Southbridge
PS4 southbridge contains two processors named EMC and EAP on the same die that are mainly used on boot, during rest mode and for servicing.
Components
Southbridge processors
The two processors are on the same die. It is a SoC (System on Chip).
EMC
EMC could stand for External Micro Controller. EMC was named MediaCon by some people when its name was still unknown.
The role of EMC is to load EMC Initial Program Loader, to be an interface for icc for the main APU kernel and Syscon and to offer a debug interface via UART that does not rely on Syscon or main APU. EMC runs its own FreeBSD kernel. It is a Marvell Armada, an ARM-based SoC. Sony stuck a PCIe bridge on it. It exposes ARM peripherals to the x86 side. There is some extra stuff (e.g. HPET, ACPI stuff).
EMC cpuid = 412FC231 (ARM Cortex-M3 r2p1). CPU clock: maybe about 100MHz.
EMC Initial Program Loader
EMC Initial Program Loader is stored encrypted in a SLB2 container in PS4 Serial Flash.
EAP
EAP could stand for External Application Processor.
The role of EAP is to handle media (online Wireless/GbLAN, Bluray Drive and Harddrive) even when the PS4 is in standby mode. EAP runs its own FreeBSD kernel in standby mode, activated to handle tasks such as downloading games updates while the PS4 is in standby.
It handles several tasks to offload the APU:
- Network connections: Wireless and GbLAN, including background downloading and PlayGo
- File handling (Bluray Drive, Harddrive and USB 3.0), including background caching
- Main serial flash handling
EAP consists of Marvell PJ4C B0 rev 1 cores, ARMv7 CORTEX-A8 running FreeBSD 9 kernel. CPU clock: 500MHz. DDR clock: 800MHz.
As EAP Core software is unsigned, unencrypted and easily replaceable on PS4 HDD with a PS4 kernel exploit, it is possible to run homebrew code on EAP processor. See eapdev by Bigboss (psxdev).
EAP Kernel Boot Loader
EAP Kernel Boot Loader is stored encrypted in a SLB2 container in PS4 Serial Flash. The role of EAP Kernel Boot Loader is to decrypt then uncompress the EAP Kernel. The encrypted EAP Kernel is stored at virtual address 0xC1000000 and the decrypted and uncompressed EAP Kernel is located at virtual address 0xC3000000.
EAP Kernel
EAP Kernel is located at virtual address 0xC3000000. Encrypted EAP Kernel is mounted on device da0x2.
EAP Core
EAP Core is the usermode executable running on EAP. It is stored unencrypted in the EAP filesystem in SceEapCore.elf.
Southbridge RAM
Southbridge chip is connected to its own DDR3 SDRAM. It is named "sbram" as in SouthBridge RAM.
PS4 Fat and Slim
PS4 Fat and Slim Southbridge has one Samsung K4B2G1646E-BCK0, K4B2G1646F-BCMA or K4B2G1646Q-BCMA, giving a total of 256MB of memory.
PS4 Pro
PS4 Pro Southbridge has two Samsung K4B4G0846E-BYMA or H5TQ4G83CFR-RDC (K4B4G1646E-BYK0 on PS4 Pro DevKit), giving a total of 1GB of memory.
Serial Flash
Southbridge contains a 256MB Serial flash.
Aeolia has Macronix MX25L25635FMI-10G.
Auxiliary components
Southbridge is connected to the main APU by PCI-Express x4 and to Syscon by SPI.
Aeolia has SATA bridge MB86C311B, GbLAN controller 88EC060-NN82.
Southbridge revisions
There are three major hardware revisions, named Aeolia, Belize and Baikal.
See also Aeolia.
