006E or 25X10CLYA1, GbLAN controller 88EC060-NN82.
Southbridge revisions[edit | edit source]
There are three major hardware revisions of the PS4 southbridge, named Aeolia, Belize and Baikal.
See also Aeolia.
Motherboards per Southbridge revisions[edit | edit source]
| Southbridge Codename | Southbridge Labeling | Motherboards |
|---|---|---|
| Aeolia | CXD90025G | |
| Belize | CXD90036G | |
| Belize 2 | CXD90046GG |
NVB-003 |
| Baikal | CXD90042GG |
NVB-004 |
Southbridge revisions per chassis[edit | edit source]
| Model (chassis) | Motherboards | Southbridge Codename | Oldest Manufacturing Date | Newest Manufacturing Date |
|---|---|---|---|---|
| D1000 | All CVN | Aeolia | ||
| 1000 | All SAA | Aeolia | ||
| 1100 | All SAB | Aeolia | ||
| 1200 | All SAC | Belize | 2015-10 | |
| 2000 | SAD-001, SAD-003 (1-981-769-11) | Belize | 2016-04 | |
| 2000 | SAD-002 | Baikal | 2016-09 | |
| 2000 | SAD-003 (1-981-769-21, 1-981-769-31) | ?Belize or Belize 2? | 2016-08 | |
| D7000 | HAC-001 | Belize | ||
| 7000 | NVA-001 | Belize | 2017-05 | |
| 2100 | SAE-001, SAE-003 | Belize 2 | 2017-11 | 2017-12 |
| 2100 | SAE-002, SAE-004 | Baikal | 2017-06 | 2017-12 |
| 7100 | NVB-003 | Belize 2 | 2018-05 | 2018-08 |
| 7100 | NVB-004 | Baikal | 2017-11 | |
| 2200 | SAF-003, SAF-005 | Belize 2 | 2018-06 | 2018-09 |
| 2200 | SAF-004, SAF-006 | Baikal | 2018-03 | 2020-05 |
| 7200 | NVG-001, NVG-003 | Belize 2 | 2018-11 | 2019-05 |
| 7200 | NVG-002, NVG-004 | Baikal | 2018-09 | 2019-06 |
EMC IPL/EAP KBL Structure[edit | edit source]
magic: 0x%08x version: 0x%04x type: 0x%04x headerSize: 0x%08x bodySize: 0x%08x entryPoint: 0x%08x baseAddr: 0x%08x
EMC UART Debug Communication[edit | edit source]
See also PS3 Syscon UART RPC and PS Vita Syscon UART RPC.
Aeolia[edit | edit source]
| Command/Action | Description | Notes |
|---|---|---|
| _hdmi | Related to HDMI | |
| boot | Boot the console | |
| bootadr | ?Get boot address? | cmd>bootadr OK 00000000 FFEF 42D4 CCBE 29B9:A2 bootadr:EB # [PSQ] boot address 00:49 OK 00000000:3A |
| bootenable | Enable boot | |
| bootmode | Set boot mode (ex: automatic when AC plugged, manual) | cmd>bootmode bootmode:59 # BootMode:AUTO:CF OK 00000000:3A cmd>bootmode 1 bootmode 1:AA # BootMode:MANUAL:54 OK 00000000:3A |
| buzzer | Trigger buzzer (beep) | 7 modes (?) available |
| cb | ||
| cclog | Enable/disable Chip Communication Log | cmd>cclog cclog:08 # ChipComm Log:OFF:AA OK 00000000:3A cclog 1 cclog 1:59 # ChipComm Normal Log:ON:F5 OK 00000000:3A cclog 2 cclog 2:5A # ChipComm Error Log:ON:B6 OK 00000000:3A cmd>cclog 3 cclog 3:5B # ChipComm Normal Log:ON:F5 # ChipComm Error Log:ON:B6 OK 00000000:3A |
| ccom | Chip Communication | |
| ccul | ||
| cec | ?Enable/disable HDMI CEC? | |
| cktemprid | ?Check Temperature ID? | |
| csarea | Read Serial Flash NVS CS Area | |
| ddr | ?Get DDR information? | |
| ddrr | Read DDR | |
| ddrw | Write DDR | |
| devpm | Device Power Management | cmd>devpm devpm:1C # wlan on:F2 # hdd on:70 # usb on:8A # bd on:06 # acdc on:CB # pg3 on:4A # hdmi on:E2 # gbe off:CC # sdio off:4D OK 00000000:3A |
| dled | Maybe related to LED. | |
| dsarea | Read Serial Flash NVS DS Area | |
| ejectsw | Toggle BD eject switch | ps3 |
