Difference between revisions of "System Controller Firmware"

(External commands)
(Internal commands)
Line 481: Line 481:
  
 
= Internal commands =
 
= Internal commands =
<pre>
+
{| class="wikitable sortable"
Command             Address     Permission 
+
|-
becount             0xC0E7      0xDD0C0000   
+
! Command !! Address !! Perms !! SubCommands !! Description
bestat               0xCDB7      0xFD0F0000   
+
|-
bringup             0xCF3B      0xFD0F0000
+
|becount || 0xCA7D || 0xDD0C0000|| - || Display bringup/shutdown count + Power-on time
bsn                 0xD231      0xF00F0000
+
|-
bstatus             0x20DC5      0xDD0C0000
+
|bepgoff || 0xA4E7 || 0xD00C0000|| - || BE power grid off
btnemua              0xCFD1      0xDD0F0000 
+
|-
btnemus              0xCFD1      0xDD0F0000 
+
|bepkt ||  0x2435D || 0xDC0C0000 || show/set/unset/mode/debug/help || Packet permissions
clear_err           0x21227      0xDD0C0000   
+
|-
clearerrlog         0xB0D9      0xDD0C0000   
+
|bestat ||  0xD413 || 0xFD0F0000|| - || Get status of BE
csum                 0xD0B5      0xFF0F0000
+
|-
devpm               0xC637      0xDD0C0000
+
|boardconfig ||    0x99C7 || 0xDC0C0000|| - || Displays board configuration (NOT WORKING?)
disp_err             0x211DD      0xDD0C0000
+
|-
duty                 0x99E5      0xDD0C0000   
+
|bootbeep || 0x1EA67 ||  0xF0000000 || stat/on/off || Boot beep
eepcsum             0xA2B1      0xDD0C0000
+
|-
ejectsw             0xCFC1      0xFD0F0000
+
|bringup || 0xD597 || 0xFD0F0000|| - || Turn PS3 on
errlog               0xAFF9      0xFF0C0000
+
|-
fancon               0xC865      0x0D000000
+
|bsn || 0xD805 || 0xF00F0000|| - || Get board serial number
fanconautotype       0xB839      0xDD0C0000
+
|-
fanconmode           0xB7A5      0xDD0C0000
+
|bstatus || 0x24269 ||  0xDD0C0000|| - || HDMI related status
fanconpolicy         0xB361      0xDD0C0000   
+
|-
faninictrl           0xCB27      0x0D000000
+
|buzz ||    0xA4FF || 0xDC0C0000 || [freq] || Activate buzzer
fanpol               0xC09B      0xDD0C0000
+
|-
fanservo             0xB693      0xDD0C0000
+
|buzzpattern ||    0xA8B7 || 0xDC0C0000 || [freq] [pattern] [count] || Buzzer pattern
fantbl               0xB84B      0xDD0C0000   
+
|-
firmud               0xD04F      0xFDFF0000
+
|clear_err || 0x2595B ||  0xDD0C0000 || last/eeprom/all || Clear errors
geterrlog           0xB05D      0xDD0C0000
+
|-
getrtc               0xA071      0xDD0C0000   
+
|clearerrlog ||    0xB8CB || 0xDD0C0000|| - || Clears error log
hdmi                 0x25241      0xDD0C0000   
+
|-
hdmiid               0x25025      0xDC0F0000
+
|comm ||    0x9919 || 0xDC0C0000|| - || Communication mode
hdmiid2             0x25089      0xDC0F0000
+
|-
hversion             0x20D8B      0xDD0C0000
+
|commt ||  0x24907 || 0xDC0C0000 || help/start/stop/send ||  Manual BE communication
hyst                 0xA751      0xDD0C0000
+
|-
lasterrlog           0xB00B      0xDD0C0000   
+
|cp || 0x1E077 ||  0xF0000000 || ready/busy/reset/beepremote/beep2kn1n3/beep2kn2n3 || CP control commands
ltstest             0xC1A5      0xDD0C0000
+
|-
LS                  0x20D77      0xDD0C0000  
+
|csum ||    0xD687 || 0xFF0F0000|| - || Firmware checksum
nonfatalerror        0xDCAD      0xDD0C0000
+
|-
patchcsum           0xD423      0xDD0C0000
+
|devpm ||  0xD053 || 0xDD0C0000 || ata/pci/pciex/rsx || Device power management
patchvereep         0xD3DD      0xDD0C0000
+
|-
patchverram         0xD391      0xDD0C0000
+
|diag ||    0x9AAD || 0xD00C0000 || ... || Diag (execute without param to show help) (NOT WORKING?)
poll                 0x20C3F      0xDD0C0000
+
|-
portscan             0xD439      0xDD0C0000
+
|disp_err ||0x25911 ||  0xDD0C0000|| - || Displays errors
powerstate           0xC45B      0xDD0C0000
+
|-
powersw             0xCFA1      0xFD0F0000
+
|duty ||    0x9B23 || 0xDD0C0000 || get/set/getmin/setmin/getmax/setmax/getinmin/setinmin/getinmax/setinmax || Fan policy
powupcause           0xAE31      0xDD0C0000
+
|-
printpatch           0xD37B      0xDC0C0000 
+
|dve || 0x2995D ||  0xDC0C0000 || help/set/save/show || DVE chip parameters
r                   0x8D59      0xDD0C0000   
+
|-
r16                 0x8F97      0xDD0C0000   
+
|eepcsum || 0xAA65 || 0xDD0C0000|| - || Does nothing
r32                 0x9255      0xDD0C0000   
+
|-
r64                 0x9427      0xDD0C0000
+
|eepromcheck ||    0x9A1D || 0x000C0000 || [id] || Check eeprom
r64d                 0x9559      0xDD0C0000   
+
|-
rbe                 0x97C5      0xDD0C0000   
+
|eeprominit || 0x9A65 || 0x000C0000 || [id] || Init eeprom
recv                 0x20C91      0xDD0C0000
+
|-
resetsw             0xCFB1      0xFC0F0000
+
|ejectsw || 0xD611 || 0xFD0F0000|| - || Eject switch
restartlogerrtoeep   0xB111      0xDD0C0000
+
|-
revision             0xD20D      0xFFFF0000
+
|errlog ||  0xB7ED || 0xFF0C0000|| - || Gets the error log
rrsxc               0xCA65      0xDD0C0000   
+
|-
scagv2               0xDC7B      0xFF000000
+
|fancon ||  0xD26D || 0x0D000000|| - || Does nothing
scasv2               0xDC33      0xDD000000
+
|-
scclose             0xDC1B      0xFF000000
+
|fanconautotype || 0xC075 || 0xDD0C0000|| - || Does nothing
scopen               0xDB4D      0xFF000000
+
|-
send                 0x20CCB      0xDD0C0000
+
|fanconmode || 0xBF35 || 0xDD0C0000 || get || Fan control mode
shutdown             0xCF6D      0xFD0F0000
+
|-
startlogerrtsk       0xB0F5      0xDD0C0000
+
|fanconpolicy ||  0xBBC9 || 0xDD0C0000 || get/set/getini/setini || Fan control policy
stoplogerrtoeep     0xB103      0xDD0C0000
+
|-
stoplogerrtsk       0xB0E7      0xDD0C0000
+
|fandiag || 0x1E91B || 0xF0000000|| - || Fan test
syspowdown           0xAE79      0xDD0C0000
+
|-
task                 0x14919      0xDD0C0000
+
|faninictrl || 0xD3D9 || 0x0D000000|| - || Does nothing
thalttest           0xD23F      0x000F0000
+
|-
thermfatalmode       0xC0A5      0xDD0C0000
+
|fanpol ||  0xCA31 || 0xDD0C0000|| - || Does nothing
