Proceeding the PS4 EEPROM Dumper, PlayStation 4 Glitch Pinout, PS4 Serial / Flash Pinouts, PS4 UART to DCSD Project, PS4 Aux Hax Parts 1-3, PS4 Aux Hax Part 4, PS4 Syscon System Controller Firmware Decrypter, recent PS4 Renesas RL78 Debug Protocol Implementation and his Flexible Kernel Dumper PS4 Payload / PS4 Homebrew App Demo releases comes a PS4 SysGlitch Tool and SysCon Glitching Pinout and TEENSY 2.0++ / TEENSY 4.0 Hexcodes by VVildCard777 on Github. 
Download: SYSGLITCH_TEENSY4.0.hex / SYSGLITCH_TEENSY2.0++.hex / SYSGLITCH-master.zip / GIT / SYSGLITCH_DOWNGRADE.pdf (1.3 MB) via MaxLab81 / SYSGLITCH_DOWNGRADE.pdf (Mirror) / sysglitch_nano.zip (15.5 MB) / sysglitch_nano 2-2.zip (21.4 MB)
According to his Tweets below, SYSGLITCH is a simplified System Controller glitching tool that will dump the PS4 / PS Vita SysCon flash continuously and is more user-friendly than an FPGA setup (although die hard FPGA lovers like @Chaos Kid may not agree
).
Also of note following the recent OrbisSWU PS4 Update Tool Developer Research in regards to the possibility of PS4 downgrading from his Tweets below, he states the following to quote:
"As for downgrade, I don't know about the process, but f0f hinted at it in their blog, seems to be completely per console-based tho. Someone should try it!
"
In the Related Guides, Tweets & Videos below is more on the PS4 Firmware Downgrading / PS4 Reverters / PS4 Firmware Reverting / PS4 Firmware Regression Method, however heavy soldering is required and to summarize from VVildCard777's Tweets for the majority of end-users:
"Its kinda pointless for eta wen kidz because theyd need hw skills to dump it. and theyd need the foresight to copy everything. But imagine if you are on latest fw now. You know there will be a sploit eventually so you could just revert when its released. which is pretty cool!"
And from the README.md: SYSGLITCH
A tool for glitching the on-chip debugger rom located in RL78 devices in order to dump full flash contents
Only compatible with version 3.03 of the OCD rom.
Based on the attack outlined by Fail0verflow
Setup
Teensy 4.0 Glitching Pinout
Teensy 2.0++ Glitching Pinout
PS Vita RL78 Pinout
Credits:
Download: SYSGLITCH_TEENSY4.0.hex / SYSGLITCH_TEENSY2.0++.hex / SYSGLITCH-master.zip / GIT / SYSGLITCH_DOWNGRADE.pdf (1.3 MB) via MaxLab81 / SYSGLITCH_DOWNGRADE.pdf (Mirror) / sysglitch_nano.zip (15.5 MB) / sysglitch_nano 2-2.zip (21.4 MB)
According to his Tweets below, SYSGLITCH is a simplified System Controller glitching tool that will dump the PS4 / PS Vita SysCon flash continuously and is more user-friendly than an FPGA setup (although die hard FPGA lovers like @Chaos Kid may not agree
). Also of note following the recent OrbisSWU PS4 Update Tool Developer Research in regards to the possibility of PS4 downgrading from his Tweets below, he states the following to quote:"As for downgrade, I don't know about the process, but f0f hinted at it in their blog, seems to be completely per console-based tho. Someone should try it!
" In the Related Guides, Tweets & Videos below is more on the PS4 Firmware Downgrading / PS4 Reverters / PS4 Firmware Reverting / PS4 Firmware Regression Method, however heavy soldering is required and to summarize from VVildCard777's Tweets for the majority of end-users:"Its kinda pointless for eta wen kidz because theyd need hw skills to dump it. and theyd need the foresight to copy everything. But imagine if you are on latest fw now. You know there will be a sploit eventually so you could just revert when its released.
which is pretty cool!"And from the README.md: SYSGLITCH
A tool for glitching the on-chip debugger rom located in RL78 devices in order to dump full flash contents
Only compatible with version 3.03 of the OCD rom.
