Following the PS4 Syscon Decapping, PS4 Aux Hax research and his recent PS4 HEN version 1.8 Live Demo (GIT - added to PS4 Exploit Host v0.4.6 Alpha1), today PlayStation 4 developer @zecoxao shared via Twitter his latest Github commit dubbed Siscon, a PS4 Syscon (System Controller) firmware decrypter that allows further comparison and examination by scene devs.
Download: patched105_for_DECR.bin (384.06 KB - patched DECR-1000 SC FW that allows you to run any packet as if it did not have restrictions)
DECR syscon boot log, including lv0ldr output: Pastebin.com
Download: v1.0.5c1_TMU510_u_patched2_extra_diag_porn.bin (384.06 KB)
Download: encrypt.py (1.75 KB - previous script was actually the decrypting script, this is the encrypt script)
Download: EID1.py (1.16 KB - EID1 decrypt script. it'll decrypt the second layer of eid1 that you can obtain using ps3_decrypt_tools or libeid)
Download: COK-001_SC_dump.bin (384 KB)
Download: siscon-master.zip / GIT / PS4 Syscon Research & Development Repository
As mentioned in the Tweets embedded below, he reminds those planning to use it "decrypts syscon fw updates from PS4 devkit consoles (you need to provide the keys yourself, but they're not hard to find)"
Download: ps3_syscon_decrypt_tool.py (828 Bytes - script by SocraticBliss, atm it only decrypts the dia-002/deb-001 patch)
PS3 TMU Syscon command list, including addresses and needed permissions: Pastebin.com:
Code:
Command Address Permission
w 0xf98b0000L 0xDD0C0000
r 0xa58c0000L 0xDD0C0000
w16 0x2d8e0000 0xDD0C0000
r16 0xd58e0000L 0xDD0C0000
w32 0xed8f0000L 0xDD0C0000
r32 0x91910000L 0xDD0C0000
w64 0xa9920000L 0xDD0C0000
r64 0x5d930000 0xDD0C0000
r64d 0x8f940000L 0xDD0C0000
wbe 0x65960000 0xDD0C0000
rbe 0xf9960000L 0xDD0C0000
boardconfig 0xc7990000L 0xDC0C0000
comm 0x19990000 0xDC0C0000
commt 0x7490200 0xDC0C0000
printmode 0xd9990000L 0xDC0C0000
eepromcheck 0x1d9a0000 0x000C0000
eeprominit 0x659a0000 0x000C0000
hdmi 0x399f0200 0xDD0C0000
xrcv 0x13530200 0xDC0C0000
bepkt 0x5d430200 0xDC0C0000
task 0x5500100 0xDD0C0000
duty 0x239b0000 0xDD0C0000
tsensor 0x79a20000 0xDD0C0000
bepgoff 0xe7a40000L 0xD00C0000
getrtc 0xf3a60000L 0xDD0C0000
rtcreset 0xbba70000L 0x000C0000
ledmode 0xba80000 0xDC0C0000
buzzpattern 0xb7a80000L 0xDC0C0000
eepcsum 0x65aa0000 0xDD0C0000
tmp 0x69aa0000 0xDD0C0000
trp 0x2fab0000 0xDD0C0000
hyst 0xf5ae0000L 0xDD0C0000
tshutdown 0xa1b20000L 0xDD0C0000
tzone 0xe1b50000L 0xDD0C0000
errlog 0xedb70000L 0xFF0C0000
lasterrlog 0xffb70000L 0xDD0C0000
geterrlog 0x4fb80000 0xDD0C0000
clearerrlog 0xcbb80000L 0xDD0C0000
stoplogerrtsk 0xd9b80000L 0xDD0C0000
startlogerrtsk 0xe7b80000L 0xDD0C0000
stoplogerrtoeep 0xf5b80000L 0xDD0C0000
