Syscon Hardware: Difference between revisions

From PS4 Developer wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 15: Line 15:
| 0x00000 || 0x20000 || Code Area ||
| 0x00000 || 0x20000 || Code Area ||
|-
|-
| 0x20000 || 0xD0000 || Reserved || OCD Rom here
| 0x20000 || 0xD0000 || Reserved || OCDROM is here
|-
|-
| 0xF0000 || 0x800 || SFR Area ||
| 0xF0000 || 0x800 || SFR Area ||
Line 30: Line 30:
|-
|-
| 0xFFF00 || 0x100 || SFR 2nd Area ||
| 0xFFF00 || 0x100 || SFR 2nd Area ||
|-
|}
|}


Line 47: Line 46:
| 0x22 || Block Erase || Erases a specified area in the flash memory. ||
| 0x22 || Block Erase || Erases a specified area in the flash memory. ||
|-
|-
| 0x40 || Programming || Writes data to a specified area in the flash memory.||
| 0x40 || Programming || Writes data to a specified area in the flash memory. ||
|-
| 0x13 || Verify || Compares the contents in a specified area in the flash memory with data transmitted from the programmer.||
|-
|-
| 0x32 || Block Blank Check || Checks the erase status of a specified block in the flash memory.||
| 0x13 || Verify || Compares the contents in a specified area in the flash memory with data transmitted from the programmer. ||
|-
|-
| 0xC0 || Silicon Signature || Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.).||
| 0x32 || Block Blank Check || Checks the erase status of a specified block in the flash memory. ||
|-
|-
| 0xC5 || Version Get || Acquires version information of the 78K0R/Kx3 and firmware.||
| 0xC0 || Silicon Signature || Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.). ||
|-
|-
| 0xB0 || Checksum || Acquires checksum data of a specified area.||
| 0xC5 || Version Get || Acquires version information of the 78K0R/Kx3 and firmware. ||
|-
|-
| 0xA0 || Security Set || Sets security information.||
| 0xB0 || Checksum || Acquires checksum data of a specified area. ||
|-
|-
| 0xA0 || Security Set || Sets security information. ||
|}
|}


