Syscon Hardware

From PS3 Developer wiki
Jump to: navigation, search
Syscon 1st Generation (BGA Packaging)

Pyramid Syscon live probing

Syscon is the main power controller chip. It is responsible for powering up the various power systems and for configuring and initialising the CELL BE, RSX and South Bridge. It communicates with these devices via seperate SPI busses. There is external access by JTAG (disabled from factory on retail models), an EEPROM programming interface and Serial (UART). The Syscon is a SoC and consists of an ARM7TDMI (ARMv4) CPU, a 256KB EEPROM and 16KB RAM.

Serialnumbers @ SKU[edit]

Retail[edit]

Model Type Board Syscon
part no.
Syscon
Soft ID
Notes
CECHAxx
CECHBxx
0x01
0x02
COK-001 CXR713120-201GB 0B8E
CECHCxx
CECHExx
0x03
0x04
COK-002 or
COK-002W
CXR713120-201GB or
CXR713120-202GB
0C16
CECHGxx 0x05 SEM-001 CXR713120-201GB or
CXR713120-202GB or
CXR713120-203GB
0D52
CECHHxx 0x06 DIA-001 CXR714120-301GB 0DBF
CECHJxx
CECHKxx
0x07 DIA-002 CXR714120-301GB or
CXR714120-302GB
0E69
CECHLxx
CECHMxx
CECHPxx
CECHQxx
0x08 VER-001 SW-301 or
SW-302
065D
CECH-20xx 0x09 DYN-001 SW2-301 0832
CECH-21xx 0x0A SUR-001 SW2-301 or
SW2-302
08A0
CECH-25xx 0x0B JTP-001 or
JSD-001
SW2-301 or
SW2-302  or
SW2-303
08C2
CECH-30xx 0x0C KTE-001 SW2-301 or
SW2-302 or
SW2-303
0918
CECH-40xx 0x0D MSX-001 or
MPX-001
SW3-302 098F

Non retail[edit]

Model Type Board Syscon
part no.
Syscon
Soft ID
Active JTAG Notes
CEB-2040 - MPU-501 CXR713F120GB-000 Yes Retail prototype
DECR1000(A/J) 0x01 TMU-520 CXR713F120A 03FB Yes Reference tool
DEH-H1000A(S)(-E(S)) 0x01 COK-001 (Prototype) CXR713F120A 0B67 Yes Preproduction
DEH-H1001-D 0x01 COOKIE-13 CXR713F120A  ?0B67? Yes Preproduction
DEH-FH1500J-A VERTIGO-02 Preproduction



Not mentioned:
0F29 - ?
0F38 - ?

Syscon Externalised Ports[edit]

Note: for more specific information per model, see the links to each subppage in the Serialnumbers @ SKU table.

Syscon UART packets[edit]

SCUART daemon (SCUARTD) packet structure[edit]

SCUARTD packets includes header of 0x3 bytes and optional payload (depending on the command). Packet IDs are not important, they are used only by clients and processed by SCUART daemon. SCUART daemon opens terminal file /dev/ttyS0 and use it to send commands and receive responses.

Offset Size Description
0x00 0x01 Magic?
0x01 0x01 Payload size
0x02 0x01 Command
0x03 Payload size Payload data

Packets[edit]

