Talk:Communication Processor: Difference between revisions
(extra infos) |
m (Text replacement - "playstationdev.wiki/psvitadevwiki" to "psdevwiki.com/vita") |
||
(21 intermediate revisions by 9 users not shown) | |||
Line 8: | Line 8: | ||
update.bin = v1.0.4c2_TMU510_u.bin - first 32 bytes (IV + Hash) | update.bin = v1.0.4c2_TMU510_u.bin - first 32 bytes (IV + Hash) | ||
{{keyboard|content=openssl enc -aes-256-cbc -d -K E8ED2B817207B70C5DF9090507AF2A8982967620D692B92A59231638402DF13F -iv 737973317347595DFB853B7B4A28105D -in update.bin -out update.tar.gz | {{keyboard|content=<syntaxhighlight lang="bash">openssl enc -aes-256-cbc -d -K E8ED2B817207B70C5DF9090507AF2A8982967620D692B92A59231638402DF13F -iv 737973317347595DFB853B7B4A28105D -in update.bin -out update.tar.gz</syntaxhighlight>}} | ||
< | |||
Output: | Output: | ||
<pre> | <pre> | ||
Line 31: | Line 27: | ||
Thanks, | Thanks, | ||
{{keyboard|content=openssl enc -aes-256-cbc -d -K E8ED2B817207B70C5DF9090507AF2A8982967620D692B92A59231638402DF13F -iv FB306DA62E530EB13FB9D0EF8615060A -in reftool_cp_133.bin -out reftool_cp_133.tar.gz | {{keyboard|content=<syntaxhighlight lang="bash">openssl enc -aes-256-cbc -d -K E8ED2B817207B70C5DF9090507AF2A8982967620D692B92A59231638402DF13F -iv FB306DA62E530EB13FB9D0EF8615060A -in reftool_cp_133.bin -out reftool_cp_133.tar.gz</syntaxhighlight>}} | ||
}} | |||
works. (I should learn reading ;)) | works. (I should learn reading ;)) | ||
Line 38: | Line 33: | ||
---- | ---- | ||
I would like to add that it's much easier to interact with the System Controller from the Communication Processor shell considering that Syscon on Reference tool does not require any authentication or encryption of the packets sent to it and you do get real time replies, Syscon on those units also allow many more commands than on consumer systems (even after using AUTH1/AUTH2), this can be rather useful should you want syscon to jump to your code (Syscon is powered by an | == Extra Information == | ||
I would like to add that it's much easier to interact with the System Controller from the Communication Processor shell considering that Syscon on Reference tool does not require any authentication or encryption of the packets sent to it and you do get real time replies, Syscon on those units also allow many more commands than on consumer systems (even after using AUTH1/AUTH2), this can be rather useful should you want syscon to jump to your code (Syscon is powered by an ARM7TDMI (ARMv4) CPU) by performing a packet overflow. | |||
