Editing Syscon Hardware

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
Syscon is, together with [[Southbridge]], one of the main chips responsible for taking care of the functioning of APU, peripherals, etc.
Syscon is, together with Aeolia, one of the main chips responsible for taking care of the functioning of APU, peripherals, etc.
 
It is actually internally codenamed '''Colwick''' on the ps4 and the chip's structure is the same as one of a Renesas RL78.
PS4 Syscon is codenamed '''Colwick'''. It is a custom Renesas RL78/G13.
 
= Hardware revisions =
 
{| class="wikitable"
! Production Start Date (<=) || PS2 Mechacon !! PSP Syscon !! PS3 Syscon !! PS Vita Syscon !! PS4 Syscon !! Used IC/CPU Core
|-
| <abbr title="CVN-001, SAA-001, SAB-001">07/2013</abbr> || - || - ||- || - || COL || Renesas R5F100PL (RL78/G13, 100 pin)
|-
| <abbr title="SAC-001, SAD-001, SAD-002, SAD-003, SAE-001, SAE-002, SAE-003, SAE-004, HAC-001, NVA-001, NVB-003, NVB-004, NVG-001, NVG-002">04/2015</abbr> || - || - ||- || - || COL2 || Renesas R5F101LL (RL78/G13, 64 pin)
|}
 
= Pictures =
 
* [http://www.gigapan.com/gigapans/198672]


= Memory Layout =
= Memory Layout =
{| class="wikitable sortable"
{| class="wikitable sortable"
|-
|-
! Offset !! Size !! Description !! Notes
! Offset !! Size !! Description !! Notes
|-
|-
| 0x00000 || 0x20000 || Code Flash Area ||
| 0x00000 || 0x20000 || Code Area ||
|-
| 0x20000 || 0xD0000 || Reserved ||  
|-
|-
| 0x20000 || 0xD0000 || Reserved || OCDROM is here
| 0xF0000 || 0x800 || SFR Area ||
|-
|-
| 0xF0000 || 0x800 || Special Function Registers 2 ||
| 0xF0800 || 0x800 || Reserved ||
|-
|-
| 0xF0800 || 0x800 || Reserved (bootloader RAM) ||
| 0xF1000 || 0x1000 || Data Area ||
|-
|-
| 0xF1000 || 0x1000 || Data Flash Area ||
| 0xF2000 || 0xCF00 || Mirror || Mirror of a portion of code area
|-
|-
| 0xF2000 || 0xCF00 || Mirror || Mirror of a portion of Code Flash Area
| 0xFEF00 || 0xFE0 || RAM ||  
|-
|-
| 0xFEF00 || 0xFE0 || RAM || Stack is usually at 0xFFE00.
| 0xFFEE0 || 0x20 || GPR ||
|-
|-
| 0xFFEE0 || 0x20 || General-Purpose Registers ||
| 0xFFF00 || 0x100 || SFR 2nd Area ||
|-
|-
| 0xFFF00 || 0x100 || Special Function Registers ||
|}
|}


= Commands =
= Commands =
{| class="wikitable sortable"
{| class="wikitable sortable"
|-
|-
Line 56: Line 40:
| 0x22 || Block Erase || Erases a specified area in the flash memory. ||
| 0x22 || Block Erase || Erases a specified area in the flash memory. ||
|-
|-
| 0x40 || Programming || Writes data to a specified area in the flash memory. ||
| 0x40 || Programming || Writes data to a specified area in the flash memory.||
|-
|-
| 0x13 || Verify || Compares the contents in a specified area in the flash memory with data transmitted from the programmer. ||
| 0x13 || Verify || Compares the contents in a specified area in the flash memory with data transmitted from the programmer.||
|-
|-
| 0x32 || Block Blank Check || Checks the erase status of a specified block in the flash memory. ||
| 0x32 || Block Blank Check || Checks the erase status of a specified block in the flash memory.||
|-
|-
| 0xC0 || Silicon Signature || Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.). ||
| 0xC0 || Silicon Signature || Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.).||
|-
|-
| 0xC5 || Version Get || Acquires version information of the 78K0R/Kx3 and firmware. ||
| 0xC5 || Version Get || Acquires version information of the 78K0R/Kx3 and firmware.||
|-
|-
| 0xB0 || Checksum || Acquires checksum data of a specified area. ||
| 0xB0 || Checksum || Acquires checksum data of a specified area.||
|-
| 0xA0 || Security Set || Sets security information.||
|-
|-
| 0xA0 || Security Set || Sets security information. ||
|}
|}