Packet ID Command/Action Description Notes
0x00 version Firmware version Gets installed syscon's firmware version (Note: backup bank contains version 0.4.5_b4 !! On CEB-2030 it is 0.3.0 )
0x01 bringup
0x02 shutdown
0x03 firmud Firmware update Notifies about firmware update operation
0x04 bsn Board Serial Number Retrieves syscon's Board Serial Number
0x05 halt Used at start of firmware update operation
0x06 cp ready
0x07 cp busy
0x08 cp reset
0x09 bestat Cell B.E. status Retrieves Cell B.E. status
0x0A powersw
0x0B resetsw
0x0C bootbeep stat
0x0D bootbeep on
0x0E bootbeep off
0x0F Reset syscon Reset Resets syscon
0x10 xdrdiag info XDR diagnostics
0x11 xdrdiag start XDR diagnostics Starts XDR diagnostics
0x12 xdrdiag result XDR diagnostics Gets a result of XDR diagnostics
0x13 xiodiag XIO diagnostics Starts XIO diagnostics and gets a result of it
0x14 fandiag Fan diagnostics Retrieves RPMs of fans
0x15 errlog Error log Retrieves a list of codes (with timestamps) of latest errors
0x16 Read line
0x17 tmpforcp <zone ID> Reference Tool's temperature Gets the temperature of reference tool
0x18 Invalid CMDs
0x19
0x1A
0x1B
0x1C
0x1E
0x1F
0x20 cp beepremote
0x21 cp beep2kn1n3
0x22 cp beep2kn2n3
 ?? csum Checksum ?? Calculates the Checksum of something (No packet ID listing on scuartd)
 ?? osbo  ??? No idea what this does, but returns
done
when it's sent
 ?? scopen returns SC_READY or ERROR 1  ???
 ?? scclose  ???

Packets Logs[edit]

Packet ID Command/Action Logs Notes
0x00 version
  version\nv1.0.4_c2\n  (END) 
0x01 bringup
   (END) 
0x02 shutdown
 Do nothing. (PowerOff State)\n (END) 
Returns (END) if the system is on
0x03 firmud
 Start...\nErase User Program Area\n  (END) 
This will brick your SYSCON if you don't feed it any argument or feed to it the wrong argument!
0x04 bsn
 bsn\nNANNNNNNNNNA\n  (END) 
N is digit and A is char (removed for privacy)
0x05 halt
 halt\n  (END)
0x06 cp ready
 cp ready\nCP READY: OK\n  (END) 
0x07 cp busy
 cp ready\nCP BUSY: OK\n  (END) 
STATUS light blinks forever
0x08 cp reset No response Should reset CP to factory settings
0x09 bestat
 (PowerOff State)\n (END) 
0x0A powersw
  (END) 
0x0B resetsw
  (END) 
0x0C bootbeep stat
 BOOT BEEP: ON\n  (END) 
when it's off BOOT BEEP status changes to OFF
0x0D bootbeep on
 BOOT BEEP ON: DONE\n  (END) 
0x0E bootbeep off
 BOOT BEEP OFF: DONE\n  (END) 
0x0F Reset syscon
0x10 xdrdiag info
 32\n  (END) 
0x11 xdrdiag start
 DIAG START\n  (END) 
0x12 xdrdiag result
 XDR OK\n  (END) 
will return ERROR NOT STARTED if xdrdiag start wasn't run previously
0x13 xiodiag
 0 903\n  (END) 
0x14 fandiag
 ERROR FAN ACTIVE\n  (END) 
0x15 errlog
 ofst[ %d]:err_code:0x%08X, clock:0x%08X  YYYY/MM/DD HH:MM:SS 
bunch of error logs. ends with (END) once they're over
0x16 Read line
0x17 tmpforcp <zone ID>
0x20 cp beepremote
  (END)
0x21 cp beep2kn1n3
  (END)
sends a beep different than SYSCON beep :)
0x22 cp beep2kn2n3
  (END)
sends two beeps different than SYSCON beeps :)
 ?? csum
Checksum: [027460C9] [68269779] [C19A855E]\n  (END)
displays 3 hexadecimal numbers inside rect parenthesis. the numbers are always the same, except when syscon version changes (v1.0.5_c1)
 ?? csum
Checksum: [02746F91] [682F04DA] [27688CF5]\n  (END)
Another response (v1.0.4_c2)
 ?? csum
Checksum: [0274C877] [684DA659] [EA426BB1]\n  (END)
Another response (v1.0.4_c1)
 ?? csum
Checksum: [027B4064] [6B450C64] [4FBF6DA3]\n  (END)
Another response (v1.0.3_c1)
 ?? csum
Checksum: [027E1B71] [6CDA9F25] [E0C67065]\n  (END)
Another response (v1.0.1_c1)
 ?? csum
Checksum: [02812855] [6E83917C] [D40F70A5]\n  (END)
Another response (v0.9.14_c1)
 ?? csum
Checksum: [02835059] [6FC5C632] [BB9BBEC3]\n  (END)
Another response (v0.9.9_c1)
 ?? osbo
done\n  (END)

