Syscon Hardware: Difference between revisions

From PS4 Developer wiki
Revision as of 06:15, 10 December 2022

Syscon is, together with the Southbridge, one of the main chips responsible for the functioning of the APU, peripherals, etc.

PS4 Syscon is codenamed Colwick. It is a custom Renesas RL78/G13.

Hardware revisions

Production Start Date (<=) | PS2 Mechacon | PSP Syscon | PS3 Syscon | PS Vita Syscon | PS4 Syscon | Used IC/CPU Core
07/2013 | - | - | - | - | COL | Renesas R5F100PL (RL78/G13, 100 pin)
04/2015 | - | - | - | - | COL2 | Renesas R5F101LL (RL78/G13, 64 pin)

Memory Layout

Offset | Size | Description | Notes
0x00000 | 0x20000 | Code Flash Area |
0x20000 | 0xD0000 | Reserved | OCDROM is here
0xF0000 | 0x800 | Special Function Registers 2 |
0xF0800 | 0x800 | Reserved (bootloader RAM) |
0xF1000 | 0x1000 | Data Flash Area |
0xF2000 | 0xCF00 | Mirror | Mirror of a portion of Code Flash Area
0xFEF00 | 0xFE0 | RAM | Stack is usually at 0xFFE00.
0xFFEE0 | 0x20 | General-Purpose Registers |
0xFFF00 | 0x100 | Special Function Registers |

Commands

Command ID | Name | Description
0x00 | Reset | Detects synchronization in communication
0x9A | Baud Rate Set | Sets the baud rate for single-wire UART.
0x20 | Chip Erase | Erases the entire flash memory area.
0x22 | Block Erase | Erases a specified area in the flash memory.
0x40 | Programming | Writes data to a specified area in the flash memory.
0x13 | Verify | Compares the contents in a specified area in the flash memory with data transmitted from the programmer.
0x32 | Block Blank Check | Checks the erase status of a specified block in the flash memory.
0xC0 | Silicon Signature | Acquires 78K0R/Kx3 information (part number, flash memory configuration, etc.).
0xC5 | Version Get | Acquires version information of the 78K0R/Kx3 and firmware.
0xB0 | Checksum | Acquires checksum data of a specified area.
0xA0 | Security Set | Sets security information.

Statuses

Status code | Name | Description
0x04 | Command number error | Error returned if a command not supported is received
0x05 | Parameter error | Error returned if command information (parameter) is invalid
0x06 | Normal acknowledgment (ACK) | Normal acknowledgment
0x07 | Checksum error | Error returned if data in a frame transmitted from the programmer is abnormal
0x0F | Verify error | Error returned if a verify error has occurred upon verifying data transmitted from the programmer
0x10 | Protect error | Error returned if an attempt is made to execute processing that is prohibited by the Security Set command
0x15 | Negative acknowledgment (NACK) | Negative acknowledgment
0x1A | MRG10 error | Erase verify error
0x1B | MRG11 error | Internal verify error or blank check error during data write
0x1C | Write error | Write error
0xFF | Processing in progress (BUSY) | Busy response

Command Frame Format

  • SOH | LEN | COM | INFO | SUM | ETX

Data Frame Format

  • STX | LEN | DAT | SUM | ETX/ETB

Description of each symbol

Name | Description | Notes
SOH | Start Of Header - Command frame header | 0x01 always
STX | Start of TeXt - Data frame header | 0x02 always
LEN | LENgth - Length of info | In a command frame: length of COM + command info (INFO). In a data frame: length of DAT.
COM | COMmand - Command number |
SUM | checkSUM - Checksum | Command frame: (0x00 - LEN - COM - INFO) mod 256. Data frame: (0x00 - LEN - DAT) mod 256.
ETB | End of Transmission Block - Data frame footer (more data frames follow) | 0x17 always
ETX | End of TeXt - Command frame footer (also closes the last data frame) | 0x03 always
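The two frame layouts and the checksum rule above, worked through as an added example; this is not code from the page, nor from VV1LD's SYSGLITCH or BwE's tools. It assumes LEN is a single byte counting 1..255 bytes (the page does not say how a zero LEN is interpreted) and that a device status reply travels as a one-byte data frame; both are assumptions. The parser checks header, LEN, checksum and footer before exposing any field, so a tool reading the single-wire UART rejects a truncated or corrupted reply instead of acting on it.

```python
"""Encoder/decoder for the command and data frames of the Renesas
single-wire flash-programming protocol described on this page.

Assumptions (not stated on the page): LEN is one byte and counts 1..255
bytes, and device status responses travel as one-byte data frames.
All sample frames below are constructed, not captured from hardware."""

SOH, STX, ETX, ETB = 0x01, 0x02, 0x03, 0x17

# Command IDs and status codes, taken from the tables on this page.
COMMANDS = {
    0x00: "Reset", 0x9A: "Baud Rate Set", 0x20: "Chip Erase",
    0x22: "Block Erase", 0x40: "Programming", 0x13: "Verify",
    0x32: "Block Blank Check", 0xC0: "Silicon Signature",
    0xC5: "Version Get", 0xB0: "Checksum", 0xA0: "Security Set",
}
STATUSES = {
    0x04: "Command number error", 0x05: "Parameter error", 0x06: "ACK",
    0x07: "Checksum error", 0x0F: "Verify error", 0x10: "Protect error",
    0x15: "NACK", 0x1A: "MRG10 error", 0x1B: "MRG11 error",
    0x1C: "Write error", 0xFF: "BUSY",
}


def checksum(core: bytes) -> int:
    """SUM = (0x00 - LEN - COM - INFO) or (0x00 - LEN - DAT), mod 256.
    `core` is LEN followed by the bytes that LEN counts."""
    return (-sum(core)) & 0xFF


def build_command_frame(com: int, info: bytes = b"") -> bytes:
    """SOH | LEN | COM | INFO | SUM | ETX, with LEN = len(COM + INFO)."""
    body = bytes([com]) + info
    if not 1 <= len(body) <= 255:           # assumption: single-byte LEN
        raise ValueError("command body must be 1..255 bytes")
    core = bytes([len(body)]) + body
    return bytes([SOH]) + core + bytes([checksum(core), ETX])


def build_data_frame(dat: bytes, last: bool = True) -> bytes:
    """STX | LEN | DAT | SUM | ETX (last frame) or ETB (more to follow)."""
    if not 1 <= len(dat) <= 255:            # assumption: single-byte LEN
        raise ValueError("data must be 1..255 bytes")
    core = bytes([len(dat)]) + dat
    return bytes([STX]) + core + bytes([checksum(core), ETX if last else ETB])


def data_frames(payload: bytes, chunk: int = 255) -> list:
    """Split a long payload (e.g. for Programming) into data frames;
    every frame but the last is closed with ETB."""
    chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
    return [build_data_frame(c, last=(i == len(chunks) - 1))
            for i, c in enumerate(chunks)]


def parse_frame(frame: bytes) -> dict:
    """Check header, LEN, checksum and footer before exposing any field;
    a frame that fails any check raises ValueError."""
    if len(frame) < 5:
        raise ValueError("frame shorter than header+LEN+body+SUM+footer")
    header, length, footer = frame[0], frame[1], frame[-1]
    if len(frame) != length + 4:            # header, LEN, SUM, footer
        raise ValueError(f"LEN={length} disagrees with frame size {len(frame)}")
    core, body = frame[1:-2], frame[2:-2]
    if checksum(core) != frame[-2]:
        raise ValueError("checksum mismatch")
    if header == SOH and footer == ETX:
        return {"kind": "command", "com": body[0],
                "name": COMMANDS.get(body[0], "unknown"), "info": bytes(body[1:])}
    if header == STX and footer in (ETX, ETB):
        return {"kind": "data", "data": bytes(body), "last": footer == ETX}
    raise ValueError("unknown header/footer combination")


def is_valid_frame(frame: bytes) -> bool:
    """True only if the frame passes every structural and checksum check."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def decode_status(frame: bytes) -> str:
    """Name the status code carried in a one-byte data frame (assumption)."""
    parsed = parse_frame(frame)
    if parsed["kind"] != "data" or len(parsed["data"]) != 1:
        raise ValueError("not a one-byte status frame")
    return STATUSES.get(parsed["data"][0], "unknown status")


if __name__ == "__main__":
    req = build_command_frame(0xC0)         # Silicon Signature, no INFO
    print("request :", req.hex())           # 0101c03f03
    print("parsed  :", parse_frame(req))
    ack = build_data_frame(bytes([0x06]))   # constructed ACK reply
    print("response:", ack.hex(), decode_status(ack))
```

`is_valid_frame` is the check to run on every byte sequence read back from the chip: a reply whose LEN, checksum or delimiters disagree is dropped rather than interpreted, which is what a well-behaved programmer does and what the Checksum error status (0x07) does on the device side.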

Pinout

64-pin

Pin | Description | Notes
1 | P120/ANI19 | power switch (USBHUB)
2 | P43 | APU-RESET#
3 | P42/TI04/TO04 | (HDR-A SPI-CS)
4 | P41/TI07/TO07 | power switch (PSU-7)
5 | P40/TOOL0 | -> HDR-A pin 22 (open circuit between pin and header)
6 | RESET | -> HDR-A pin 24
7 | P124/XT2/EXCLKS | pulldown?
8 | P123/XT1 | power switch (PSU-5)
9 | P137/INTP0 | testpoint?
10 | P122/X2/EXCLK | -> HDR-A pin 28 (4bit input-only, port 12)
11 | P121/X1 | -> HDR-A pin 29 (4bit input-only, port 12)
12 | REGC | cap to GND
13 | VSS | GND
14 | EVSS0 | GND
15 | VDD | Vcc
16 | EVDD0 | Vcc
17 | P60/SCLA0 | APU i2c dev 0xba
18 | P61/SDAA0 | APU i2c dev 0xba
19 | P62 | APU i2c dev 0x78/0x98
20 | P63 | APU i2c dev 0x78/0x98
21 | P31/TI03/TO03/INTP4/(PCLBUZ0) | FAN-CTL
22 | P77/KR7/INTP11/(TxD2) | pulldown
23 | P76/KR6/INTP10/(RxD2) | N/A
24 | P75/KR5/INTP9/SCK01/SCL01 | APU?
25 | P74/KR4/INTP8/SI01/SDA01 | N/A
26 | P73/KR3/SO01 | power switch (USBBRIDGE + HDD)
27 | P72/KR2/SO21 | -> HDR-A pin 12 (HDR-A SPI-SO)
28 | P71/KR1/SI21/SDA21 | (HDR-A SPI-SI)
29 | P70/KR0/SCK21/SCL21 | -> HDR-A pin 10 (HDR-A SPI-CLK)
30 | P06/TI06/TO06 | power switch (PSU-1)
31 | P05/TI05/TO05 | N/A
32 | P30/INTP3/RTC1HZ/SCK11/SCL11 | NC testpoint
33 | P50/INTP1/SI11/SDA11 | power switch (SB-1 + SB-2 + DDR3)
34 | P51/INTP2/SO11 | power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB)
35 | P52/(INTP10) | testpoint?
36 | P53/(INTP11) | VR-SM_CLK
37 | P54 | N/A
38 | P55/(PCLBUZ1)/(SCK00) | power switch (APU-2)
39 | P17/TI02/TO02/(SO00)/(TxD0) | N/A
40 | P16/TI01/TO01/INTP5/(SI00)/(RxD0) | SB-TP0 looks like SB -> SC interrupt line (INTP5)
41 | P15/SCK20/SCL20/(TI02)/(TO02) | SB-TP1 (SPI-CLK)
42 | P14/RxD2/SI20/SDA20/(SCLA0)/(TI03)/(TO03) | SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere
43 | P13/TxD2/SO20/(SDAA0)/(TI04)/(TO04) | SB-TP3 (SPI-SO)
44 | P12/SO00/TxD0/TOOLTxD/(INTP5)/(TI05)/(TO05) | -> HDR-A pin 15 (SC ucmd UART)
45 | P11/SI00/RxD0/TOOLRxD/SDA00/(TI06)/(TO06) | -> HDR-A pin 16 (SC ucmd UART)
46 | P10/SCK00/SCL00/(TI07)/(TO07) | SB-TP4 (SPI-CS)
47 | P146 | NC
48 | P147/ANI18 | power switch (HDMI-1)
49 | P27/ANI7 | NC testpoint
50 | P26/ANI6 | STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock)
51 | P25/ANI5 | STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#)
52 | P24/ANI4 | pulldown?
53 | P23/ANI3 | pulldown?
54 | P22/ANI2 | N/A
55 | P21/ANI1/AVREFM | NC testpoint
56 | P20/ANI0/AVREFP | N/A
57 | P130 | power switch (PSU-6) (P130 is tied to sc-internal RESET)
58 | P04/SCK10/SCL10 | i2c (PCIe clockgen smbus?)
59 | P03/ANI16/SI10/RxD1/SDA10 | -> HDR-F pin 1 (i2c (PCIe clockgen smbus?))
60 | P02/ANI17/SO10/TxD1 | -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?)
61 | P01/TO00 | N/A
62 | P00/TI00 | N/A
63 | P141/PCLBUZ1/INTP7 | VR-VRDY1
64 | P140/PCLBUZ0/INTP6 | VR-VRDY2

100-pin

Pin | Description | Notes
1 | P142 |
2 | P141 | VR-VRDY1
3 | P140 | VR-VRDY2
4 | P120 | power switch (USBHUB)
5 | P47 | VR-VRHOT_ICRIT
6 | P46 | power switch (BUZZER)
7 | P45 | NC
8 | P44 | VR-PWROK + APU-PWROK
9 | P43 | APU-RESET#
10 | P42 | (HDR-A SPI-CS)
11 | P41 | power switch (PSU-7)
12 | P40 | TOOL0 -> HDR-A pin 22 (open circuit between pin and header)
13 | RESET# | -> HDR-A pin 24
14 | P124 | pulldown?
15 | P123 | power switch (PSU-5)
16 | P137 | testpoint?
17 | P122 | -> HDR-A pin 28 (4bit input-only, port 12)
18 | P121 | -> HDR-A pin 29 (4bit input-only, port 12)
19 | REGC | cap to GND
20 | Vss | GND
21 | EVss0 | GND
22 | Vdd | Vcc
23 | EVdd0 | == pin 22
24 | P60 | APU i2c dev 0xba
25 | P61 | APU i2c dev 0xba
26 | P62 | APU i2c dev 0x78/0x98
27 | P63 | APU i2c dev 0x78/0x98
28 | P31 | FAN-CTL
29 | P64 | power switch (HDMI-0 + APU-4)
30 | P65 | LED
31 | P66 | LED
32 | P67 | LED
33 | P77 | pulldown
34 | P76 |
35 | P75 | APU?
36 | P74 |
37 | P73 | power switch (USBBRIDGE + HDD)
38 | P72 | -> HDR-A pin 12 (HDR-A SPI-SO)
39 | P71 | (HDR-A SPI-SI)
40 | P70 | -> HDR-A pin 10 (HDR-A SPI-CLK)
41 | P06 | power switch (PSU-1)
42 | P05 |
43 | EVss1 | GND
44 | P80 | STM8-PWR pin 7 (NRST)
45 | P81 | NC testpoint
46 | P82 | LED
47 | P83 | power switch (PSU-4)
48 | P84 | pulldown?
49 | P85 | power switch (PSU-2)
50 | P86 | power switch (APU-0) + PSW-APU-3 pin 3
51 | P87 | VR-EN + power switch (APU-1)
52 | P30 | NC testpoint
53 | EVdd1 | Vcc
54 | P50 | power switch (SB-1 + SB-2 + DDR3)
55 | P51 | power switch (SB-0) (6pin near Wi-Fi + 8pin between SC/SB)
56 | P52 | testpoint?
57 | P53 | VR-SM_CLK
58 | P54 | VR-SM_DIO
59 | P55 | power switch (APU-2)
60 | P56 |
61 | P57 |
62 | P17 |
63 | P16 | SB-TP0 looks like SB -> SC interrupt line (INTP5)
64 | P15 | SB-TP1 (SPI-CLK)
65 | P14 | SB-TP2 (SPI-SI) + SC-P11 in a weird way? + elsewhere
66 | P13 | SB-TP3 (SPI-SO)
67 | P12 | -> HDR-A pin 15 (SC ucmd UART)
68 | P11 | -> HDR-A pin 16 (SC ucmd UART)
69 | P10 | SB-TP4 (SPI-CS)
70 | P101 | power switch (VR)
71 | P110 |
72 | P111 |
73 | P146 | NC
74 | P147 | power switch (HDMI-1)
75 | P100 | power switch (PSU-0)
76 | P156 | pulldown?
77 | P155 | pulldown?
78 | P154 | PSW-APU-2 pin 1 + PSW-APU-3 pin 1
79 | P153 | -> HDR-G pin 11
80 | P152 | -> HDR-G pin 15
81 | P151 | power switch (PSU-3)
82 | P150 | Wi-Fi reset?
83 | P27 | NC testpoint
84 | P26 | STM8-PWR pin 1 + HDR-C pin 8 (POWER#) (serial clock)
85 | P25 | STM8-EJECT pin 1 + HDR-C pin 7 (EJECT#)
86 | P24 | pulldown?
87 | P23 | pulldown?
88 | P22 |
89 | P21 | NC testpoint
90 | P20 |
91 | P130 | power switch (PSU-6) (P130 is tied to sc-internal RESET)
92 | P102 |
93 | P04 | i2c (PCIe clockgen smbus?)
94 | P03 | -> HDR-F pin 1 (i2c (PCIe clockgen smbus?))
95 | P02 | -> HDR-F pin 2 (XXX did I fuckup the HDR-F mapping here?)
96 | P01 |
97 | P00 |
98 | P145 |
99 | P144 |
100 | P143 |

Glitching, Dumping & Flashing

Based on the attack outlined by Fail0verflow (fail0verflow.com/blog/2018/ps4-syscon/), VV1LD designed the following: github.com/VV1LD/SYSGLITCH

Using VV1LD's shellcode, but with a different methodology described on his GitHub, you can dump the original Syscon's contents and write them to a new Renesas chip with comparatively greater ease. Guide available on BwE's GitHub.

You can also flash to the original SCE syscon using a different shellcode, but this is a commercial product sold by BwE.