Editing Syscon Hardware

Syscon is, together with [[Southbridge]], one of the main chips responsible for taking care of the functioning of APU, peripherals, etc.

PS4 Syscon is codenamed '''Colwick'''. It is a custom Renesas RL78/G13.

= Hardware revisions =

{| class="wikitable"
! Production Start Date (<=) || PS2 Mechacon !! PSP Syscon !! PS3 Syscon !! Vita Syscon !! PS4 Syscon !! Used IC/CPU Core
|-
| <abbr title="CVN-001, SAA-001, SAB-001">07/2013</abbr> || - || - ||- || - || C0L || Renesas R5F100PL (RL78/G13, 100 pin)
|-
| <abbr title="SAC-001, SAD-001, SAD-002, SAD-003, SAE-001, SAE-002, SAE-003, SAE-004, HAC-001, NVA-001, NVB-003, NVB-004, NVG-001, NVG-002">04/2015</abbr> || - || - ||- || - || C0L2 || Renesas R5F101LL (RL78/G13, 64 pin)
|}

= Pictures =

* [http://www.gigapan.com/gigapans/198672]

= Memory Layout =

{| class="wikitable sortable"
|-
! Offset !! Size !! Description !! Notes
|-
| 0x00000 || 0x20000 || Code Area ||
|-
| 0x20000 || 0xD0000 || Reserved || OCDROM is here
|-
| 0xF0000 || 0x800 || SFR Area 1 ||
|-
| 0xF0800 || 0x800 || Reserved ||
|-
| 0xF1000 || 0x1000 || Data Area ||
|-
| 0xF2000 || 0xCF00 || Mirror || Mirror of a portion of code area
|-
| 0xFEF00 || 0xFE0 || RAM || 
|-
| 0xFFEE0 || 0x20 || GPR ||
|-
| 0xFFF00 || 0x100 || SFR Area 2 ||
|}

= Commands =

{| class="wikitable sortable"
|-
! Command ID !! Name !! Description !! Notes
|-
| 0x00 || Reset  || Detects synchronization in communication ||
|-
| 0x9A || Baud Rate Set || Sets the baud rate for single-wire UART. ||
|-
| 0x20 || Chip Erase || Erases the entire flash memory area. ||
|-
| 0x22 || Block Erase || Erases a specified area in the flash memory. ||
|-
| 0x40 || Programming || Writes data to a specified area in the flash memory. ||
|-
| 0x13 || Verify || Compares the contents in a specified area in the flash memory with data transmitted from the programmer. ||
|-
| 0x32 || Block Blank Check || Checks the erase status of a specified block in the flash memory. ||
|-
| 0xC0 || Silicon Signature || Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.). ||
|-
| 0xC5 || Version Get || Acquires version information of the 78K0R/Kx3 and firmware. ||
|-
| 0xB0 || Checksum || Acquires checksum data of a specified area. ||
|-
| 0xA0 || Security Set || Sets security information. ||
|}

= Statuses =

{| class="wikitable sortable"
|-
! Command ID !! Name !! Description !! Notes
|-
| 0x04 || Command number error || Error returned if a command not supported is received ||
|-
| 0x05 || Parameter error || Error returned if command information (parameter) is invalid ||
|-
| 0x06 || Normal acknowledgment (ACK) || Normal acknowledgment ||
|-
| 0x07 || Checksum error || Error returned if data in a frame transmitted from the programmer is abnormal ||
|-
| 0x0F || Verify error || Error returned if a verify error has occurred upon verifying data transmitted from the programmer ||
|-
| 0x10 || Protect error || Error returned if an attempt is made to execute processing that is prohibited by the Security Set command ||
|-
| 0x15 || Negative acknowledgment (NACK) || Negative acknowledgment
|-
| 0x1A || MRG10 error || Erase verify error ||
|-
| 0x1B || MRG11 error || Internal verify error or blank check error during data write ||
|-
| 0x1C || Write error || Write error ||
|-
| 0xFF || Processing in progress (BUSY) || Busy response ||
|}

= Command Frame Format =

* SOH | LEN | COM | INFO | SUM | ETX

= Data Frame Format =

* STX | LEN | DAT | SUM | ETX/ETB

= Description of each symbol =

{| class="wikitable sortable"
|-
! Name !! Description !! Notes
|-
| SOH || Start of OH - Command Frame Header || 0x01 Always
|-
| STX || Start of TX -  Data Frame Header || 0x02 Always
|-
| LEN || LENgth - Length of info || In Command frame: length of COM + command info length / In Data frame: Data info length
|-
| COM || COMmand - Command number ||
|-
| SUM || checkSUM - Checksum || checksum of command (initial byte (0x00) - LEN - COM - INFO ) / (initial byte (0x00) - LEN - DAT)
|- 
| ETB || End of TB - Data frame footer || 0x17 Always 
|-
| ETX || End of TX - Command frame footer || 0x03 Always
|-
|}