* Because Syscon's firmware is fully overwritten on a DECR-1000, it is trivial to downgrade its firmware if you are connected to the CP's Shell. (There is actually a script on the CP rom that does just this, all you have to do is to comment the version check) (patched update_syscon.pl: [[http://pastebin.com/ZMxvTxwL]]) | |||
* [http://www.sony.net/Products/Linux/Others/DECR-1000.html partial Source Code] | |||
::Package: | |||
:: DECR-1000-linux-2.4.tar.gz | |||
:: hhl-target-anacron-2.3-mvl3.0.0.2.src.rpm | |||
:: hhl-target-bash-2.05a-mvl3.0.0.1.src.rpm | |||
:: hhl-target-binutils-2.12.1-mvl3.0.0.14.3.src.rpm | |||
:: hhl-target-dhcpcd-1.3.22pl2-devtool.1.src.rpm | |||
:: hhl-target-diff-2.7-mvl3.0.0.3.src.rpm | |||
:: hhl-target-e2fsprogs-1.22-mvl3.0.0.2.src.rpm | |||
:: hhl-target-fileutils-4.1-mvl3.0.0.2.src.rpm | |||
:: hhl-target-findutils-4.1.7-mvl3.0.0.2.src.rpm | |||
:: hhl-target-gawk-3.1.0-mvl3.0.0.2.src.rpm | |||
:: hhl-target-gcc-3.2.1-mvl3.0.0.5.20.src.rpm | |||
:: hhl-target-glib-1.2.10-mvl3.0.0.7.src.rpm | |||
:: hhl-target-glibc-2.2.5-mvl3.0.0.15.14.src.rpm | |||
:: hhl-target-grep-2.4.2-mvl3.0.0.1.src.rpm | |||
:: hhl-target-gzip-1.2.4-mvl3.0.0.2.src.rpm | |||
:: hhl-target-hardhatutils-1.14-mvl3.0.0.10.src.rpm | |||
:: hhl-target-hostname-2.09-mvl3.0.0.1.src.rpm | |||
:: hhl-target-ifupdown-0.6.4-mvl3.0.0.2.src.rpm | |||
:: hhl-target-iptables-1.2.2-mvl3.0.0.1.src.rpm | |||
:: hhl-target-iputils-20020124-mvl3.0.0.1.1.src.rpm | |||
:: hhl-target-less-358-mvl3.0.0.1.src.rpm | |||
:: hhl-target-logrotate-3.5.7-mvl3.0.0.1.src.rpm | |||
:: hhl-target-memstat-0.2-mvl3.0.0.2.src.rpm | |||
:: hhl-target-minicom-1.83.0-mvl3.0.0.1.src.rpm | |||
:: hhl-target-modutils-2.4.16-mvl3.0.0.4.src.rpm | |||
:: hhl-target-nano-1.0.3-mvl3.0.0.1.src.rpm | |||
:: hhl-target-net-tools-1.60-mvl3.0.0.2.src.rpm | |||
:: hhl-target-netbase-4.06-mvl3.0.0.1.src.rpm | |||
:: hhl-target-pam-0.72-mvl3.0.0.4.src.rpm | |||
:: hhl-target-perl-5.6.1-mvl3.0.0.5.src.rpm | |||
:: hhl-target-procps-2.0.7-mvl3.0.0.3.src.rpm | |||
:: hhl-target-psmisc-20.1-mvl3.0.0.2.src.rpm | |||
:: hhl-target-rsync-2.3.2-mvl3.0.0.4.src.rpm | |||
:: hhl-target-sed-3.02-mvl3.0.0.2.src.rpm | |||
:: hhl-target-shellutils-2.0.11-mvl3.0.0.3.src.rpm | |||
:: hhl-target-sysklogd-1.3.31-mvl3.0.0.3.src.rpm | |||
:: hhl-target-sysutils-1.3.8.1-mvl3.0.0.3.src.rpm | |||
:: hhl-target-sysvinit-2.78-mvl3.0.0.11.src.rpm | |||
:: hhl-target-tar-1.13.19-mvl3.0.0.3.src.rpm | |||
:: hhl-target-textutils-2.0-mvl3.0.0.2.src.rpm | |||
:: hhl-target-util-linux-2.11h-mvl3.0.0.4.src.rpm | |||
:: hhl-target-which-2.12-mvl3.0.0.2.src.rpm | |||
:: hhl-target-xfsprogs-2.2.2-mvl3.0.0.1.src.rpm | |||
:: mips_fp_le-lrzsz-0.12.20-devtool.1.src.rpm | |||