restartlogerrtoeep 0x3b90000 0xDD0C0000
trace 0x51b90000 0xDD0C0000
disp_err 0x11590200 0xDD0C0000
clear_err 0x5b590200 0xDD0C0000
printpatch 0x4fd90000 0xDD0C0000
patchverram 0x65d90000 0xDD0C0000
patchcsum 0xf7d90000L 0xDD0C0000
patchvereep 0xb1d90000L 0xDD0C0000
portscan 0xdda0000 0xDD0C0000
powupcause 0x21b60000 0xDD0C0000
syspowdown 0xe9b60000L 0xDD0C0000
powbtnmode 0x11b90000 0xDC0C0000
dve 0x5d990200 0xDC0C0000
fanconpolicy 0xc9bb0000L 0xDD0C0000
fanconmode 0x35bf0000 0xDD0C0000
fanconautotype 0x75c00000 0xDD0C0000
fantbl 0x87c00000L 0xDD0C0000
tshutdowntime 0x5dc90000 0xDD0C0000
fanservo 0x29bf0000 0xDD0C0000
thrm 0x1dbf0000 0xDD0C0000
fanpol 0x31ca0000 0xDD0C0000
thermfatalmode 0x3bca0000 0xDD0C0000
becount 0x7dca0000 0xDD0C0000
wmmto 0x3bcb0000 0xDC0C0000
ltstest 0x97cb0000L 0xDD0C0000
fancon 0x6dd20000 0x0D000000
powerstate 0x6fce0000 0xDD0C0000
devpm 0x53d00000 0xDD0C0000
wrsxc 0x79d20000 0xDD0C0000
rrsxc 0x13d30000 0xDD0C0000
faninictrl 0xd9d30000L 0x0D000000
therrclr 0xe5d30000L 0xDD0C0000
poll 0xe3400200L 0xDD0C0000
recv 0x35410200 0xDD0C0000
send 0x6f410200 0xDD0C0000
LS 0x1b420200 0xDD0C0000
hversion 0x2f420200 0xDD0C0000
bstatus 0x69420200 0xDD0C0000
buzz 0xffa40000L 0xDC0C0000
diag 0xad9a0000L 0xD00C0000
xdrdiag 0x11e70100 0xF0000000
xiodiag 0x75e80100 0xF0000000
fandiag 0x1be90100 0xF0000000
osbo 0x3fea0100 0xF0000000
bestat 0x13d40000 0xFD0F0000
bringup 0x97d50000L 0xFD0F0000
shutdown 0xc5d50000L 0xFD0F0000
powersw 0xf9d50000L 0xFD0F0000
resetsw 0x5d60000 0xFC0F0000
ejectsw 0x11d60000 0xFD0F0000
thalttest 0x13d80000 0x000F0000
bsn 0x5d80000 0xF00F0000
firmud 0x1dd60000 0xFDFF0000
hdmiid 0x1d9d0200 0xDC0F0000
hdmiid2 0x819d0200L 0xDC0F0000
version 0x5fd60000 0xFFFF0000
csum 0x87d60000L 0xFF0F0000
revision 0xe1d70000L 0xFFFF0000
cp 0x77e00100 0xF0000000
halt 0x7e10100 0xF0000000
bootbeep 0x67ea0100 0xF0000000
scopen 0x21e10000 0xFF000000
scclose 0xefe10000L 0xFF000000
scasv2 0x7e20000 0xDD000000
scagv2 0x4fe20000 0xFF000000
Download: ps3_syscon_decrypt_tool.py (3.49 KB - PS3 syscon patch and full script for patch and full firmware decryption. made by SocraticBliss, improved by Anonymous and myself)
Updated version, including more details: Pastebin.com:
Code:
Command | Address | Permission | Sub-Commands/Params | Function
becount | 0xCA7D | 0xDD0C0000 | - | Display bringup/shutdown count + Power-on time
bepgoff | 0xA4E7 | 0xD00C0000 | - | BE power grid off
bepkt | 0x2435D | 0xDC0C0000 | show, set, unset, mode, debug, help | Packet permissions
bestat | 0xD413 | 0xFD0F0000 | - | Get status of BE
boardconfig | 0x99C7 | 0xDC0C0000 | - | Displays board configuration (NOT WORKING?)