= Statuses =
= Statuses =
{| class="wikitable sortable"
{| class="wikitable sortable"
|-
|-
! Command ID !! Name !! Description !! Notes
! Command ID !! Name !! Description !! Notes
|-
|-
| 0x04 || Command number error || Error returned if a command not supported is received ||
| 04|| Command number error|| Error returned if a command not supported is received ||
|-
|-
| 0x05 || Parameter error || Error returned if command information (parameter) is invalid ||
| 05|| Parameter error|| Error returned if command information (parameter) is invalid ||
|-
|-
| 0x06 || Normal acknowledgment (ACK) || Normal acknowledgment ||
| 06|| Normal acknowledgment (ACK) || Normal acknowledgment ||
|-
|-
| 0x07 || Checksum error || Error returned if data in a frame transmitted from the programmer is abnormal ||
| 07|| Checksum error|| Error returned if data in a frame transmitted from the programmer is abnormal ||
|-
|-
| 0x0F || Verify error || Error returned if a verify error has occurred upon verifying data transmitted from the programmer ||
| 0F|| Verify error|| Error returned if a verify error has occurred upon verifying data transmitted from the programmer ||
|-
|-
| 0x10 || Protect error || Error returned if an attempt is made to execute processing that is prohibited by the Security Set command ||
| 10|| Protect error|| Error returned if an attempt is made to execute processing that is prohibited by the Security Set command ||
|-
|-
| 0x15 || Negative acknowledgment (NACK) || Negative acknowledgment
| 15|| Negative acknowledgment (NACK) || Negative acknowledgment
|-
|-
| 0x1A || MRG10 error || Erase verify error ||
| 1A|| MRG10 error || Erase verify error ||
|-
|-
| 0x1B || MRG11 error || Internal verify error or blank check error during data write ||
| 1B|| MRG11 error || Internal verify error or blank check error during data write ||
|-
|-
| 0x1C || Write error || Write error ||
| 1C|| Write error || Write error ||
|-
| FF||  Processing in progress (BUSY) || Busy response ||
|-
|-
| 0xFF || Processing in progress (BUSY) || Busy response ||
|}
|}


Line 114: Line 99:
! Name !! Description !! Notes
! Name !! Description !! Notes
|-
|-
| SOH || Start of OH - Command Frame Header || 0x01 Always
| SOH || Command Frame Header || 0x01 Always
|-
| STX || Start of TX -  Data Frame Header || 0x02 Always
|-
|-
| LEN || LENgth - Length of info || In Command frame: length of COM + command info length / In Data frame: Data info length
| STX || Data Frame Header || 0x02 Always
|-
|-
| COM || COMmand - Command number ||
| LEN || Length of info || In Command Frame: length of COM + command info length/ In Data frame: Data info length
|-
|-
| SUM || checkSUM - Checksum || checksum of command (initial byte (0x00) - LEN - COM - INFO ) / (initial byte (0x00) - LEN - DAT)
| COM || Command number ||
|-
| ETB || End of TB - Data frame footer || 0x17 Always
|-
|-
| ETX || End of TX - Command frame footer || 0x03 Always
| SUM || Checksum || checksum of command (initial byte (0x00)  - LEN - COM )
|-
|-
|}
| ETB || Footer of data frame || 0x17 Always
 