therrclr             0xCD85      0xDD0C0000
+
|-
thrm                 0xB5C7      0xDD0C0000
+
|fanservo || 0xBF29 || 0xDD0C0000|| - || Does nothing
tmp                 0xA2C7      0xDD0C0000   
+
|-
trace               0xB11F      0xDD0C0000
+
|fantbl ||  0xC087 || 0xDD0C0000 || get/set/getini/setini/gettable/settable || Fan table
trp                 0xA38D      0xDD0C0000   
+
|-
tsensor             0x9EB9      0xDD0C0000   
+
|firmud ||  0xD61D || 0xFDFF0000|| - || Firmware update
tshutdown           0xAA97      0xDD0C0000   
+
|-
tshutdowntime       0xBFC1      0xDD0C0000   
+
|geterrlog || 0xB84F || 0xDD0C0000 || [id] || Gets error log
tzone               0xADF1      0xDD0C0000
+
|-
version             0xD091      0xFFFF0000
+
|getrtc ||  0xA6F3 || 0xDD0C0000|| - || Gets rtc
w                   0x8CAD      0xDD0C0000   
+
|-
w16                 0x8EED      0xDD0C0000   
+
|halt ||    0x1E107 || 0xF0000000|| - || Halts syscon
w32                 0x90AF      0xDD0C0000   
+
|-
w64                 0x936D      0xDD0C0000
+
|hdmi ||    0x29F39 ||  0xDD0C0000 || ... || HDMI (various commands, use help)
wbe                 0x9731      0xDD0C0000   
+
|-
wrsxc               0xC9CB      0xDD0C0000
+
|hdmiid ||  0x29D1D ||  0xDC0F0000|| - || Get HDMI id's
</pre>
+
|-
 +
|hdmiid2 || 0x29D81 ||  0xDC0F0000|| - || Get HDMI id's
 +
|-
 +
|hversion || 0x2422F ||  0xDD0C0000|| - || Platform ID
 +
|-
 +
|hyst ||    0xAEF5 || 0xDD0C0000 || get/set/getini/setini || Temperature zones
 +
|-
 +
|lasterrlog || 0xB7FF || 0xDD0C0000|| - || Last error from log
 +
|-
 +
|ledmode || 0xA80B || 0xDC0C0000 || [id] [id] ||  Get led mode
 +
|-
 +
|LS || 0x2421B || 0xDD0C0000|| - || LabStation Mode
 +
|-
 +
|ltstest || 0xCB97 || 0xDD0C0000 || get/set be/rsx ||  ?Temp related? values
 +
|-
 +
|osbo ||    0x1EA3F || 0xF0000000|| - || Sets 0x2000F60
 +
|-
 +
|patchcsum ||  0xD9F7 || 0xDD0C0000|| - || Patch checksum
 +
|-
 +
|patchvereep ||    0xD9B1 || 0xDD0C0000|| - || Patch version eeprom
 +
|-
 +
|patchverram ||    0xD965 || 0xDD0C0000|| - || Patch version ram
 +
|-
 +
|poll ||    0x240E3 ||  0xDD0C0000|| - || Poll log
 +
|-
 +
|portscan || 0xDA0D || 0xDD0C0000 || [port] || Scan port (NOT WORKING?)
 +
|-
 +
|powbtnmode || 0xB911 || 0xDC0C0000 || [mode (0/1)] || Power button mode
 +
|-
 +
|powerstate || 0xCE6F || 0xDD0C0000|| - || Get power state
 +
|-
 +
|powersw || 0xD5F9 || 0xFD0F0000|| - || Power switch
 +
|-
 +
|powupcause || 0xB621 || 0xDD0C0000|| - || Power up cause
 +
|-
 +
|printmode || 0x99D9 || 0xDC0C0000 || [mode (0/1/2/3)] || Set printmode
 +
|-
 +
|printpatch || 0xD94F || 0xDD0C0000|| - || Prints patch
 +
|-
 +
|r || 0x8CA5 || 0xDD0C0000 || [offset] [length] || Read byte from SC
 +
|-
 +
|r16 || 0x8ED5 || 0xDD0C0000 || [offset] [length] || Read word from SC
 +
|-
 +
|r32 || 0x9191 || 0xDD0C0000 || [offset] [length] || Read dword from SC
 +
|-
 +
|r64 || 0x935D || 0xDD0C0000 || [offset] [length] || Read qword from SC
 +
|-
 +
|r64d ||    0x948F || 0xDD0C0000 || [offset] [length] || Read ?qword data? from SC
 +
|-
 +
|rbe || 0x96F9 || 0xDD0C0000 || [offset] || Read from BE
 +
|-
 +
|recv ||    0x24135 ||  0xDD0C0000|| - || Receive something
 +
|-
 +
|resetsw || 0xD605 || 0xFC0F0000|| - || Reset switch
 +
|-
 +
|restartlogerrtoeep ||  0xB903 || 0xDD0C0000|| - || Reenable error logging to eeprom
 +
|-
 +
|revision || 0xD7E1 || 0xFFFF0000|| - || Get softid
 +
|-
 +
|rrsxc ||  0xD313 || 0xDD0C0000 || [offset] [length] || Read from RSX
 +
|-
 +
|rtcreset || 0xA7BB || 0x000C0000|| - || Reset RTC
 +
|-
 +
|scagv2 ||  0xE24F || 0xFF000000|| - || Auth related?
 +
|-
 +
|scasv2 ||  0xE207 || 0xDD000000|| - || Auth related?
 +
|-
 +
|scclose || 0xE1EF || 0xFF000000|| - || Auth related?
 +
|-
 +
|scopen ||  0xE121 || 0xFF000000|| - || Auth related?
 +
|-
 +
|send ||    0x2416F ||  0xDD0C0000 || [variable] || Send something
 +
|-
 +
|shutdown ||0xD5C5 || 0xFD0F0000|| - || PS3 shutdown
 +
|-
 +
|startlogerrtsk || 0xB8E7 || 0xDD0C0000|| - || Start error log task
 +
|-
 +
|stoplogerrtoeep ||  0xB8F5 || 0xDD0C0000|| - || Stop error logging to eeprom
 +
|-
 +
|stoplogerrtsk ||  0xB8D9 || 0xDD0C0000|| - || Stop error log task
 +
|-
 +
|syspowdown ||0xB6E9 || 0xDD0C0000 || 3 params || System power down
 +
|-
 +
|task ||    0x15005 ||  0xDD0C0000|| - || Print tasks
 +
|-
 +
|thalttest || 0xD813 || 0x000F0000|| - || Does nothing
 +
|-
 +
|thermfatalmode || 0xCA3B || 0xDD0C0000 || canboot/cannotboot || Set thermal boot mode
 +
|-
 +
|therrclr || 0xD3E5 || 0xDD0C0000|| - || Thermal register clear
 +
|-
 +
|thrm ||    0xBF1D || 0xDD0C0000|| - || Does nothing
 +
|-
 +
|tmp ||0xAA69 || 0xDD0C0000 || [zone] || Get temperature
 +
|-
 +
|trace ||  0xB951 || 0xDD0C0000 || ... ||  Trace tasks (use help)
 +
|-
 +
|trp ||0xAB2F || 0xDD0C0000 || get/set/getini/setini || Temperature zones
 +
|-
 +
|tsensor || 0xA279 || 0xDD0C0000 || [sensor] || Get raw temperature
 +
|-
 +
|tshutdown || 0xB2A1 || 0xDD0C0000 || get/set/getini/setini || Thermal shutdown
 +
|-
 +
|tshutdowntime ||  0xC95D || 0xDD0C0000 || [time] || Thermal shutdown time
 +
|-
 +
|tzone ||  0xB5E1 || 0xDD0C0000|| - || Show thermal zones
 +
|-
 +
|version || 0xD65F || 0xFFFF0000|| - || SC firmware version
 +
|-
 +
|w ||0x8BF9 || 0xDD0C0000 || [offset] [value] || Write byte to SC
 +
|-
 +
|w16 ||0x8E2D || 0xDD0C0000 || [offset] [value] || Write word to SC
 +
|-
 +
|w32 ||0x8FED || 0xDD0C0000 || [offset] [value] || Write dword to SC
 +
|-
 +
|w64 ||0x92A9 || 0xDD0C0000 || [offset] [value] ||  Write qword to SC
 +
|-
 +
|wbe ||0x9665 || 0xDD0C0000 || [offset] [value] || Write to BE
 +
|-
 +
|wmmto ||  0xCB3B || 0xDC0C0000 || get ||  Get watch dog timeout
 +
|-
 +
|wrsxc ||  0xD279 || 0xDD0C0000 || [offset] [value] ||  Write to RSX
 +
|-
 +
|xdrdiag || 0x1E711 ||  0xF0000000 || start/info/result ||  XDR diag
 +
|-
 +
|xiodiag || 0x1E875 ||  0xF0000000|| - || XIO diag
 +
|-
 +
|xrcv ||    0x25313 ||  0xDC0C0000|| - || Xmodem receive
 +
|-
 +
|}
 