bootbeep | 0x1EA67 | 0xF0000000 | stat, on, off | Boot beep
bringup | 0xD597 | 0xFD0F0000 | - | Turn PS3 on
bsn | 0xD805 | 0xF00F0000 | - | Get board serial number
bstatus | 0x24269 | 0xDD0C0000 | - | HDMI related status
buzz | 0xA4FF | 0xDC0C0000 | [freq] | Activate buzzer
buzzpattern | 0xA8B7 | 0xDC0C0000 | [freq] [pattern] [count] | Buzzer pattern
clear_err | 0x2595B | 0xDD0C0000 | last, eeprom, all | Clear errors
clearerrlog | 0xB8CB | 0xDD0C0000 | - | Clears error log
comm | 0x9919 | 0xDC0C0000 | - | Communication mode
commt | 0x24907 | 0xDC0C0000 | help, start, stop, send | Manual BE communication
cp | 0x1E077 | 0xF0000000 | ready, busy, reset, beepremote, beep2kn1n3, beep2kn2n3 | CP control commands
csum | 0xD687 | 0xFF0F0000 | - | Firmware checksum
devpm | 0xD053 | 0xDD0C0000 | ata/pci/pciex/rsx | Device power management
diag | 0x9AAD | 0xD00C0000 | ... | Diag (execute without param to show help) (NOT WORKING?)
disp_err | 0x25911 | 0xDD0C0000 | - | Displays errors
duty | 0x9B23 | 0xDD0C0000 | get/set, get/setmin, get/setmax, get/setinimin, get/setinimax | Fan policy
dve | 0x2995D | 0xDC0C0000 | help, set, save, show | DVE chip parameters
eepcsum | 0xAA65 | 0xDD0C0000 | - | Does nothing
eepromcheck | 0x9A1D | 0x000C0000 | [id] | Check eeprom
eeprominit | 0x9A65 | 0x000C0000 | [id] | Init eeprom
ejectsw | 0xD611 | 0xFD0F0000 | - | Eject switch
errlog | 0xB7ED | 0xFF0C0000 | - | Gets the error log
fancon | 0xD26D | 0x0D000000 | - | Does nothing
fanconautotype | 0xC075 | 0xDD0C0000 | - | Does nothing
fanconmode | 0xBF35 | 0xDD0C0000 | get | Fan control mode
fanconpolicy | 0xBBC9 | 0xDD0C0000 | get/set, getini/setini | Fan control policy
fandiag | 0x1E91B | 0xF0000000 | - | Fan test
faninictrl | 0xD3D9 | 0x0D000000 | - | Does nothing
fanpol | 0xCA31 | 0xDD0C0000 | - | Does nothing
fanservo | 0xBF29 | 0xDD0C0000 | - | Does nothing
fantbl | 0xC087 | 0xDD0C0000 | get/set, getini/setini, getselect/setselect | Fan table
firmud | 0xD61D | 0xFDFF0000 | - | Firmware update
geterrlog | 0xB84F | 0xDD0C0000 | [id] | Gets error log
getrtc | 0xA6F3 | 0xDD0C0000 | - | Gets rtc
halt | 0x1E107 | 0xF0000000 | - | Halts syscon
hdmi | 0x29F39 | 0xDD0C0000 | ... | HDMI (various commands, use help)
hdmiid | 0x29D1D | 0xDC0F0000 | - | Get HDMI id's
hdmiid2 | 0x29D81 | 0xDC0F0000 | - | Get HDMI id's
hversion | 0x2422F | 0xDD0C0000 | - | Platform ID
hyst | 0xAEF5 | 0xDD0C0000 | get/set, getini/setini | Temperature zones
lasterrlog | 0xB7FF | 0xDD0C0000 | - | Last error from log
ledmode | 0xA80B | 0xDC0C0000 | [id] [id] | Get led mode
LS | 0x2421B | 0xDD0C0000 | - | LabStation Mode
ltstest | 0xCB97 | 0xDD0C0000 | get/set be/rsx | ?Temp related? values
osbo | 0x1EA3F | 0xF0000000 | - | Sets 0x2000F60
patchcsum | 0xD9F7 | 0xDD0C0000 | - | Patch checksum
patchvereep | 0xD9B1 | 0xDD0C0000 | - | Patch version eeprom
patchverram | 0xD965 | 0xDD0C0000 | - | Patch version ram
poll | 0x240E3 | 0xDD0C0000 | - | Poll log
portscan | 0xDA0D | 0xDD0C0000 | [port] | Scan port (NOT WORKING?)