Notes[edit]

  • Some commands are unavailable on earlier firmwares, for example, tmpforcp is only supported on 1.3.3+.
  • Some commands are divided into several strings, the first part (if exists) describes a command group, the second part describes the actual command and other parts describes command arguments.
  • Real syscon commands have an ASCII form (a bold text in the 2nd column) instead of bytes above.
  • Packet with ID *0x03* notifies syscon and calls SX program (based on ZMODEM protocol) to send firmware, syscon have custom or original implementation of RX program to receive firmware. An implementation of ZMODEM protocol used by Sony: http://oss.sony.net/Products/Linux/Others/Download/DECR-1000/mips_fp_le-lrzsz-0.12.20-devtool.1.src.rpm

A start of syscon's update procedure:

  • A CP development tool includes several scripts which are participated in syscon update procedure. It starts after a CP update via update_syscon.pl perl script.
  • This script checks the current syscon's firmware version. If it is in mask rom then it skips an update procedure, if not it checks major/minor/release parts of both versions and if a new version is applicable then it launches scfirmup utility and pass the firmware file path as an argument.
  • scfirmup is a stupid tool which prepares a connection to SCUARTD and sends an update packet with a file path inside it. There is no need to comment it, here is reimplementation: http://pastie.org/private/6h8mfeoics4mdxear7ayg

A syscon's update operation in SCUARTD consists of following steps:

  • 1. Check if SX program presents in /usr/bin/sx. It should be a regular file.
  • 2. Check if specified firmware file is a regular file.
  • 3. Halt syscon by sending command halt to UART, then wait some time until it prints HALT: OK.
  • 4. Reset syscon by sending byte 0x30 to GPIO register SC_PI0_DIPSW, byte 0x30 to GPIO register SC_RSTX, waiting 1 second and writing byte 0x31 to GPIO register SC_RSTX.
  • 5. Get current syscon's firmwave version by sending command version to UART. After receiving it, look for a character after the first _ (underscore) symbol from the left side of string and if it equals to the character b, then proceed to the next step, otherwise go to the (8) step. (It is possible to patch this step to allow upgrading or downgrading at will)
  • 6. Prepare syscon for an update by sending command firmud to UART, then fork the current process; the current process won't finish until a message Done from UART arrives (it is the end of update operation).
  • 7. In the forked process start SX program and pass firmware file path to it. SX program reads firmware file and transfer each chunk of it to syscon.
  • 8. After successful update operation reset syscon (a different way) by sending byte 0x31 to GPIO register SC_PI0_DIPSW, byte 0x30 to GPIO register SC_RSTX, waiting 1 second and writing byte 0x31 to GPIO register SC_RSTX.

Notes:

  • It seems all scuartds checks firmware revision and probably syscon is updated only once (after factory).
  • To be able to reflash it you need to patch SCUARTD or do a manual update without the use of SCUARTD.
  • You need to patch a single byte in SCUARTD to be able to flash any firmware (for example, to downgrade your syscon).
.text:00403A94: /* scuartd from CP 1.3.3 */
lb      $v1, 1($v0)
li      $v0, "b" /* 62 00 02 24 -> 63 00 02 24 */
bne     $v1, $v0, loc_4039F4
move    $a0, $zero
  • An actual firmware update process (without halting and resetting steps) takes about 1 minute.
  • You cannot install a corrupted firmware with scfirmup unless you corrupt the header! It seems there is a hash of sorts (possibly of the plaintext) in the header preventing scfirmup from installing something corrupt
  • Updating SYSCON requires the DECR to be in standby mode! You cannot update it while it is on.
  • Corrupting the header and the body will make firmup install the SYSCON update anyways! be careful not to do it!
  • Should you brick SYSCON, here's a patch to "unbrick" it, do not use it unless you brick it though!
.text:004038C0:
lw      $a0, 4($s4)
li      $a1, 0x400000
nop
addiu   $a1, (aHalt - 0x400000)  # "halt"
la      $t9, scuartd_send_sccmd
nop
jalr    $t9 ; scuartd_send_sccmd
nop
lw      $gp, 0x1E8+var_1D8($sp)
bnez    $v0, loc_4039B4 /* 33 00 40 14 -> 33 00 40 10 */
li      $a0, 1

