Talk:Syscon Firmware: Difference between revisions

LV1 - System Controller (SC) manager

• sc_mgr_get_srh (0x9001)
• sc_mgr_set_srh (0x9002)
• sc_mgr_encrypt (0x9003)
• sc_mgr_decrypt (0x9004)
• Init For VTRM (0x9005)
• sc_mgr_get_region_data (0x9006)
• sc_mgr_set_region_data (0x9007)
• Set RTC (0x9008)
• Get Time (0x9009)
• Set Time (0x900A)
• sc_mgr_read_eprom (0x900B)
• sc_mgr_write_eprom (0x900C)
• Init For Updater (0x900D)
• sc_mgr_get_sc_status (0x900E)
• sc_iso_header (sc_iso_sc_binary_patch - 0x9011)
• SC RTC Factory (0x9012)
• Correct RTC Factory (0x9013)
• Set SC Status (0x9014)
• Backup Root Info (0x9015)
• Restore Root Info (0x9016)
• Read System Data From SC EEPROM - Indi Info Manager 0x17007)

SC - sc_iso.self

• sc_iso_sc_binary_patch
• sc_iso_get_sc_status
• sc_iso_get_property
• sb_iso_get_rnd
• sb_iso_encdec_key
• sc_iso_module::calculate_drift_time
• sc_iso_module::generate_key
• sc_iso_module::generate_all_key
• sc_iso_module::authenticate
• sc_iso_module::change_to_old_key
• sc_iso_module::do_process
• sc_iso_module::get_system_info
• sc_iso_module::get_system_version
• sc_iso_module::do_set_rtc_status
• sc_iso_module::do_get_rtc_status
• sc_iso_module::do_set_rtc2
• sc_iso_module::set_rtc
• sc_iso_module::do_set_drift_time
• sc_iso_module::do_get_time
• sc_iso_module::set_time
• sc_iso_module::get_time
• sc_iso_module::read_data2
• sc_iso_module::write_data2
• sc_iso_module::write_binary_patch
• sc_iso_module::read_data
• sc_iso_module::write_data
• sc_iso_module::write_region_data
• sc_iso_module::set_region_data
• sc_iso_module::write_srh
• sc_iso_module::set_srh
• sc_iso_module::write_key
• sc_iso_module::write_mngblk
• sc_iso_module::initialize_updater_block
• sc_iso_module::read_region_data
• sc_iso_module::get_region_data
• sc_iso_module::get_srh
• sc_iso_module::read_key
• sc_iso_module::do_crypt
• sc_iso_module::decrypt
• sc_iso_module::encrypt
• sc_iso_module::read_mngblk
• sc_iso_module::set_sc_status
• sc_iso_module::get_sc_status
• sc_iso_module::init_for_updater
• sc_iso_module::init_for_vtrm
• sc_iso_module::start

This should be a good starting point but leaves enough to explore yourself though: http://pastebin.com/NxVkGCdp (for version 1.02)

See Graf's PSGroove Payload and HV page #0x9000 - SC_Manager / HVpage #System Controller

Syscon Firmware packages

SYS_CON_FIRMWARE-PKGs.rar (51.92 KB)

SYS_CON_FIRMWARE_01000004.pkg (5376 bytes) Firmware 1.30 up to 1.80 (not 1.81 and higher) 
SYS_CON_FIRMWARE_01000005.pkg (5376 bytes) Firmware 1.81 up to 3.30 (not 3.40 and higher) 
SYS_CON_FIRMWARE_01000006.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65 
SYS_CON_FIRMWARE_01010302.pkg (5376 bytes) Firmware 1.81 up to 3.30 (not 3.40 and higher) 
SYS_CON_FIRMWARE_01010303.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
SYS_CON_FIRMWARE_01020302.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
SYS_CON_FIRMWARE_01030302.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
SYS_CON_FIRMWARE_01040402.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65
SYS_CON_FIRMWARE_01050002.pkg (5376 bytes) Firmware 3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65 
SYS_CON_FIRMWARE_S1_00010002083E0832.pkg (5376 bytes) Firmware 3.00/3.01/3.10/3.15/3.20/3.21/3.30/3.40/3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65 
SYS_CON_FIRMWARE_01050101.pkg (5376 bytes) Firmware 3.41/3.42/3.50/3.55/3.56/3.60/3.61/3.65

Updater log lines related to syscon

Updater log lines related to Syscon just after BD firmware, Multi-Card controller, BlueTooth firmware (in this case CEX 3.55) just before post processing and cleanup update status :

Update System controller firmware
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 2 msec
read SC patch package (4864 bytes) elapsed = 2 msec
read SC patch package (4864 bytes) elapsed = 3 msec
read SC patch package (4864 bytes) elapsed = 2 msec
read SC patch package (4864 bytes) elapsed = 3 msec
Update System controller firmware done(0x8002f000)

PS3 Retail == PS3 TEST != PS3 TOOL I try to get PS3 TOOL SC Firmwares.