powbtnmode | 0xB911 | 0xDC0C0000 | [mode (0/1)] | Power button mode
powerstate | 0xCE6F | 0xDD0C0000 | - | Get power state
powersw | 0xD5F9 | 0xFD0F0000 | - | Power switch
powupcause | 0xB621 | 0xDD0C0000 | - | Power up cause
printmode | 0x99D9 | 0xDC0C0000 | [mode (0/1/2/3)] | Set printmode
printpatch | 0xD94F | 0xDD0C0000 | - | Prints patch
r | 0x8CA5 | 0xDD0C0000 | [offset] [length] | Read byte from SC
r16 | 0x8ED5 | 0xDD0C0000 | [offset] [length] | Read word from SC
r32 | 0x9191 | 0xDD0C0000 | [offset] [length] | Read dword from SC
r64 | 0x935D | 0xDD0C0000 | [offset] [length] | Read qword from SC
r64d | 0x948F | 0xDD0C0000 | [offset] [length] | Read ?qword data? from SC
rbe | 0x96F9 | 0xDD0C0000 | [offset] | Read from BE
recv | 0x24135 | 0xDD0C0000 | - | Receive something
resetsw | 0xD605 | 0xFC0F0000 | - | Reset switch
restartlogerrtoeep | 0xB903 | 0xDD0C0000 | - | Reenable error logging to eeprom
revision | 0xD7E1 | 0xFFFF0000 | - | Get softid
rrsxc | 0xD313 | 0xDD0C0000 | [offset] [length] | Read from RSX
rtcreset | 0xA7BB | 0x000C0000 | - | Reset RTC
scagv2 | 0xE24F | 0xFF000000 | - | Auth related?
scasv2 | 0xE207 | 0xDD000000 | - | Auth related?
scclose | 0xE1EF | 0xFF000000 | - | Auth related?
scopen | 0xE121 | 0xFF000000 | - | Auth related?
send | 0x2416F | 0xDD0C0000 | [variable] | Send something
shutdown | 0xD5C5 | 0xFD0F0000 | - | PS3 shutdown
startlogerrtsk | 0xB8E7 | 0xDD0C0000 | - | Start error log task
stoplogerrtoeep | 0xB8F5 | 0xDD0C0000 | - | Stop error logging to eeprom
stoplogerrtsk | 0xB8D9 | 0xDD0C0000 | - | Stop error log task
syspowdown | 0xB6E9 | 0xDD0C0000 | 3 params | System power down
task | 0x15005 | 0xDD0C0000 | - | Print tasks
thalttest | 0xD813 | 0x000F0000 | - | Does nothing
thermfatalmode | 0xCA3B | 0xDD0C0000 | canboot/cannotboot | Set thermal boot mode
therrclr | 0xD3E5 | 0xDD0C0000 | - | Thermal register clear
thrm | 0xBF1D | 0xDD0C0000 | - | Does nothing
tmp | 0xAA69 | 0xDD0C0000 | [zone] | Get temperature
trace | 0xB951 | 0xDD0C0000 | ... | Trace tasks (use help)
trp | 0xAB2F | 0xDD0C0000 | get/set, getini/setini | Temperature zones
tsensor | 0xA279 | 0xDD0C0000 | [sensor] | Get raw temperature
tshutdown | 0xB2A1 | 0xDD0C0000 | get/set, getini/setini | Thermal shutdown
tshutdowntime | 0xC95D | 0xDD0C0000 | [time] | Thermal shutdown time
tzone | 0xB5E1 | 0xDD0C0000 | - | Show thermal zones
version | 0xD65F | 0xFFFF0000 | - | SC firmware version
w | 0x8BF9 | 0xDD0C0000 | [offset] [value] | Write byte to SC
w16 | 0x8E2D | 0xDD0C0000 | [offset] [value] | Write word to SC
w32 | 0x8FED | 0xDD0C0000 | [offset] [value] | Write dword to SC
w64 | 0x92A9 | 0xDD0C0000 | [offset] [value] | Write qword to SC
wbe | 0x9665 | 0xDD0C0000 | [offset] [value] | Write to BE
wmmto | 0xCB3B | 0xDC0C0000 | get | Get watch dog timeout
wrsxc | 0xD279 | 0xDD0C0000 | [offset] [value] | Write to RSX
xdrdiag | 0x1E711 | 0xF0000000 | start, info, result | XDR diag
xiodiag | 0x1E875 | 0xF0000000 | - | XIO diag
xrcv | 0x25313 | 0xDC0C0000 | - | Xmodem receive
Code:
!!! WARNING !!!
