Southbridge
PS4 southbridge contains two processors named EMC and EAP on the same die that are mainly used on boot, during rest mode and for servicing.
Components[edit | edit source]
Southbridge processors[edit | edit source]
The two processors are on the same die. It is a SoC (System on Chip).
EMC[edit | edit source]
EMC could stand for External Micro Controller. EMC was named MediaCon by some people when its name was still unknown.
The role of EMC is to load EMC Initial Program Loader, to be an interface for icc for the main APU kernel and Syscon and to offer a debug interface via UART that does not rely on Syscon or main APU. EMC runs its own FreeBSD kernel. It is a Marvell Armada, an ARM-based SoC. Sony stuck a PCIe bridge on it. It exposes ARM peripherals to the x86 side. There is some extra stuff (e.g. HPET, ACPI stuff).
EMC cpuid = 412FC231 (ARM Cortex-M3 r2p1). CPU clock: maybe about 100MHz.
EMC Initial Program Loader[edit | edit source]
EMC Initial Program Loader is stored encrypted in a SLB2 container in PS4 Serial Flash. Its role is to launch both EAP Kernel Boot Loader and AMD bootROM.
EAP[edit | edit source]
EAP could stand for External Application Processor.
The role of EAP is to handle media (online Wireless/GbLAN, Bluray Drive and HDD/SSD) even when the PS4 is in standby mode. EAP runs its own FreeBSD kernel in standby mode, activated to handle tasks such as downloading games updates while the PS4 is in standby.
It handles several tasks to offload the APU:
- Network connections: Wireless and GbLAN, including background downloading and PlayGo
- File handling (Bluray Drive, Harddrive and USB 3.0), including background caching
- Main serial flash handling
EAP consists of Marvell PJ4C B0 rev 1 cores, ARMv7 CORTEX-A8 running FreeBSD 9 kernel. CPU clock: 500MHz. DDR clock: 800MHz.
As EAP Core software is unsigned, unencrypted and easily replaceable on PS4 HDD with a PS4 kernel exploit, it is possible to run homebrew code on EAP processor. See eapdev by Bigboss (psxdev).
EAP Kernel Boot Loader[edit | edit source]
EAP Kernel Boot Loader is stored encrypted in a SLB2 container in PS4 Serial Flash. The role of EAP Kernel Boot Loader is to decrypt then uncompress the EAP Kernel. The encrypted EAP Kernel is stored at virtual address 0xC1000000 and the decrypted and uncompressed EAP Kernel is located at virtual address 0xC3000000.
EAP Kernel[edit | edit source]
EAP Kernel is located at virtual address 0xC3000000. Encrypted EAP Kernel is mounted on device da0x2 along with minila file.
minila[edit | edit source]
minila is an ELF file stored in /minila/ folder in EAP virtual filesystem (packed along with EAP Kernel). Minila is "AMD SceSysCore mini" equivalent for EAP.
EAP Core[edit | edit source]
EAP Core is the only usermode executable running on EAP. It is stored unencrypted as SceEapCore.elf in PS4 HDD.
EAP Filesystem from EAP Kernel binary[edit | edit source]
/dev/ /eap_tmp/ /eap_user/ /eap_vsh/ /minila/ /minila/minila /rescue/ /update/ /user/
EAP files on HDD[edit | edit source]
- da0x2 HDD partition is mounted to /eap_kern/ but is encrypted. Only EMC Kernel Boot Loader reads and decrypts this partition then loads it in EAP DDR3 memory and launches EMC Kernel.
- da0x3 HDD partition is mounted to /eap_vsh/.
/eap_vsh/common/ /eap_vsh/common/cert/ /eap_vsh/common/cert/CA_list.cer /eap_vsh/etc/ /eap_vsh/etc/bgdc/ /eap_vsh/etc/bgdc/config.xml /eap_vsh/etc/timezone.dat /eap_vsh/SceEapCore.elf
EAP files on Serial Flash[edit | edit source]
sflash0s0x33: SLB2 container sflash0s0x33/C0010001: EMC Kernel Boot Loader sflash0s0x33/C0018001: EMC Kernel Boot Loader Information
Southbridge RAM[edit | edit source]
Southbridge chip is connected to its own DDR3 SDRAM. It is named "sbram" as abbreviation for SouthBridge RAM.
