Syscon Hardware: Difference between revisions
Revision as of 05:14, 10 December 2022
Syscon (the system controller) is, together with the Southbridge, one of the main chips responsible for managing the APU, peripherals, power sequencing, etc.
PS4 Syscon is codenamed Colwick. It is a custom Renesas RL78/G13.
Hardware revisions
Production Start Date (<=) | PS2 Mechacon | PSP Syscon | PS3 Syscon | PS Vita Syscon | PS4 Syscon | Used IC/CPU Core |
---|---|---|---|---|---|---|
07/2013 | - | - | - | - | COL | Renesas R5F100PL (RL78/G13, 100 pin) |
04/2015 | - | - | - | - | COL2 | Renesas R5F101LL (RL78/G13, 64 pin) |
Pictures
Memory Layout
Offset | Size | Description | Notes |
---|---|---|---|
0x00000 | 0x20000 | Code Flash Area | |
0x20000 | 0xD0000 | Reserved | OCDROM is here |
0xF0000 | 0x800 | Special Function Registers 2 | |
0xF0800 | 0x800 | Reserved (bootloader RAM) | |
0xF1000 | 0x1000 | Data Flash Area | |
0xF2000 | 0xCF00 | Mirror | Mirror of a portion of Code Flash Area |
0xFEF00 | 0xFE0 | RAM | Stack is usually at 0xFFE00. |
0xFFEE0 | 0x20 | General-Purpose Registers | |
0xFFF00 | 0x100 | Special Function Registers |
Commands
Command ID | Name | Description | Notes |
---|---|---|---|
0x00 | Reset | Establishes synchronization between programmer and device at the start of communication. | |
0x9A | Baud Rate Set | Sets the baud rate for single-wire UART. | |
0x20 | Chip Erase | Erases the entire flash memory area. | |
0x22 | Block Erase | Erases a specified area in the flash memory. | |
0x40 | Programming | Writes data to a specified area in the flash memory. | |
0x13 | Verify | Compares the contents in a specified area in the flash memory with data transmitted from the programmer. | |
0x32 | Block Blank Check | Checks the erase status of a specified block in the flash memory. | |
0xC0 | Silicon Signature | Acquires device information (part number, flash memory configuration, etc.). | Description wording comes from the 78K0R/Kx3 flash programmer manual; the RL78 serial programming protocol uses the same command set. |
0xC5 | Version Get | Acquires version information of the device and its on-chip programming firmware. | |
0xB0 | Checksum | Acquires checksum data of a specified area. | |
0xA0 | Security Set | Sets security information. |
Statuses
Status code | Name | Description | Notes |
---|---|---|---|
0x04 | Command number error | Error returned if a command not supported is received | |
0x05 | Parameter error | Error returned if command information (parameter) is invalid | |
0x06 | Normal acknowledgment (ACK) | Normal acknowledgment | |
0x07 | Checksum error | Error returned if data in a frame transmitted from the programmer is abnormal | |
0x0F | Verify error | Error returned if a verify error has occurred upon verifying data transmitted from the programmer | |
0x10 | Protect error | Error returned if an attempt is made to execute processing that is prohibited by the Security Set command | |
0x15 | Negative acknowledgment (NACK) | Negative acknowledgment | |
0x1A | MRG10 error | Erase verify error | |
0x1B | MRG11 error | Internal verify error or blank check error during data write | |
0x1C | Write error | Write error | |
0xFF | Processing in progress (BUSY) | Busy response |
Command Frame Format
- SOH | LEN | COM | INFO | SUM | ETX
Data Frame Format
- STX | LEN | DAT | SUM | ETX/ETB
Description of each symbol
Name | Description | Notes |
---|---|---|
SOH | Start Of Heading - command frame header | 0x01 always |
STX | Start of TeXt - data frame header | 0x02 always |
LEN | LENgth | Command frame: number of bytes in COM + INFO. Data frame: number of bytes in DAT. LEN is a single byte; a 256-byte body is sent as LEN = 0x00 (RL78 serial programming convention). |
COM | COMmand - command number | See Commands table |
SUM | checkSUM | Command frame: 0x00 - LEN - COM - INFO. Data frame: 0x00 - LEN - DAT. Taken modulo 256, i.e. the two's complement of the byte sum, so LEN through INFO/DAT plus SUM add up to 0x00. |
ETB | End of Transmission Block - data frame footer when further data frames follow | 0x17 always |
ETX | End of TeXt - command frame footer, and data frame footer on the last data frame | 0x03 always |
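The following encoder/decoder for the command and data frames above is an added example, not code from this page, fail0verflow or SYSGLITCH. The command numbers and status bytes are the ones in the tables; the "LEN = 0x00 means 256" rule and the start/end address layout used for the Programming INFO field are assumptions taken from the RL78 serial programming protocol rather than from this page. The sample frames are constructed.

```python
"""Build and validate RL78 single-wire serial programming frames (added example)."""

SOH, STX, ETX, ETB = 0x01, 0x02, 0x03, 0x17

# Command numbers from the Commands table
CMD_RESET, CMD_BAUD_RATE_SET, CMD_CHIP_ERASE = 0x00, 0x9A, 0x20
CMD_BLOCK_ERASE, CMD_PROGRAMMING, CMD_VERIFY = 0x22, 0x40, 0x13
CMD_BLOCK_BLANK_CHECK, CMD_SILICON_SIGNATURE = 0x32, 0xC0
CMD_VERSION_GET, CMD_CHECKSUM, CMD_SECURITY_SET = 0xC5, 0xB0, 0xA0

# Status bytes from the Statuses table; the device returns them inside a data frame
STATUS = {0x04: "Command number error", 0x05: "Parameter error", 0x06: "ACK",
          0x07: "Checksum error", 0x0F: "Verify error", 0x10: "Protect error",
          0x15: "NACK", 0x1A: "MRG10 error", 0x1B: "MRG11 error",
          0x1C: "Write error", 0xFF: "BUSY"}


def checksum(body: bytes) -> int:
    """SUM = 0x00 - LEN - (COM + INFO | DAT): the two's complement of the byte sum."""
    return (-sum(body)) & 0xFF


def _len_byte(n: int) -> int:
    # LEN is one byte; 256 is the maximum and is encoded as 0x00
    # (assumption: RL78 protocol convention, not stated on this page)
    if not 1 <= n <= 256:
        raise ValueError(f"frame body must be 1..256 bytes, got {n}")
    return n & 0xFF


def command_frame(com: int, info: bytes = b"") -> bytes:
    """SOH | LEN | COM | INFO | SUM | ETX"""
    body = bytes([com]) + info
    ln = _len_byte(len(body))
    return bytes([SOH, ln]) + body + bytes([checksum(bytes([ln]) + body), ETX])


def data_frame(data: bytes, last: bool = True) -> bytes:
    """STX | LEN | DAT | SUM | ETX (last block) or ETB (more blocks follow)"""
    ln = _len_byte(len(data))
    return bytes([STX, ln]) + data + bytes([checksum(bytes([ln]) + data), ETX if last else ETB])


def parse_frame(frame: bytes) -> dict:
    """Check header, LEN, SUM and footer of a received frame and return its fields."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    head, ln = frame[0], frame[1]
    n = ln or 256                      # LEN = 0x00 encodes a 256-byte body
    if len(frame) != n + 4:            # header + LEN + body + SUM + footer
        raise ValueError(f"LEN says {n} body bytes, frame has {len(frame) - 4}")
    body, sum_byte, foot = frame[2:2 + n], frame[2 + n], frame[3 + n]
    if checksum(bytes([ln]) + body) != sum_byte:
        raise ValueError("checksum mismatch")
    if head == SOH:
        if foot != ETX:
            raise ValueError("command frame must end with ETX")
        return {"kind": "command", "com": body[0], "info": body[1:]}
    if head == STX:
        if foot not in (ETX, ETB):
            raise ValueError("data frame must end with ETX or ETB")
        return {"kind": "data", "payload": body, "last": foot == ETX}
    raise ValueError(f"unknown frame header 0x{head:02x}")


def addr24(addr: int) -> bytes:
    """RL78 addresses are 20-bit; the protocol carries them as 3 bytes, high byte first."""
    return addr.to_bytes(3, "big")


def status_of(reply: bytes) -> str:
    """Decode the one-byte status reply (ACK/NACK/...) the device sends after a command."""
    p = parse_frame(reply)
    if p["kind"] != "data" or len(p["payload"]) != 1:
        raise ValueError("not a status frame")
    return STATUS.get(p["payload"][0], f"unknown status 0x{p['payload'][0]:02x}")


if __name__ == "__main__":
    # Silicon Signature has no INFO field
    print(command_frame(CMD_SILICON_SIGNATURE).hex())
    # Programming 0x00000..0x003FF (start/end address INFO layout is an assumption)
    print(command_frame(CMD_PROGRAMMING, addr24(0x00000) + addr24(0x003FF)).hex())
    # Constructed device reply: ACK carried in a data frame
    print(status_of(bytes.fromhex("020106f903")))
```

Note that `parse_frame` rejects a frame whose bytes have been corrupted on the single wire (the device answers such a frame with the 0x07 Checksum error status), and that a Protect error (0x10) reply decodes cleanly through `status_of` so a tool can tell "refused by Security Set" apart from a bad frame.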
Pinout
64-pin
Pin | Description | Notes |
---|---|---|
1 | P120/ANI19 | power switch (USBHUB) |
2 | P43 | APU-RESET# |
3 | P42/TI04/TO04 | (HDR-A SPI-CS) |
4 | P41/TI07/TO07 | power switch (PSU-7) |
5 | P40/TOOL0 | -> HDR-A pin 22 (open circuit between pin and header) |
6 | RESET | -> HDR-A pin 24 |
7 | P124/XT2/EXCLKS | pulldown? |
8 | P123/XT1 | power switch (PSU-5) |
9 | P137/INTP0 | testpoint? |
10 | P122/X2/EXCLK | -> HDR-A pin 28 (4bit input-only, port 12) |
11 | P121/X1 | -> HDR-A pin 29 (4bit input-only, port 12) |
12 | REGC | cap to GND |
13 | VSS | GND |
14 | EVSS0 | GND |
15 | VDD | Vcc |
16 | EVDD0 | Vcc |
17 | P60/SCLA0 | APU i2c dev 0xba |
18 | P61/SDAA0 | APU i2c dev 0xba |
19 | P62 | APU i2c dev 0x78/0x98 |
20 | P63 | APU i2c dev 0x78/0x98 |
21 | P31/TI03/TO03/INTP4/(PCLBUZ0) | FAN-CTL |
22 | P77/KR7/INTP11/(TxD2) | pulldown |
23 | P76/KR6/INTP10/(RxD2) | N/A |
24 | P75/KR5/INTP9/SCK01/SCL01 | APU? |
25 | P74/KR4/INTP8/SI01/SDA01 | N/A |
26 | P73/KR3/SO01 | power switch (USBBRIDGE + HDD) |
27 | P72/KR2/SO21 | -> HDR-A pin 12 (HDR-A SPI-SO) |
28 | P71/KR1/SI21/SDA21 | (HDR-A SPI-SI) |
29 | P70/KR0/SCK21/SCL21 | -> HDR-A pin 10 (HDR-A SPI-CLK) |
30 | P06/TI06/TO06 | power switch (PSU-1) |
31 | P05/TI05/TO05 | N/A |
32 | P30/INTP3/RTC1HZ/SCK11/SCL11 | NC testpoint |
33 | P50/INTP1/SI11/SDA11 | power switch (SB-1 + SB-2 + DDR3) |
34 | P51/INTP2/SO11 | power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB) |
35 | P52/(INTP10) | testpoint? |
36 | P53/(INTP11) | VR-SM_CLK |
37 | P54 | N/A |
38 | P55/(PCLBUZ1)/(SCK00) | power switch (APU-2) |
39 | P17/TI02/TO02/(SO00)/(TxD0) | N/A |
40 | P16/TI01/TO01/INTP5/(SI00)/(RxD0) | SB-TP0 looks like SB -> SC interrupt line (INTP5) |
41 | P15/SCK20/SCL20/(TI02)/(TO02) | SB-TP1 (SPI-CLK) |
42 | P14/RxD2/SI20/SDA20/(SCLA0)/(TI03)/(TO03) | SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere |
43 | P13/TxD2/SO20/(SDAA0)/(TI04)/(TO04) | SB-TP3 (SPI-SO) |
44 | P12/SO00/TxD0/TOOLTxD/(INTP5)/(TI05)/(TO05) | -> HDR-A pin 15 (SC ucmd UART) |
45 | P11/SI00/RxD0/TOOLRxD/SDA00/(TI06)/(TO06) | -> HDR-A pin 16 (SC ucmd UART) |
46 | P10/SCK00/SCL00/(TI07)/(TO07) | SB-TP4 (SPI-CS) |
47 | P146 | NC |
48 | P147/ANI18 | power switch (HDMI-1) |
49 | P27/ANI7 | NC testpoint |
50 | P26/ANI6 | STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock) |
51 | P25/ANI5 | STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#) |
52 | P24/ANI4 | pulldown? |
53 | P23/ANI3 | pulldown? |
54 | P22/ANI2 | N/A |
55 | P21/ANI1/AVREFM | NC testpoint |
56 | P20/ANI0/AVREFP | N/A |
57 | P130 | power switch (PSU-6) (P130 is tied to sc-internal RESET) |
58 | P04/SCK10/SCL10 | i2c (PCIe clockgen smbus?) |
59 | P03/ANI16/SI10/RxD1/SDA10 | -> HDR-F pin 1 (i2c (PCIe clockgen smbus?)) |
60 | P02/ANI17/SO10/TxD1 | -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?) |
61 | P01/TO00 | N/A |
62 | P00/TI00 | N/A |
63 | P141/PCLBUZ1/INTP7 | VR-VRDY1 |
64 | P140/PCLBUZ0/INTP6 | VR-VRDY2 |
100-pin
Name | Description | Notes |
---|---|---|
1 | P142 | |
2 | P141 | VR-VRDY1 |
3 | P140 | VR-VRDY2 |
4 | P120 | power switch (USBHUB) |
5 | P47 | VR-VRHOT_ICRIT |
6 | P46 | power switch (BUZZER) |
7 | P45 | NC |
8 | P44 | VR-PWROK + APU-PWROK |
9 | P43 | APU-RESET# |
10 | P42 | (HDR-A SPI-CS) |
11 | P41 | power switch (PSU-7) |
12 | P40 | TOOL0 -> HDR-A pin 22 (open circuit between pin and header) |
13 | RESET# | -> HDR-A pin 24 |
14 | P124 | pulldown? |
15 | P123 | power switch (PSU-5) |
16 | P137 | testpoint? |
17 | P122 | -> HDR-A pin 28 (4bit input-only, port 12) |
18 | P121 | -> HDR-A pin 29 (4bit input-only, port 12) |
19 | REGC | cap to GND |
20 | Vss | GND |
21 | EVss0 | GND |
22 | Vdd | Vcc |
23 | EVdd0 | == pin 22 |
24 | P60 | APU i2c dev 0xba |
25 | P61 | APU i2c dev 0xba |
26 | P62 | APU i2c dev 0x78/0x98 |
27 | P63 | APU i2c dev 0x78/0x98 |
28 | P31 | FAN-CTL |
29 | P64 | power switch (HDMI-0 + APU-4) |
30 | P65 | LED |
31 | P66 | LED |
32 | P67 | LED |
33 | P77 | pulldown |
34 | P76 | |
35 | P75 | APU? |
36 | P74 | |
37 | P73 | power switch (USBBRIDGE + HDD) |
38 | P72 | -> HDR-A pin 12 (HDR-A SPI-SO) |
39 | P71 | (HDR-A SPI-SI) |
40 | P70 | -> HDR-A pin 10 (HDR-A SPI-CLK) |
41 | P06 | power switch (PSU-1) |
42 | P05 | |
43 | EVss1 | GND |
44 | P80 | STM8-PWR pin 7 (NRST) |
45 | P81 | NC testpoint |
46 | P82 | LED |
47 | P83 | power switch(PSU-4) |
48 | P84 | pulldown? |
49 | P85 | power switch (PSU-2) |
50 | P86 | power switch (APU-0) + PSW-APU-3 pin 3 |
51 | P87 | VR-EN + power switch (APU-1) |
52 | P30 | NC testpoint |
53 | EVdd1 | Vcc |
54 | P50 | power switch (SB-1 + SB-2 + DDR3) |
55 | P51 | power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB) |
56 | P52 | testpoint? |
57 | P53 | VR-SM_CLK |
58 | P54 | VR-SM_DIO |
59 | P55 | power switch (APU-2) |
60 | P56 | |
61 | P57 | |
62 | P17 | |
63 | P16 | SB-TP0 looks like SB -> SC interrupt line (INTP5) |
64 | P15 | SB-TP1 (SPI-CLK) |
65 | P14 | SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere |
66 | P13 | SB-TP3 (SPI-SO) |
67 | P12 | -> HDR-A pin 15 (SC ucmd UART) |
68 | P11 | -> HDR-A pin 16 (SC ucmd UART) |
69 | P10 | SB-TP4 (SPI-CS) |
70 | P101 | power switch (VR) |
71 | P110 | |
72 | P111 | |
73 | P146 | NC |
74 | P147 | power switch (HDMI-1) |
75 | P100 | power switch (PSU-0) |
76 | P156 | pulldown? |
77 | P155 | pulldown? |
78 | P154 | PSW-APU-2 pin 1 + PSW-APU-3 pin 1 |
79 | P153 | -> HDR-G pin 11 |
80 | P152 | -> HDR-G pin 15 |
81 | P151 | power switch (PSU-3) |
82 | P150 | Wi-Fi reset? |
83 | P27 | NC testpoint |
84 | P26 | STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock) |
85 | P25 | STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#) |
86 | P24 | pulldown? |
87 | P23 | pulldown? |
88 | P22 | |
89 | P21 | NC testpoint |
90 | P20 | |
91 | P130 | power switch (PSU-6) (P130 is tied to sc-internal RESET) |
92 | P102 | |
93 | P04 | i2c (PCIe clockgen smbus?) |
94 | P03 | -> HDR-F pin 1 (i2c (PCIe clockgen smbus?)) |
95 | P02 | -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?) |
96 | P01 | |
97 | P00 | |
98 | P145 | |
99 | P144 | |
100 | P143 |
Glitching, Dumping & Flashing
Based on the attack outlined by fail0verflow (fail0verflow.com/blog/2018/ps4-syscon/), VV1LD designed SYSGLITCH: github.com/VV1LD/SYSGLITCH
Glitching is needed because the stock programming command set above has no read command (Verify and Checksum can only confirm or reject contents, and Security Set can lock operations so they fail with a Protect error), so the flash cannot simply be read out over TOOL0; the glitch is what gets shellcode running on the chip.
Using VV1LD's shellcode you can dump the original Syscon and copy it to a new Renesas chip with relative ease. Guide available on BwE's GitHub.
Flashing the original SCE Syscon requires a different shellcode, which is a commercial product sold by BwE.