= Pinout =
 
== 64-pin ==
{| class="wikitable"
|-
|-
! Pin
| ETX || Command frame footer || 0x03 Always
! Description
! Notes
|-
|-
| 1
| P120/ANI19
| power switch (USBHUB)
|-
| 2
| P43
| APU-RESET#
|-
| 3
| P42/TI04/TO04
| (HDR-A SPI-CS)
|-
| 4
| P41/TI07/TO07
| power switch (PSU-7)
|-
| 5
| P40/TOOL0
| -> HDR-A pin 22 (open circuit between pin and header)
|-
| 6
| RESET
| -> HDR-A pin 24
|-
| 7
| P124/XT2/EXCLKS
| pulldown?
|-
| 8
| P123/XT1
| power switch (PSU-5)
|-
| 9
| P137/INTP0
| testpoint?
|-
| 10
| P122/X2/EXCLK
| -> HDR-A pin 28 (4bit input-only, port 12)
|-
| 11
| P121/X1
| -> HDR-A pin 29 (4bit input-only, port 12)
|-
| 12
| REGC
| cap to GND
|-
| 13
| V SS
| GND
|-
| 14
| EVSS0
| GND
|-
| 15
| VDD
| Vcc
|-
| 16
| EVDD0
| Vcc
|-
| 17
| P60/SCLA0
| APU i2c dev 0xba
|-
| 18
| P61/SDAA0
| APU i2c dev 0xba
|-
| 19
| P62
| APU i2c dev 0x78/0x98
|-
| 20
| P63
| APU i2c dev 0x78/0x98
|-
| 21
| P31/TI03/TO03/INTP4/(PCLBUZ0)
| FAN-CTL
|-
| 22
| P77/KR7/INTP11/(TxD2)
| pulldown
|-
| 23
| P76/KR6/INTP10/(RxD2)
| N/A
|-
| 24
| P75/KR5/INTP9/SCK01/SCL01
| APU?
|-
| 25
| P74/KR4/INTP8/SI01/SDA01
| N/A
|-
| 26
| P73/KR3/SO01
| power switch (USBBRIDGE + HDD)
|-
| 27
| P72/KR2/SO21
| -> HDR-A pin 12 (HDR-A SPI-SO)
|-
| 28
| P71/KR1/SI21/SDA21
| (HDR-A SPI-SI)
|-
| 29
| P70/KR0/SCK21/SCL21
| -> HDR-A pin 10 (HDR-A SPI-CLK)
|-
| 30
| P06/TI06/TO06
| power switch (PSU-1)
|-
| 31
| P05/TI05/TO05
| N/A
|-
| 32
| P30/INTP3/RTC1HZ/SCK11/SCL11
| NC testpoint
|-
| 33
| P50/INTP1/SI11/SDA11
| power switch (SB-1 + SB-2 + DDR3)
|-
| 34
| P51/INTP2/SO11
| power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB)
|-
| 35
| P52/(INTP10)
| testpoint?
|-
| 36
| P53/(INTP11)
| VR-SM_CLK
|-
| 37
| P54
| N/A
|-
| 38
| P55/(PCLBUZ1)/(SCK00)
| power switch (APU-2)
|-
| 39
| P17/TI02/TO02/(SO00)/(TxD0)
| N/A
|-
| 40
| P16/TI01/TO01/INTP5/(SI00)/(RxD0)
| SB-TP0 looks like SB -> SC interrupt line (INTP5)
|-
| 41
| P15/SCK20/SCL20/(TI02)/(TO02)
| SB-TP1 (SPI-CLK)
|-
| 42
| P14/RxD2/SI20/SDA20/(SCLA0)/(TI03)/(TO03)
| SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere
|-
| 43
| P13/TxD2/SO20/(SDAA0)/(TI04)/(TO04)
| SB-TP3 (SPI-SO)
|-
| 44
| P12/SO00/TxD0/TOOLTxD/(INTP5)/(TI05)/(TO05)
| -> HDR-A pin 15 (SC ucmd UART)
|-
| 45
| P11/SI00/RxD0/TOOLRxD/SDA00/(TI06)/(TO06)
| -> HDR-A pin 16 (SC ucmd UART)
|-
| 46
| P10/SCK00/SCL00/(TI07)/(TO07)
| SB-TP4 (SPI-CS)
|-
| 47
| P146
| NC
|-
| 48
| P147/ANI18
| power switch (HDMI-1)
|-
| 49
| P27/ANI7
| NC testpoint
|-
| 50
| P26/ANI6
| STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock)
|-
| 51
| P25/ANI5
| STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#)
|-
| 52
| P24/ANI4
| pulldown?
|-
| 53
| P23/ANI3
| pulldown?
|-
| 54
| P22/ANI2
| N/A
|-
| 55
| P21/ANI1/AVREFM
| NC testpoint
|-
| 56
| P20/ANI0/AVREFP
| N/A
|-
| 57
| P130
| power switch (PSU-6) (P130 is tied to sc-internal RESET)
|-
| 58
| P04/SCK10/SCL10
| i2c (PCIe clockgen smbus?)
|-
| 59
| P03/ANI16/SI10/RxD1/SDA10
| -> HDR-F pin 1 (i2c (PCIe clockgen smbus?))
|-
| 60
| P02/ANI17/SO10/TxD1
| -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?)
|-
| 61
| P01/TO00
| N/A
|-
| 62
| P00/TI00
| N/A
|-
| 63
| P141/PCLBUZ1/INTP7
| VR-VRDY1
|-
| 64
| P140/PCLBUZ0/INTP6
| VR-VRDY2
|}
|}


