Syscon is, together with the Southbridge, one of the main chips responsible for managing the APU, peripherals, etc.
PS4 Syscon is codenamed Colwick. It is a custom Renesas RL78/G13.
Hardware revisions
| Production Start Date (<=) | PS2 Mechacon | PSP Syscon | PS3 Syscon | PS Vita Syscon | PS4 Syscon | Used IC/CPU Core |
|---|---|---|---|---|---|---|
| 07/2013 | - | - | - | - | COL | Renesas R5F100PL (RL78/G13, 100 pin) |
| 04/2015 | - | - | - | - | COL2 | Renesas R5F101LL (RL78/G13, 64 pin) |
Memory Layout
| Offset | Size | Description | Notes |
|---|---|---|---|
| 0x00000 | 0x20000 | Code Flash Area | |
| 0x20000 | 0xD0000 | Reserved | OCDROM is here |
| 0xF0000 | 0x800 | Special Function Registers 2 | |
| 0xF0800 | 0x800 | Reserved (bootloader RAM) | |
| 0xF1000 | 0x1000 | Data Flash Area | |
| 0xF2000 | 0xCF00 | Mirror | Mirror of a portion of Code Flash Area |
| 0xFEF00 | 0xFE0 | RAM | Stack is usually at 0xFFE00. |
| 0xFFEE0 | 0x20 | General-Purpose Registers | |
| 0xFFF00 | 0x100 | Special Function Registers | |
Commands
| Command ID | Name | Description | Notes |
|---|---|---|---|
| 0x00 | Reset | Detects synchronization in communication | |
| 0x9A | Baud Rate Set | Sets the baud rate for single-wire UART. | |
| 0x20 | Chip Erase | Erases the entire flash memory area. | |
| 0x22 | Block Erase | Erases a specified area in the flash memory. | |
| 0x40 | Programming | Writes data to a specified area in the flash memory. | |
| 0x13 | Verify | Compares the contents in a specified area in the flash memory with data transmitted from the programmer. | |
| 0x32 | Block Blank Check | Checks the erase status of a specified block in the flash memory. | |
| 0xC0 | Silicon Signature | Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.). | |
| 0xC5 | Version Get | Acquires version information of the 78K0R/Kx3 and firmware. | |
| 0xB0 | Checksum | Acquires checksum data of a specified area. | |
| 0xA0 | Security Set | Sets security information. | |
Statuses
| Status Code | Name | Description | Notes |
|---|---|---|---|
| 0x04 | Command number error | Error returned if an unsupported command is received | |
| 0x05 | Parameter error | Error returned if command information (parameter) is invalid | |
| 0x06 | Normal acknowledgment (ACK) | Normal acknowledgment | |
| 0x07 | Checksum error | Error returned if data in a frame transmitted from the programmer is abnormal | |
| 0x0F | Verify error | Error returned if a verify error has occurred upon verifying data transmitted from the programmer | |
| 0x10 | Protect error | Error returned if an attempt is made to execute processing that is prohibited by the Security Set command | |
| 0x15 | Negative acknowledgment (NACK) | Negative acknowledgment | |
| 0x1A | MRG10 error | Erase verify error | |
| 0x1B | MRG11 error | Internal verify error or blank check error during data write | |
| 0x1C | Write error | Write error | |
| 0xFF | Processing in progress (BUSY) | Busy response | |
Command Frame Format
- SOH | LEN | COM | INFO | SUM | ETX
Data Frame Format
- STX | LEN | DAT | SUM | ETX/ETB
Description of each symbol
| Name | Description | Notes |
|---|---|---|
| SOH | Start of OH - Command Frame Header | 0x01 Always |
| STX | Start of TX - Data Frame Header | 0x02 Always |
| LEN | LENgth - Length of info | In Command frame: length of COM + command info length / In Data frame: Data info length |
| COM | COMmand - Command number | |
| SUM | checkSUM - Checksum | Checksum of command (initial byte (0x00) - LEN - COM - INFO) / (initial byte (0x00) - LEN - DAT) |
| ETB | End of TB - Data frame footer | 0x17 Always |
| ETX | End of TX - Command frame footer | 0x03 Always |
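
The two frame layouts and the checksum rule above, as an added example (not code from the original page, Renesas or Sony): a Python builder and validator for both frame types. The function names are hypothetical; treating ETB as the footer of a non-final data frame, treating status replies as data frames, and limiting payloads to 1 to 255 bytes are assumptions of this example.

```python
SOH, STX, ETB, ETX = 0x01, 0x02, 0x17, 0x03  # framing bytes from the symbol table

STATUS = {  # codes from the Statuses table
    0x04: "Command number error", 0x05: "Parameter error", 0x06: "ACK",
    0x07: "Checksum error", 0x0F: "Verify error", 0x10: "Protect error",
    0x15: "NACK", 0x1A: "MRG10 error", 0x1B: "MRG11 error",
    0x1C: "Write error", 0xFF: "BUSY",
}

def checksum(len_and_payload: bytes) -> int:
    """SUM = 0x00 - LEN - payload bytes, truncated to 8 bits."""
    return (-sum(len_and_payload)) & 0xFF

def _frame(header: int, payload: bytes, footer: int) -> bytes:
    if not 1 <= len(payload) <= 255:  # assumption: this example handles 1..255 bytes
        raise ValueError("payload must be 1..255 bytes")
    body = bytes([len(payload)]) + payload
    return bytes([header]) + body + bytes([checksum(body), footer])

def build_command(com: int, info: bytes = b"") -> bytes:
    """SOH | LEN | COM | INFO | SUM | ETX; LEN counts COM plus INFO."""
    return _frame(SOH, bytes([com]) + info, ETX)

def build_data(dat: bytes, last: bool = True) -> bytes:
    """STX | LEN | DAT | SUM | ETX/ETB (assumption: ETB = more frames follow)."""
    return _frame(STX, dat, ETX if last else ETB)

def parse_frame(raw: bytes):
    """Validate one frame; return (kind, payload, footer) or raise ValueError."""
    if len(raw) < 5:
        raise ValueError("frame too short")
    header, length, footer = raw[0], raw[1], raw[-1]
    if header not in (SOH, STX):
        raise ValueError("bad header byte")
    if length == 0 or len(raw) != length + 4:
        raise ValueError("LEN does not match frame size")
    if footer != ETX and not (header == STX and footer == ETB):
        raise ValueError("bad footer byte")
    if checksum(raw[1:-2]) != raw[-2]:
        raise ValueError("checksum mismatch")
    return ("command" if header == SOH else "data"), raw[2:-2], footer

def status_name(frame: bytes) -> str:
    """Name the first status byte of a reply (assumption: sent as a data frame)."""
    kind, payload, _ = parse_frame(frame)
    if kind != "data":
        raise ValueError("status replies are expected in data frames")
    return STATUS.get(payload[0], f"unknown status 0x{payload[0]:02X}")
```

A Reset command (0x00) with no INFO bytes frames as `01 01 00 FF 03`, and a frame whose SUM byte does not match is rejected before its payload is interpreted.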
Pinout
64-pin
| Pin | Description | Notes |
|---|---|---|
| 1 | P120/ANI19 | power switch (USBHUB) |
| 2 | P43 | APU-RESET# |
| 3 | P42/TI04/TO04 | (HDR-A SPI-CS) |
| 4 | P41/TI07/TO07 | power switch (PSU-7) |
| 5 | P40/TOOL0 | -> HDR-A pin 22 (open circuit between pin and header) |
| 6 | RESET | -> HDR-A pin 24 |
| 7 | P124/XT2/EXCLKS | pulldown? |
| 8 | P123/XT1 | power switch (PSU-5) |
| 9 | P137/INTP0 | testpoint? |
| 10 | P122/X2/EXCLK | -> HDR-A pin 28 (4bit input-only, port 12) |
| 11 | P121/X1 | -> HDR-A pin 29 (4bit input-only, port 12) |
| 12 | REGC | cap to GND |
| 13 | VSS | GND |
| 14 | EVSS0 | GND |
| 15 | VDD | Vcc |
| 16 | EVDD0 | Vcc |
| 17 | P60/SCLA0 | APU i2c dev 0xba |
| 18 | P61/SDAA0 | APU i2c dev 0xba |
| 19 | P62 | APU i2c dev 0x78/0x98 |
| 20 | P63 | APU i2c dev 0x78/0x98 |
| 21 | P31/TI03/TO03/INTP4/(PCLBUZ0) | FAN-CTL |
| 22 | P77/KR7/INTP11/(TxD2) | pulldown |
| 23 | P76/KR6/INTP10/(RxD2) | N/A |
| 24 | P75/KR5/INTP9/SCK01/SCL01 | APU? |
| 25 | P74/KR4/INTP8/SI01/SDA01 | N/A |
| 26 | P73/KR3/SO01 | power switch (USBBRIDGE + HDD) |
| 27 | P72/KR2/SO21 | -> HDR-A pin 12 (HDR-A SPI-SO) |
| 28 | P71/KR1/SI21/SDA21 | (HDR-A SPI-SI) |
| 29 | P70/KR0/SCK21/SCL21 | -> HDR-A pin 10 (HDR-A SPI-CLK) |
| 30 | P06/TI06/TO06 | power switch (PSU-1) |
| 31 | P05/TI05/TO05 | N/A |
| 32 | P30/INTP3/RTC1HZ/SCK11/SCL11 | NC testpoint |
| 33 | P50/INTP1/SI11/SDA11 | power switch (SB-1 + SB-2 + DDR3) |
| 34 | P51/INTP2/SO11 | power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB) |
| 35 | P52/(INTP10) | testpoint? |
| 36 | P53/(INTP11) | VR-SM_CLK |
| 37 | P54 | N/A |
| 38 | P55/(PCLBUZ1)/(SCK00) | power switch (APU-2) |
| 39 | P17/TI02/TO02/(SO00)/(TxD0) | N/A |
| 40 | P16/TI01/TO01/INTP5/(SI00)/(RxD0) | SB-TP0 looks like SB -> SC interrupt line (INTP5) |
| 41 | P15/SCK20/SCL20/(TI02)/(TO02) | SB-TP1 (SPI-CLK) |
| 42 | P14/RxD2/SI20/SDA20/(SCLA0)/(TI03)/(TO03) | SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere |
| 43 | P13/TxD2/SO20/(SDAA0)/(TI04)/(TO04) | SB-TP3 (SPI-SO) |
| 44 | P12/SO00/TxD0/TOOLTxD/(INTP5)/(TI05)/(TO05) | -> HDR-A pin 15 (SC ucmd UART) |
| 45 | P11/SI00/RxD0/TOOLRxD/SDA00/(TI06)/(TO06) | -> HDR-A pin 16 (SC ucmd UART) |
| 46 | P10/SCK00/SCL00/(TI07)/(TO07) | SB-TP4 (SPI-CS) |
| 47 | P146 | NC |
| 48 | P147/ANI18 | power switch (HDMI-1) |
| 49 | P27/ANI7 | NC testpoint |
| 50 | P26/ANI6 | STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock) |
| 51 | P25/ANI5 | STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#) |
| 52 | P24/ANI4 | pulldown? |
| 53 | P23/ANI3 | pulldown? |
| 54 | P22/ANI2 | N/A |
| 55 | P21/ANI1/AVREFM | NC testpoint |
| 56 | P20/ANI0/AVREFP | N/A |
| 57 | P130 | power switch (PSU-6) (P130 is tied to sc-internal RESET) |
| 58 | P04/SCK10/SCL10 | i2c (PCIe clockgen smbus?) |
| 59 | P03/ANI16/SI10/RxD1/SDA10 | -> HDR-F pin 1 (i2c (PCIe clockgen smbus?)) |
| 60 | P02/ANI17/SO10/TxD1 | -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?) |
| 61 | P01/TO00 | N/A |
| 62 | P00/TI00 | N/A |
| 63 | P141/PCLBUZ1/INTP7 | VR-VRDY1 |
| 64 | P140/PCLBUZ0/INTP6 | VR-VRDY2 |
100-pin
| Pin | Description | Notes |
|---|---|---|
| 1 | P142 | |
| 2 | P141 | VR-VRDY1 |
| 3 | P140 | VR-VRDY2 |
| 4 | P120 | power switch (USBHUB) |
| 5 | P47 | VR-VRHOT_ICRIT |
| 6 | P46 | power switch (BUZZER) |
| 7 | P45 | NC |
| 8 | P44 | VR-PWROK + APU-PWROK |
| 9 | P43 | APU-RESET# |
| 10 | P42 | (HDR-A SPI-CS) |
| 11 | P41 | power switch (PSU-7) |
| 12 | P40 | TOOL0 -> HDR-A pin 22 (open circuit between pin and header) |
| 13 | RESET# | -> HDR-A pin 24 |
| 14 | P124 | pulldown? |
| 15 | P123 | power switch (PSU-5) |
| 16 | P137 | testpoint? |
| 17 | P122 | -> HDR-A pin 28 (4bit input-only, port 12) |
| 18 | P121 | -> HDR-A pin 29 (4bit input-only, port 12) |
| 19 | REGC | cap to GND |
| 20 | Vss | GND |
| 21 | EVss0 | GND |
| 22 | Vdd | Vcc |
| 23 | EVdd0 | == pin 22 |
| 24 | P60 | APU i2c dev 0xba |
| 25 | P61 | APU i2c dev 0xba |
| 26 | P62 | APU i2c dev 0x78/0x98 |
| 27 | P63 | APU i2c dev 0x78/0x98 |
| 28 | P31 | FAN-CTL |
| 29 | P64 | power switch (HDMI-0 + APU-4) |
| 30 | P65 | LED |
| 31 | P66 | LED |
| 32 | P67 | LED |
| 33 | P77 | pulldown |
| 34 | P76 | |
| 35 | P75 | APU? |
| 36 | P74 | |
| 37 | P73 | power switch (USBBRIDGE + HDD) |
| 38 | P72 | -> HDR-A pin 12 (HDR-A SPI-SO) |
| 39 | P71 | (HDR-A SPI-SI) |
| 40 | P70 | -> HDR-A pin 10 (HDR-A SPI-CLK) |
| 41 | P06 | power switch (PSU-1) |
| 42 | P05 | |
| 43 | EVss1 | GND |
| 44 | P80 | STM8-PWR pin 7 (NRST) |
| 45 | P81 | NC testpoint |
| 46 | P82 | LED |
| 47 | P83 | power switch (PSU-4) |
| 48 | P84 | pulldown? |
| 49 | P85 | power switch (PSU-2) |
| 50 | P86 | power switch (APU-0) + PSW-APU-3 pin 3 |
| 51 | P87 | VR-EN + power switch (APU-1) |
| 52 | P30 | NC testpoint |
| 53 | EVdd1 | Vcc |
| 54 | P50 | power switch (SB-1 + SB-2 + DDR3) |
| 55 | P51 | power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB) |
| 56 | P52 | testpoint? |
| 57 | P53 | VR-SM_CLK |
| 58 | P54 | VR-SM_DIO |
| 59 | P55 | power switch (APU-2) |
| 60 | P56 | |
| 61 | P57 | |
| 62 | P17 | |
| 63 | P16 | SB-TP0 looks like SB -> SC interrupt line (INTP5) |
| 64 | P15 | SB-TP1 (SPI-CLK) |
| 65 | P14 | SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere |
| 66 | P13 | SB-TP3 (SPI-SO) |
| 67 | P12 | -> HDR-A pin 15 (SC ucmd UART) |
| 68 | P11 | -> HDR-A pin 16 (SC ucmd UART) |
| 69 | P10 | SB-TP4 (SPI-CS) |
| 70 | P101 | power switch (VR) |
| 71 | P110 | |
| 72 | P111 | |
| 73 | P146 | NC |
| 74 | P147 | power switch (HDMI-1) |
| 75 | P100 | power switch (PSU-0) |
| 76 | P156 | pulldown? |
| 77 | P155 | pulldown? |
| 78 | P154 | PSW-APU-2 pin 1 + PSW-APU-3 pin 1 |
| 79 | P153 | -> HDR-G pin 11 |
| 80 | P152 | -> HDR-G pin 15 |
| 81 | P151 | power switch (PSU-3) |
| 82 | P150 | Wi-Fi reset? |
| 83 | P27 | NC testpoint |
| 84 | P26 | STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock) |
| 85 | P25 | STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#) |
| 86 | P24 | pulldown? |
| 87 | P23 | pulldown? |
| 88 | P22 | |
| 89 | P21 | NC testpoint |
| 90 | P20 | |
| 91 | P130 | power switch (PSU-6) (P130 is tied to sc-internal RESET) |
| 92 | P102 | |
| 93 | P04 | i2c (PCIe clockgen smbus?) |
| 94 | P03 | -> HDR-F pin 1 (i2c (PCIe clockgen smbus?)) |
| 95 | P02 | -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?) |
| 96 | P01 | |
| 97 | P00 | |
| 98 | P145 | |
| 99 | P144 | |
| 100 | P143 | |
Glitching, Dumping & Flashing
Based on the attack outlined by fail0verflow (fail0verflow.com/blog/2018/ps4-syscon/), VV1LD designed the following: github.com/VV1LD/SYSGLITCH
Using VV1LD's shellcode but a different methodology on his GitHub, you can copy the original Syscon and dump it to a new Renesas chip with comparatively greater ease. A guide is available on BwE's GitHub.
You can also flash to the original SCE Syscon using a different shellcode, but this is a commercial product sold by BwE.