Syscon Hardware: Difference between revisions
Revision by CelesteBlue (27 intermediate revisions by 4 users not shown).
Latest revision as of 01:08, 10 July 2023
Syscon is, together with Southbridge, one of the main chips responsible for managing the APU, peripherals, etc.
PS4 Syscon is codenamed Colwick. It is a custom Renesas RL78/G13.
Hardware revisions
Production Start Date (<=) | PS2 Mechacon | PSP Syscon | PS3 Syscon | PS Vita Syscon | PS4 Syscon | Used IC/CPU Core |
---|---|---|---|---|---|---|
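07/2013 (CVN-001, SAA-001, SAB-001) | - | - | - | - | COL | Renesas R5F100PL (RL78/G13, 100 pin) |
04/2015 (SAC-001, SAD-001, SAD-002, SAD-003, SAE-001, SAE-002, SAE-003, SAE-004, HAC-001, NVA-001, NVB-003, NVB-004, NVG-001, NVG-002) | - | - | - | - | COL2 | Renesas R5F101LL (RL78/G13, 64 pin) |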
Pictures
- http://www.gigapan.com/gigapans/198672
Memory Layout
Offset | Size | Description | Notes |
---|---|---|---|
0x00000 | 0x20000 | Code Flash Area | |
0x20000 | 0xD0000 | Reserved | OCDROM is here |
0xF0000 | 0x800 | Special Function Registers 2 | |
0xF0800 | 0x800 | Reserved (bootloader RAM) | |
0xF1000 | 0x1000 | Data Flash Area | |
0xF2000 | 0xCF00 | Mirror | Mirror of a portion of Code Flash Area |
0xFEF00 | 0xFE0 | RAM | Stack is usually at 0xFFE00. |
0xFFEE0 | 0x20 | General-Purpose Registers | |
0xFFF00 | 0x100 | Special Function Registers | |
Commands
Command ID | Name | Description | Notes |
---|---|---|---|
0x00 | Reset | Detects synchronization in communication | |
0x9A | Baud Rate Set | Sets the baud rate for single-wire UART. | |
0x20 | Chip Erase | Erases the entire flash memory area. | |
0x22 | Block Erase | Erases a specified area in the flash memory. | |
0x40 | Programming | Writes data to a specified area in the flash memory. | |
0x13 | Verify | Compares the contents in a specified area in the flash memory with data transmitted from the programmer. | |
0x32 | Block Blank Check | Checks the erase status of a specified block in the flash memory. | |
0xC0 | Silicon Signature | Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.). | |
0xC5 | Version Get | Acquires version information of the 78K0R/Kx3 and firmware. | |
0xB0 | Checksum | Acquires checksum data of a specified area. | |
0xA0 | Security Set | Sets security information. | |
Statuses
Status code | Name | Description | Notes |
---|---|---|---|
0x04 | Command number error | Error returned if an unsupported command is received | |
0x05 | Parameter error | Error returned if command information (parameter) is invalid | |
0x06 | Normal acknowledgment (ACK) | Normal acknowledgment | |
0x07 | Checksum error | Error returned if data in a frame transmitted from the programmer is abnormal | |
0x0F | Verify error | Error returned if a verify error has occurred upon verifying data transmitted from the programmer | |
0x10 | Protect error | Error returned if an attempt is made to execute processing that is prohibited by the Security Set command | |
0x15 | Negative acknowledgment (NACK) | Negative acknowledgment | |
0x1A | MRG10 error | Erase verify error | |
0x1B | MRG11 error | Internal verify error or blank check error during data write | |
0x1C | Write error | Write error | |
0xFF | Processing in progress (BUSY) | Busy response | |
Command Frame Format
- SOH | LEN | COM | INFO | SUM | ETX
Data Frame Format
- STX | LEN | DAT | SUM | ETX/ETB
Description of each symbol
Name | Description | Notes |
---|---|---|
SOH | Start of OH - Command Frame Header | 0x01 Always |
STX | Start of TX - Data Frame Header | 0x02 Always |
LEN | LENgth - Length of info | In Command frame: length of COM + command info length / In Data frame: Data info length |
COM | COMmand - Command number | |
SUM | checkSUM - Checksum | Starts from an initial byte of 0x00 and subtracts each covered byte. Command frame: 0x00 - LEN - COM - INFO / Data frame: 0x00 - LEN - DAT |
ETB | End of TB - Data frame footer | 0x17 Always |
ETX | End of TX - Command frame footer | 0x03 Always |
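
The frame layouts and checksum rule above can be exercised with a small codec. This is an added example, not code from the wiki or from any tool it links to; the function names are hypothetical, and three points are assumptions not stated on this page: SUM keeps only the low 8 bits, a LEN of 0x00 encodes 256 bytes, and ETB marks a data frame that is followed by another one.

```python
"""Added example: codec for the command/data frame layout tabulated above."""

SOH, STX, ETB, ETX = 0x01, 0x02, 0x17, 0x03

# Status codes copied from the Statuses table on this page.
STATUS = {
    0x04: "Command number error", 0x05: "Parameter error", 0x06: "ACK",
    0x07: "Checksum error", 0x0F: "Verify error", 0x10: "Protect error",
    0x15: "NACK", 0x1A: "MRG10 error", 0x1B: "MRG11 error",
    0x1C: "Write error", 0xFF: "BUSY",
}


def checksum(body: bytes) -> int:
    """SUM = 0x00 - LEN - every body byte (COM+INFO or DAT), low 8 bits."""
    length = len(body) & 0xFF          # assumption: 256 bytes wrap to LEN 0x00
    return (0x00 - length - sum(body)) & 0xFF


def build_frame(header: int, body: bytes, last: bool = True) -> bytes:
    """Wrap body as SOH/STX | LEN | body | SUM | ETX/ETB."""
    if header not in (SOH, STX):
        raise ValueError("unknown frame header")
    if not 1 <= len(body) <= 256:
        raise ValueError("body must be 1..256 bytes")
    # Assumption: only a non-final data frame ends in ETB.
    footer = ETB if (header == STX and not last) else ETX
    return bytes([header, len(body) & 0xFF]) + body + bytes([checksum(body), footer])


def command_frame(com: int, info: bytes = b"") -> bytes:
    """Command frame: LEN counts COM plus the command information."""
    return build_frame(SOH, bytes([com]) + info)


def parse_frame(raw: bytes) -> dict:
    """Validate one complete frame and return its fields; raise ValueError if malformed."""
    if len(raw) < 5:
        raise ValueError("frame too short")
    header, length = raw[0], raw[1]
    if header not in (SOH, STX):
        raise ValueError("unknown frame header")
    n = length or 256
    if len(raw) != n + 4:
        raise ValueError("LEN does not match frame size")
    body, frame_sum, footer = raw[2:2 + n], raw[2 + n], raw[3 + n]
    allowed = (ETX,) if header == SOH else (ETX, ETB)
    if footer not in allowed:
        raise ValueError("unexpected footer byte")
    if frame_sum != checksum(body):
        raise ValueError("checksum mismatch")
    return {
        "kind": "command" if header == SOH else "data",
        "body": body,
        "last": footer == ETX,
    }


def describe_status(frame: dict) -> str:
    """Name the first DAT byte of a data frame (assumed here to carry a status code)."""
    code = frame["body"][0]
    return STATUS.get(code, f"unknown status 0x{code:02X}")


if __name__ == "__main__":
    print(command_frame(0xC0).hex())                              # Silicon Signature
    print(describe_status(parse_frame(bytes.fromhex("020106f903"))))  # constructed reply
```

Rejecting frames whose LEN, footer or SUM do not agree is what lets a logic-analyzer capture of the single-wire UART be split into frames reliably before the status codes are interpreted.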
Pinout
64-pin
Pin | Description | Notes |
---|---|---|
1 | P120/ANI19 | power switch (USBHUB) |
2 | P43 | APU-RESET# |
3 | P42/TI04/TO04 | (HDR-A SPI-CS) |
4 | P41/TI07/TO07 | power switch (PSU-7) |
5 | P40/TOOL0 | -> HDR-A pin 22 (open circuit between pin and header) |
6 | RESET | -> HDR-A pin 24 |
7 | P124/XT2/EXCLKS | pulldown? |
8 | P123/XT1 | power switch (PSU-5) |
9 | P137/INTP0 | testpoint? |
10 | P122/X2/EXCLK | -> HDR-A pin 28 (4bit input-only, port 12) |
11 | P121/X1 | -> HDR-A pin 29 (4bit input-only, port 12) |
12 | REGC | cap to GND |
13 | VSS | GND |
14 | EVSS0 | GND |
15 | VDD | Vcc |
16 | EVDD0 | Vcc |
17 | P60/SCLA0 | APU i2c dev 0xba |
18 | P61/SDAA0 | APU i2c dev 0xba |
19 | P62 | APU i2c dev 0x78/0x98 |
20 | P63 | APU i2c dev 0x78/0x98 |
21 | P31/TI03/TO03/INTP4/(PCLBUZ0) | FAN-CTL |
22 | P77/KR7/INTP11/(TxD2) | pulldown |
23 | P76/KR6/INTP10/(RxD2) | N/A |
24 | P75/KR5/INTP9/SCK01/SCL01 | APU? |
25 | P74/KR4/INTP8/SI01/SDA01 | N/A |
26 | P73/KR3/SO01 | power switch (USBBRIDGE + HDD) |
27 | P72/KR2/SO21 | -> HDR-A pin 12 (HDR-A SPI-SO) |
28 | P71/KR1/SI21/SDA21 | (HDR-A SPI-SI) |
29 | P70/KR0/SCK21/SCL21 | -> HDR-A pin 10 (HDR-A SPI-CLK) |
30 | P06/TI06/TO06 | power switch (PSU-1) |
31 | P05/TI05/TO05 | N/A |
32 | P30/INTP3/RTC1HZ/SCK11/SCL11 | NC testpoint |
33 | P50/INTP1/SI11/SDA11 | power switch (SB-1 + SB-2 + DDR3) |
34 | P51/INTP2/SO11 | power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB) |
35 | P52/(INTP10) | testpoint? |
36 | P53/(INTP11) | VR-SM_CLK |
37 | P54 | N/A |
38 | P55/(PCLBUZ1)/(SCK00) | power switch (APU-2) |
39 | P17/TI02/TO02/(SO00)/(TxD0) | N/A |
40 | P16/TI01/TO01/INTP5/(SI00)/(RxD0) | SB-TP0 looks like SB -> SC interrupt line (INTP5) |
41 | P15/SCK20/SCL20/(TI02)/(TO02) | SB-TP1 (SPI-CLK) |
42 | P14/RxD2/SI20/SDA20/(SCLA0)/(TI03)/(TO03) | SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere |
43 | P13/TxD2/SO20/(SDAA0)/(TI04)/(TO04) | SB-TP3 (SPI-SO) |
44 | P12/SO00/TxD0/TOOLTxD/(INTP5)/(TI05)/(TO05) | -> HDR-A pin 15 (SC ucmd UART) |
45 | P11/SI00/RxD0/TOOLRxD/SDA00/(TI06)/(TO06) | -> HDR-A pin 16 (SC ucmd UART) |
46 | P10/SCK00/SCL00/(TI07)/(TO07) | SB-TP4 (SPI-CS) |
47 | P146 | NC |
48 | P147/ANI18 | power switch (HDMI-1) |
49 | P27/ANI7 | NC testpoint |
50 | P26/ANI6 | STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock) |
51 | P25/ANI5 | STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#) |
52 | P24/ANI4 | pulldown? |
53 | P23/ANI3 | pulldown? |
54 | P22/ANI2 | N/A |
55 | P21/ANI1/AVREFM | NC testpoint |
56 | P20/ANI0/AVREFP | N/A |
57 | P130 | power switch (PSU-6) (P130 is tied to sc-internal RESET) |
58 | P04/SCK10/SCL10 | i2c (PCIe clockgen smbus?) |
59 | P03/ANI16/SI10/RxD1/SDA10 | -> HDR-F pin 1 (i2c (PCIe clockgen smbus?)) |
60 | P02/ANI17/SO10/TxD1 | -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?) |
61 | P01/TO00 | N/A |
62 | P00/TI00 | N/A |
63 | P141/PCLBUZ1/INTP7 | VR-VRDY1 |
64 | P140/PCLBUZ0/INTP6 | VR-VRDY2 |
100-pin
Pin | Description | Notes |
---|---|---|
1 | P142 | |
2 | P141 | VR-VRDY1 |
3 | P140 | VR-VRDY2 |
4 | P120 | power switch (USBHUB) |
5 | P47 | VR-VRHOT_ICRIT |
6 | P46 | power switch (BUZZER) |
7 | P45 | NC |
8 | P44 | VR-PWROK + APU-PWROK |
9 | P43 | APU-RESET# |
10 | P42 | (HDR-A SPI-CS) |
11 | P41 | power switch (PSU-7) |
12 | P40 | TOOL0 -> HDR-A pin 22 (open circuit between pin and header) |
13 | RESET# | -> HDR-A pin 24 |
14 | P124 | pulldown? |
15 | P123 | power switch (PSU-5) |
16 | P137 | testpoint? |
17 | P122 | -> HDR-A pin 28 (4bit input-only, port 12) |
18 | P121 | -> HDR-A pin 29 (4bit input-only, port 12) |
19 | REGC | cap to GND |
20 | Vss | GND |
21 | EVss0 | GND |
22 | Vdd | Vcc |
23 | EVdd0 | == pin 22 |
24 | P60 | APU i2c dev 0xba |
25 | P61 | APU i2c dev 0xba |
26 | P62 | APU i2c dev 0x78/0x98 |
27 | P63 | APU i2c dev 0x78/0x98 |
28 | P31 | FAN-CTL |
29 | P64 | power switch (HDMI-0 + APU-4) |
30 | P65 | LED |
31 | P66 | LED |
32 | P67 | LED |
33 | P77 | pulldown |
34 | P76 | |
35 | P75 | APU? |
36 | P74 | |
37 | P73 | power switch (USBBRIDGE + HDD) |
38 | P72 | -> HDR-A pin 12 (HDR-A SPI-SO) |
39 | P71 | (HDR-A SPI-SI) |
40 | P70 | -> HDR-A pin 10 (HDR-A SPI-CLK) |
41 | P06 | power switch (PSU-1) |
42 | P05 | |
43 | EVss1 | GND |
44 | P80 | STM8-PWR pin 7 (NRST) |
45 | P81 | NC testpoint |
46 | P82 | LED |
47 | P83 | power switch (PSU-4) |
48 | P84 | pulldown? |
49 | P85 | power switch (PSU-2) |
50 | P86 | power switch (APU-0) + PSW-APU-3 pin 3 |
51 | P87 | VR-EN + power switch (APU-1) |
52 | P30 | NC testpoint |
53 | EVdd1 | Vcc |
54 | P50 | power switch (SB-1 + SB-2 + DDR3) |
55 | P51 | power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB) |
56 | P52 | testpoint? |
57 | P53 | VR-SM_CLK |
58 | P54 | VR-SM_DIO |
59 | P55 | power switch (APU-2) |
60 | P56 | |
61 | P57 | |
62 | P17 | |
63 | P16 | SB-TP0 looks like SB -> SC interrupt line (INTP5) |
64 | P15 | SB-TP1 (SPI-CLK) |
65 | P14 | SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere |
66 | P13 | SB-TP3 (SPI-SO) |
67 | P12 | -> HDR-A pin 15 (SC ucmd UART) |
68 | P11 | -> HDR-A pin 16 (SC ucmd UART) |
69 | P10 | SB-TP4 (SPI-CS) |
70 | P101 | power switch (VR) |
71 | P110 | |
72 | P111 | |
73 | P146 | NC |
74 | P147 | power switch (HDMI-1) |
75 | P100 | power switch (PSU-0) |
76 | P156 | pulldown? |
77 | P155 | pulldown? |
78 | P154 | PSW-APU-2 pin 1 + PSW-APU-3 pin 1 |
79 | P153 | -> HDR-G pin 11 |
80 | P152 | -> HDR-G pin 15 |
81 | P151 | power switch (PSU-3) |
82 | P150 | Wi-Fi reset? |
83 | P27 | NC testpoint |
84 | P26 | STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock) |
85 | P25 | STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#) |
86 | P24 | pulldown? |
87 | P23 | pulldown? |
88 | P22 | |
89 | P21 | NC testpoint |
90 | P20 | |
91 | P130 | power switch (PSU-6) (P130 is tied to sc-internal RESET) |
92 | P102 | |
93 | P04 | i2c (PCIe clockgen smbus?) |
94 | P03 | -> HDR-F pin 1 (i2c (PCIe clockgen smbus?)) |
95 | P02 | -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?) |
96 | P01 | |
97 | P00 | |
98 | P145 | |
99 | P144 | |
100 | P143 | |
Glitching, Dumping & Flashing
Method 1
Based on the attack outlined by Fail0verflow (https://fail0verflow.com/blog/2018/ps4-syscon), Wildcard designed the following glitch using a Teensy: https://github.com/VV1LD/SYSGLITCH.
Using Wildcard's shellcode, but with a different methodology on his GitHub, you can copy the original Syscon and dump it to a new Renesas chip with comparatively greater ease. A guide is available on BwE's GitHub.
You can also flash to the original SCE syscon using a different shellcode, but this is a commercial product sold by BwE.
Method 2
See Abkarino's publications.