== 100-pin ==
= Pinout (100pin) =
 
{| class="wikitable sortable"
{| class="wikitable sortable"
|-
|-
Line 408: Line 126:
|  3    || P140        || VR-VRDY2
|  3    || P140        || VR-VRDY2
|-
|-
|  4    || P120        || power switch (USBHUB)
|  4    || P120        ||power switch(USBHUB)
|-
|-
|  5    || P47        || VR-VRHOT_ICRIT
|  5    || P47        || || VR-VRHOT_ICRIT
|-
|-
|  6    || P46        || power switch (BUZZER)
|  6    || P46        || power switch(BUZZER)
|-
|-
|  7    || P45        || NC
|  7    || P45        || NC
|-
|-
|  8    || P44        || VR-PWROK + APU-PWROK
|  8    || P44        || || VR-PWROK + APU-PWROK
|-
|-
|  9    || P43        || APU-RESET#
|  9    || P43        || APU-RESET#
Line 422: Line 140:
| 10    || P42        || (HDR-A SPI-CS)
| 10    || P42        || (HDR-A SPI-CS)
|-
|-
| 11    || P41        || power switch (PSU-7)
| 11    || P41        || power switch(PSU-7)
|-
|-
| 12    || P40        || TOOL0 -> HDR-A pin 22 (open circuit between pin and header)
| 12    || P40        || TOOL0 -> HDR-A pin 22 (open circuit between pin and header)
Line 428: Line 146:
| 13    || RESET#    || -> HDR-A pin 24
| 13    || RESET#    || -> HDR-A pin 24
|-
|-
| 14    || P124        || pulldown?
| 14    || P124        ||pulldown?
|-
|-
| 15    || P123        || power switch (PSU-5)
| 15    || P123        ||power switch(PSU-5)
|-
|-
| 16    || P137        || testpoint?
| 16    || P137        ||testpoint?
|-
|-
| 17    || P122        || -> HDR-A pin 28 (4bit input-only, port 12)
| 17    || P122        ||-> HDR-A pin 28 (4bit input-only, port 12)
|-
|-
| 18    || P121        || -> HDR-A pin 29 (4bit input-only, port 12)
| 18    || P121        ||-> HDR-A pin 29 (4bit input-only, port 12)
|-
|-
| 19    || REGC        || cap to GND
| 19    || REGC        ||cap to GND
|-
|-
| 20    || Vss        || GND
| 20    || Vss        || GND
Line 458: Line 176:
| 28    || P31        || FAN-CTL
| 28    || P31        || FAN-CTL
|-
|-
| 29    || P64        || power switch (HDMI-0 + APU-4)
| 29    || P64        || power switch(HDMI-0 + APU-4)
|-
|-
| 30    || P65        || LED
| 30    || P65        || LED
Line 474: Line 192:
| 36    || P74        ||  
| 36    || P74        ||  
|-
|-
| 37    || P73        || power switch (USBBRIDGE + HDD)
| 37    || P73        || power switch(USBBRIDGE + HDD)
|-
|-
| 38    || P72        || -> HDR-A pin 12 (HDR-A SPI-SO)
| 38    || P72        || -> HDR-A pin 12 (HDR-A SPI-SO)
Line 482: Line 200:
| 40    || P70        || -> HDR-A pin 10 (HDR-A SPI-CLK)
| 40    || P70        || -> HDR-A pin 10 (HDR-A SPI-CLK)
|-
|-
| 41    || P06        || power switch (PSU-1)
| 41    || P06        || power switch(PSU-1)
|-
|-
| 42    || P05        ||  
| 42    || P05        ||  
Line 498: Line 216:
| 48    || P84        || pulldown?
| 48    || P84        || pulldown?
|-
|-
| 49    || P85        || power switch (PSU-2)
| 49    || P85        || power switch(PSU-2)
|-
|-
| 50    || P86        || power switch (APU-0) + PSW-APU-3 pin 3
| 50    || P86        || power switch(APU-0) + PSW-APU-3 pin 3
|-
|-
| 51    || P87        || VR-EN + power switch (APU-1)
| 51    || P87        || || VR-EN + power switch(APU-1)
|-
|-
| 52    || P30        || NC testpoint
| 52    || P30        || NC testpoint
Line 508: Line 226:
| 53    || EVdd1      || Vcc
| 53    || EVdd1      || Vcc
|-
|-
| 54    || P50        || power switch (SB-1 + SB-2 + DDR3)
| 54    || P50        || power switch(SB-1 + SB-2 + DDR3)
|-
|-
| 55    || P51        || power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB)