!!! SYSCON RESET DETECTED !!!
Syscon Service Manager started.
Bringup Mode #0 (0xFF)
[WMM0] Watch module manager started.
[WMM1] Watch module manager started.
BD is available.
BE-SC Communication Module started.
[SSM] state: 0000 -> 0101
Bringup Mode #0 (0xFF)
[SSM] ssmCb_OnStartingBePowOn() called.
[SSM]Fake Eject.
[SSM] First Boot.
[SSM] Bringup mode : syspm_stat=00000000/00000000
[POWSEQ] PowerSeq_Setup called.
**************************
*** PowerSeq Step = 00 ***
**************************
**************************
*** PowerSeq Step = 01 ***
**************************
**************************
*** PowerSeq Step = 02 ***
**************************
**************************
*** PowerSeq Step = 03 ***
**************************
**************************
*** PowerSeq Step = 04 ***
**************************
**************************
*** PowerSeq Step = 05 ***
**************************
**************************
*** PowerSeq Step = 06 ***
**************************
**************************
*** PowerSeq Step = 07 ***
**************************
**************************
*** PowerSeq Step = 08 ***
**************************
**************************
*** PowerSeq Step = 09 ***
**************************
**************************
*** PowerSeq Step = 10 ***
**************************
**************************
*** PowerSeq Step = 20 ***
**************************
[SSM] state: 0101 -> 0201
[POWSEQ] AV Backend Setup
[SSM] state: 0201 -> 0102
**************************
*** PowerSeq Step = 21 ***
**************************
**************************
*** PowerSeq Step = 22 ***
**************************
[SSM] state: 0102 -> 0202
[SSM] state: 0202 -> 0103
**************************
*** PowerSeq Step = 23 ***
**************************
**************************
*** PowerSeq Step = 30 ***
**************************
[SSM] state: 0103 -> 0203
[SSM] ssmCb_BeforeBeOn() called.
BE_LIVELOCK_MODE:0xff
BE_LIVELOCK_ACTION:0x2
BE_LIVELOCK_QUIESCE:0xff
[SSM] state: 0203 -> 0104
**************************
*** PowerSeq Step = 31 ***
**************************
**************************
*** PowerSeq Step = 32 ***
**************************
**************************
*** PowerSeq Step = 40 ***
**************************
Psbd_SbTransMode_Full:0x20e2
**************************
*** PowerSeq Step = 50 ***
**************************
**************************
*** PowerSeq Step = 51 ***
**************************
**************************
*** PowerSeq Step = 52 ***
**************************
**************************
*** PowerSeq Step = 60 ***
**************************
[SSM] state: 0104 -> 0204
[SSM] state: 0204 -> 0105
**************************
*** PowerSeq Step = 61 ***
**************************
**************************
*** PowerSeq Step = 62 ***
**************************
**************************
*** PowerSeq Step = FF ***
**************************
[SSM] state: 0105 -> 0400
(PowerOn State)
[SERV NVS] READ CMD
[INFO]: trace level 3
[INFO]: timebase_clock 04c4b400(4f)
check_board_version: Cyt2 is false. Cyt3.2
check_board_version: Cyt3 is true. Cyt3.2
livelock_detection is enable.
be::setup_default(true)
sb::setup_default(true)
rs::setup_default(true)
exist RS
Boot Loader SE Version 0.8.5 (Build ID: 1257,12300, Build Data: 2006-07-06_02:22:23)
Copyright(C) 2006 Sony Computer Entertainment Inc.All Rights Reserved.