| errlog | Get error log | ps3, 32 possibilities (0-1F) errlog 0:DB # No Code Rtc PowState UpCause SeqNo DevPm T(SoC) T(Exhaust):C4 # 00 C0010201 12F50C61 00FF0001 00000000 006F 0001 FFFF 2100:17 OK 00000000 C0010201 12F50C61 00FF0001 00000000 006F 0001 FFFF 2100:2E |
| etempr | ?Get temperature limit events? | cmd>etempr get etempr get:ED # Main Soc ::E7 # Alert Limits = 0x6000:F8 # Alert Hysteresis = 0x0200:35 # CriticalTempr Limits = 0x6100:34 # Intake ::B9 # Alert Limits = 0x4700:FD # Alert Hysteresis = 0x0200:35 # CriticalTempr Limits = 0x4800:39 # Exhaust ::1F # Alert Limits = 0x4700:FD # Alert Hysteresis = 0x0200:35 # CriticalTempr Limits = 0x4800:39 OK 00000000:3A |
| fdownmode | ?Enter Fataldown mode? | fdownmode fdownmode:C3 # FataldownMode:RUN:97 OK 00000000:3A fdownmode 1 fdownmode 1:14 # FataldownMode:STOP:E8 OK 00000000:3A |
| fduty | ?Execute fan duty (ex: get)? | fduty get fduty get:8C # duty=0x0100(25):67 OK 00000000:3A |
| flimit | Set fan limits | flimit get flimit get:E5 # MainSoc : max_duty=0x0400 min_duty=0x0100 :4A # Environment : max_duty=0x0400 min_duty=0x00CD :DB OK 00000000:3A |
| fmode | Set fan mode | fmode fmode:0B # Fan Mode List:B9 # no:00 mode:AutoServo:61 # no:01 mode:Maximun:99 # no:02 mode:Minimun:98 # no:03 mode:Manual:1A # no:04 mode:end:F4 OK 00000000:3A |
| fservo | Get fan servo information | cmd>fservo get fservo get:F5 # MainSoc ::E7 # SetVal = 0x00005000:9C # PGain = 0x00000800:3F # IGain = 0x00000080:38 # ILimit = 0x0FFFFFFF:2A # ULimit = 0x0FFFFFFF:36 # DLimit = 0x0FFFFFFF:25 # UPLimit = 0x0FFFFFFF:86 # DPLimit = 0x0FFFFFFF:75 # UILimit = 0x0FFFFFFF:7F # DILimit = 0x0FFFFFFF:6E # DifGain = 0x00005000:DF # DifLimit = 0x00000900:43 # DifDLimit = 0x00450000:87 # MaxDduty = 0x00900000:61 # Environment ::52 # SetVal = 0x00003B00:AC # PGain = 0x00000500:3C # IGain = 0x00000005:35 # ILimit = 0x0FFFFFFF:2A # ULimit = 0x0FFFFFFF:36 # DLimit = 0x0FFFFFFF:25 # UPLimit = 0x0FFFFFFF:86 # DPLimit = 0x0FFFFFFF:75 # UILimit = 0x0FFFFFFF:7F # DILimit = 0x0FFFFFFF:6E # DifGain = 0x00000000:DA # DifLimit = 0x0FFFFFFF:D4 # DifDLimit = 0x0FFFFFFF:18 # MaxDduty = 0x0FFFFFFF:F2 OK 00000000:3A |
| fsstate | ?Get fan servo state? | cmd>fsstate get fsstate get:5A # 0: ctempr=29.50(0x1D80), err=0xFFFFCD80, ierr=0x00000000, duty=0x0100(25):BD # 1: ctempr=22.75(0x16C0), err=0xFFFFDBC0, ierr=0x00000000, duty=0x00CD(20):E6 OK 00000000:3A |
| fstartup | ?Startup fan? | |
| getmacadr | Get MAC Address | |
| ftable | ?Get fan table? | |
| halt | Halt the console | ps3 |
| haltmode | ||
| hdmir | HDMI ?read? | |
| hdmis | HDMI ?sync? | |
| hdmistate | Get HDMI state | cmd>hdmistate hdmistate:C3 # == DP Video Setting ==:20 # MVID : 0x0:C5 # NVID : 0x0:C6 # MISC 0 : 0:29 # MISC 1 : 0:2A # H Total : 0:F9 # V Total : 0:07 # H Start : 0:03 # V Start : 0:11 # Hsync Width : 0:32 # Hsync Porality : High Active:F2 # Vsync Height : 0:79 # Vsync Porality : High Active:00 # Video Width : 0:24 # Video Height : 0:5D # Wait Power On State.:31 OK 00000000:3A |
| hdmiw | HDMI ?write? | |