{{Custom Firmware}}<noinclude>[[Category:Main]]</noinclude>
 
{{Custom Firmware}}<noinclude>[[Category:Main]]</noinclude>

Revision as of 18:26, 21 December 2019

Syscon Firmware is the firmware stored on the System Controller EEPROM (see Syscon Hardware). Updates are stored in update packages within the Update_files.tar of a Playstation Update Package (PUP). Syscon Packages appear to always be 5KB (5376 bytes) in size.


Syscon update packages

d/l: syscon_fw1.00-4.00.rar (51.74 KB)

Package structure

Sys_con_firmware Packages can be unpacked with unpkg

Overview

Address Length Value Description
0x00 0x4 ASCII:"SCE" SCE magic header
0x04 0x4 0x2 Flags
0x08 0x4 0x3 Type (0x3 = PKG)
0x0C 0x4 0x0 Blank/Unknown
0x10 0x4 0x0 Blank/Unknown
0x10 0x8 0x280 Start Data Offset ('hdr_len')
0x18 0x8 0x1080 Data Size ('dec_size')
0x20 0x260 - Header
0x280 0x40 - 'info0' section (see below)
0x2C0 0x40 - 'info1' section (see below)
0x300 0x1000 - 'content'

'info0'

Address Length Value Description
0x00 0x4 0x3
0x04 0x4 0x8
0x08 0x8 - SC firmware revision (the high word of it is the SC type)
0x0C 0x4 0x0B8E(1.30-4.84)
0x0C16(1.81-4.84)
0x0D52(3.40-4.84)
0x0DBF(3.40-4.84)
0x0E69(3.40-4.84)
0x0F29(3.40-4.84)
0x0F38(3.41-4.84)
0x065D
0x0832(3.00-4.84)
0x08A0
0x08C2
0x0918
'SoftID'
0x10 0x8 0x0001000000000004
0x0001000000000005
0x0001000000000006
0x0001000100030002
0x0001000100030003
0x0001000200030002
0x0001000300030002
0x0001000400040002
0x0001000500000002
0x0001000500010001
0x00010002083E0832
'PatchID'
0x18 0x8 0x1000 'Content' Data Size
0x20 0x8 0x1000 'Content' Compressed Data Size
0x28 0x8 0x0
0x30 0x10 0x0

Note: PS3 firmwares cannot deal with compressed syscon firmwares, so they will abort the update process in that case.