Syscon UART[edit]

BGA Name Description
P16 UART0_TxD Serial Transmit
P15 UART0_RxD Serial Receive

You can attach a 3.3v TTL cable (LV-TTL) to the UART on syscon (UART0_TxD, UART0_RxD). (Convenient solder points are available on JSD/JTP-001 by the NOR test points. They are marked as '?' in marcan' noraliser / judges' NORway install picture, closest to the ground at the bottom - RX is left, TX is right) Baud rate is 57600. There is a simple plaintext protocol involved. This varies on different syscon models. Example:

<command>:<hash>

Where the hash is the sum of command bytes & 0xFF

you should terminate commands with \r\n, the syscon messages are only terminated with \n

Samples[edit]

Here are some of the commands/messages encountered:

Messages:

Power applied (standby mode)
OK 00000000:3A

Power on
# (PowerOn State):7F

Power off (Hard shutdown)
# (PowerOff State):DD

After Fan test:
# (PowerOff State) (Fatal):36

No text, invalid hash:
NG F0000002:4D

Commands:

VER:ED
OK 00000000 S1E 00 00 065D:A4

ERRLOG:CB
OK 00000000:3A

DATE:1E
NG F0000003:4E

C:F1:BUZ
E:4F:NG F0000004

C:D0:CID
E:50:NG F0000005

C:DA:EEP
E:50:NG F0000005

C:D5:FAN
E:50:NG F0000005

C:F4:KSV
E:50:NG F0000005

C:ED:REV
E:50:NG F0000005

C:F8:SPU
E:50:NG F0000005

more Syscon commands

bruteforcing commands: http://pastebin.com/CNei0xbC

VERY IMPORTANT:

  • Max size of a command is 11 characters,16 if you count with C:<hash>:
  • Sending a command with 11 chars results in NO OUTPUT
  • Sending a command with more than 11 chars results in NG F0000002
  • Max size of a command on DECR is 135, 140 if you count with C:<hash>:

Syscon (SPI) EEPROM[edit]

BGA Name Description
F16 CSB Chip Select (needs to be low)
H16 DO Serial Data Output
G16 DI Serial Data Input
E16 SKB Serial Data Clock
J15 WCB Write Protect
J16 RBB Ready/Busy
G11 VDDep + 3.3V
C15 VSSep GND

Syscon JTAG[edit]

disabled in factory after production on retailmodels

BGA Name Description
L8 JRTCK Return Test Clock
K8 JTCK Test Clock
K9 JTDO Test Data Out
L9 JTMS Test Mode State / Test Mode Select
K7 JTDI Test Data In
L7 JNTRST Test Reset

Syscon Underlaying ports[edit]

Syscon Cell SPI Bus[edit]

BGA Name Description
M2 /BE_SPI_CS Chip Select
N2 BE_SPI_DO Serial Data Output
M1 BE_SPI_DI Serial Data Input
N1 BE_SPI_CLK Serial Data Clock
P2 /BE_RESET CellBE Reset
P1 BE_POWGOOD CellBE PowerGood
T2 /BE_INT CellBE Interrupt

Syscon Southbridge SPI Bus[edit]

BGA Name Description
B9 /SB_SPI_CS Chip Select
B8 SB_SPI_DO Serial Data Output
A9 SB_SPI_DI Serial Data Input
A8 SB_SPI_CLK Serial Data Clock