| help | help:A9 # ANY "R16":A8 # ANY "R32":A6 # ANY "R8":79 # ANY "W16":AD # ANY "W32":AB # ANY "W8":7E # ANY "_hdmi":F0 # ANY "boot":A3 # ANY "bootadr":DA # ANY "bootenable":0A # ANY "bootmode":48 # ANY "buzzer":91 # ANY "cb":B4 # ANY "cclog":F7 # ANY "ccul":96 # ANY "cec":1A # ANY "cktemprid":B2 # ANY "combuf":6B # ANY "comlog":70 # ANY "csarea":5E # ANY "ddr":29 # ANY "ddrc":8C # ANY "ddrr":9B # ANY "ddrw":A0 # ANY "devpm":0B # ANY "dled":88 # ANY "dsarea":5F # ANY "ejectsw":E4 # ANY "errlog":7A # ANY "etempr":7C # ANY "fdownmode":B2 # ANY "fduty":1B # ANY "flimit":74 # ANY "fmode":FA # ANY "fservo":84 # ANY "fsstate":E9 # ANY "fstartup":68 # ANY "getmacadr":97 # ANY "halt":98 # ANY "haltmode":3D # ANY "hdmir":03 # ANY "hdmis":04 # ANY "hdmistate":B2 # ANY "hdmiw":08 # ANY "help":98 # ANY "mbu":33 # ANY "mduty":22 # ANY "nvscsum":FE # ANY "nvsinit":FA # ANY "nvsl2sw":CE # ANY "osarea":6A # ANY "osbootparam":96 # ANY "osdebuginfo":84 # ANY "osstate":F2 # ANY "pcie":90 # ANY "pdarea":5C # ANY "powcount":6E # ANY "powersw":06 # ANY "powupcause":3B # ANY "qafinfo":D3 # ANY "r16":C8 # ANY "r32":C6 # ANY "r8":99 # ANY "resetsw":FC # ANY "rtc":38 # ANY "runseq":8D # ANY "s3state":B6 # ANY "sb":C4 # ANY "sbnvs":1B # ANY "scfupdbegin":79 # ANY "scfupddl":44 # ANY "scfupdend":AB # ANY "scnvsinit":D0 # ANY "scpdis":75 # ANY "screset":E8 # ANY "scversion":CB # ANY "sdkversion":37 # ANY "sdnvs":1D # ANY "smlog":11 # ANY "socdmode":3D # ANY "socuid":76 # ANY "spoff":0D # ANY "spon":AF # ANY "sqlog":15 # ANY "ssbdis":77 # ANY "startwd":F8 # ANY "state":10 # ANY "stinfo":82 # ANY "stopwd":90 # ANY "stwb":AF # ANY "subsysid":65 # ANY "subsysinfo":44 # ANY "syspowdown":5C # ANY "task":A2 # ANY "tempr":17 # ANY "temprlog":59 # ANY "testpcie":50 # ANY "thrm":AA # ANY "uareq1":3E # ANY "uareq2":3F # ANY "version":F5 # ANY "vshinfo":EC # ANY "w16":CD # ANY "w32":CB # ANY "w8":9E # ANY "wsc":3C OK 00000000:3A | |
| mbu | ||
| mduty | cmd>mduty get mduty get:93 # MainSoc : duty=0x0000(0):F3 # Environment : duty=0x0000(0):5E OK 00000000:3A | |
| nvscsum | Get Serial Flash NVS checksum | cmd>nvscsum OK 00000000 FFEF 42D4 CCBE 29B9:A2 nvscsum:0F |
| nvsinit | Maybe Init Serial Flash NVS | |
| osarea | Read Serial Flash NVS OS Area | |
| osbootparam | ?Read? Serial Flash NVS Bootparam area (probably DIP Switches) | |
| osstate | ||
| pcie | Get PCI-express information | cmd>pcie pcie:A1 # <PCIe Debug>:05 # PHY Link : Up:A1 # Data Link : Up:0A # :43 # <PCIe Link Control and Status>:A4 # Active State Link PM : Disabled:BD # Read Completion Boundary(RCB) : 64byte:FD # Retrain Link : 1:71 # Enable Clock Power Management : Disable:EE # Hardware Autonomous Width : Enable:0C # Link Bandwidth Management Interrupt: Disable:DE # Link Autonomous Bandwidth Interrupt: Disable:1B # Link Speed : Gen1:E7 # Link Width : x4:57 # Link Traing : Done:76 # :43 # <Calib Value>:B5 # LANE 0 : 0x60:FB # LANE 1 : 0x5E:10 # LANE 2 : 0x5D:10 # LANE 3 : 0x5C:10 # :43 # <PCIe Device Status>:12 # Correctable Error : Yes:DE # Non-Fatal Error : No:84 # Fatal Error : No:AC # Unsupported Request Detected : Yes:E2 OK 00000000:3A |
| pdarea | Read Serial Flash NVS PD Area | |
| powersw | Toggle power switch | ps3 |
| powupcause | Get power-up cause | cmd>powupcause powupcause:4C # 04000000 02 00 02 00 00:4B OK 00000000:3A |
| r16 | Read 16bits (to document) | |
| R16 | Read 16bits (to document | |
| R32 | Read 32bits (to document | |