PS4 Fat and Slim[edit | edit source]
PS4 Fat and Slim Southbridge has one Samsung K4B2G1646E-BCK0, K4B2G1646F-BCMA or K4B2G1646Q-BCMA, giving a total of 256MB of memory.
PS4 Pro[edit | edit source]
PS4 Pro Southbridge has two Samsung K4B4G0846E-BYMA, H5TQ4G83CFR-RDC or H5TQ4G83EFR-RDC (K4B4G1646E-BYK0 on PS4 Pro DevKit), giving a total of 1GB of memory.
Serial Flash[edit | edit source]
Southbridge contains a 256MB Serial flash.
Aeolia has Macronix MX25L25635FMI-10G.
Auxiliary components[edit | edit source]
Southbridge is connected to the main APU by PCI-Express x4 and to Syscon by SPI.
Aeolia has SATA bridge MB86C311B, GbLAN controller 88EC060-NN82.
Southbridge revisions[edit | edit source]
There are three major hardware revisions, named Aeolia, Belize and Baikal.
See also Aeolia.
Motherboards per Southbridge revisions[edit | edit source]
| Southbridge Codename | Southbridge Labeling | Motherboards |
|---|---|---|
| Aeolia | CXD90025G | |
| Belize | CXD90036G | |
| Belize 2 | CXD90046GG |
NVB-003 |
| Baikal | CXD90042GG |
Southbridge revisions per chassis[edit | edit source]
| Model (chassis) | Motherboards | Southbridge Codename | Manufacturing Date |
|---|---|---|---|
| D1000 | All CVN | Aeolia | |
| 1000 | All SAA | Aeolia | |
| 1100 | All SAB | Aeolia | |
| 1200 | All SAC | Belize | 2015 week 43 |
| 2000 | SAD-001 | Belize | 2016 week 17 |
| 2000 | SAD-002 | Baikal | 2016 week 34, 35 |
| 2000 | SAD-003 (1-981-769-11) | Belize | |
| 2000 | SAD-003 (1-981-769-21, 1-981-769-31) | ?Belize or Belize 2? | |
| D7000 | HAC-001 | Belize | |
| 7000 | NVA-001 | Belize | 2017 week 19 |
| 2100 | ?SAE-001? | Belize | |
| 2100 | SAE-003 | Belize 2 | |
| 2100 | ?SAE-002?, SAE-004 | Baikal | 2016 week 39 |
| 2200 | SAF-003, SAF-005 | Belize 2 | |
| 2200 | SAF-004, SAF-006 | Baikal | 2018 week 26, 2019 week 23, 31 |
| 7100 | NVB-003 | Belize 2 | |
| 7100 | NVB-004 | Baikal | 2016 week 46 |
| 7200 | NVG-003 | Belize 2 | |
| 7200 | NVG-004 | Baikal | 2019 week 26 |
EMC IPL/EAP KBL Structure[edit | edit source]
magic: 0x%08x version: 0x%04x type: 0x%04x headerSize: 0x%08x bodySize: 0x%08x entryPoint: 0x%08x baseAddr: 0x%08x
EMC UART Debug Communication[edit | edit source]
Aeolia[edit | edit source]
| Command/Action | Description | Notes |
|---|---|---|
| _hdmi | ||
| boot | boots the console | |
| bootadr | cmd>bootadr OK 00000000 FFEF 42D4 CCBE 29B9:A2 bootadr:EB # [PSQ] boot address 00:49 OK 00000000:3A | |
| bootenable | ||
| bootmode | cmd>bootmode bootmode:59 # BootMode:AUTO:CF OK 00000000:3A cmd>bootmode 1 bootmode 1:AA # BootMode:MANUAL:54 OK 00000000:3A | |
| buzzer | beep stuff, 7 modes (?) available | |
| cb | ||
| cclog | cmd>cclog cclog:08 # ChipComm Log:OFF:AA OK 00000000:3A cclog 1 cclog 1:59 # ChipComm Normal Log:ON:F5 OK 00000000:3A cclog 2 cclog 2:5A # ChipComm Error Log:ON:B6 OK 00000000:3A cmd>cclog 3 cclog 3:5B # ChipComm Normal Log:ON:F5 # ChipComm Error Log:ON:B6 OK 00000000:3A | |