[INFO]: xdr::query_config (basic) returns 0x00000000
[INFO]: query_system_power_up_cause returns successfully.
[INFO]: requested_os_context: 0x00
[INFO]: current_os_context : 0x00
[INFO]: requested_gr_context: 0x00
[INFO]: current_gr_context : 0x00
[INFO]: last_shutdown_cause : 0x00
[INFO]: wake_source : 0x00000004
[INFO]: b_str: bool(0)
[INFO]: xio_ref_clk: 400 MHz
[INFO]: be_ref_clk: 400 MHz
[INFO]: be_pll_multiplier: 8
[INFO]: dump basic_config byte stream: size 128
04:02:10:20:08:00:00:01:80:00:ff:c0:32:00:06:11:
01:70:7c:fe:48:20:00:00:01:e0:62:84:05:5a:d6:b0:
5d:70:71:80:02:10:00:00:0a:96:3d:60:e1:c0:c8:00:
00:00:00:00:00:00:00:00:ed:d6:12:29:59:4b:a6:b4:
53:49:ac:b6:88:c4:62:20:00:00:00:00:00:40:00:00:
08:a0:0c:a0:14:79:18:79:00:58:00:80:00:01:fc:01:
00:06:00:0f:fc:0a:00:06:00:0f:37:00:00:3f:23:28:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
[INFO]: ------------------------------- dump end
[SERV SETCFG] XDR (CH0,CH1) ASSERT
[SERV SETCFG] XDR (CH0,CH1) DEASSERT
[WMM1] timeout.(1344)
[INFO]: XDR Link successfully initilized.
check_board_version: Cyt2 is false. Cyt3.2
check_board_version: Cyt3 is true. Cyt3.2
check_board_version: Cyt1 is false. Cyt3.2
check_board_version: Cyt2 is false. Cyt3.2
check_board_version: Cyt3 is true. Cyt3.2
[INFO]: flash format 1
[INFO] is_boot_memory_type_nand type 257
[INFO]: DX configuration start.
copy_to_main_memory: src 2401fc40200, size 000003e0
copy_to_main_memory: start_sector 00000201, sector_count 00000002
copy_to_main_memory: copied_addr 01010080, offset 00000480
copy_to_main_memory: src 2401fcc0000, size 00000020
copy_to_main_memory: start_sector 00000600, sector_count 00000001
copy_to_main_memory: copied_addr 01010480, offset 00000680
copy_to_main_memory: src 240203c0010, size 000003e0
copy_to_main_memory: start_sector 00003e00, sector_count 00000002
copy_to_main_memory: copied_addr 01010690, offset 00000a80
copy_to_main_memory: src 24020476ea0, size 0004b550
copy_to_main_memory: start_sector 000043b7, sector_count 0000025b
copy_to_main_memory: copied_addr 01010b20, offset 0004c080
[INFO]: Connecting to Debug Device (CP)
[SERV NVS] READ CMD
[INFO]: trace level 3
[INFO]: timebase_clock 04c4b400(4f)
memory_budget::initialize: addr = 0x56000, size = 0x6c000
memory_budget::initialize: addr = 0x1c000000, size = 0x4000000
allocate (0x400, 0x1000)
allocate (0x3000, 0x1000)
allocate (0x110000, 0x10000)
ea_addr_ss2 0x000000001c010000, m_io_addr_ss2 0x0000000000000000, size_ss2 00100080, allocate_size 00110000
allocate (0x8000, 0x80)
allocate (0x8000, 0x80)
devpm_version 0101
[SERV DEVPM] GET_PCI_BUS_POWER_STATE CMD
get_power_status<pci_bus> status 0
set_power_status<pci_bus> on
[SERV DEVPM] CONTROL_PCI_BUS_POWER_STATE CMD
[WMM1] timeout.(432)