| r32 | Read 32bits (to document | |
| R8 | Read 8bits (to document | |
| r8 | Read 8bits (to document | |
| resetsw | Toggle reset switch (equivalent to 7 seconds hold of power switch) | ps3 |
| rtc | Get RTC | cmd>rtc rtc:49 # RTC Counter : 318078913:DE # RTC Status(0x000001FC) : OK:87 OK 00000000 12F57FC1 000001FC:F3 |
| sb | Maybe switch active/inactive banks in Serial Flash and/or in Syscon NVS and/or in internal HDD | sb sb:D5 # [Active bank] : Second:E9 OK 00000000:3A |
| sbnvs | Maybe switch active/inactive banks or read in Serial Flash NVS (partition number to pass as argument) | cmd>sbnvs sbnvs:2C # sbnvs : [partitin number]:B5 # [UCMD] Arguments err.:91 NG F0000001:4C |
| scfupdbegin | Begin Syscon firmware update | |
| scfupddl | Download Syscon firmware update | |
| scfupdend | End Syscon firmware update | |
| scnvsinit | Init Syscon NVS | |
| scpdis | Disable ?Syscon? | |
| screset | Reset Syscon | ps3 |
| scversion | Get Syscon Version | cmd>scversion scversion:DC # 1.0.0 ET r1808 p1:2D OK 00000000 C1ET 0001 0000 0000 0710 0001:D1 |
| sdnvs | Maybe read ?SD? NVS (partition number to pass as argument) | cmd>sdnvs sdnvs:2E # sdnvs : [partitin number] [bank number] :F4 # [UCMD] Arguments err.:91 NG F0000001:4C |
| smlog | Enable/disable some ?Secure Module? Packet Log | cmd>smlog smlog:22 # Packet Log:OFF:F2 OK 00000000:3A cmd>smlog 1 smlog 1:73 # Packet Log:ON:B4 OK 00000000:3A |
| socdmode | Enter SoC Download mode | cmd>socdmode socdmode:4E # [PSQ] Soc download mode : 0:1B OK 00000000:3A |
| socuid | Read SoC UID | Also found in Serial Flash NVS DS Area. |
| ssbdis | System State Disable Boot | cmd>ssbdis ssbdis:88 # [PSQ] boot disable 00:37 OK 00000000:3A |
| startwd | ||
| state | Get System State (ex: idle) | cmd>state state:21 # system:SSC_SYSTEMSTATE_SOC_UP_IDLE:95 OK 00000000 0005 FF:CB |
| stinfo | Get Statistics Info from Serial Flash NVS | cmd>stinfo stinfo:93 # Updated Sector Adr = 0x1C5000 (table = 0x02 i=0,j=1):29 OK 00000000:3A |
| stopwd | ||
| stwb | ||
| syspowdown | Power down system | |
| tempr | Get temperatures | cmd>tempr get tempr get:88 # get all:DC # MainSoc : t=30.25(0x1E40):83 # Intake : Disable:8D # Exhaust : t=24.00(0x1800):A6 OK 00000000 1E40 FFFF 1800:55 |
| testpcie | Test PCI-express | |
| thrm | ?thermal? | |
| uareq1 | Request ?user-agent? #1 | command to gain more privileges, RSA verification |
| uareq2 | Request ?user-agent? #2 | command to gain more privileges, RSA verification |
| version | Get EMC Version | ps3, cmd>version version:06 # 1.19.0 E r4336 :51 OK 00000000 E1E 0001 0013 0000 10F0:B1 |
| vshinfo | ?Get VSH information? | |
| W16 | Write 16bits (to document) | |
| w16 | Write 16bits (to document) | |
| W32 | Write 32bits (to document) | |
| w32 | Write 32bits (to document) | |
| w8 | Write 8bits (to document) | |
| W8 | Write 8bits (to document) | |
| wsc |
See also:
EMC Patches[edit | edit source]
God Mode (All Commands Unlocked)[edit | edit source]
- Change all instances of 03 00 FD 00 to 0F 00 FD 00
- Change all instances of 07 00 FD 00 to 0F 00 FD 00
- Be extremely careful as this might brick your console if you try weird commands!
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