Line 69: Line 67:
! Command ID !! Name !! Description !! Notes
! Command ID !! Name !! Description !! Notes
|-
|-
| 0x4 || Command number error || Error returned if a command not supported is received ||
| 0x04 || Command number error || Error returned if a command not supported is received ||
|-
|-
| 0x5 || Parameter error || Error returned if command information (parameter) is invalid ||
| 0x05 || Parameter error || Error returned if command information (parameter) is invalid ||
|-
|-
| 0x6 || Normal acknowledgment (ACK) || Normal acknowledgment ||
| 0x06 || Normal acknowledgment (ACK) || Normal acknowledgment ||
|-
|-
| 0x7 || Checksum error || Error returned if data in a frame transmitted from the programmer is abnormal ||
| 0x07 || Checksum error || Error returned if data in a frame transmitted from the programmer is abnormal ||
|-
|-
| 0xF || Verify error || Error returned if a verify error has occurred upon verifying data transmitted from the programmer ||
| 0x0F || Verify error || Error returned if a verify error has occurred upon verifying data transmitted from the programmer ||
|-
|-
| 0x10 || Protect error || Error returned if an attempt is made to execute processing that is prohibited by the Security Set command ||
| 0x10 || Protect error || Error returned if an attempt is made to execute processing that is prohibited by the Security Set command ||
Line 110: Line 108:
| STX || Data Frame Header || 0x02 Always
| STX || Data Frame Header || 0x02 Always
|-
|-
| LEN || Length of info || In Command Frame: length of COM + command info length/ In Data frame: Data info length
| LEN || Length of info || In Command Frame: length of COM + command info length / In Data frame: Data info length
|-
|-
| COM || Command number ||
| COM || Command number ||
|-
|-
| SUM || Checksum || checksum of command (initial byte (0x00) - LEN - COM - INFO ) / (initial byte (0x00) - LEN - DAT)
| SUM || Checksum || checksum of command (initial byte (0x00) - LEN - COM - INFO ) / (initial byte (0x00) - LEN - DAT)
|-  
|-  
| ETB || Footer of data frame || 0x17 Always  
| ETB || Footer of data frame || 0x17 Always  
Line 134: Line 132:
|  3    || P140        || VR-VRDY2
|  3    || P140        || VR-VRDY2
|-
|-
|  4    || P120        ||power switch(USBHUB)
|  4    || P120        || power switch (USBHUB)
|-
|-
|  5    || P47        || VR-VRHOT_ICRIT
|  5    || P47        || VR-VRHOT_ICRIT
|-
|-
|  6    || P46        || power switch(BUZZER)
|  6    || P46        || power switch (BUZZER)
|-
|-
|  7    || P45        || NC
|  7    || P45        || NC
|-
|-
|  8    || P44        || VR-PWROK + APU-PWROK
|  8    || P44        || VR-PWROK + APU-PWROK
|-
|-
|  9    || P43        || APU-RESET#
|  9    || P43        || APU-RESET#
Line 148: Line 146:
| 10    || P42        || (HDR-A SPI-CS)
| 10    || P42        || (HDR-A SPI-CS)
|-
|-
| 11    || P41        || power switch(PSU-7)
| 11    || P41        || power switch (PSU-7)
|-
|-
| 12    || P40        || TOOL0 -> HDR-A pin 22 (open circuit between pin and header)
| 12    || P40        || TOOL0 -> HDR-A pin 22 (open circuit between pin and header)
Line 154: Line 152:
| 13    || RESET#    || -> HDR-A pin 24
| 13    || RESET#    || -> HDR-A pin 24
|-
|-
| 14    || P124        ||pulldown?
| 14    || P124        || pulldown?
|-
|-
| 15    || P123        ||power switch(PSU-5)
| 15    || P123        || power switch (PSU-5)
|-
|-
| 16    || P137        ||testpoint?
| 16    || P137        || testpoint?
|-
|-
| 17    || P122        ||-> HDR-A pin 28 (4bit input-only, port 12)
| 17    || P122        || -> HDR-A pin 28 (4bit input-only, port 12)
|-
|-
| 18    || P121        ||-> HDR-A pin 29 (4bit input-only, port 12)
| 18    || P121        || -> HDR-A pin 29 (4bit input-only, port 12)
|-
|-
| 19    || REGC        ||cap to GND
| 19    || REGC        || cap to GND
|-
|-
| 20    || Vss        || GND
| 20    || Vss        || GND
Line 184: Line 182:
| 28    || P31        || FAN-CTL
| 28    || P31        || FAN-CTL
|-
|-
| 29    || P64        || power switch(HDMI-0 + APU-4)
| 29    || P64        || power switch (HDMI-0 + APU-4)
|-
|-
| 30    || P65        || LED
| 30    || P65        || LED
Line 200: Line 198:
| 36    || P74        ||  