[SERV DEVPM] GET_PCI_BUS_POWER_STATE CMD
set_power_status<pci_bus> success
allocate (0x100000, 0x1000)
get pif5 parameter. cp_version(00000000_00000808), param(02010000_00000000)
[INFO]: force standalone mode
allocate (0x12000, 0x1000)
allocate (0x12000, 0x1000)
allocate (0x12000, 0x1000)
output: debugI/F was selected
[SERV NVS] WRITE CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
---- Cytology-Genri2 BOARD CONFIGURATION ----
BE VRM:FF
RS VRM:FF
BE VRM 2ND:FF
XCG BE:FF RS:FF RRAC:20 XDR:FF
USE_XCG2:TRUE (00)
XCG2 BE 5:84 6:16
XCG2 RS 5:FF 6:FF
XCG2 XDR 5:84 6:16
SB_TRANS_MODE:FULL (01)
USE_RS:TRUE (00)
USE_SB_CHECKSTOP:TRUE (00)
SB IOIF RESET:TRUE (FF)
BE_CHIP_VER:DD3.1
SB_CHIP_VER:#3.2
RS_CHIP_VER:RSX B01
SECU_OVER:NONE
BE_PLL_ENABLE:DISABLE
BE_PLL:FF FF FF FF FF FF FF FF
MASTER SPU:00
-----------------------------------
List of EID1 key offsets and their functions:
+ 0x150: authenticated regions (fun stuff) (0x400)
+ 0x160: 0x2710 (0x40)
+ 0x170: 0x2760 (0x20)
+ 0x180: 0x2790 (0x20)
+ 0x190: 0x26B0, 0x26E0, 0x26F0 (0x10)
+ 0x1A0: 0x26C0 (0x10)
+ 0x1B0: 0x26D0 (0x10)
+ 0x140: patch key generation (0x10*2)
Needless and pointless to say, the confusion being created around these keys, that they will be useful for CFW on PS3 3k and Super Slim, is a very far-fetched idea. Unless we have access to the TSOP 78K0R models, we will not be able to obtain anything else.
The only glimmer of hope is that a flaw in the ARM FW leads us to the ability to dump the 78K0R version SC FW. Other than that, the 78K0R (predecessor to the RL78) is locked up tight: debugger via flash sequencer (not code) vs. vulnerable OCD ROM (on the PS4 RL78), which made glitching possible.
Knowledge of SC interfaces on ARM can lead to possible glitching attacks, or maybe code injection on a 78K0R.
FYI, SCA like DPA/CPA on the 78K0R is not possible due to the elimination of external EEPROM I/O on its packaging. No control over crypto input means no effect on the power signal for crypto and thus nothing to correlate with.
Here's a script that derives the keys for SC patches on the wiki backwards:
Download: patch.py (2.74 KB)
As you can see from the output it produces, the keys are generated by XORing a 16-byte sentence containing the soft ID in decimal form (ranging from 0000 to 3899) with two keys, then encrypting the result to generate the final key.
Download: encrypt.py (1.16 KB - signing script for PS3 SC full firmware)
Download: keyvault_dumper.rar (390.72 KB - keyvault dumper SC fw and usage)
From Pastebin.com: PowerOn Reset DECR
Code:
[SSM] state: 0000 -> 0101
Bringup Mode #0 (0xFF)
[SSM] ssmCb_OnStartingBePowOn() called.
[SSM] Bringup mode : syspm_stat=00000000/00000000
[POWSEQ] PowerSeq_Setup called.