Note2: The PatchID is also present in the first 8 bytes of decrypted content but 16bit swapped for ARM BGAs

'info1'

Address Length Value Description
0x00 0x4 0x0
0x04 0x4 0x3
0x08 0x8 0x40 Offset/size?
0x10 0x4 0x0
0x14 0x4 0x0
0x18 0x8 0x1000 'Content' Data Size?
0x20 0x8 0x1
0x28 0x8 0x1
0x30 0x10 0x0

'content' overview

Address Length Value Description
0x0 0x1000 - 'content'

Known Retail syscon update packages

These are in full Retail/CEX and Debug/DEX firmwares:

Board Syscon Hardware sys_con_firmware package 1.00-1.30 1.30-1.80 1.81-2.80 3.00-3.30 3.40 3.41-4.75 SoftID or Syscon Revision Notes
COK-001 CXR713120-201GB SYS_CON_FIRMWARE_01000004.pkg No Yes No No No No 0B8E Superseded by SYS_CON_FIRMWARE_01000005.pkg
SYS_CON_FIRMWARE_01000005.pkg No No Yes Yes No No 0B8E Superseded by SYS_CON_FIRMWARE_01000006.pkg
SYS_CON_FIRMWARE_01000006.pkg No No No No Yes Yes 0B8E
COK-002 CXR713120-201GB
CXR713120-202GB
SYS_CON_FIRMWARE_01010302.pkg No No Yes Yes No No 0C16 Superseded by SYS_CON_FIRMWARE_01010303.pkg
SYS_CON_FIRMWARE_01010303.pkg No No No No Yes Yes 0C16
SEM-001 CXR713120-201GB
CXR713120-202GB
CXR713120-203GB
SYS_CON_FIRMWARE_01020302.pkg No No No No Yes Yes 0D52
DIA-001 CXR714120-301GB SYS_CON_FIRMWARE_01030302.pkg No No No No Yes Yes 0DBF
DIA-002 / DEB-001 CXR714120-301GB
CXR714120-302GB
SYS_CON_FIRMWARE_01040402.pkg No No No No Yes Yes 0E69
??? ??? SYS_CON_FIRMWARE_01050002.pkg No No No No Yes Yes 0F29 CXR714120-X0XGB / SW-30x Prototype
??? ??? SYS_CON_FIRMWARE_01050101.pkg No No No No No Yes 0F38
VER-001 SW-30x No No No No No No 065D
DYN-001 SW2-30x SYS_CON_FIRMWARE_S1_00010002083E0832.pkg No No No Yes Yes Yes 0832 ps3 2k series
SUR-001 No No No No No No 08A0
JTP-001
JSD-001
No No No No No No 08C2 ps3 2k5 series
KTE-001 No No No No No No 0918 ps3 3k series
MSX-001
MPX-001
SW3-30x No No No No No No 098F ps3 4k series

This means that, from the syscon perspective, notable firmware changes were made at 1.30, 1.81, 3.00, 3.40 and 3.41 that affected retail and debug PS3 models.

  • Firmware 1.30 (December 6, 2006) added Backup/Restore
  • Firmware 1.81 (June 15, 2007) ?
  • Firmware 3.00 (September 1, 2009) resulted in Class action suit for BluRay reading problems
  • Firmware 3.40 (June 29, 2010) ?
  • Firmware 3.41 (July 26, 2010) ?

NonRetail syscon

Remember, Debug/DEX consoles are normal retail consoles with different TargetID, so only those that have a nonretail board have deviating patches (like the CXR713F120A found on the DECR-1000A TOOL/DECR).

Tool/DECR don't have patches, they flash entire firmwares.

Factory cp comes with 0.8.8 (corresponds to syscon fw size 0x60000)
It is VERY likely that it is not possible to go below this point, so any smaller size would likely cause a brick (see Talk:Communication_Processor for more info on how to downgrade).