Southbridge revisions per chassis
| Model (chassis) | Motherboards | Southbridge Codename | Southbridge Labeling |
|---|---|---|---|
| D1000 | All CVN | Aeolia | CXD90025G |
| 1000 | All SAA | Aeolia | CXD90025G |
| 1100 | All SAB | Aeolia | CXD90025G |
| 1200 | All SAC | Belize | CXD90036G |
| 2000 | All SAD | Belize | CXD90036G |
| D7000 | All HAC | Belize | CXD90036G |
| 7000 | All NVA | Belize / ?Belize 2? | CXD90036G / ?CXD90046GG? |
| 2100 | All SAE | Belize 2 / Baikal | CXD90046GG |
| 2200 | All SAF | Baikal | CXD90042GG |
| 7100 | All NVB | Baikal | CXD90042GG |
| 7200 | All NVG | Baikal | CXD90042GG |
Motherboards per southbridge revisions
| Southbridge Codename | Southbridge Labeling | Motherboards |
|---|---|---|
| Aeolia | CXD90025G | |
| Belize | CXD90036G | |
| Belize 2 | CXD90046GG | |
| Baikal | CXD90042GG |
EMC IPL/EAP KBL Structure
magic: 0x%08x version: 0x%04x type: 0x%04x headerSize: 0x%08x bodySize: 0x%08x entryPoint: 0x%08x baseAddr: 0x%08x
EMC UART Debug Communication
Aeolia
| Command/Action | Description | Notes |
|---|---|---|
| _hdmi | ||
| boot | boots the console | |
| bootadr | cmd>bootadr OK 00000000 FFEF 42D4 CCBE 29B9:A2 bootadr:EB # [PSQ] boot address 00:49 OK 00000000:3A | |
| bootenable | ||
| bootmode | cmd>bootmode bootmode:59 # BootMode:AUTO:CF OK 00000000:3A cmd>bootmode 1 bootmode 1:AA # BootMode:MANUAL:54 OK 00000000:3A | |
| buzzer | beep stuff, 7 modes (?) available | |
| cb | ||
| cclog | cmd>cclog cclog:08 # ChipComm Log:OFF:AA OK 00000000:3A cclog 1 cclog 1:59 # ChipComm Normal Log:ON:F5 OK 00000000:3A cclog 2 cclog 2:5A # ChipComm Error Log:ON:B6 OK 00000000:3A cmd>cclog 3 cclog 3:5B # ChipComm Normal Log:ON:F5 # ChipComm Error Log:ON:B6 OK 00000000:3A | |
| ccom | chip communications | |
| ccul | ||
| cec | ||
| cktemprid | ||
| csarea | ||
| ddr | ||
| ddrr | ||
| ddrw | ||
| devpm | cmd>devpm devpm:1C # wlan on:F2 # hdd on:70 # usb on:8A # bd on:06 # acdc on:CB # pg3 on:4A # hdmi on:E2 # gbe off:CC # sdio off:4D OK 00000000:3A | |
| dled | ||
| dsarea | ||
| ejectsw | ps3, toggles eject switch | |
| errlog | ps3, gets error log, 32 possibilities (0-1F) errlog 0:DB # No Code Rtc PowState UpCause SeqNo DevPm T(SoC) T(Exhaust):C4 # 00 C0010201 12F50C61 00FF0001 00000000 006F 0001 FFFF 2100:17 OK 00000000 C0010201 12F50C61 00FF0001 00000000 006F 0001 FFFF 2100:2E | |
| etempr | cmd>etempr get etempr get:ED # Main Soc ::E7 # Alert Limits = 0x6000:F8 # Alert Hysteresis = 0x0200:35 # CriticalTempr Limits = 0x6100:34 # Intake ::B9 # Alert Limits = 0x4700:FD # Alert Hysteresis = 0x0200:35 # CriticalTempr Limits = 0x4800:39 # Exhaust ::1F # Alert Limits = 0x4700:FD # Alert Hysteresis = 0x0200:35 # CriticalTempr Limits = 0x4800:39 OK 00000000:3A | |
| fdownmode | fdownmode fdownmode:C3 # FataldownMode:RUN:97 OK 00000000:3A fdownmode 1 fdownmode 1:14 # FataldownMode:STOP:E8 OK 00000000:3A | |
| fduty | fduty get fduty get:8C # duty=0x0100(25):67 OK 00000000:3A | |
| flimit | flimit get flimit get:E5 # MainSoc : max_duty=0x0400 min_duty=0x0100 :4A # Environment : max_duty=0x0400 min_duty=0x00CD :DB OK 00000000:3A | |
| fmode | mode fmode:0B # Fan Mode List:B9 # no:00 mode:AutoServo:61 # no:01 mode:Maximun:99 # no:02 mode:Minimun:98 # no:03 mode:Manual:1A # no:04 mode:end:F4 OK 00000000:3A | |