| ccom | chip communications | |
| ccul | ||
| cec | ||
| cktemprid | ||
| csarea | ||
| ddr | ||
| ddrr | ||
| ddrw | ||
| devpm | cmd>devpm devpm:1C # wlan on:F2 # hdd on:70 # usb on:8A # bd on:06 # acdc on:CB # pg3 on:4A # hdmi on:E2 # gbe off:CC # sdio off:4D OK 00000000:3A | |
| dled | ||
| dsarea | ||
| ejectsw | ps3, toggles eject switch | |
| errlog | ps3, gets error log, 32 possibilities (0-1F) errlog 0:DB # No Code Rtc PowState UpCause SeqNo DevPm T(SoC) T(Exhaust):C4 # 00 C0010201 12F50C61 00FF0001 00000000 006F 0001 FFFF 2100:17 OK 00000000 C0010201 12F50C61 00FF0001 00000000 006F 0001 FFFF 2100:2E | |
| etempr | cmd>etempr get etempr get:ED # Main Soc ::E7 # Alert Limits = 0x6000:F8 # Alert Hysteresis = 0x0200:35 # CriticalTempr Limits = 0x6100:34 # Intake ::B9 # Alert Limits = 0x4700:FD # Alert Hysteresis = 0x0200:35 # CriticalTempr Limits = 0x4800:39 # Exhaust ::1F # Alert Limits = 0x4700:FD # Alert Hysteresis = 0x0200:35 # CriticalTempr Limits = 0x4800:39 OK 00000000:3A | |
| fdownmode | fdownmode fdownmode:C3 # FataldownMode:RUN:97 OK 00000000:3A fdownmode 1 fdownmode 1:14 # FataldownMode:STOP:E8 OK 00000000:3A | |
| fduty | fduty get fduty get:8C # duty=0x0100(25):67 OK 00000000:3A | |
| flimit | flimit get flimit get:E5 # MainSoc : max_duty=0x0400 min_duty=0x0100 :4A # Environment : max_duty=0x0400 min_duty=0x00CD :DB OK 00000000:3A | |
| fmode | mode fmode:0B # Fan Mode List:B9 # no:00 mode:AutoServo:61 # no:01 mode:Maximun:99 # no:02 mode:Minimun:98 # no:03 mode:Manual:1A # no:04 mode:end:F4 OK 00000000:3A | |
| fservo | cmd>fservo get fservo get:F5 # MainSoc ::E7 # SetVal = 0x00005000:9C # PGain = 0x00000800:3F # IGain = 0x00000080:38 # ILimit = 0x0FFFFFFF:2A # ULimit = 0x0FFFFFFF:36 # DLimit = 0x0FFFFFFF:25 # UPLimit = 0x0FFFFFFF:86 # DPLimit = 0x0FFFFFFF:75 # UILimit = 0x0FFFFFFF:7F # DILimit = 0x0FFFFFFF:6E # DifGain = 0x00005000:DF # DifLimit = 0x00000900:43 # DifDLimit = 0x00450000:87 # MaxDduty = 0x00900000:61 # Environment ::52 # SetVal = 0x00003B00:AC # PGain = 0x00000500:3C # IGain = 0x00000005:35 # ILimit = 0x0FFFFFFF:2A # ULimit = 0x0FFFFFFF:36 # DLimit = 0x0FFFFFFF:25 # UPLimit = 0x0FFFFFFF:86 # DPLimit = 0x0FFFFFFF:75 # UILimit = 0x0FFFFFFF:7F # DILimit = 0x0FFFFFFF:6E # DifGain = 0x00000000:DA # DifLimit = 0x0FFFFFFF:D4 # DifDLimit = 0x0FFFFFFF:18 # MaxDduty = 0x0FFFFFFF:F2 OK 00000000:3A | |
| fsstate | cmd>fsstate get fsstate get:5A # 0: ctempr=29.50(0x1D80), err=0xFFFFCD80, ierr=0x00000000, duty=0x0100(25):BD # 1: ctempr=22.75(0x16C0), err=0xFFFFDBC0, ierr=0x00000000, duty=0x00CD(20):E6 OK 00000000:3A | |
| fstartup | ||
| ftable | ||
| halt | ps3, halts the console | |
| haltmode | ||
| hdmir | ||
| hdmis | ||