| 55    || P51        || power switch(SB-0) (6pin near wifi + 8pin between SC/SB)
|-
|-
| 56    || P52        || testpoint?
| 56    || P52        || testpoint?
|-
|-
| 57    || P53        || VR-SM_CLK
| 57    || P53        || || VR-SM_CLK
|-
|-
| 58    || P54        || VR-SM_DIO
| 58    || P54        || || VR-SM_DIO
|-
|-
| 59    || P55        || power switch (APU-2)
| 59    || P55        || power switch(APU-2)
|-
|-
| 60    || P56        ||  
| 60    || P56        ||  
Line 540: Line 258:
| 69    || P10        || SB-TP4 (SPI-CS)
| 69    || P10        || SB-TP4 (SPI-CS)
|-
|-
| 70    || P101        || power switch (VR)
| 70    || P101        ||power switch(VR)
|-
|-
| 71    || P110        ||
| 71    || P110        ||
Line 546: Line 264:
| 72    || P111        ||
| 72    || P111        ||
|-
|-
| 73    || P146        || NC
| 73    || P146        ||NC
|-
|-
| 74    || P147        || power switch (HDMI-1)
| 74    || P147        ||power switch(HDMI-1)
|-
|-
| 75    || P100        || power switch (PSU-0)
| 75    || P100        ||power switch(PSU-0)
|-
|-
| 76    || P156        || pulldown?
| 76    || P156        ||pulldown?
|-
|-
| 77    || P155        || pulldown?
| 77    || P155        ||pulldown?
|-
|-
| 78    || P154        || PSW-APU-2 pin 1 + PSW-APU-3 pin 1
| 78    || P154        || PSW-APU-2 pin 1 + PSW-APU-3 pin 1
|-
|-
| 79    || P153        || -> HDR-G pin 11
| 79    || P153        ||-> HDR-G pin 11
|-
|-
| 80    || P152        || -> HDR-G pin 15
| 80    || P152        ||-> HDR-G pin 15
|-
|-
| 81    || P151        || power switch (PSU-3)
| 81    || P151        ||power switch(PSU-3)
|-
|-
| 82    || P150        || Wi-Fi reset?
| 82    || P150        ||WIFI reset?
|-
|-
| 83    || P27        || NC testpoint
| 83    || P27        || NC testpoint
Line 582: Line 300:
| 90    || P20        ||  
| 90    || P20        ||  
|-
|-
| 91    || P130        || power switch (PSU-6) (P130 is tied to sc-internal RESET)
| 91    || P130        ||power switch(PSU-6) (P130 is tied to sc-internal RESET)
|-
|-
| 92    || P102        ||
| 92    || P102        ||
|-
|-
| 93    || P04        || i2c ([[PCIe]] clockgen smbus?)
| 93    || P04        || i2c (pcie clockgen smbus?)
|-
|-
| 94    || P03        || -> HDR-F pin 1 (i2c ([[PCIe]] clockgen smbus?))
| 94    || P03        || -> HDR-F pin 1 (i2c (pcie clockgen smbus?))
|-
|-
| 95    || P02        || -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?)
| 95    || P02        || -> HDR-F pin 2 (XXX did i fuckup the HDR-F mapping here?)
|-
|-
| 96    || P01        ||  
| 96    || P01        ||  
Line 600: Line 318:
| 99    || P144        ||
| 99    || P144        ||
|-
|-
| 100   || P143        ||
| 100     || P143        ||
|-
|-
|}
|}
= Glitching, Dumping & Flashing =
== Method 1 ==
Based on the attack outlined by Fail0verflow [https://fail0verflow.com/blog/2018/ps4-syscon] '''Wildcard''' designed the following glitch using a Teensy: [https://github.com/VV1LD/SYSGLITCH].
Using '''Wildcard''''s shellcode but using a different methodology on his GitHub, you can copy the original Syscon and dump it to a new Renesas chip with comparatively greater ease. '''Guide available on BwE's GitHub.'''
You can also flash to the original SCE syscon using a different shellcode but this is a commercial product sold by [[User:BwE]].
== Method 2 ==
See Abkarino's publications.
Please note that all contributions to PS4 Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PS4 Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/ps4/Syscon_Hardware"