The Communication Processor can also talk to the southbridge. | The Communication Processor can also talk to the southbridge. | ||
== CP Revisions == | |||
<pre> | |||
/* | |||
TCP-510 Rev. 1: 0x10 | |||
TCP-510 Rev. 2: 0x11 | |||
TCP-520 Rev. 1: 0x20 | |||
TCP-520 Rev. 2: 0x21 | |||
TCP-520 Rev. 3: 0x22 | |||
*/ | |||
static int get_cp_revision(void) | |||
{ | |||
unsigned int rev = (unsigned int)(*((volatile unsigned long long *) 0xFF1FE000) >> 32); | |||
return (((rev >> 2) & 0x3f) | ((rev >> 4) & 0x40)); | |||
} | |||
</pre> | |||
== PS2/PSP/PS3/VITA/PS4 CP == | |||
<pre> | |||
PS2 | |||
DTL-T10000(H) / DTL-T15000 "MPU-401" | |||
x86 PCI SBC (PCI-586VE-S / PCI-815VE) | |||
PSP | |||
DTP-T1000 "MPU-220" | |||
Sony CXD9823 (Toshiba TX4937) | |||
PS3 | |||
DECR-1000 "MPU-230" | |||
Sony CXD9802 (Toshiba TX4937) | |||
PSVITA | |||
PDEL-1000 "?" | |||
Renesas µPD77630A (EMMA Mobile1-S) | |||
PS4 | |||
DUH-D7000 "?" | |||
Marvell 88R6B2D-AD (Armada SP?) | |||
</pre> | |||
=== VITA CP Documents === | |||
See --> [https://psdevwiki.com/vita/index.php?title=Communication_Processor Vita Dev Wiki#Communication Processor] |
Latest revision as of 06:28, 12 April 2023
Problem[edit source]
Using this file: [[1]] (v1.0.4c2_TMU510_u.bin) -> Source
IV: 737973317347595DFB853B7B4A28105D
Hash: 46EE8C013CB4F1821E184FB74A56FCC7
update.bin = v1.0.4c2_TMU510_u.bin - first 32 bytes (IV + Hash)
openssl enc -aes-256-cbc -d -K E8ED2B817207B70C5DF9090507AF2A8982967620D692B92A59231638402DF13F -iv 737973317347595DFB853B7B4A28105D -in update.bin -out update.tar.gz
Output:
2282524:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
This is a syscon firmware update, not a CP update.
CP updates are usually called reftool_cp_xxx.bin (replace xxx by version) you can find these in official sdks. Syscon firmware updates use other keys and another algorithm.
-Mathieulh
Thanks,
openssl enc -aes-256-cbc -d -K E8ED2B817207B70C5DF9090507AF2A8982967620D692B92A59231638402DF13F -iv FB306DA62E530EB13FB9D0EF8615060A -in reftool_cp_133.bin -out reftool_cp_133.tar.gz
works. (I should learn reading ;))
Extra Information[edit source]
I would like to add that it's much easier to interact with the System Controller from the Communication Processor shell considering that Syscon on Reference tool does not require any authentication or encryption of the packets sent to it and you do get real time replies, Syscon on those units also allow many more commands than on consumer systems (even after using AUTH1/AUTH2), this can be rather useful should you want syscon to jump to your code (Syscon is powered by an ARM7TDMI (ARMv4) CPU) by performing a packet overflow.