DECR samples: [1] mirror:
v0.6.1c8_TMU510_u.bin  | CRC16:FAE0 | CRC32:590D9A21 | SHA1:DC8AEA0DDC6C5B813FE9861C972AAE111DA6FCAB | MD5:50794942BD9FAB7CC04A81BD8D220BA1 | 7379733103B15C07EC051E9B44D90BDF 07AD575D86B3937CFA8B3D331BE958DDB40EDFBE
v0.6.10c4_TMU510_u.bin | CRC16:B58A | CRC32:DB8A00BF | SHA1:5D52289960151E2543EBEAA805963B7B88C35DD8 | MD5:14C288A576690C587E95C8542EDC2A70 | 7379733160AF70F9CF5DF54F30D5C77C 5F360CD146EEC3A7B5026151C396C4A5F7F1EC91
v0.6.11c4_TMU510_u.bin | CRC16:8A51 | CRC32:289B15F3 | SHA1:D45214E907A104BCC6BC91D78B7B471263AB0699 | MD5:B7CFA6536329F0DFF1AAD7905627F15F | 73797331F283602B666562012850612E 3FABA6E4FE1D70724164A23886199F36A02EDB0D
v0.6.12c5_TMU510_u.bin | CRC16:31B2 | CRC32:1A1F141B | SHA1:403BF55314C4E785ED90D03A8F2E90B67CC235EA | MD5:1B19B55924445E4BBB2D970410AD6366 | 737973316E5C037615E4727464B2D929 2D2EB7DADEF6B24C4E959235E5B11917D352F9D5
v0.6.14c4_TMU510_u.bin | CRC16:FB1B | CRC32:079EF389 | SHA1:6EF7067FAD939D0B0DFC0B9418A6F4C7509104E5 | MD5:11E9F6270A5D79D0B76614B1C6FE622B | 73797331DCEAC9FA0F1B2449F332C4A9 1CBFF6FE43BDCA3B0A5AAFCE9A98D7176D951A49
v0.8.4c8_TMU510_u.bin  | CRC16:2949 | CRC32:81EFA508 | SHA1:5963B333361123782848E3639D9FA585A728691A | MD5:564D5479F5B98E244C1EA7B56BACC873 | 73797331E8A9ADD15036B33AB8E8AB17 FDCC981DA58B9F44E9331C9708C01D924D78DB3E
v0.9.9c1_TMU510_u.bin  | CRC16:172A | CRC32:EBB2D78A | SHA1:D5E693D2E22FD99CF3E330AC442CD9B07D01DB66 | MD5:216B258115F25B13C9969AF35BFCAC20 | 7379733116E6DD5F054442FACFA15A5C 5E62E8FC8059F864A91CAD142BC30BDAE77D9464
v0.9.14c1_TMU510_u.bin | CRC16:2A2C | CRC32:330CB685 | SHA1:30B19BB8B78E60D81848E8FDF6C4A79537CFBE66 | MD5:7AA5BFE64D15F8BD61EB80B999FE4343 | 73797331807BAF3D6E1B6A3CA5FDF30D 7CCE3B0E739A19C9C431D4D8C59CF1513DAF25E9
v1.0.1c1_TMU510_u.bin  | CRC16:3FD1 | CRC32:A7C7E313 | SHA1:F0DCA7130074E023FFAF58EBD06A61EE73C94907 | MD5:C95C57DC20D9AC5473C1EC914744352F | 73797331F362AE579EA3D864E27334CC 3EAB05DEC5328E885EED3295954999BD518ABFDF
v1.0.3c1_TMU510_u.bin  | CRC16:636E | CRC32:32942DFD | SHA1:83BE56F92A93B911D2BBE12DD1F6AF9CCD1EC11B | MD5:642C0E6615AACBF180C367F7927D1E30 | 737973312D08051E9F5AA1AAF2647EC0 44EE5DF74D92DDB81B1099430B0B5A243FFDA44E
v1.0.4c1_TMU510_u.bin  | CRC16:528F | CRC32:A0FBA694 | SHA1:1A5E5F97D66A754C2C7436618DC911C1C57B9FEA | MD5:6641B03FC6193E35380D681152226275 | 73797331E40325B060CDE461D250058D 8AF478F0A1C1B4B9DECA01C8770F8A9010F0A513
v1.0.5c1_TMU510_u.bin  | CRC16:59F8 | CRC32:87316EBF | SHA1:8ED74829973F740C1B825FD976F7926A95ACBE8B | MD5:717DC4187A6E446C30DACAC129090656 | 737973316856FC96CA6FA4D4652D4985 F9E998439D4C23DA9C1BA8F5C44611D826DA1CFE

dev/hda

dev_hda.image from DECR-1000A CP: dev_hda.image dev_hda.image.7z

Partitions

device file size type
/dev/loop0p1 51 MB (50577408 bytes) 0x89
/dev/loop0p2 8,7 MB (8650752 bytes) Linux
/dev/loop0p3 32 MB (31981568 bytes) Linux
/dev/loop0p4 35 MB (35127296 bytes) Extended
/dev/loop0 4,9 MB (4883968 bytes) Unassigned

Deviating from Retail

Please note that without info about the SKU, the listing of IDs is pretty useless.

sys_con_firmware package 1.00-1.30 1.30-1.80 1.81-2.80 3.00-3.30 3.40 3.41-4.11 SoftID Notes
? No No No No No No 0B67 Debug/DEX

Usage

The firmware PUPs contain a collection of patches for all the different hardware revisions of the syscon chips used in the different motherboard models.

The ps3swu.self (system updater) decides which applicable Syscon Hardware is present and installs the needed package update(s) accordingly (via updater manager ss service).

Which syscon version and which patches are installed can be seen in More_System_Information

Decryption

Packages can be decrypted with the unpkg tool. Decrypted content of the updates appears to always be 0x1000 bytes (4KB).

Patch/Firmware Body Decryption/Hashing

The following is all theoretical and is intended to rule out possibilities about the modes of operation used by AES when decrypting the body of the firmware/patch.

We know that:

  • Two key expansions are used before applying crypto on the body (one probably for hashing, the other for decrypting with CBC)
  • Encrypt is used when applying crypto on body TopHalf (forward ttables) and Decrypt is used when applying on body Bottomhalf (inverse ttables)
  • Authenticated regions use a form of what seems to be ECB with tweak XORing (as graf once said about XTS)
  • XTS was introduced in 2007, and the PS3 SysCon has existed for far longer than that (2003)
  • XEX is a close relative of XTS that was introduced in 1984
  • PS4 uses XTS for Authenticated Regions or SNVS (with sector size of 0x20 being used. is this even considered safe?)
  • 4 regions can be controlled for DPA and they are: 0x2790 (size 0x20) (FFs), patch header (most notably at offset 0x4 of header size 0x10 and 0x30 size 0x10), patch body tophalf(+0x40) and patch body bottomhalf(+0x50)
  • here are the DPA bytes for each of the controllable sections:
  • 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DIA-001)
  • 21 06 23 DC A2 98 99 4D XX 87 F8 40 FC 48 1C BF (section 2/FF's from 0x2790 on DEB-001)
  • 16 32 47 79 C3 2C 47 D3 2B 39 CA B5 83 41 0E D5 (section 3/header from DIA-001 patch content)
  • 7B FC 27 CD D5 9A 05 09 3A DF E4 75 BF FD 03 1A (section 3/header AA from DEB-001 patch content)
  • 92 4A 87 88 20 59 6C 49 9F 0E 7D 77 2F 38 4C FC (section 3/header DD from DEB-001 patch content)
  • 7D C6 3B 3B 69 DF 67 4C 94 D7 D4 A8 E0 F8 5B B2 (section 4/body from DIA-001 patch content/tophalf/forward)
  • 73 XX F0 3D XX 9A F0 92 4D XX 62 DA XX 48 3C DB (section 4/body from DIA-001 patch content/bottomhalf/inverse)
  • 49 1F 7B 0A 48 BD 79 33 4E 16 89 F6 B0 25 86 48 (section 4/body from DEB-001 patch content/tophalf/forward)
  • 14 4D F1 D3 21 B6 17 46 60 81 42 E5 02 C9 07 66 (section 4/body from DEB-001 patch content/bottomhalf/inverse/PROPER)
  • some bytes are considered "weak" bytes and should be bruteforced in the eventuality these keys fail
  • another possibility is that both the header and the body are hashed and then decrypted, using for example, cmac and cbc
  • since key expansions take 10 "hills" in the analysis, it should be safe to assume that AES-128 is used (because it uses 10 rounds).
  • 6554cff202c3bfdd9740901070b705bf : correct md5 for patch content we are trying keys on (DIA-001)
  • 4875ad06a1499cc516a0d4d92e595794 : correct md5 for patch content we are trying keys on (DEB-001/DIA-002)
  • trying a different header/body patch content from another similar board will result in failure to decrypt the body, which means that the header is checked for authenticity and that the header hash is NOT in the header
  • altering the patch header doesn't cause the patch header dpa bytes to change (a test was done with 4 bytes and the result was 16 32 47 79, which matches the other patch dpa recovered bytes)
  • there are in fact not 4 but 5 aes sections. the last one seems to be body related, as changing the body even one bit makes the last aes section disappear.
  • section 2 is divided into two sections, corresponding to TopHalf and BottomHalf of patch area.
  • TopHalf uses forward ttables/sbox. BottomHalf uses inverse ttables/sbox
  • TopHalf is ONLY the very first 0x10 bytes AFTER the header and into the body (corresponding to 0x40 in header size 0x10)
  • BottomHalf is the rest of the body itself.

