Syscon Hardware: Difference between revisions

From PS4 Developer wiki
 
(26 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Syscon is, together with Aeolia, one of the main chips responsible for taking care of the functioning of APU, peripherals, etc.
Syscon is, together with [[Southbridge]], one of the main chips responsible for taking care of the functioning of APU, peripherals, etc.
It is actually internally codenamed '''Colwick''' on the ps4 and the chip's structure is the same as one of a Renesas RL78.
 
PS4 Syscon is codenamed '''Colwick'''. It is a custom Renesas RL78/G13.
 
= Hardware revisions =
 
{| class="wikitable"
! Production Start Date (<=) || PS2 Mechacon !! PSP Syscon !! PS3 Syscon !! PS Vita Syscon !! PS4 Syscon !! Used IC/CPU Core
|-
| <abbr title="CVN-001, SAA-001, SAB-001">07/2013</abbr> || - || - ||- || - || COL || Renesas R5F100PL (RL78/G13, 100 pin)
|-
| <abbr title="SAC-001, SAD-001, SAD-002, SAD-003, SAE-001, SAE-002, SAE-003, SAE-004, HAC-001, NVA-001, NVB-003, NVB-004, NVG-001, NVG-002">04/2015</abbr> || - || - ||- || - || COL2 || Renesas R5F101LL (RL78/G13, 64 pin)
|}
 
= Pictures =
 
* [http://www.gigapan.com/gigapans/198672]


= Memory Layout =
= Memory Layout =
* TODO
 
{| class="wikitable sortable"
|-
! Offset !! Size !! Description !! Notes
|-
| 0x00000 || 0x20000 || Code Flash Area ||
|-
| 0x20000 || 0xD0000 || Reserved || OCDROM is here
|-
| 0xF0000 || 0x800 || Special Function Registers 2 ||
|-
| 0xF0800 || 0x800 || Reserved (bootloader RAM) ||
|-
| 0xF1000 || 0x1000 || Data Flash Area ||
|-
| 0xF2000 || 0xCF00 || Mirror || Mirror of a portion of Code Flash Area
|-
| 0xFEF00 || 0xFE0 || RAM || Stack is usually at 0xFFE00.
|-
| 0xFFEE0 || 0x20 || General-Purpose Registers ||
|-
| 0xFFF00 || 0x100 || Special Function Registers ||
|}


= Commands =
= Commands =
{| class="wikitable sortable"
{| class="wikitable sortable"
|-
|-
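Review bot: The Mirror row in the new Memory Layout table (0xF2000, size 0xCF00) says only "Mirror of a portion of Code Flash Area" and never states which code-flash range is mirrored; add the source offsets to the Notes column so the map can be used to translate addresses. Two smaller points in the same hunk: the Pictures entry is a bare external link with no label, so it renders as a numbered reference with no description, and the Hardware revisions table carries four columns (PS2 Mechacon to PS Vita Syscon) that hold "-" in every row and could be dropped on this page.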
Line 18: Line 56:
| 0x22 || Block Erase || Erases a specified area in the flash memory. ||
| 0x22 || Block Erase || Erases a specified area in the flash memory. ||
|-
|-
| 0x40 || Programming || Writes data to a specified area in the flash memory.||
| 0x40 || Programming || Writes data to a specified area in the flash memory. ||
|-
| 0x13 || Verify || Compares the contents in a specified area in the flash memory with data transmitted from the programmer.||
|-
|-
| 0x32 || Block Blank Check || Checks the erase status of a specified block in the flash memory.||
| 0x13 || Verify || Compares the contents in a specified area in the flash memory with data transmitted from the programmer. ||
|-
|-
| 0xC0 || Silicon Signature || Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.).||
| 0x32 || Block Blank Check || Checks the erase status of a specified block in the flash memory. ||
|-
|-
| 0xC5 || Version Get || Acquires version information of the 78K0R/Kx3 and firmware.||
| 0xC0 || Silicon Signature || Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.). ||
|-
|-
| 0xB0 || Checksum || Acquires checksum data of a specified area.||
| 0xC5 || Version Get || Acquires version information of the 78K0R/Kx3 and firmware. ||
|-
|-
| 0xA0 || Security Set || Sets security information.||
| 0xB0 || Checksum || Acquires checksum data of a specified area. ||
|-
|-
| 0xA0 || Security Set || Sets security information. ||
|}
|}


= Statuses =
= Statuses =
{| class="wikitable sortable"
{| class="wikitable sortable"
|-
|-
! Command ID !! Name !! Description !! Notes
! Command ID !! Name !! Description !! Notes
|-
|-
| 04|| Command number error|| Error returned if a command not supported is received ||
| 0x04 || Command number error || Error returned if a command not supported is received ||
|-
|-
| 05|| Parameter error|| Error returned if command information (parameter) is invalid ||
| 0x05 || Parameter error || Error returned if command information (parameter) is invalid ||
|-
|-
| 06|| Normal acknowledgment (ACK) || Normal acknowledgment ||
| 0x06 || Normal acknowledgment (ACK) || Normal acknowledgment ||
|-
|-
| 07|| Checksum error|| Error returned if data in a frame transmitted from the programmer is abnormal ||
| 0x07 || Checksum error || Error returned if data in a frame transmitted from the programmer is abnormal ||
|-
|-
| 0F|| Verify error|| Error returned if a verify error has occurred upon verifying data transmitted from the programmer ||
| 0x0F || Verify error || Error returned if a verify error has occurred upon verifying data transmitted from the programmer ||
|-
|-
| 10|| Protect error|| Error returned if an attempt is made to execute processing that is prohibited by the Security Set command ||
| 0x10 || Protect error || Error returned if an attempt is made to execute processing that is prohibited by the Security Set command ||
|-
|-
| 15|| Negative acknowledgment (NACK) || Negative acknowledgment
| 0x15 || Negative acknowledgment (NACK) || Negative acknowledgment
|-
|-
| 1A|| MRG10 error || Erase verify error ||
| 0x1A || MRG10 error || Erase verify error ||
|-
|-
| 1B|| MRG11 error || Internal verify error or blank check error during data write ||
| 0x1B || MRG11 error || Internal verify error or blank check error during data write ||
|-
|-
| 1C|| Write error || Write error ||
| 0x1C || Write error || Write error ||
|-
| FF||  Processing in progress (BUSY) || Busy response ||
|-
|-
| 0xFF || Processing in progress (BUSY) || Busy response ||
|}
|}
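Review bot: The Statuses table header still labels its first column "Command ID" although every value in it is a status code; rename the column while the codes are being given their 0x prefix. In the same table the 0x15 NACK row ends after "Negative acknowledgment" without the trailing "||" Notes cell that every other row has, so the row is one cell short. In the Commands table, Silicon Signature and Version Get still describe the part as 78K0R/Kx3 while the page intro identifies the chip as an RL78/G13; say whether these descriptions are quoted from 78K0R protocol documentation or should name the RL78.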


Line 70: Line 107:


* STX | LEN | DAT | SUM | ETX/ETB
* STX | LEN | DAT | SUM | ETX/ETB
= Description of each symbol =
{| class="wikitable sortable"
|-
! Name !! Description !! Notes
|-
| SOH || Start of OH - Command Frame Header || 0x01 Always
|-
| STX || Start of TX -  Data Frame Header || 0x02 Always
|-
| LEN || LENgth - Length of info || In Command frame: length of COM + command info length / In Data frame: Data info length
|-
| COM || COMmand - Command number ||
|-
| SUM || checkSUM - Checksum || checksum of command (initial byte (0x00) - LEN - COM - INFO ) / (initial byte (0x00) - LEN - DAT)
|-
| ETB || End of TB - Data frame footer || 0x17 Always
|-
| ETX || End of TX - Command frame footer || 0x03 Always
|-
|}
= Pinout =
== 64-pin ==
{| class="wikitable"
|-
! Pin
! Description
! Notes
|-
| 1
| P120/ANI19
| power switch (USBHUB)
|-
| 2
| P43
| APU-RESET#
|-
| 3
| P42/TI04/TO04
| (HDR-A SPI-CS)
|-
| 4
| P41/TI07/TO07
| power switch (PSU-7)
|-
| 5
| P40/TOOL0
| -> HDR-A pin 22 (open circuit between pin and header)
|-
| 6
| RESET
| -> HDR-A pin 24
|-
| 7
| P124/XT2/EXCLKS
| pulldown?
|-
| 8
| P123/XT1
| power switch (PSU-5)
|-
| 9
| P137/INTP0
| testpoint?
|-
| 10
| P122/X2/EXCLK
| -> HDR-A pin 28 (4bit input-only, port 12)
|-
| 11
| P121/X1
| -> HDR-A pin 29 (4bit input-only, port 12)
|-
| 12
| REGC
| cap to GND
|-
| 13
| V SS
| GND
|-
| 14
| EVSS0
| GND
|-
| 15
| VDD
| Vcc
|-
| 16
| EVDD0
| Vcc
|-
| 17
| P60/SCLA0
| APU i2c dev 0xba
|-
| 18
| P61/SDAA0
| APU i2c dev 0xba
|-
| 19
| P62
| APU i2c dev 0x78/0x98
|-
| 20
| P63
| APU i2c dev 0x78/0x98
|-
| 21
| P31/TI03/TO03/INTP4/(PCLBUZ0)
| FAN-CTL
|-
| 22
| P77/KR7/INTP11/(TxD2)
| pulldown
|-
| 23
| P76/KR6/INTP10/(RxD2)
| N/A
|-
| 24
| P75/KR5/INTP9/SCK01/SCL01
| APU?
|-
| 25
| P74/KR4/INTP8/SI01/SDA01
| N/A
|-
| 26
| P73/KR3/SO01
| power switch (USBBRIDGE + HDD)
|-
| 27
| P72/KR2/SO21
| -> HDR-A pin 12 (HDR-A SPI-SO)
|-
| 28
| P71/KR1/SI21/SDA21
| (HDR-A SPI-SI)
|-
| 29
| P70/KR0/SCK21/SCL21
| -> HDR-A pin 10 (HDR-A SPI-CLK)
|-
| 30
| P06/TI06/TO06
| power switch (PSU-1)
|-
| 31
| P05/TI05/TO05
| N/A
|-
| 32
| P30/INTP3/RTC1HZ/SCK11/SCL11
| NC testpoint
|-
| 33
| P50/INTP1/SI11/SDA11
| power switch (SB-1 + SB-2 + DDR3)
|-
| 34
| P51/INTP2/SO11
| power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB)
|-
| 35
| P52/(INTP10)
| testpoint?
|-
| 36
| P53/(INTP11)
| VR-SM_CLK
|-
| 37
| P54
| N/A
|-
| 38
| P55/(PCLBUZ1)/(SCK00)
| power switch (APU-2)
|-
| 39
| P17/TI02/TO02/(SO00)/(TxD0)
| N/A
|-
| 40
| P16/TI01/TO01/INTP5/(SI00)/(RxD0)
| SB-TP0 looks like SB -> SC interrupt line (INTP5)
|-
| 41
| P15/SCK20/SCL20/(TI02)/(TO02)
| SB-TP1 (SPI-CLK)
|-
| 42
| P14/RxD2/SI20/SDA20/(SCLA0)/(TI03)/(TO03)
| SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere
|-
| 43
| P13/TxD2/SO20/(SDAA0)/(TI04)/(TO04)
| SB-TP3 (SPI-SO)
|-
| 44
| P12/SO00/TxD0/TOOLTxD/(INTP5)/(TI05)/(TO05)
| -> HDR-A pin 15 (SC ucmd UART)
|-
| 45
| P11/SI00/RxD0/TOOLRxD/SDA00/(TI06)/(TO06)
| -> HDR-A pin 16 (SC ucmd UART)
|-
| 46
| P10/SCK00/SCL00/(TI07)/(TO07)
| SB-TP4 (SPI-CS)
|-
| 47
| P146
| NC
|-
| 48
| P147/ANI18
| power switch (HDMI-1)
|-
| 49
| P27/ANI7
| NC testpoint
|-
| 50
| P26/ANI6
| STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock)
|-
| 51
| P25/ANI5
| STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#)
|-
| 52
| P24/ANI4
| pulldown?
|-
| 53
| P23/ANI3
| pulldown?
|-
| 54
| P22/ANI2
| N/A
|-
| 55
| P21/ANI1/AVREFM
| NC testpoint
|-
| 56
| P20/ANI0/AVREFP
| N/A
|-
| 57
| P130
| power switch (PSU-6) (P130 is tied to sc-internal RESET)
|-
| 58
| P04/SCK10/SCL10
| i2c (PCIe clockgen smbus?)
|-
| 59
| P03/ANI16/SI10/RxD1/SDA10
| -> HDR-F pin 1 (i2c (PCIe clockgen smbus?))
|-
| 60
| P02/ANI17/SO10/TxD1
| -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?)
|-
| 61
| P01/TO00
| N/A
|-
| 62
| P00/TI00
| N/A
|-
| 63
| P141/PCLBUZ1/INTP7
| VR-VRDY1
|-
| 64
| P140/PCLBUZ0/INTP6
| VR-VRDY2
|}
== 100-pin ==
{| class="wikitable sortable"
|-
! Name !! Description !! Notes
|-
|  1    || P142        ||
|-
|  2    || P141        || VR-VRDY1
|-
|  3    || P140        || VR-VRDY2
|-
|  4    || P120        || power switch (USBHUB)
|-
|  5    || P47        || VR-VRHOT_ICRIT
|-
|  6    || P46        || power switch (BUZZER)
|-
|  7    || P45        || NC
|-
|  8    || P44        || VR-PWROK + APU-PWROK
|-
|  9    || P43        || APU-RESET#
|-
| 10    || P42        || (HDR-A SPI-CS)
|-
| 11    || P41        || power switch (PSU-7)
|-
| 12    || P40        || TOOL0 -> HDR-A pin 22 (open circuit between pin and header)
|-
| 13    || RESET#    || -> HDR-A pin 24
|-
| 14    || P124        || pulldown?
|-
| 15    || P123        || power switch (PSU-5)
|-
| 16    || P137        || testpoint?
|-
| 17    || P122        || -> HDR-A pin 28 (4bit input-only, port 12)
|-
| 18    || P121        || -> HDR-A pin 29 (4bit input-only, port 12)
|-
| 19    || REGC        || cap to GND
|-
| 20    || Vss        || GND
|-
| 21    || EVss0      || GND
|-
| 22    || Vdd        || Vcc
|-
| 23    || EVdd0      || == pin 22
|-
| 24    || P60        || APU i2c dev 0xba
|-
| 25    || P61        || APU i2c dev 0xba
|-
| 26    || P62        || APU i2c dev 0x78/0x98
|-
| 27    || P63        || APU i2c dev 0x78/0x98
|-
| 28    || P31        || FAN-CTL
|-
| 29    || P64        || power switch (HDMI-0 + APU-4)
|-
| 30    || P65        || LED
|-
| 31    || P66        || LED
|-
| 32    || P67        || LED
|-
| 33    || P77        || pulldown
|-
| 34    || P76        ||
|-
| 35    || P75        || APU?
|-
| 36    || P74        ||
|-
| 37    || P73        || power switch (USBBRIDGE + HDD)
|-
| 38    || P72        || -> HDR-A pin 12 (HDR-A SPI-SO)
|-
| 39    || P71        || (HDR-A SPI-SI)
|-
| 40    || P70        || -> HDR-A pin 10 (HDR-A SPI-CLK)
|-
| 41    || P06        || power switch (PSU-1)
|-
| 42    || P05        ||
|-
| 43    || EVss1      || GND
|-
| 44    || P80        || STM8-PWR pin 7 (NRST)
|-
| 45    || P81        || NC testpoint
|-
| 46    || P82        || LED
|-
| 47    || P83        || power switch(PSU-4)
|-
| 48    || P84        || pulldown?
|-
| 49    || P85        || power switch (PSU-2)
|-
| 50    || P86        || power switch (APU-0) + PSW-APU-3 pin 3
|-
| 51    || P87        || VR-EN + power switch (APU-1)
|-
| 52    || P30        || NC testpoint
|-
| 53    || EVdd1      || Vcc
|-
| 54    || P50        || power switch (SB-1 + SB-2 + DDR3)
|-
| 55    || P51        || power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB)
|-
| 56    || P52        || testpoint?
|-
| 57    || P53        || VR-SM_CLK
|-
| 58    || P54        || VR-SM_DIO
|-
| 59    || P55        || power switch (APU-2)
|-
| 60    || P56        ||
|-
| 61    || P57        ||
|-
| 62    || P17        ||
|-
| 63    || P16        || SB-TP0 looks like SB -> SC interrupt line (INTP5)
|-
| 64    || P15        || SB-TP1 (SPI-CLK)
|-
| 65    || P14        || SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere
|-
| 66    || P13        || SB-TP3 (SPI-SO)
|-
| 67    || P12        || -> HDR-A pin 15 (SC ucmd UART)
|-
| 68    || P11        || -> HDR-A pin 16 (SC ucmd UART)
|-
| 69    || P10        || SB-TP4 (SPI-CS)
|-
| 70    || P101        || power switch (VR)
|-
| 71    || P110        ||
|-
| 72    || P111        ||
|-
| 73    || P146        || NC
|-
| 74    || P147        || power switch (HDMI-1)
|-
| 75    || P100        || power switch (PSU-0)
|-
| 76    || P156        || pulldown?
|-
| 77    || P155        || pulldown?
|-
| 78    || P154        || PSW-APU-2 pin 1 + PSW-APU-3 pin 1
|-
| 79    || P153        || -> HDR-G pin 11
|-
| 80    || P152        || -> HDR-G pin 15
|-
| 81    || P151        || power switch (PSU-3)
|-
| 82    || P150        || Wi-Fi reset?
|-
| 83    || P27        || NC testpoint
|-
| 84    || P26        || STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock)
|-
| 85    || P25        || STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#)
|-
| 86    || P24        || pulldown?
|-
| 87    || P23        || pulldown?
|-
| 88    || P22        ||
|-
| 89    || P21        || NC testpoint
|-
| 90    || P20        ||
|-
| 91    || P130        || power switch (PSU-6) (P130 is tied to sc-internal RESET)
|-
| 92    || P102        ||
|-
| 93    || P04        || i2c ([[PCIe]] clockgen smbus?)
|-
| 94    || P03        || -> HDR-F pin 1 (i2c ([[PCIe]] clockgen smbus?))
|-
| 95    || P02        || -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?)
|-
| 96    || P01        ||
|-
| 97    || P00        ||
|-
| 98    || P145        ||
|-
| 99    || P144        ||
|-
| 100    || P143        ||
|-
|}
= Glitching, Dumping & Flashing =
== Method 1 ==
Based on the attack outlined by Fail0verflow [https://fail0verflow.com/blog/2018/ps4-syscon] '''Wildcard''' designed the following glitch using a Teensy: [https://github.com/VV1LD/SYSGLITCH].
Using '''Wildcard''''s shellcode but using a different methodology on his GitHub, you can copy the original Syscon and dump it to a new Renesas chip with comparatively greater ease. '''Guide available on BwE's GitHub.'''
You can also flash to the original SCE syscon using a different shellcode but this is a commercial product sold by [[User:BwE]].
== Method 2 ==
See Abkarino's publications.
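Review bot: The SUM row in "Description of each symbol" writes the checksum as "initial byte (0x00) - LEN - COM - INFO", where the dashes can be read either as separators or as subtraction; state the operation and the byte width explicitly so a frame can be checked from the table alone. Elsewhere in the hunk, the 100-pin table heads its first column "Name" although it holds pin numbers (the 64-pin table uses "Pin"), the P02 row in both pinout tables still carries the unresolved "XXX did I fuckup the HDR-F mapping here?" note, and "Guide available on BwE's GitHub" and "See Abkarino's publications" name sources without linking them.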

Latest revision as of 01:08, 10 July 2023

Syscon is, together with the Southbridge, one of the main chips responsible for the functioning of the APU, peripherals, etc.

PS4 Syscon is codenamed Colwick. It is a custom Renesas RL78/G13.

Hardware revisions

{| class="wikitable"
! Production Start Date (<=) !! PS2 Mechacon !! PSP Syscon !! PS3 Syscon !! PS Vita Syscon !! PS4 Syscon !! Used IC/CPU Core
|-
| 07/2013 || - || - || - || - || COL || Renesas R5F100PL (RL78/G13, 100 pin)
|-
| 04/2015 || - || - || - || - || COL2 || Renesas R5F101LL (RL78/G13, 64 pin)
|}

Pictures

  • http://www.gigapan.com/gigapans/198672

Memory Layout

{| class="wikitable sortable"
|-
! Offset !! Size !! Description !! Notes
|-
| 0x00000 || 0x20000 || Code Flash Area ||
|-
| 0x20000 || 0xD0000 || Reserved || OCDROM is here
|-
| 0xF0000 || 0x800 || Special Function Registers 2 ||
|-
| 0xF0800 || 0x800 || Reserved (bootloader RAM) ||
|-
| 0xF1000 || 0x1000 || Data Flash Area ||
|-
| 0xF2000 || 0xCF00 || Mirror || Mirror of a portion of Code Flash Area
|-
| 0xFEF00 || 0xFE0 || RAM || Stack is usually at 0xFFE00.
|-
| 0xFFEE0 || 0x20 || General-Purpose Registers ||
|-
| 0xFFF00 || 0x100 || Special Function Registers ||
|}

Commands

{| class="wikitable sortable"
|-
! Command ID !! Name !! Description !! Notes
|-
| 0x00 || Reset || Detects synchronization in communication ||
|-
| 0x9A || Baud Rate Set || Sets the baud rate for single-wire UART. ||
|-
| 0x20 || Chip Erase || Erases the entire flash memory area. ||
|-
| 0x22 || Block Erase || Erases a specified area in the flash memory. ||
|-
| 0x40 || Programming || Writes data to a specified area in the flash memory. ||
|-
| 0x13 || Verify || Compares the contents in a specified area in the flash memory with data transmitted from the programmer. ||
|-
| 0x32 || Block Blank Check || Checks the erase status of a specified block in the flash memory. ||
|-
| 0xC0 || Silicon Signature || Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.). ||
|-
| 0xC5 || Version Get || Acquires version information of the 78K0R/Kx3 and firmware. ||
|-
| 0xB0 || Checksum || Acquires checksum data of a specified area. ||
|-
| 0xA0 || Security Set || Sets security information. ||
|}

Statuses

{| class="wikitable sortable"
|-
! Status code !! Name !! Description !! Notes
|-
| 0x04 || Command number error || Error returned if a command not supported is received ||
|-
| 0x05 || Parameter error || Error returned if command information (parameter) is invalid ||
|-
| 0x06 || Normal acknowledgment (ACK) || Normal acknowledgment ||
|-
| 0x07 || Checksum error || Error returned if data in a frame transmitted from the programmer is abnormal ||
|-
| 0x0F || Verify error || Error returned if a verify error has occurred upon verifying data transmitted from the programmer ||
|-
| 0x10 || Protect error || Error returned if an attempt is made to execute processing that is prohibited by the Security Set command ||
|-
| 0x15 || Negative acknowledgment (NACK) || Negative acknowledgment ||
|-
| 0x1A || MRG10 error || Erase verify error ||
|-
| 0x1B || MRG11 error || Internal verify error or blank check error during data write ||
|-
| 0x1C || Write error || Write error ||
|-
| 0xFF || Processing in progress (BUSY) || Busy response ||
|}

Command Frame Format

  • SOH | LEN | COM | INFO | SUM | ETX

Data Frame Format

  • STX | LEN | DAT | SUM | ETX/ETB

Description of each symbol

{| class="wikitable sortable"
|-
! Name !! Description !! Notes
|-
| SOH || Start of OH - Command Frame Header || 0x01 Always
|-
| STX || Start of TX - Data Frame Header || 0x02 Always
|-
| LEN || LENgth - Length of info || In Command frame: length of COM + command info length / In Data frame: Data info length
|-
| COM || COMmand - Command number ||
|-
| SUM || checkSUM - Checksum || checksum of command (initial byte (0x00) - LEN - COM - INFO) / (initial byte (0x00) - LEN - DAT)
|-
| ETB || End of TB - Data frame footer || 0x17 Always
|-
| ETX || End of TX - Command frame footer || 0x03 Always
|}
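
The two frame layouts and the SUM rule from the tables above, as an added Python example (not code from the wiki or from any tool it links) that builds frames and validates captured ones before decoding them. It reads the SUM rule as byte-wise subtraction modulo 256, and it assumes LEN values 1 to 255 only, that status codes arrive as the DAT field of a data frame, and that ETB marks a data frame followed by another; the sample frames are constructed.

```python
# Added example, not from the wiki: build and validate the two frame layouts.
SOH, STX, ETB, ETX = 0x01, 0x02, 0x17, 0x03   # header/footer bytes from the table

COMMANDS = {0x00: "Reset", 0x9A: "Baud Rate Set", 0x20: "Chip Erase",
            0x22: "Block Erase", 0x40: "Programming", 0x13: "Verify",
            0x32: "Block Blank Check", 0xC0: "Silicon Signature",
            0xC5: "Version Get", 0xB0: "Checksum", 0xA0: "Security Set"}

STATUSES = {0x04: "Command number error", 0x05: "Parameter error",
            0x06: "ACK", 0x07: "Checksum error", 0x0F: "Verify error",
            0x10: "Protect error", 0x15: "NACK", 0x1A: "MRG10 error",
            0x1B: "MRG11 error", 0x1C: "Write error", 0xFF: "BUSY"}


def checksum(body: bytes) -> int:
    """SUM: start at 0x00 and subtract LEN and every following byte, modulo 256."""
    total = 0x00
    for byte in body:
        total = (total - byte) & 0xFF
    return total


def _frame(head: int, payload: bytes, tail: int) -> bytes:
    if not 1 <= len(payload) <= 0xFF:      # assumption: LEN 0 is not handled here
        raise ValueError("payload must be 1..255 bytes")
    body = bytes([len(payload)]) + payload
    return bytes([head]) + body + bytes([checksum(body), tail])


def build_command(com: int, info: bytes = b"") -> bytes:
    """SOH | LEN | COM | INFO | SUM | ETX, with LEN = 1 + len(INFO)."""
    return _frame(SOH, bytes([com]) + info, ETX)


def build_data(dat: bytes, last: bool = True) -> bytes:
    """STX | LEN | DAT | SUM | ETX/ETB (assumption: ETB means more frames follow)."""
    return _frame(STX, dat, ETX if last else ETB)


def parse_frame(raw: bytes) -> dict:
    """Check header, LEN, SUM and footer of one captured frame, then decode it."""
    if len(raw) < 5 or raw[0] not in (SOH, STX):
        raise ValueError("not a command or data frame")
    length = raw[1]
    if length == 0 or len(raw) != length + 4:
        raise ValueError("LEN does not match the frame size")
    payload, total, tail = raw[2:2 + length], raw[-2], raw[-1]
    if checksum(raw[1:2 + length]) != total:
        raise ValueError("checksum mismatch")
    if raw[0] == SOH:
        if tail != ETX:
            raise ValueError("command frame must end with ETX")
        return {"kind": "command", "com": payload[0],
                "name": COMMANDS.get(payload[0], "unknown"), "info": payload[1:]}
    if tail not in (ETX, ETB):
        raise ValueError("data frame must end with ETX or ETB")
    return {"kind": "data", "dat": payload, "last": tail == ETX}


def status_names(dat: bytes) -> list:
    """Name each status byte (assumption: statuses are the DAT of a data frame)."""
    return [STATUSES.get(b, f"unknown 0x{b:02X}") for b in dat]


if __name__ == "__main__":
    for raw in (build_command(0xC0), bytes.fromhex("020106f903")):  # constructed
        print(raw.hex(" "), parse_frame(raw))
```
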

Pinout

64-pin

{| class="wikitable"
|-
! Pin !! Description !! Notes
|-
| 1 || P120/ANI19 || power switch (USBHUB)
|-
| 2 || P43 || APU-RESET#
|-
| 3 || P42/TI04/TO04 || (HDR-A SPI-CS)
|-
| 4 || P41/TI07/TO07 || power switch (PSU-7)
|-
| 5 || P40/TOOL0 || -> HDR-A pin 22 (open circuit between pin and header)
|-
| 6 || RESET || -> HDR-A pin 24
|-
| 7 || P124/XT2/EXCLKS || pulldown?
|-
| 8 || P123/XT1 || power switch (PSU-5)
|-
| 9 || P137/INTP0 || testpoint?
|-
| 10 || P122/X2/EXCLK || -> HDR-A pin 28 (4bit input-only, port 12)
|-
| 11 || P121/X1 || -> HDR-A pin 29 (4bit input-only, port 12)
|-
| 12 || REGC || cap to GND
|-
| 13 || VSS || GND
|-
| 14 || EVSS0 || GND
|-
| 15 || VDD || Vcc
|-
| 16 || EVDD0 || Vcc
|-
| 17 || P60/SCLA0 || APU i2c dev 0xba
|-
| 18 || P61/SDAA0 || APU i2c dev 0xba
|-
| 19 || P62 || APU i2c dev 0x78/0x98
|-
| 20 || P63 || APU i2c dev 0x78/0x98
|-
| 21 || P31/TI03/TO03/INTP4/(PCLBUZ0) || FAN-CTL
|-
| 22 || P77/KR7/INTP11/(TxD2) || pulldown
|-
| 23 || P76/KR6/INTP10/(RxD2) || N/A
|-
| 24 || P75/KR5/INTP9/SCK01/SCL01 || APU?
|-
| 25 || P74/KR4/INTP8/SI01/SDA01 || N/A
|-
| 26 || P73/KR3/SO01 || power switch (USBBRIDGE + HDD)
|-
| 27 || P72/KR2/SO21 || -> HDR-A pin 12 (HDR-A SPI-SO)
|-
| 28 || P71/KR1/SI21/SDA21 || (HDR-A SPI-SI)
|-
| 29 || P70/KR0/SCK21/SCL21 || -> HDR-A pin 10 (HDR-A SPI-CLK)
|-
| 30 || P06/TI06/TO06 || power switch (PSU-1)
|-
| 31 || P05/TI05/TO05 || N/A
|-
| 32 || P30/INTP3/RTC1HZ/SCK11/SCL11 || NC testpoint
|-
| 33 || P50/INTP1/SI11/SDA11 || power switch (SB-1 + SB-2 + DDR3)
|-
| 34 || P51/INTP2/SO11 || power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB)
|-
| 35 || P52/(INTP10) || testpoint?
|-
| 36 || P53/(INTP11) || VR-SM_CLK
|-
| 37 || P54 || N/A
|-
| 38 || P55/(PCLBUZ1)/(SCK00) || power switch (APU-2)
|-
| 39 || P17/TI02/TO02/(SO00)/(TxD0) || N/A
|-
| 40 || P16/TI01/TO01/INTP5/(SI00)/(RxD0) || SB-TP0 looks like SB -> SC interrupt line (INTP5)
|-
| 41 || P15/SCK20/SCL20/(TI02)/(TO02) || SB-TP1 (SPI-CLK)
|-
| 42 || P14/RxD2/SI20/SDA20/(SCLA0)/(TI03)/(TO03) || SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere
|-
| 43 || P13/TxD2/SO20/(SDAA0)/(TI04)/(TO04) || SB-TP3 (SPI-SO)
|-
| 44 || P12/SO00/TxD0/TOOLTxD/(INTP5)/(TI05)/(TO05) || -> HDR-A pin 15 (SC ucmd UART)
|-
| 45 || P11/SI00/RxD0/TOOLRxD/SDA00/(TI06)/(TO06) || -> HDR-A pin 16 (SC ucmd UART)
|-
| 46 || P10/SCK00/SCL00/(TI07)/(TO07) || SB-TP4 (SPI-CS)
|-
| 47 || P146 || NC
|-
| 48 || P147/ANI18 || power switch (HDMI-1)
|-
| 49 || P27/ANI7 || NC testpoint
|-
| 50 || P26/ANI6 || STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock)
|-
| 51 || P25/ANI5 || STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#)
|-
| 52 || P24/ANI4 || pulldown?
|-
| 53 || P23/ANI3 || pulldown?
|-
| 54 || P22/ANI2 || N/A
|-
| 55 || P21/ANI1/AVREFM || NC testpoint
|-
| 56 || P20/ANI0/AVREFP || N/A
|-
| 57 || P130 || power switch (PSU-6) (P130 is tied to sc-internal RESET)
|-
| 58 || P04/SCK10/SCL10 || i2c (PCIe clockgen smbus?)
|-
| 59 || P03/ANI16/SI10/RxD1/SDA10 || -> HDR-F pin 1 (i2c (PCIe clockgen smbus?))
|-
| 60 || P02/ANI17/SO10/TxD1 || -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?)
|-
| 61 || P01/TO00 || N/A
|-
| 62 || P00/TI00 || N/A
|-
| 63 || P141/PCLBUZ1/INTP7 || VR-VRDY1
|-
| 64 || P140/PCLBUZ0/INTP6 || VR-VRDY2
|}

100-pin

{| class="wikitable sortable"
|-
! Pin !! Description !! Notes
|-
| 1 || P142 ||
|-
| 2 || P141 || VR-VRDY1
|-
| 3 || P140 || VR-VRDY2
|-
| 4 || P120 || power switch (USBHUB)
|-
| 5 || P47 || VR-VRHOT_ICRIT
|-
| 6 || P46 || power switch (BUZZER)
|-
| 7 || P45 || NC
|-
| 8 || P44 || VR-PWROK + APU-PWROK
|-
| 9 || P43 || APU-RESET#
|-
| 10 || P42 || (HDR-A SPI-CS)
|-
| 11 || P41 || power switch (PSU-7)
|-
| 12 || P40 || TOOL0 -> HDR-A pin 22 (open circuit between pin and header)
|-
| 13 || RESET# || -> HDR-A pin 24
|-
| 14 || P124 || pulldown?
|-
| 15 || P123 || power switch (PSU-5)
|-
| 16 || P137 || testpoint?
|-
| 17 || P122 || -> HDR-A pin 28 (4bit input-only, port 12)
|-
| 18 || P121 || -> HDR-A pin 29 (4bit input-only, port 12)
|-
| 19 || REGC || cap to GND
|-
| 20 || Vss || GND
|-
| 21 || EVss0 || GND
|-
| 22 || Vdd || Vcc
|-
| 23 || EVdd0 || == pin 22
|-
| 24 || P60 || APU i2c dev 0xba
|-
| 25 || P61 || APU i2c dev 0xba
|-
| 26 || P62 || APU i2c dev 0x78/0x98
|-
| 27 || P63 || APU i2c dev 0x78/0x98
|-
| 28 || P31 || FAN-CTL
|-
| 29 || P64 || power switch (HDMI-0 + APU-4)
|-
| 30 || P65 || LED
|-
| 31 || P66 || LED
|-
| 32 || P67 || LED
|-
| 33 || P77 || pulldown
|-
| 34 || P76 ||
|-
| 35 || P75 || APU?
|-
| 36 || P74 ||
|-
| 37 || P73 || power switch (USBBRIDGE + HDD)
|-
| 38 || P72 || -> HDR-A pin 12 (HDR-A SPI-SO)
|-
| 39 || P71 || (HDR-A SPI-SI)
|-
| 40 || P70 || -> HDR-A pin 10 (HDR-A SPI-CLK)
|-
| 41 || P06 || power switch (PSU-1)
|-
| 42 || P05 ||
|-
| 43 || EVss1 || GND
|-
| 44 || P80 || STM8-PWR pin 7 (NRST)
|-
| 45 || P81 || NC testpoint
|-
| 46 || P82 || LED
|-
| 47 || P83 || power switch (PSU-4)
|-
| 48 || P84 || pulldown?
|-
| 49 || P85 || power switch (PSU-2)
|-
| 50 || P86 || power switch (APU-0) + PSW-APU-3 pin 3
|-
| 51 || P87 || VR-EN + power switch (APU-1)
|-
| 52 || P30 || NC testpoint
|-
| 53 || EVdd1 || Vcc
|-
| 54 || P50 || power switch (SB-1 + SB-2 + DDR3)
|-
| 55 || P51 || power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB)
|-
| 56 || P52 || testpoint?
|-
| 57 || P53 || VR-SM_CLK
|-
| 58 || P54 || VR-SM_DIO
|-
| 59 || P55 || power switch (APU-2)
|-
| 60 || P56 ||
|-
| 61 || P57 ||
|-
| 62 || P17 ||
|-
| 63 || P16 || SB-TP0 looks like SB -> SC interrupt line (INTP5)
|-
| 64 || P15 || SB-TP1 (SPI-CLK)
|-
| 65 || P14 || SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere
|-
| 66 || P13 || SB-TP3 (SPI-SO)
|-
| 67 || P12 || -> HDR-A pin 15 (SC ucmd UART)
|-
| 68 || P11 || -> HDR-A pin 16 (SC ucmd UART)
|-
| 69 || P10 || SB-TP4 (SPI-CS)
|-
| 70 || P101 || power switch (VR)
|-
| 71 || P110 ||
|-
| 72 || P111 ||
|-
| 73 || P146 || NC
|-
| 74 || P147 || power switch (HDMI-1)
|-
| 75 || P100 || power switch (PSU-0)
|-
| 76 || P156 || pulldown?
|-
| 77 || P155 || pulldown?
|-
| 78 || P154 || PSW-APU-2 pin 1 + PSW-APU-3 pin 1
|-
| 79 || P153 || -> HDR-G pin 11
|-
| 80 || P152 || -> HDR-G pin 15
|-
| 81 || P151 || power switch (PSU-3)
|-
| 82 || P150 || Wi-Fi reset?
|-
| 83 || P27 || NC testpoint
|-
| 84 || P26 || STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock)
|-
| 85 || P25 || STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#)
|-
| 86 || P24 || pulldown?
|-
| 87 || P23 || pulldown?
|-
| 88 || P22 ||
|-
| 89 || P21 || NC testpoint
|-
| 90 || P20 ||
|-
| 91 || P130 || power switch (PSU-6) (P130 is tied to sc-internal RESET)
|-
| 92 || P102 ||
|-
| 93 || P04 || i2c (PCIe clockgen smbus?)
|-
| 94 || P03 || -> HDR-F pin 1 (i2c (PCIe clockgen smbus?))
|-
| 95 || P02 || -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?)
|-
| 96 || P01 ||
|-
| 97 || P00 ||
|-
| 98 || P145 ||
|-
| 99 || P144 ||
|-
| 100 || P143 ||
|}

Glitching, Dumping & Flashing

Method 1

Based on the attack outlined by Fail0verflow (https://fail0verflow.com/blog/2018/ps4-syscon), Wildcard designed the following glitch using a Teensy: https://github.com/VV1LD/SYSGLITCH

Using Wildcard's shellcode, but with a different methodology on his GitHub, you can copy the original Syscon and dump it to a new Renesas chip with comparatively greater ease. A guide is available on BwE's GitHub.

You can also flash to the original SCE syscon using a different shellcode, but this is a commercial product sold by User:BwE.

Method 2

See Abkarino's publications.