- Because Syscon's firmware is fully overwritten on a DECR-1000, it is trivial to downgrade its firmware if you are connected to the CP's Shell. (There is actually a script on the CP rom that does just this, all you have to do is to comment the version check) (patched update_syscon.pl: [[2]])
- Package:
- DECR-1000-linux-2.4.tar.gz
- hhl-target-anacron-2.3-mvl3.0.0.2.src.rpm
- hhl-target-bash-2.05a-mvl3.0.0.1.src.rpm
- hhl-target-binutils-2.12.1-mvl3.0.0.14.3.src.rpm
- hhl-target-dhcpcd-1.3.22pl2-devtool.1.src.rpm
- hhl-target-diff-2.7-mvl3.0.0.3.src.rpm
- hhl-target-e2fsprogs-1.22-mvl3.0.0.2.src.rpm
- hhl-target-fileutils-4.1-mvl3.0.0.2.src.rpm
- hhl-target-findutils-4.1.7-mvl3.0.0.2.src.rpm
- hhl-target-gawk-3.1.0-mvl3.0.0.2.src.rpm
- hhl-target-gcc-3.2.1-mvl3.0.0.5.20.src.rpm
- hhl-target-glib-1.2.10-mvl3.0.0.7.src.rpm
- hhl-target-glibc-2.2.5-mvl3.0.0.15.14.src.rpm
- hhl-target-grep-2.4.2-mvl3.0.0.1.src.rpm
- hhl-target-gzip-1.2.4-mvl3.0.0.2.src.rpm
- hhl-target-hardhatutils-1.14-mvl3.0.0.10.src.rpm
- hhl-target-hostname-2.09-mvl3.0.0.1.src.rpm
- hhl-target-ifupdown-0.6.4-mvl3.0.0.2.src.rpm
- hhl-target-iptables-1.2.2-mvl3.0.0.1.src.rpm
- hhl-target-iputils-20020124-mvl3.0.0.1.1.src.rpm
- hhl-target-less-358-mvl3.0.0.1.src.rpm
- hhl-target-logrotate-3.5.7-mvl3.0.0.1.src.rpm
- hhl-target-memstat-0.2-mvl3.0.0.2.src.rpm
- hhl-target-minicom-1.83.0-mvl3.0.0.1.src.rpm
- hhl-target-modutils-2.4.16-mvl3.0.0.4.src.rpm
- hhl-target-nano-1.0.3-mvl3.0.0.1.src.rpm
- hhl-target-net-tools-1.60-mvl3.0.0.2.src.rpm
- hhl-target-netbase-4.06-mvl3.0.0.1.src.rpm
- hhl-target-pam-0.72-mvl3.0.0.4.src.rpm
- hhl-target-perl-5.6.1-mvl3.0.0.5.src.rpm
- hhl-target-procps-2.0.7-mvl3.0.0.3.src.rpm
- hhl-target-psmisc-20.1-mvl3.0.0.2.src.rpm
- hhl-target-rsync-2.3.2-mvl3.0.0.4.src.rpm
- hhl-target-sed-3.02-mvl3.0.0.2.src.rpm
- hhl-target-shellutils-2.0.11-mvl3.0.0.3.src.rpm
- hhl-target-sysklogd-1.3.31-mvl3.0.0.3.src.rpm
- hhl-target-sysutils-1.3.8.1-mvl3.0.0.3.src.rpm
- hhl-target-sysvinit-2.78-mvl3.0.0.11.src.rpm
- hhl-target-tar-1.13.19-mvl3.0.0.3.src.rpm
- hhl-target-textutils-2.0-mvl3.0.0.2.src.rpm
- hhl-target-util-linux-2.11h-mvl3.0.0.4.src.rpm
- hhl-target-which-2.12-mvl3.0.0.2.src.rpm
- hhl-target-xfsprogs-2.2.2-mvl3.0.0.1.src.rpm
- mips_fp_le-lrzsz-0.12.20-devtool.1.src.rpm
The Communication Processor can also talk to the southbridge.
CP Revisions[edit source]
/* TCP-510 Rev. 1: 0x10 TCP-510 Rev. 2: 0x11 TCP-520 Rev. 1: 0x20 TCP-520 Rev. 2: 0x21 TCP-520 Rev. 3: 0x22 */ static int get_cp_revision(void) { unsigned int rev = (unsigned int)(*((volatile unsigned long long *) 0xFF1FE000) >> 32); return (((rev >> 2) & 0x3f) | ((rev >> 4) & 0x40)); }
PS2/PSP/PS3/VITA/PS4 CP[edit source]
PS2 DTL-T10000(H) / DTL-T15000 "MPU-401" x86 PCI SBC (PCI-586VE-S / PCI-815VE) PSP DTP-T1000 "MPU-220" Sony CXD9823 (Toshiba TX4937) PS3 DECR-1000 "MPU-230" Sony CXD9802 (Toshiba TX4937) PSVITA PDEL-1000 "?" Renesas µPD77630A (EMMA Mobile1-S) PS4 DUH-D7000 "?" Marvell 88R6B2D-AD (Armada SP?)