Header

The header format is partially unknown at this stage. All the firmware patches are written in little endian.

Offset Length Notes Related DECR Error Notes
0x0 0x4 Magic FFFFFED2 (Magic Error)
0x4 0x10 Header CMAC1 FFFFFED1 (Header Check Error) CMAC of Partial Header (0x10,0x30 size) with header first 4 bytes instead of random 4 bytes and where Header CMAC2 is zeroed Concatenated with Encrypted Body
0x14 0x10 Header CMAC2 FFFFFED1 (Header Check Error) CMAC of Header (where this cmac has been zeroed)
0x24 0x4 Padding FFFFFED1 (Header Check Error)
0x28 0x4 Total size FFFFFED1 (Header Check Error)
0x2c 0x4 Size of binary FFFFFED1 (Header Check Error)
0x30 0x10 IV for AES-128 CBC FFFFFED1 (Header Check Error)
0x40 0xfc0 Encrypted binary FFFFFED0 (Data Check Error) / FFFFFECF (Data Size Check Error)
  • Note: For the weird bogus update ONLY: FFFFFF37 (Alignment Error?) (Trying any data size between 0x41 and 0x4C bytes)
  • Note2: v0.6.14c4 is the bogus update (only update with a weird header)
  • Note3: setting data between 0x40 to 0x4C to zero in bogus update yields error FFFFFED0

Samples

00000000  1B 2D 70 0F AB 5E B3 99 68 20 FE 3D E1 80 6A 1D  .-p.«^³™h þ=á€j.
00000010  B8 FD 37 CF CD 45 85 AB 51 F7 05 E3 EA 32 A5 EA  ¸ý7ÏÍE…«Q÷.ãê2¥ê
00000020  67 45 F9 48 00 00 00 00 00 10 00 00 C0 0F 00 00  gEùH........À...
00000030  8B 04 07 F9 9B A2 90 3A 75 89 F1 42 12 59 DA 0D  ‹..ù›¢.:u‰ñB.YÚ.
00000040  21 7C A2 C3 5A E4 78 00 10 8D 4B F7 A2 73 9C 63  !|¢ÃZäx...K÷¢sœc
00000050  5D 8D 5D 49 16 C7 6F 2C AD 33 FE 1F D3 6C A1 CA  ].]I.Ço,.3þ.Ól¡Ê
00000060  BA AD 2B FE 8F 33 71 D7 C5 E6 5C FF BF 77 6C 80  º.+þ.3q×Åæ\ÿ¿wl€
00000070  F2 BE 11 BB 3C 52 52 DC A9 68 E5 24 AD 4F F3 48  ò¾.»<RRÜ©hå$.OóH

-From v1.0.4c2_TMU510_u-

00000000   73 79 73 31 73 47 59 5D  FB 85 3B 7B 4A 28 10 5D   sys1sGY]û…;{J( ]
00000010   46 EE 8C 01 3C B4 F1 82  1E 18 4F B7 4A 56 FC C7   FîŒ <´ñ‚  O·JVüÇ
00000020   FF 83 0B E0 00 00 00 00  40 00 06 00 00 00 06 00   ÿƒ à    @       
00000030   69 B6 02 69 3A 97 8B 1C  4E 18 D4 E0 63 7D CA 94   i¶ i:—‹ N Ôàc}Ê”
00000040   4B A0 79 34 79 41 BD 09  BB 68 D4 0A A0 B7 05 78   K y4yA½ »hÔ  · x
00000050   D9 8F 8F 28 6C 9A 1B 61  CF A1 E7 49 7D CA C4 A3   Ù  (lš aÏ¡çI}ÊÄ£
00000060   A4 4D 4B E0 AE 48 86 03  B1 43 F2 47 C0 C4 1D 4F   ¤MKà®H† ±CòGÀÄ O
00000070   FA E8 43 A7 1E 6E 79 8C  E5 FF 04 20 E9 44 09 B5   úèC§ nyŒåÿ  éD µ

Observations

  • The first 4 bytes (0x1B2D700F) appear static in each package.
  • The next 0x20 bytes appear to change with each package
  • The following 12 bytes (0x0000000000100000C00F0000) also appear static, but they are the firmware size and fw size - header size; in fact, if correctly converted to little endian: 00000000 00001000 00000fc0, where 00000000 is Unknown, 00001000 is 4096 in dec (file size) and 00000fc0 is 4032 in dec (update size).
  • On the DECH fw, the update works in the same way: 000000004000060000000600 converted will be: 00000000 00060040 00060000, where 00000000 is probably padding, 00060040 is the file size and 00060000 is the update size
  • the first 0x40 bytes probably are IV + HASH + update infos. probably the algorithm used is AES.
  • algorithm used is AES-128 CBC on the body (IV is at +0x30)