| 36    || P74        ||  
|-
|-
| 37    || P73        || power switch(USBBRIDGE + HDD)
| 37    || P73        || power switch (USBBRIDGE + HDD)
|-
|-
| 38    || P72        || -> HDR-A pin 12 (HDR-A SPI-SO)
| 38    || P72        || -> HDR-A pin 12 (HDR-A SPI-SO)
Line 224: Line 222:
| 48    || P84        || pulldown?
| 48    || P84        || pulldown?
|-
|-
| 49    || P85        || power switch(PSU-2)
| 49    || P85        || power switch (PSU-2)
|-
|-
| 50    || P86        || power switch(APU-0) + PSW-APU-3 pin 3
| 50    || P86        || power switch (APU-0) + PSW-APU-3 pin 3
|-
|-
| 51    || P87        || VR-EN + power switch(APU-1)
| 51    || P87        || VR-EN + power switch (APU-1)
|-
|-
| 52    || P30        || NC testpoint
| 52    || P30        || NC testpoint
Line 234: Line 232:
| 53    || EVdd1      || Vcc
| 53    || EVdd1      || Vcc
|-
|-
| 54    || P50        || power switch(SB-1 + SB-2 + DDR3)
| 54    || P50        || power switch (SB-1 + SB-2 + DDR3)
|-
|-
| 55    || P51        || power switch(SB-0) (6pin near wifi + 8pin between SC/SB)
| 55    || P51        || power switch (SB-0) (6pin near wifi + 8pin between SC/SB)
|-
|-
| 56    || P52        || testpoint?
| 56    || P52        || testpoint?
|-
|-
| 57    || P53        || VR-SM_CLK
| 57    || P53        || VR-SM_CLK
|-
|-
| 58    || P54        || VR-SM_DIO
| 58    || P54        || VR-SM_DIO
|-
|-
| 59    || P55        || power switch(APU-2)
| 59    || P55        || power switch (APU-2)
|-
|-
| 60    || P56        ||  
| 60    || P56        ||  
Line 266: Line 264:
| 69    || P10        || SB-TP4 (SPI-CS)
| 69    || P10        || SB-TP4 (SPI-CS)
|-
|-
| 70    || P101        ||power switch(VR)
| 70    || P101        || power switch (VR)
|-
|-
| 71    || P110        ||
| 71    || P110        ||
Line 272: Line 270:
| 72    || P111        ||
| 72    || P111        ||
|-
|-
| 73    || P146        ||NC
| 73    || P146        || NC
|-
|-
| 74    || P147        ||power switch(HDMI-1)
| 74    || P147        || power switch (HDMI-1)
|-
|-
| 75    || P100        ||power switch(PSU-0)
| 75    || P100        || power switch (PSU-0)
|-
|-
| 76    || P156        ||pulldown?
| 76    || P156        || pulldown?
|-
|-
| 77    || P155        ||pulldown?
| 77    || P155        || pulldown?
|-
|-
| 78    || P154        || PSW-APU-2 pin 1 + PSW-APU-3 pin 1
| 78    || P154        || PSW-APU-2 pin 1 + PSW-APU-3 pin 1
|-
|-
| 79    || P153        ||-> HDR-G pin 11
| 79    || P153        || -> HDR-G pin 11
|-
|-
| 80    || P152        ||-> HDR-G pin 15
| 80    || P152        || -> HDR-G pin 15
|-
|-
| 81    || P151        ||power switch(PSU-3)
| 81    || P151        || power switch (PSU-3)
|-
|-
| 82    || P150        ||WIFI reset?
| 82    || P150        || WIFI reset?
|-
|-
| 83    || P27        || NC testpoint
| 83    || P27        || NC testpoint
Line 308: Line 306:
| 90    || P20        ||  
| 90    || P20        ||  
|-
|-
| 91    || P130        ||power switch(PSU-6) (P130 is tied to sc-internal RESET)
| 91    || P130        || power switch (PSU-6) (P130 is tied to sc-internal RESET)
|-
|-
| 92    || P102        ||
| 92    || P102        ||
|-
|-
| 93    || P04        || i2c (pcie clockgen smbus?)
| 93    || P04        || i2c (PCIE clockgen smbus?)
|-
|-
| 94    || P03        || -> HDR-F pin 1 (i2c (pcie clockgen smbus?))
| 94    || P03        || -> HDR-F pin 1 (i2c (PCIE clockgen smbus?))
|-
|-
| 95    || P02        || -> HDR-F pin 2 (XXX did i fuckup the HDR-F mapping here?)
| 95    || P02        || -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?)
|-
|-
| 96    || P01        ||  
| 96    || P01        ||  
Line 326: Line 324:
| 99    || P144        ||
| 99    || P144        ||
|-
|-
| 100     || P143        ||
| 100   || P143        ||
|-
|-
|}
|}
= Dump and Restore =
We are able to make a 1:1 copy of a PS4 Syscon and put it on another chip. This allows to install a dump of a PS4 Syscon to a brand new chip then swap it.
This is often used in firmware revert [[Downgrade]] method to avoid having to flash the same chip each time one wants to revert firmware but instead only have to swap the chips.
= Syscon glitching =
By glitching Syscon, it is possible to dump its EEPROM, including NVS.
To be documented.