| hdmistate | cmd>hdmistate hdmistate:C3 # == DP Video Setting ==:20 # MVID : 0x0:C5 # NVID : 0x0:C6 # MISC 0 : 0:29 # MISC 1 : 0:2A # H Total : 0:F9 # V Total : 0:07 # H Start : 0:03 # V Start : 0:11 # Hsync Width : 0:32 # Hsync Porality : High Active:F2 # Vsync Height : 0:79 # Vsync Porality : High Active:00 # Video Width : 0:24 # Video Height : 0:5D # Wait Power On State.:31 OK 00000000:3A | |
| hdmiw | ||
| help | help:A9 # ANY "R16":A8 # ANY "R32":A6 # ANY "R8":79 # ANY "W16":AD # ANY "W32":AB # ANY "W8":7E # ANY "_hdmi":F0 # ANY "boot":A3 # ANY "bootadr":DA # ANY "bootenable":0A # ANY "bootmode":48 # ANY "buzzer":91 # ANY "cb":B4 # ANY "cclog":F7 # ANY "ccul":96 # ANY "cec":1A # ANY "cktemprid":B2 # ANY "combuf":6B # ANY "comlog":70 # ANY "csarea":5E # ANY "ddr":29 # ANY "ddrc":8C # ANY "ddrr":9B # ANY "ddrw":A0 # ANY "devpm":0B # ANY "dled":88 # ANY "dsarea":5F # ANY "ejectsw":E4 # ANY "errlog":7A # ANY "etempr":7C # ANY "fdownmode":B2 # ANY "fduty":1B # ANY "flimit":74 # ANY "fmode":FA # ANY "fservo":84 # ANY "fsstate":E9 # ANY "fstartup":68 # ANY "getmacadr":97 # ANY "halt":98 # ANY "haltmode":3D # ANY "hdmir":03 # ANY "hdmis":04 # ANY "hdmistate":B2 # ANY "hdmiw":08 # ANY "help":98 # ANY "mbu":33 # ANY "mduty":22 # ANY "nvscsum":FE # ANY "nvsinit":FA # ANY "nvsl2sw":CE # ANY "osarea":6A # ANY "osbootparam":96 # ANY "osdebuginfo":84 # ANY "osstate":F2 # ANY "pcie":90 # ANY "pdarea":5C # ANY "powcount":6E # ANY "powersw":06 # ANY "powupcause":3B # ANY "qafinfo":D3 # ANY "r16":C8 # ANY "r32":C6 # ANY "r8":99 # ANY "resetsw":FC # ANY "rtc":38 # ANY "runseq":8D # ANY "s3state":B6 # ANY "sb":C4 # ANY "sbnvs":1B # ANY "scfupdbegin":79 # ANY "scfupddl":44 # ANY "scfupdend":AB # ANY "scnvsinit":D0 # ANY "scpdis":75 # ANY "screset":E8 # ANY "scversion":CB # ANY "sdkversion":37 # ANY "sdnvs":1D # ANY "smlog":11 # ANY "socdmode":3D # ANY "socuid":76 # ANY "spoff":0D # ANY "spon":AF # ANY "sqlog":15 # ANY "ssbdis":77 # ANY "startwd":F8 # ANY "state":10 # ANY "stinfo":82 # ANY "stopwd":90 # ANY "stwb":AF # ANY "subsysid":65 # ANY "subsysinfo":44 # ANY "syspowdown":5C # ANY "task":A2 # ANY "tempr":17 # ANY "temprlog":59 # ANY "testpcie":50 # ANY "thrm":AA # ANY "uareq1":3E # ANY "uareq2":3F # ANY "version":F5 # ANY "vshinfo":EC # ANY "w16":CD # ANY "w32":CB # ANY "w8":9E # ANY "wsc":3C OK 00000000:3A | |
| mbu | ||
| mduty | cmd>mduty get mduty get:93 # MainSoc : duty=0x0000(0):F3 # Environment : duty=0x0000(0):5E OK 00000000:3A | |
| nvscsum | cmd>nvscsum OK 00000000 FFEF 42D4 CCBE 29B9:A2 nvscsum:0F | |
| nvsinit | ||
| osarea | ||
| osstate | ||