Access to Syscon from Linux

Access SysCon ROM without needing ps3dm-utils: http://wiki.gitbrew.org/wikibrew/PS3:HvReverseEngineering#SYSCON

List of Soft IDs in Decimal Form

2958
3094
3410
3519
3689
3881
3896

Placeholder for bga patch key generation

34 3A 00 00 00 00 5F 5F 53 43 45 49 53 59 53 31
4:....__SCEISYS1
  • replace 4 dots with soft id in decimal form, xor with 0x140 key and with cipher patcher key and encrypt with master patcher key to obtain cipher master key for that soft id
  • replace 4 dots with soft id in decimal form, xor with 0x140 key and with hasher patcher key and encrypt with master patcher key to obtain hasher master key for that soft id

PTCH Firmware TOC

Offset Size Notes Number
0x00 0x2 Major Version 1
0x02 0x2 Minor Version 1
0x04 0x2 Major Revision 1
0x06 0x2 Minor Revision 1
0x08 0x10 PTCH Addresses 4*4
0x18 0x4 PTCH #1 Instruction / Data 1
0x1C 0x4 PTCH #2 Instruction / Data 1
0x20 0x4 PTCH #3 Instruction / Data 1
0x24 0x4 PTCH #4 Instruction / Data 1
0x28 0x10 Additional PTCH Instruction Addresses 4*4
0x38 0x388 Additional PTCH Instructions 1
0x3C0 0xC00 HDMI Related PTCH Instructions 1

External commands

Offset Command Subcommand Permissions
0x333C5 BOOT MODE 0x000080D6
0x33441 BOOT CONT 0x000080D5
0x34EA9 SHUTDOWN 0x0000C0D5
0x334BD HALT 0x0000C0D5
0x334F1 BOOTENABLE 0x0000809A
0x33F5F AUTH1 0x0000C0EF
0x33FF5 AUTH2 0x0000C0EF
0x340EB AUTHVER SET 0x0000C0DF
0x34091 AUTHVER GET 0x0000C0FF
0x3352F EEP INIT 0x000080DA
0x336BD EEP SET 0x0000C0DF
0x337DF EEP GET 0x0000C0DF
0x33A71 PDAREA SET 0x0000C0DF
0x338F7 PDAREA GET 0x0000C0DF
0x33B85 CSAREA SET 0x0000C0DF
0x33B19 CSAREA GET 0x0000C0DF
0x33C29 VID GET 0x0000C0D5
0x33C97 CID GET 0x0000C0D5
0x33CDD ECID GET 0x0000C0D5
0x33D1D REV SB 0x0000C0D5
0x33D4D SPU INFO 0x0000C0D5
0x33DA1 KSV 0x0000C0D5
0x34157 FAN SETPOLICY 0x0000C0D7
0x341E5 FAN GETPOLICY 0x0000C0D7
0x3424F FAN START 0x0000C0D7
0x3424F FAN STOP 0x0000C0D7
0x34425 FAN SETDUTY 0x0000C0D7
0x34493 FAN GETDUTY 0x0000C0D7
0x344F5 R8 0x0000C0DF
0x3459F W8 0x0000C0DF
0x3463F R16 0x0000C0DF
0x346E7 W16 0x0000C0DF
0x34789 R32 0x0000C0DF
0x3492F W32 0x0000C0DF
0x349CF RBE 0x0000C0D5
0x34A77 WBE 0x0000C0D5
0x34B2F PORTSTAT 0x0000C0DF
0x33D7F VER 0x0000C0FF
0x34CAD BUZ 0x00008096
0x34CE1 BTNEMU SYNC 0x0000C0D7
0x34CE1 BTNEMU ASYNC 0x0000C0D7
0x34EA9 SERVFAN 0x0000C0D7
0x34D6F ERRLOG START 0x0000C0DF
0x34D93 ERRLOG STOP 0x0000C0DF
0x34DB7 ERRLOG GET 0x0000C0FF
0x34E1D ERRLOG CLEAR 0x0000C0DF
0x34E41 NONFATALERR 0x0000C0DF

