Talk:Syscon Firmware: Difference between revisions
Revision as of 22:01, 2 September 2011
LV1 - System Controller (SC) manager
- sc_mgr_get_srh (0x9001)
- sc_mgr_set_srh (0x9002)
- sc_mgr_encrypt (0x9003)
- sc_mgr_decrypt (0x9004)
- Init For VTRM (0x9005)
- sc_mgr_get_region_data (0x9006)
- sc_mgr_set_region_data (0x9007)
- Set RTC (0x9008)
- Get Time (0x9009)
- Set Time (0x900A)
- sc_mgr_read_eprom (0x900B)
- sc_mgr_write_eprom (0x900C)
- Init For Updater (0x900D)
- sc_mgr_get_sc_status (0x900E)
- sc_iso_header (sc_iso_sc_binary_patch - 0x9011)
- SC RTC Factory (0x9012)
- Correct RTC Factory (0x9013)
- Set SC Status (0x9014)
- Backup Root Info (0x9015)
- Restore Root Info (0x9016)
- Read System Data From SC EEPROM (Indi Info Manager 0x17007)
SC - sc_iso.self
- sc_iso_sc_binary_patch
- sc_iso_get_sc_status
- sc_iso_get_property
- sb_iso_get_rnd
- sb_iso_encdec_key
- sc_iso_module::calculate_drift_time
- sc_iso_module::generate_key
- sc_iso_module::generate_all_key
- sc_iso_module::authenticate
- sc_iso_module::change_to_old_key
- sc_iso_module::do_process
- sc_iso_module::get_system_info
- sc_iso_module::get_system_version
- sc_iso_module::do_set_rtc_status
- sc_iso_module::do_get_rtc_status
- sc_iso_module::do_set_rtc2
- sc_iso_module::set_rtc
- sc_iso_module::do_set_drift_time
- sc_iso_module::do_get_time
- sc_iso_module::set_time
- sc_iso_module::get_time
- sc_iso_module::read_data2
- sc_iso_module::write_data2
- sc_iso_module::write_binary_patch
- sc_iso_module::read_data
- sc_iso_module::write_data
- sc_iso_module::write_region_data
- sc_iso_module::set_region_data
- sc_iso_module::write_srh
- sc_iso_module::set_srh
- sc_iso_module::write_key
- sc_iso_module::write_mngblk
- sc_iso_module::initialize_updater_block
- sc_iso_module::read_region_data
- sc_iso_module::get_region_data
- sc_iso_module::get_srh
- sc_iso_module::read_key
- sc_iso_module::do_crypt
- sc_iso_module::decrypt
- sc_iso_module::encrypt
- sc_iso_module::read_mngblk
- sc_iso_module::set_sc_status
- sc_iso_module::get_sc_status
- sc_iso_module::init_for_updater
- sc_iso_module::init_for_vtrm
- sc_iso_module::start
This should be a good starting point but leaves enough to explore yourself though: http://pastebin.com/NxVkGCdp (for version 1.02)
See Graf's PSGroove Payload and HV page #0x9000 - SC_Manager / HVpage #System Controller
SYS_CON_FIRMWARE-PKGs.rar (51.92 KB)
- SYS_CON_FIRMWARE_01000004.pkg (5376 bytes) Firmware 1.30 up to 1.80 (not 1.81 and higher)
- SYS_CON_FIRMWARE_01000005.pkg (5376 bytes) Firmware 1.81 up to 3.30 (not 3.40 and higher)
- SYS_CON_FIRMWARE_01000006.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
- SYS_CON_FIRMWARE_01010302.pkg (5376 bytes) Firmware 1.81 up to 3.30 (not 3.40 and higher)
- SYS_CON_FIRMWARE_01010303.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
- SYS_CON_FIRMWARE_01020302.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
- SYS_CON_FIRMWARE_01030302.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
- SYS_CON_FIRMWARE_01040402.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
- SYS_CON_FIRMWARE_01050002.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
- SYS_CON_FIRMWARE_S1_00010002083E0832.pkg (5376 bytes) Firmware 3.00/3.01/3.10/3.15/3.20/3.21/3.30/3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
- SYS_CON_FIRMWARE_01050101.pkg (5376 bytes) Firmware 3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
Updater log lines related to Syscon, just after BD firmware, Multi-Card controller and Bluetooth firmware (in this case CEX 3.55) and just before post-processing and cleanup of the update status:
Update System controller firmware
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 2 msec
read SC patch package (4864 bytes) elapsed = 2 msec
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 2 msec
read SC patch package (4864 bytes) elapsed = 3 msec
Update System controller firmware done(0x8002f000)
PS3 Retail == PS3 TEST != PS3 TOOL. I am trying to get PS3 TOOL SC firmwares.
It is suggested that the Syscon EEPROM is 512KB and the full (encrypted) firmware is <400KB (on Ref.Tool the Syscon is updated by overwriting the whole Syscon firmware, e.g. v1.0.5c1_TMU510_u.bin, 384KB).
Syscon commands:
ver errlog auth1 auth2 fandiag xdrdiag xiodiag bestat sysdiag syslog
bringup (PowerOn State) shutdown (PowerOff State) powersw resetsw bootbeep stat bootbeep on BOOT BEEP ON: DONE bootbeep off BOOT BEEP OFF: DONE xdrdiag start errlog tmpforcp cp beepremote cp beep2kn1n3 cp beep2kn2n3 /usr/bin/sx halt HALT: OK version firmud Done. cp ready CP READY: OK cp busy CP BUSY: OK cp reset CP RESET: OK bestat xdrdiag info xdrdiag result xiodiag fandiag diagnose
The diag commands are usually for the backup bank; the main bank only supports firmud.
CP root pass on Ref.Tool: Cytology
http://www.pastie.org/2146658 :
The paste lists the old sc auth keys and the sc auth key seeds (auth_1 and auth_2 for 0x00, 0x01 and 0x06). The new auth keys are generated involving 256-bit AES encryption (IV is all zeroes).
dump_sysrom.pkg of dump-flash+syscon.rar (280.51 KB) (http://git.gitbrew.org/ps3/?p=otheros-utils/dump_sysrom.git) seems to produce wrong output on MFW315:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03 ÿÿÿÿ€...ÿÿÿÿ€...
00000010 FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03 ÿÿÿÿ€...ÿÿÿÿ€...
... ... ...
0003FFE0 FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03 ÿÿÿÿ€...ÿÿÿÿ€...
0003FFF0 FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03 ÿÿÿÿ€...ÿÿÿÿ€...
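A sanity check for a dump like the one above, as an added example (not code from dump_sysrom or from this page): it detects that the whole file is one short unit repeated end to end, which means the read returned no real content. The inputs are constructed: the 8-byte unit and the 0x40000 length are taken from the hex view above, the control data is generated, and the "suspect" rule is an assumed heuristic.

```python
# Added example: detect a dump that is one short unit repeated end to end.
import hashlib
import math
from collections import Counter

# Constructed sample parameters, taken from the hex view on the page.
PATTERN = bytes.fromhex("FFFFFFFF80010003")  # the 8 bytes every row repeats
DUMP_SIZE = 0x40000                          # offsets run 00000000-0003FFFF

def smallest_period(data, max_period=64):
    """Smallest p with data[i] == data[i + p] for every i, or None."""
    for p in range(1, min(max_period, len(data) // 2) + 1):
        if data[p:] == data[:-p]:
            return p
    return None

def entropy_bits_per_byte(data):
    """Shannon entropy of the byte histogram (8.0 = uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_dump(data):
    """Summarise a dump and flag it when it carries no real content."""
    period = smallest_period(data)
    distinct = len(set(data))
    return {
        "size": len(data),
        "period": period,
        "unit": data[:period].hex().upper() if period else None,
        "distinct_bytes": distinct,
        "entropy": round(entropy_bits_per_byte(data), 3),
        # Assumed heuristic: a periodic file, or one using only a handful
        # of byte values, is a failed read rather than firmware or EEPROM data.
        "suspect": period is not None or distinct <= 16,
    }

def constructed_bad_dump():
    """Rebuild the dump shown on the page from its repeating unit."""
    return PATTERN * (DUMP_SIZE // len(PATTERN))

def constructed_control(size=DUMP_SIZE):
    """Deterministic high-entropy stand-in for an encrypted image."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest()
              for i in range(size // 32 + 1))
    return b"".join(blocks)[:size]

if __name__ == "__main__":
    for name, blob in (("bad", constructed_bad_dump()),
                       ("control", constructed_control())):
        print(name, assess_dump(blob))
```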
Updating Syscon on Tool/DECR
Q: How is syscon updated on Reference Tool / DECR models?
There are no syscon PKGs in the DECR PUPs, and the CP .bin file contains one large binary of encrypted gibberish.
It is suggested it uses full syscon updates, but how are files like "v1.0.5c1_TMU510_u.bin" sent to syscon for updating? With/via the Communication Processor?
A: In DEC1000A the syscon is located ON the Communication Processor Board
List of main ICs on the board:
- SCEI CXR713F120A (Syscon Hardware)
- 1x Samsung K9F2G08U0M (Flash 2Gbit)
- SCEI CXD4302GB (Starship2)
- SCEI CXD9790GG (?) "helps handle communication between the Communication Processor, and the system controller, and southbridge. Using this path, the CP can talk to the System Controller, and bring the system up, down, and change its boot settings."
archaic source: http://www.ps3news.com/ps3-hacks-jailbreak/ps3-tool-decr-1000a-system-controller-flash-chips-detailed/