| fservo | cmd>fservo get fservo get:F5 # MainSoc ::E7 # SetVal = 0x00005000:9C # PGain = 0x00000800:3F # IGain = 0x00000080:38 # ILimit = 0x0FFFFFFF:2A # ULimit = 0x0FFFFFFF:36 # DLimit = 0x0FFFFFFF:25 # UPLimit = 0x0FFFFFFF:86 # DPLimit = 0x0FFFFFFF:75 # UILimit = 0x0FFFFFFF:7F # DILimit = 0x0FFFFFFF:6E # DifGain = 0x00005000:DF # DifLimit = 0x00000900:43 # DifDLimit = 0x00450000:87 # MaxDduty = 0x00900000:61 # Environment ::52 # SetVal = 0x00003B00:AC # PGain = 0x00000500:3C # IGain = 0x00000005:35 # ILimit = 0x0FFFFFFF:2A # ULimit = 0x0FFFFFFF:36 # DLimit = 0x0FFFFFFF:25 # UPLimit = 0x0FFFFFFF:86 # DPLimit = 0x0FFFFFFF:75 # UILimit = 0x0FFFFFFF:7F # DILimit = 0x0FFFFFFF:6E # DifGain = 0x00000000:DA # DifLimit = 0x0FFFFFFF:D4 # DifDLimit = 0x0FFFFFFF:18 # MaxDduty = 0x0FFFFFFF:F2 OK 00000000:3A | |
| fsstate | cmd>fsstate get fsstate get:5A # 0: ctempr=29.50(0x1D80), err=0xFFFFCD80, ierr=0x00000000, duty=0x0100(25):BD # 1: ctempr=22.75(0x16C0), err=0xFFFFDBC0, ierr=0x00000000, duty=0x00CD(20):E6 OK 00000000:3A | |
| fstartup | ||
| ftable | ||
| halt | ps3, halts the console | |
| haltmode | ||
| hdmir | ||
| hdmis | ||
| hdmistate | cmd>hdmistate hdmistate:C3 # == DP Video Setting ==:20 # MVID : 0x0:C5 # NVID : 0x0:C6 # MISC 0 : 0:29 # MISC 1 : 0:2A # H Total : 0:F9 # V Total : 0:07 # H Start : 0:03 # V Start : 0:11 # Hsync Width : 0:32 # Hsync Porality : High Active:F2 # Vsync Height : 0:79 # Vsync Porality : High Active:00 # Video Width : 0:24 # Video Height : 0:5D # Wait Power On State.:31 OK 00000000:3A | |
| hdmiw | ||
| help | help:A9 # ANY "R16":A8 # ANY "R32":A6 # ANY "R8":79 # ANY "W16":AD # ANY "W32":AB # ANY "W8":7E # ANY "_hdmi":F0 # ANY "boot":A3 # ANY "bootadr":DA # ANY "bootenable":0A # ANY "bootmode":48 # ANY "buzzer":91 # ANY "cb":B4 # ANY "cclog":F7 # ANY "ccul":96 # ANY "cec":1A # ANY "cktemprid":B2 # ANY "combuf":6B # ANY "comlog":70 # ANY "csarea":5E # ANY "ddr":29 # ANY "ddrc":8C # ANY "ddrr":9B # ANY "ddrw":A0 # ANY "devpm":0B # ANY "dled":88 # ANY "dsarea":5F # ANY "ejectsw":E4 # ANY "errlog":7A # ANY "etempr":7C # ANY "fdownmode":B2 # ANY "fduty":1B # ANY "flimit":74 # ANY "fmode":FA # ANY "fservo":84 # ANY "fsstate":E9 # ANY "fstartup":68 # ANY "getmacadr":97 # ANY "halt":98 # ANY "haltmode":3D # ANY "hdmir":03 # ANY "hdmis":04 # ANY "hdmistate":B2 # ANY "hdmiw":08 # ANY "help":98 # ANY "mbu":33 # ANY "mduty":22 # ANY "nvscsum":FE # ANY "nvsinit":FA # ANY "nvsl2sw":CE # ANY "osarea":6A # ANY "osbootparam":96 # ANY "osdebuginfo":84 # ANY "osstate":F2 # ANY "pcie":90 # ANY "pdarea":5C # ANY "powcount":6E # ANY "powersw":06 # ANY "powupcause":3B # ANY "qafinfo":D3 # ANY "r16":C8 # ANY "r32":C6 # ANY "r8":99 # ANY "resetsw":FC # ANY "rtc":38 # ANY "runseq":8D # ANY "s3state":B6 # ANY "sb":C4 # ANY "sbnvs":1B # ANY "scfupdbegin":79 # ANY "scfupddl":44 # ANY "scfupdend":AB # ANY "scnvsinit":D0 # ANY "scpdis":75 # ANY "screset":E8 # ANY "scversion":CB # ANY "sdkversion":37 # ANY "sdnvs":1D # ANY "smlog":11 # ANY "socdmode":3D # ANY "socuid":76 # ANY "spoff":0D # ANY "spon":AF # ANY "sqlog":15 # ANY "ssbdis":77 # ANY "startwd":F8 # ANY "state":10 # ANY "stinfo":82 # ANY "stopwd":90 # ANY "stwb":AF # ANY "subsysid":65 # ANY "subsysinfo":44 # ANY "syspowdown":5C # ANY "task":A2 # ANY "tempr":17 # ANY "temprlog":59 # ANY "testpcie":50 # ANY "thrm":AA # ANY "uareq1":3E # ANY "uareq2":3F # ANY "version":F5 # ANY "vshinfo":EC # ANY "w16":CD # ANY "w32":CB # ANY "w8":9E # ANY "wsc":3C OK 00000000:3A | |