| pcie | cmd>pcie pcie:A1 # <PCIe Debug>:05 # PHY Link : Up:A1 # Data Link : Up:0A # :43 # <PCIe Link Control and Status>:A4 # Active State Link PM : Disabled:BD # Read Completion Boundary(RCB) : 64byte:FD # Retrain Link : 1:71 # Enable Clock Power Management : Disable:EE # Hardware Autonomous Width : Enable:0C # Link Bandwidth Management Interrupt: Disable:DE # Link Autonomous Bandwidth Interrupt: Disable:1B # Link Speed : Gen1:E7 # Link Width : x4:57 # Link Traing : Done:76 # :43 # <Calib Value>:B5 # LANE 0 : 0x60:FB # LANE 1 : 0x5E:10 # LANE 2 : 0x5D:10 # LANE 3 : 0x5C:10 # :43 # <PCIe Device Status>:12 # Correctable Error : Yes:DE # Non-Fatal Error : No:84 # Fatal Error : No:AC # Unsupported Request Detected : Yes:E2 OK 00000000:3A | |
| pdarea | ||
| powersw | ps3, toggles power switch | |
| powupcause | cmd>powupcause powupcause:4C # 04000000 02 00 02 00 00:4B OK 00000000:3A | |
| r16 | ||
| R16 | ||
| R32 | ||
| r32 | ||
| R8 | ||
| r8 | ||
| resetsw | ps3, toggles reset switch | |
| rtc | cmd>rtc rtc:49 # RTC Counter : 318078913:DE # RTC Status(0x000001FC) : OK:87 OK 00000000 12F57FC1 000001FC:F3 | |
| sb | sb sb:D5 # [Active bank] : Second:E9 OK 00000000:3A | |
| sbnvs | cmd>sbnvs sbnvs:2C # sbnvs : [partitin number]:B5 # [UCMD] Arguments err.:91 NG F0000001:4C | |
| scfupdbegin | ||
| scfupddl | ||
| scfupdend | ||
| scnvsinit | ||
| scpdis | ||
| screset | ps3, resets syscon | |
| scversion | gets syscon version cmd>scversion scversion:DC # 1.0.0 ET r1808 p1:2D OK 00000000 C1ET 0001 0000 0000 0710 0001:D1 | |
| sdnvs | cmd>sdnvs sdnvs:2E # sdnvs : [partitin number] [bank number] :F4 # [UCMD] Arguments err.:91 NG F0000001:4C | |
| smlog | cmd>smlog smlog:22 # Packet Log:OFF:F2 OK 00000000:3A cmd>smlog 1 smlog 1:73 # Packet Log:ON:B4 OK 00000000:3A | |
| socdmode | cmd>socdmode socdmode:4E # [PSQ] Soc download mode : 0:1B OK 00000000:3A | |
| socuid | gets socuid, also found in NVS | |
| ssbdis | cmd>ssbdis ssbdis:88 # [PSQ] boot disable 00:37 OK 00000000:3A | |
| startwd | ||
| state | cmd>state state:21 # system:SSC_SYSTEMSTATE_SOC_UP_IDLE:95 OK 00000000 0005 FF:CB | |
| stinfo | cmd>stinfo stinfo:93 # Updated Sector Adr = 0x1C5000 (table = 0x02 i=0,j=1):29 OK 00000000:3A | |
| stopwd | ||
| stwb | ||
| syspowdown | shutsdown system | |
| tempr | cmd>tempr get tempr get:88 # get all:DC # MainSoc : t=30.25(0x1E40):83 # Intake : Disable:8D # Exhaust : t=24.00(0x1800):A6 OK 00000000 1E40 FFFF 1800:55 | |
| testpcie | ||
| thrm | ||
| uareq1 | command to gain more privileges, rsa | |
| uareq2 | command to gain more privileges, rsa | |
| version | ps3, gets emc version cmd>version version:06 # 1.19.0 E r4336 :51 OK 00000000 E1E 0001 0013 0000 10F0:B1 | |
| W16 | ||
| w16 | ||
| W32 | ||
| w32 | ||
| w8 | ||
| w8 | ||
| W8 | ||
| wsc |
See also:
Southbridge Patches[edit | edit source]
God Mode (All Commands Unlocked)[edit | edit source]
- Change ALL instances of 03 00 FD 00 to 0F 00 FD 00
- Change ALL instances of 07 00 FD 00 to 0F 00 FD 00
- Be extremely careful as this might brick your console if you try weird commands!
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