= Pinout =

== 100-pin ==

{| class="wikitable sortable"
|-
! Name !! Description !! Notes
|-
|  1     || P142        ||
|-
|  2     || P141        || VR-VRDY1
|-
|  3     || P140        || VR-VRDY2
|-
|  4     || P120        || power switch (USBHUB)
|-
|  5     || P47        || VR-VRHOT_ICRIT
|-
|  6     || P46        || power switch (BUZZER)
|-
|  7     || P45        || NC
|-
|  8     || P44        || VR-PWROK + APU-PWROK
|-
|  9     || P43        || APU-RESET#
|-
| 10     || P42        || (HDR-A SPI-CS)
|-
| 11     || P41        || power switch (PSU-7)
|-
| 12     || P40        || TOOL0 -> HDR-A pin 22 (open circuit between pin and header)
|-
| 13     || RESET#     || -> HDR-A pin 24
|-
| 14     || P124        || pulldown?
|-
| 15     || P123        || power switch (PSU-5)
|-
| 16     || P137        || testpoint?
|-
| 17     || P122        || -> HDR-A pin 28 (4bit input-only, port 12)
|-
| 18     || P121        || -> HDR-A pin 29 (4bit input-only, port 12)
|-
| 19     || REGC        || cap to GND
|-
| 20     || Vss        || GND
|-
| 21     || EVss0      || GND
|-
| 22     || Vdd        || Vcc
|-
| 23     || EVdd0      || == pin 22
|-
| 24     || P60        || APU i2c dev 0xba
|-
| 25     || P61        || APU i2c dev 0xba
|-
| 26     || P62        || APU i2c dev 0x78/0x98
|-
| 27     || P63        || APU i2c dev 0x78/0x98
|-
| 28     || P31        || FAN-CTL
|-
| 29     || P64        || power switch (HDMI-0 + APU-4)
|-
| 30     || P65        || LED
|-
| 31     || P66        || LED
|-
| 32     || P67        || LED
|-
| 33     || P77        || pulldown
|-
| 34     || P76        || 
|-
| 35     || P75        || APU?
|-
| 36     || P74        || 
|-
| 37     || P73        || power switch (USBBRIDGE + HDD)
|-
| 38     || P72        || -> HDR-A pin 12 (HDR-A SPI-SO)
|-
| 39     || P71        || (HDR-A SPI-SI)
|-
| 40     || P70        || -> HDR-A pin 10 (HDR-A SPI-CLK)
|-
| 41     || P06        || power switch (PSU-1)
|-
| 42     || P05        || 
|-
| 43     || EVss1      || GND
|-
| 44     || P80        || STM8-PWR pin 7 (NRST)
|-
| 45     || P81        || NC testpoint
|-
| 46     || P82        || LED
|-
| 47     || P83        || power switch(PSU-4)
|-
| 48     || P84        || pulldown?
|-
| 49     || P85        || power switch (PSU-2)
|-
| 50     || P86        || power switch (APU-0) + PSW-APU-3 pin 3
|-
| 51     || P87        || VR-EN + power switch (APU-1)
|-
| 52     || P30        || NC testpoint
|-
| 53     || EVdd1      || Vcc
|-
| 54     || P50        || power switch (SB-1 + SB-2 + DDR3)
|-
| 55     || P51        || power switch (SB-0) (6pin near Wifi + 8pin between SC/SB)
|-
| 56     || P52        || testpoint?
|-
| 57     || P53        || VR-SM_CLK
|-
| 58     || P54        || VR-SM_DIO
|-
| 59     || P55        || power switch (APU-2)
|-
| 60     || P56        || 
|-
| 61     || P57        || 
|-
| 62     || P17        || 
|-
| 63     || P16        || SB-TP0 looks like SB -> SC interrupt line (INTP5)
|-
| 64     || P15        || SB-TP1 (SPI-CLK)
|-
| 65     || P14        || SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere
|-
| 66     || P13        || SB-TP3 (SPI-SO)
|-
| 67     || P12        || -> HDR-A pin 15 (SC ucmd UART)
|-
| 68     || P11        || -> HDR-A pin 16 (SC ucmd UART)
|-
| 69     || P10        || SB-TP4 (SPI-CS)
|-
| 70     || P101        || power switch (VR)
|-
| 71     || P110        ||
|-
| 72     || P111        ||
|-
| 73     || P146        || NC
|-
| 74     || P147        || power switch (HDMI-1)
|-
| 75     || P100        || power switch (PSU-0)
|-
| 76     || P156        || pulldown?
|-
| 77     || P155        || pulldown?
|-
| 78     || P154        || PSW-APU-2 pin 1 + PSW-APU-3 pin 1
|-
| 79     || P153        || -> HDR-G pin 11
|-
| 80     || P152        || -> HDR-G pin 15
|-
| 81     || P151        || power switch (PSU-3)
|-
| 82     || P150        || WIFI reset?
|-
| 83     || P27        || NC testpoint
|-
| 84     || P26        || STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock)
|-
| 85     || P25        || STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#)
|-
| 86     || P24        || pulldown?
|-
| 87     || P23        || pulldown?
|-
| 88     || P22        || 
|-
| 89     || P21        || NC testpoint
|-
| 90     || P20        || 
|-
| 91     || P130        || power switch (PSU-6) (P130 is tied to sc-internal RESET)
|-
| 92     || P102        ||
|-
| 93     || P04        || i2c ([[PCIe]] clockgen smbus?)
|-
| 94     || P03        || -> HDR-F pin 1 (i2c ([[PCIe]] clockgen smbus?))
|-
| 95     || P02        || -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?)
|-
| 96     || P01        || 
|-
| 97     || P00        || 
|-
| 98     || P145        ||
|-
| 99     || P144        ||
|-
| 100    || P143        ||
|-
|}

= Dump and Restore =

We are able to make a 1:1 copy of a PS4 Syscon and put it on another chip. This allows to install a dump of a PS4 Syscon to a brand new chip then swap it.

This is often used in firmware revert [[Downgrade]] method to avoid having to flash the same chip each time one wants to revert firmware but instead only have to swap the chips.

= Syscon glitching =

By glitching Syscon, it is possible to dump its EEPROM, including NVS.

To be documented.

* [https://www.sendspace.com/file/377yhw glitch setup (dead link)]