It is suggested that the Syscon EEPROM is 512KB and the full (encrypted) firmware is <400KB (on Ref.Tool the Syscon is updated by overwiting the whole Syscon firmware : e.g. v1.0.5c1_TMU510_u.bin 384KB)

Syscon commands

Syscon commands:

ver
errlog
auth1
auth2
fandiag
xdrdiag
xiodiag
bestat
sysdiag
syslog

bringup (PowerOn State)
shutdown (PowerOff State)
powersw
resetsw
bootbeep
stat
bootbeep on BOOT BEEP ON: DONE
bootbeep off BOOT BEEP OFF: DONE
xdrdiag
start
errlog tmpforcp
cp beepremote
cp beep2kn1n3
cp beep2kn2n3 /usr/bin/sx
halt HALT: OK
version
firmud Done.
cp ready CP READY: OK
cp busy CP BUSY: OK
cp reset CP RESET: OK
bestat
xdrdiag info
xdrdiag result
xiodiag
fandiag 
diagnose

The diag commands are usually for the backup bank, the main only supports firmud

CP root pass on Ref.Tool: cytology

sc auth keys old

http://www.pastie.org/2146658 :

sc auth keys old:
auth_1_0x00: 13163A92B50513542C18ABAD31B85FB7
auth_2_0x00: 2BC8BB73F4B59AC658A737A5DD535DFE
auth_1_0x01: D6C374FCDFF8C3CF44018C78733BF5B2
auth_2_0x01: 648B9FF94EF321C69A4AE596F2F08D22
auth_1_0x06: 626C7124FC5BA1AF7436389BA37C6654
auth_2_0x06: 9D94BE461CAF083C9D9FA185C93AEE7B
sc auth key seeds:
auth_1_0x00: 63DCA7D3FEE47F749A408363F1104E8F
auth_2_0x00: 4D10094324009CC8E6B69C70328E34C5
auth_1_0x01: D97949BAD8DA69D0E01BF31523732832
auth_2_0x01: C9D1DD3CE27E356697E26C12A7B316A8
auth_1_0x06: 4420ED722FEA35021955AB40C78EE6DF
auth_2_0x06: 3E67C2D9432E15D09BEF0E6C6492455D
the new auth keys are generated involving 256bit aes encryption (iv is all zeroes)

dump syscom

dump_sysrom.pkg of dump-flash+syscon.rar (280.51 KB) (http://git.gitbrew.org/ps3/?p=otheros-utils/dump_sysrom.git) seems to output wrong on MFW315:

 Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
 00000000  FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03  ÿÿÿÿ€...ÿÿÿÿ€...
 00000010  FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03  ÿÿÿÿ€...ÿÿÿÿ€...
 ...   ...   ...   
 0003FFE0  FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03  ÿÿÿÿ€...ÿÿÿÿ€...
 0003FFF0  FF FF FF FF 80 01 00 03 FF FF FF FF 80 01 00 03  ÿÿÿÿ€...ÿÿÿÿ€...

Updating Syscon on Tool/DECR

v1.0.4c2_TMU510_u.bin

Q: How is syscon updated on Reference Tool / DECR models?
There are no syscon PKG's in the DECR PUPs and CP .bin file contains one large binary encrypted gibberish. it is suggested it uses full syscon updates, but how are files like "v1.0.5c1_TMU510_u.bin" send to syscon for updating? With/via Communication Processor?

A: In DECR-1000A Syscon is located on the motherboard. The Communication Processor talks to it through UART and updates it with the firmud command.
List of main IC's on the board:

• SCEI CXR713F120A (Syscon Hardware)
• 1x Samsung K9F2G08U0M (Flash 2Gbit)
• SCEI CXD4302GB (Starship2)
• SCEI CXD9790GG (?) "helps handle communication between the Communication Processor, and the system controller, and southbridge. Using this path, the CP can talk to the System Controller, and bring the system up, down, and change its boot settings."

archaic source1 archaic source2