Revision as of 21:40, 24 February 2021

Syscon is, together with Southbridge, one of the main chips responsible for taking care of the functioning of APU, peripherals, etc.

PS4 Syscon is codenamed Colwick. It is a custom Renesas RL78/G13.

Pictures

Memory Layout

Offset Size Description Notes
0x00000 0x20000 Code Area
0x20000 0xD0000 Reserved OCDROM is here
0xF0000 0x800 SFR Area
0xF0800 0x800 Reserved
0xF1000 0x1000 Data Area
0xF2000 0xCF00 Mirror Mirror of a portion of code area
0xFEF00 0xFE0 RAM
0xFFEE0 0x20 GPR
0xFFF00 0x100 SFR 2nd Area

Commands

Command ID Name Description Notes
0x00 Reset Detects synchronization in communication
0x9A Baud Rate Set Sets the baud rate for single-wire UART.
0x20 Chip Erase Erases the entire flash memory area.
0x22 Block Erase Erases a specified area in the flash memory.
0x40 Programming Writes data to a specified area in the flash memory.
0x13 Verify Compares the contents in a specified area in the flash memory with data transmitted from the programmer.
0x32 Block Blank Check Checks the erase status of a specified block in the flash memory.
0xC0 Silicon Signature Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.).
0xC5 Version Get Acquires version information of the 78K0R/Kx3 and firmware.
0xB0 Checksum Acquires checksum data of a specified area.
0xA0 Security Set Sets security information.

Statuses

Command ID Name Description Notes
0x04 Command number error Error returned if a command not supported is received
0x05 Parameter error Error returned if command information (parameter) is invalid
0x06 Normal acknowledgment (ACK) Normal acknowledgment
0x07 Checksum error Error returned if data in a frame transmitted from the programmer is abnormal
0x0F Verify error Error returned if a verify error has occurred upon verifying data transmitted from the programmer
0x10 Protect error Error returned if an attempt is made to execute processing that is prohibited by the Security Set command
0x15 Negative acknowledgment (NACK) Negative acknowledgment
0x1A MRG10 error Erase verify error
0x1B MRG11 error Internal verify error or blank check error during data write
0x1C Write error Write error
0xFF Processing in progress (BUSY) Busy response

Command Frame Format

  • SOH | LEN | COM | INFO | SUM | ETX

Data Frame Format

  • STX | LEN | DAT | SUM | ETX/ETB

Description of each symbol

Name Description Notes
SOH Command Frame Header 0x01 Always
STX Data Frame Header 0x02 Always
LEN Length of info In Command Frame: length of COM + command info length / In Data frame: Data info length
COM Command number
SUM Checksum checksum of command (initial byte (0x00) - LEN - COM - INFO ) / (initial byte (0x00) - LEN - DAT)
ETB Footer of data frame 0x17 Always
ETX Command frame footer 0x03 Always

Pinout (100pin)