Internal commands

Command Address Perms SubCommands Description
becount 0xCA7D 0xDD0C0000 - Display bringup/shutdown count + Power-on time
bepgoff 0xA4E7 0xD00C0000 - BE power grid off
bepkt 0x2435D 0xDC0C0000 show/set/unset/mode/debug/help Packet permissions
bestat 0xD413 0xFD0F0000 - Get status of BE
boardconfig 0x99C7 0xDC0C0000 - Displays board configuration (NOT WORKING?)
bootbeep 0x1EA67 0xF0000000 stat/on/off Boot beep
bringup 0xD597 0xFD0F0000 - Turn PS3 on
bsn 0xD805 0xF00F0000 - Get board serial number
bstatus 0x24269 0xDD0C0000 - HDMI related status
buzz 0xA4FF 0xDC0C0000 [freq] Activate buzzer
buzzpattern 0xA8B7 0xDC0C0000 [freq] [pattern] [count] Buzzer pattern
clear_err 0x2595B 0xDD0C0000 last/eeprom/all Clear errors
clearerrlog 0xB8CB 0xDD0C0000 - Clears error log
comm 0x9919 0xDC0C0000 - Communication mode
commt 0x24907 0xDC0C0000 help/start/stop/send Manual BE communication
cp 0x1E077 0xF0000000 ready/busy/reset/beepremote/beep2kn1n3/beep2kn2n3 CP control commands
csum 0xD687 0xFF0F0000 - Firmware checksum
devpm 0xD053 0xDD0C0000 ata/pci/pciex/rsx Device power management
diag 0x9AAD 0xD00C0000 ... Diag (execute without param to show help) (NOT WORKING?)
disp_err 0x25911 0xDD0C0000 - Displays errors
duty 0x9B23 0xDD0C0000 get/set/getmin/setmin/getmax/setmax/getinmin/setinmin/getinmax/setinmax Fan policy
dve 0x2995D 0xDC0C0000 help/set/save/show DVE chip parameters
eepcsum 0xAA65 0xDD0C0000 - Does nothing
eepromcheck 0x9A1D 0x000C0000 [id] Check eeprom
eeprominit 0x9A65 0x000C0000 [id] Init eeprom
ejectsw 0xD611 0xFD0F0000 - Eject switch
errlog 0xB7ED 0xFF0C0000 - Gets the error log
fancon 0xD26D 0x0D000000 - Does nothing
fanconautotype 0xC075 0xDD0C0000 - Does nothing
fanconmode 0xBF35 0xDD0C0000 get Fan control mode
fanconpolicy 0xBBC9 0xDD0C0000 get/set/getini/setini Fan control policy
fandiag 0x1E91B 0xF0000000 - Fan test
faninictrl 0xD3D9 0x0D000000 - Does nothing
fanpol 0xCA31 0xDD0C0000 - Does nothing
fanservo 0xBF29 0xDD0C0000 - Does nothing
fantbl 0xC087 0xDD0C0000 get/set/getini/setini/gettable/settable Fan table
firmud 0xD61D 0xFDFF0000 - Firmware update
geterrlog 0xB84F 0xDD0C0000 [id] Gets error log
getrtc 0xA6F3 0xDD0C0000 - Gets rtc
halt 0x1E107 0xF0000000 - Halts syscon
hdmi 0x29F39 0xDD0C0000 ... HDMI (various commands, use help)
hdmiid 0x29D1D 0xDC0F0000 - Get HDMI id's
hdmiid2 0x29D81 0xDC0F0000 - Get HDMI id's
hversion 0x2422F 0xDD0C0000 - Platform ID
hyst 0xAEF5 0xDD0C0000 get/set/getini/setini Temperature zones
lasterrlog 0xB7FF 0xDD0C0000 - Last error from log
ledmode 0xA80B 0xDC0C0000 [id] [id] Get led mode
LS 0x2421B 0xDD0C0000 - LabStation Mode
ltstest 0xCB97 0xDD0C0000 get/set be/rsx ?Temp related? values
osbo 0x1EA3F 0xF0000000 - Sets 0x2000F60
patchcsum 0xD9F7 0xDD0C0000 - Patch checksum
patchvereep 0xD9B1 0xDD0C0000 - Patch version eeprom
patchverram 0xD965 0xDD0C0000 - Patch version ram
poll 0x240E3 0xDD0C0000 - Poll log
portscan 0xDA0D 0xDD0C0000 [port] Scan port (NOT WORKING?)
powbtnmode 0xB911 0xDC0C0000 [mode (0/1)] Power button mode
powerstate 0xCE6F 0xDD0C0000 - Get power state
powersw 0xD5F9 0xFD0F0000 - Power switch
powupcause 0xB621 0xDD0C0000 - Power up cause
printmode 0x99D9 0xDC0C0000 [mode (0/1/2/3)] Set printmode
printpatch 0xD94F 0xDD0C0000 - Prints patch
r 0x8CA5 0xDD0C0000 [offset] [length] Read byte from SC
r16 0x8ED5 0xDD0C0000 [offset] [length] Read word from SC
r32 0x9191 0xDD0C0000 [offset] [length] Read dword from SC
r64 0x935D 0xDD0C0000 [offset] [length] Read qword from SC
r64d 0x948F 0xDD0C0000 [offset] [length] Read ?qword data? from SC
rbe 0x96F9 0xDD0C0000 [offset] Read from BE
recv 0x24135 0xDD0C0000 - Receive something
resetsw 0xD605 0xFC0F0000 - Reset switch
restartlogerrtoeep 0xB903 0xDD0C0000 - Reenable error logging to eeprom
revision 0xD7E1 0xFFFF0000 - Get softid
rrsxc 0xD313 0xDD0C0000 [offset] [length] Read from RSX
rtcreset 0xA7BB 0x000C0000 - Reset RTC
scagv2 0xE24F 0xFF000000 - Auth related?
scasv2 0xE207 0xDD000000 - Auth related?
scclose 0xE1EF 0xFF000000 - Auth related?
scopen 0xE121 0xFF000000 - Auth related?
send 0x2416F 0xDD0C0000 [variable] Send something
shutdown 0xD5C5 0xFD0F0000 - PS3 shutdown
startlogerrtsk 0xB8E7 0xDD0C0000 - Start error log task
stoplogerrtoeep 0xB8F5 0xDD0C0000 - Stop error logging to eeprom
stoplogerrtsk 0xB8D9 0xDD0C0000 - Stop error log task
syspowdown 0xB6E9 0xDD0C0000 3 params System power down
task 0x15005 0xDD0C0000 - Print tasks
thalttest 0xD813 0x000F0000 - Does nothing
thermfatalmode 0xCA3B 0xDD0C0000 canboot/cannotboot Set thermal boot mode
therrclr 0xD3E5 0xDD0C0000 - Thermal register clear
thrm 0xBF1D 0xDD0C0000 - Does nothing
tmp 0xAA69 0xDD0C0000 [zone] Get temperature
trace 0xB951 0xDD0C0000 ... Trace tasks (use help)
trp 0xAB2F 0xDD0C0000 get/set/getini/setini Temperature zones
tsensor 0xA279 0xDD0C0000 [sensor] Get raw temperature
tshutdown 0xB2A1 0xDD0C0000 get/set/getini/setini Thermal shutdown
tshutdowntime 0xC95D 0xDD0C0000 [time] Thermal shutdown time
tzone 0xB5E1 0xDD0C0000 - Show thermal zones
version 0xD65F 0xFFFF0000 - SC firmware version
w 0x8BF9 0xDD0C0000 [offset] [value] Write byte to SC
w16 0x8E2D 0xDD0C0000 [offset] [value] Write word to SC
w32 0x8FED 0xDD0C0000 [offset] [value] Write dword to SC
w64 0x92A9 0xDD0C0000 [offset] [value] Write qword to SC
wbe 0x9665 0xDD0C0000 [offset] [value] Write to BE
wmmto 0xCB3B 0xDC0C0000 get Get watch dog timeout
wrsxc 0xD279 0xDD0C0000 [offset] [value] Write to RSX
xdrdiag 0x1E711 0xF0000000 start/info/result XDR diag
xiodiag 0x1E875 0xF0000000 - XIO diag
xrcv 0x25313 0xDC0C0000 - Xmodem receive