Based on the attack outlined by Fail0verflow
Setup
- A Teensy 4.0 or Teesny 2.0++ and the Arduino IDE
- If using the 2.0++ make sure it is fitted with a 3.3v regulator as instructed at 3volt.html
- A usb serial cable wired to a PC, capturing raw data on RX with Realterm
- An RL78 with version 3.03 of the OCD rom
- A small diode and ~4K ohm resistor for the RX line pulldown (needed to stabilise signal on syscon TOOL0)
Teensy 4.0 Glitching Pinout
Teensy 2.0++ Glitching Pinout
PS Vita RL78 Pinout
Credits:
- Fail0verflow for the initial Writeup on the attack.
- droogie for early syscon investigations.
- juansbeck for his findings on identifying the chip and pinout.
- Zecoxao, M4j0r, and SSL for their support in all syscon related work.
- PS4 Syscon (System Controller) Guide (syscon-guide-main.zip) by @BwE (BwE_Dev on Twitter) of BetterWayElectronics.com.au / Syscon.rar (BwE Syscon Collection / BwE_PS4_Syscon_Software.rar (BwE PS4 Syscon Software Reader & Writer) (includes BwE_HWID_Generator.exe, BwE_PS4_Syscon_Reader.exe and BwE_PS4_Syscon_Writer.exe)
Code:
__________ __ __ __ __ ___________.__ __ .__
\______ \ _____/ |__/ |_ ___________/ \ / \_____ ___.__.\_ _____/| | ____ _____/ |________ ____ ____ |__| ____ ______
| | _// __ \ __\ __\/ __ \_ __ \ \/\/ /\__ \< | | | __)_ | | _/ __ \_/ ___\ __\_ __ \/ _ \ / \| |/ ___\ / ___/
| | \ ___/| | | | \ ___/| | \/\ / / __ \\___ | | \| |_\ ___/\ \___| | | | \( <_> ) | \ \ \___ \___ \
|______ /\___ >__| |__| \___ >__| \__/\ / (____ / ____|/_______ /|____/\___ >\___ >__| |__| \____/|___| /__|\___ >____ >
\/ \/ \/ \/ \/\/ \/ \/ \/ \/ \/ \/
===============================================================================================================================================
Reminder/Notes:
If reading/writing on board lift Pin 15 & 16 on Pro/Slim OR Pin 22 & 23 on FAT and wire to the pins directly. The other connections are always on board.
Once OCD mode is written to the Syscon you never have to lift the above pins again, you simply need the console on standby and the 3 other points installed.
Reader & Writer is programmed to timeout after 120 seconds of inactivity. Unplug and replug your device and try again!
If Reader OR Writer is looping CONNECTING... just cancel and start again your dump will end up corrupted.
Use OCD Mode (-f -ocd) on your first write only, afterwards you only need -f or no argument at all.
I highly recommend using -c with every write!
===============================================================================================================================================
Syscon Reader:
Run the program in your terminal with your device's COM port at the end.
Example: BwE_PS4_Syscon_Reader.exe COM??
The program will dump your SCE Syscon twice as Syscon1.bin and Syscon2.bin and compare them against each other.
If they do not match, check your cabling/wiring/soldering.
If they still do not match, change resistors to a lower value and try again.
You are now good to go!
===============================================================================================================================================
Syscon Writer:
Run the program in your terminal with your device's COM port as well as the name of file you are writing.
I suggest keeping the written file in the same directory.
Example: BwE_PS4_Syscon_Writer.exe [-h] [-f] [-ocd] [-c] COM?? Syscon1.bin
Required Arguments:
port COM Port Arduno Is On (Eg: COM4)
file Syscon Dump To Write To Chip (524288 Byte .BIN File)
Optional Requirements:
-h Show This Page
-f Write Entire Chip EXCLUDING Block 1 (~120sec)
-ocd Write Entire Chip INCLUDING Block 1 & Enable OCD_FLAG=0x85 - Bricking Risk (~120sec+)
-c Dump Chip After Writing To Confirm Validity (Skips OCD Flag) (Extra ~50sec+)
If No Options Are Selected Flash Will Be Written From 0x60000+ - Very Quick (~15sec)
I highly recommend after dumping you immediately write back the dump using the -ocd and -c commands.
This will enable the ability to write the Syscon without lifting the pins anymore (if dumping/writing on board).
I DO NOT RECOMMEND OCD MODE MORE THAN ONCE! BRICK RISK.
===============================================================================================================================================
Reader:
Version 2.4
Writer:
Version 1.4
Archive Password: BwE
Credits: DARKNESMONK