| mbu | ||
| mduty | cmd>mduty get mduty get:93 # MainSoc : duty=0x0000(0):F3 # Environment : duty=0x0000(0):5E OK 00000000:3A | |
| nvscsum | cmd>nvscsum OK 00000000 FFEF 42D4 CCBE 29B9:A2 nvscsum:0F | |
| nvsinit | ||
| osarea | ||
| osstate | ||
| pcie | cmd>pcie pcie:A1 # <PCIe Debug>:05 # PHY Link : Up:A1 # Data Link : Up:0A # :43 # <PCIe Link Control and Status>:A4 # Active State Link PM : Disabled:BD # Read Completion Boundary(RCB) : 64byte:FD # Retrain Link : 1:71 # Enable Clock Power Management : Disable:EE # Hardware Autonomous Width : Enable:0C # Link Bandwidth Management Interrupt: Disable:DE # Link Autonomous Bandwidth Interrupt: Disable:1B # Link Speed : Gen1:E7 # Link Width : x4:57 # Link Traing : Done:76 # :43 # <Calib Value>:B5 # LANE 0 : 0x60:FB # LANE 1 : 0x5E:10 # LANE 2 : 0x5D:10 # LANE 3 : 0x5C:10 # :43 # <PCIe Device Status>:12 # Correctable Error : Yes:DE # Non-Fatal Error : No:84 # Fatal Error : No:AC # Unsupported Request Detected : Yes:E2 OK 00000000:3A | |
| pdarea | ||
| powersw | ps3, toggles power switch | |
| powupcause | cmd>powupcause powupcause:4C # 04000000 02 00 02 00 00:4B OK 00000000:3A | |
| r16 | ||
| R16 | ||
| R32 | ||
| r32 | ||
| R8 | ||
| r8 | ||
| resetsw | ps3, toggles reset switch | |
| rtc | cmd>rtc rtc:49 # RTC Counter : 318078913:DE # RTC Status(0x000001FC) : OK:87 OK 00000000 12F57FC1 000001FC:F3 | |
| sb | sb sb:D5 # [Active bank] : Second:E9 OK 00000000:3A | |
| sbnvs | cmd>sbnvs sbnvs:2C # sbnvs : [partitin number]:B5 # [UCMD] Arguments err.:91 NG F0000001:4C | |
| scfupdbegin | ||
| scfupddl | ||
| scfupdend | ||
| scnvsinit | ||
| scpdis | ||
| screset | ps3, resets syscon | |
| scversion | gets syscon version cmd>scversion scversion:DC # 1.0.0 ET r1808 p1:2D OK 00000000 C1ET 0001 0000 0000 0710 0001:D1 | |
| sdnvs | cmd>sdnvs sdnvs:2E # sdnvs : [partitin number] [bank number] :F4 # [UCMD] Arguments err.:91 NG F0000001:4C | |
| smlog | cmd>smlog smlog:22 # Packet Log:OFF:F2 OK 00000000:3A cmd>smlog 1 smlog 1:73 # Packet Log:ON:B4 OK 00000000:3A | |
| socdmode | cmd>socdmode socdmode:4E # [PSQ] Soc download mode : 0:1B OK 00000000:3A | |
| socuid | gets socuid, also found in NVS | |
| ssbdis | cmd>ssbdis ssbdis:88 # [PSQ] boot disable 00:37 OK 00000000:3A | |
| startwd | ||
| state | cmd>state state:21 # system:SSC_SYSTEMSTATE_SOC_UP_IDLE:95 OK 00000000 0005 FF:CB | |
| stinfo | cmd>stinfo stinfo:93 # Updated Sector Adr = 0x1C5000 (table = 0x02 i=0,j=1):29 OK 00000000:3A | |
| stopwd | ||
| stwb | ||
| syspowdown | shutsdown system | |
| tempr | cmd>tempr get tempr get:88 # get all:DC # MainSoc : t=30.25(0x1E40):83 # Intake : Disable:8D # Exhaust : t=24.00(0x1800):A6 OK 00000000 1E40 FFFF 1800:55 | |
| testpcie | ||
| thrm | ||
| uareq1 | command to gain more privileges, rsa | |
| uareq2 | command to gain more privileges, rsa | |
| version | ps3, gets emc version cmd>version version:06 # 1.19.0 E r4336 :51 OK 00000000 E1E 0001 0013 0000 10F0:B1 | |
| W16 | ||
| w16 | ||
| W32 | ||
| w32 | ||
| w8 | ||
| w8 | ||
| W8 | ||
| wsc |
See also:
Southbridge Patches
God Mode (All Commands Unlocked)
- Change ALL instances of 03 00 FD 00 to 0F 00 FD 00
- Change ALL instances of 07 00 FD 00 to 0F 00 FD 00
- Be extremely careful as this might brick your console if you try weird commands!
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