Name Description Notes
1 P142
2 P141 VR-VRDY1
3 P140 VR-VRDY2
4 P120 power switch (USBHUB)
5 P47 VR-VRHOT_ICRIT
6 P46 power switch (BUZZER)
7 P45 NC
8 P44 VR-PWROK + APU-PWROK
9 P43 APU-RESET#
10 P42 (HDR-A SPI-CS)
11 P41 power switch (PSU-7)
12 P40 TOOL0 -> HDR-A pin 22 (open circuit between pin and header)
13 RESET# -> HDR-A pin 24
14 P124 pulldown?
15 P123 power switch (PSU-5)
16 P137 testpoint?
17 P122 -> HDR-A pin 28 (4bit input-only, port 12)
18 P121 -> HDR-A pin 29 (4bit input-only, port 12)
19 REGC cap to GND
20 Vss GND
21 EVss0 GND
22 Vdd Vcc
23 EVdd0 == pin 22
24 P60 APU i2c dev 0xba
25 P61 APU i2c dev 0xba
26 P62 APU i2c dev 0x78/0x98
27 P63 APU i2c dev 0x78/0x98
28 P31 FAN-CTL
29 P64 power switch (HDMI-0 + APU-4)
30 P65 LED
31 P66 LED
32 P67 LED
33 P77 pulldown
34 P76
35 P75 APU?
36 P74
37 P73 power switch (USBBRIDGE + HDD)
38 P72 -> HDR-A pin 12 (HDR-A SPI-SO)
39 P71 (HDR-A SPI-SI)
40 P70 -> HDR-A pin 10 (HDR-A SPI-CLK)
41 P06 power switch(PSU-1)
42 P05
43 EVss1 GND
44 P80 STM8-PWR pin 7 (NRST)
45 P81 NC testpoint
46 P82 LED
47 P83 power switch(PSU-4)
48 P84 pulldown?
49 P85 power switch (PSU-2)
50 P86 power switch (APU-0) + PSW-APU-3 pin 3
51 P87 VR-EN + power switch (APU-1)
52 P30 NC testpoint
53 EVdd1 Vcc
54 P50 power switch (SB-1 + SB-2 + DDR3)
55 P51 power switch (SB-0) (6pin near wifi + 8pin between SC/SB)
56 P52 testpoint?
57 P53 VR-SM_CLK
58 P54 VR-SM_DIO
59 P55 power switch (APU-2)
60 P56
61 P57
62 P17
63 P16 SB-TP0 looks like SB -> SC interrupt line (INTP5)
64 P15 SB-TP1 (SPI-CLK)
65 P14 SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere
66 P13 SB-TP3 (SPI-SO)
67 P12 -> HDR-A pin 15 (SC ucmd UART)
68 P11 -> HDR-A pin 16 (SC ucmd UART)
69 P10 SB-TP4 (SPI-CS)
70 P101 power switch (VR)
71 P110
72 P111
73 P146 NC
74 P147 power switch (HDMI-1)
75 P100 power switch (PSU-0)
76 P156 pulldown?
77 P155 pulldown?
78 P154 PSW-APU-2 pin 1 + PSW-APU-3 pin 1
79 P153 -> HDR-G pin 11
80 P152 -> HDR-G pin 15
81 P151 power switch (PSU-3)
82 P150 WIFI reset?
83 P27 NC testpoint
84 P26 STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock)
85 P25 STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#)
86 P24 pulldown?
87 P23 pulldown?
88 P22
89 P21 NC testpoint
90 P20
91 P130 power switch (PSU-6) (P130 is tied to sc-internal RESET)
92 P102
93 P04 i2c (PCIE clockgen smbus?)
94 P03 -> HDR-F pin 1 (i2c (PCIE clockgen smbus?))
95 P02 -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?)
96 P01
97 P00
98 P145
99 P144
100 P143

Dump and Restore

We are able to make a 1:1 copy of a PS4 Syscon and put it on another chip. This allows to install a dump of a PS4 Syscon to a brand new chip then swap it.

This is often used in firmware revert Downgrade method to avoid having to flash the same chip each time one wants to revert firmware but instead only have to swap the chips.

Syscon glitching

By glitching Syscon, it is possible to dump its EEPROM, including NVS.

To be documented.