**************************
*** PowerSeq Step = 00 ***
**************************
**************************
*** PowerSeq Step = 01 ***
**************************
**************************
*** PowerSeq Step = 02 ***
**************************
**************************
*** PowerSeq Step = 03 ***
**************************
**************************
*** PowerSeq Step = 04 ***
**************************
**************************
*** PowerSeq Step = 05 ***
**************************
**************************
*** PowerSeq Step = 06 ***
**************************
**************************
*** PowerSeq Step = 07 ***
**************************
**************************
*** PowerSeq Step = 08 ***
**************************
**************************
*** PowerSeq Step = 09 ***
**************************
**************************
*** PowerSeq Step = 10 ***
**************************
**************************
*** PowerSeq Step = 20 ***
**************************
[SSM] state: 0101 -> 0201
[POWSEQ] AV Backend Setup
[SSM] state: 0201 -> 0102
**************************
*** PowerSeq Step = 21 ***
**************************
**************************
*** PowerSeq Step = 22 ***
**************************
[SSM] state: 0102 -> 0202
[SSM] state: 0202 -> 0103
**************************
*** PowerSeq Step = 23 ***
**************************
**************************
*** PowerSeq Step = 30 ***
**************************
[SSM] state: 0103 -> 0203
[SSM] ssmCb_BeforeBeOn() called.
BE_LIVELOCK_MODE:0xff
BE_LIVELOCK_ACTION:0x2
BE_LIVELOCK_QUIESCE:0xff
[SSM] state: 0203 -> 0104
**************************
*** PowerSeq Step = 31 ***
**************************
**************************
*** PowerSeq Step = 32 ***
**************************
**************************
*** PowerSeq Step = 40 ***
**************************
Psbd_SbTransMode_Full:0x20e2
**************************
*** PowerSeq Step = 50 ***
**************************
**************************
*** PowerSeq Step = 51 ***
**************************
**************************
*** PowerSeq Step = 52 ***
**************************
**************************
*** PowerSeq Step = 60 ***
**************************
[SSM] state: 0104 -> 0204
[SSM] state: 0204 -> 0105
**************************
*** PowerSeq Step = 61 ***
**************************
**************************
*** PowerSeq Step = 62 ***
**************************
**************************
*** PowerSeq Step = FF ***
**************************
[SSM] state: 0105 -> 0400
(PowerOn State)
[SERV NVS] READ CMD
Boot Loader SE Version 0.8.5 (Build ID: 1257,12300, Build Data: 2006-07-06_02:22:23)
Copyright(C) 2006 Sony Computer Entertainment Inc.All Rights Reserved.
[SERV SETCFG] XDR (CH0,CH1) ASSERT
[SERV SETCFG] XDR (CH0,CH1) DEASSERT
[INFO]: Connecting to Debug Device (CP)
[SERV NVS] READ CMD
[SERV DEVPM] GET_PCI_BUS_POWER_STATE CMD
[SERV DEVPM] CONTROL_PCI_BUS_POWER_STATE CMD
[SERV DEVPM] GET_PCI_BUS_POWER_STATE CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV THERM] NOTIFY_MODE CMD
POWER Button released
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NOTIF] CONTROL_BD_HDD_LED
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[WMM1] timeout.(104)
POWER Button pressed
[SERV NOTIF] RING_BUZZER
[SERV NOTIF] CONTROL_LED
POWER Button released
[SERV THERM] NOTIFY_MODE CMD
[SERV NVS] WRITE CMD
[SERV NVS] READ CMD
[SERV DEVPM] CONTROL_PCI_BUS_POWER_STATE CMD
[SSM] state: 0400 -> 0500
[POWSEQ] AV Backend Letup
[SSM] ssmCb_AfterBeOn() called.
[SSM] Shutdown mode ... req_wake_src = 000002F4, ctxt=00/00
[SSM] Shutdown mode : syspm_stat=00000000/00000000
[POWSEQ] PowerSeq_Letup called.
[SSM] state: 0500 -> 0000
(PowerOff State)
PS3 CELL BE JTAG connector (RISCWatch) documentation: PS3 CELL BE RISCWatch Connection:
Code:
PS3 CELL BE RISCWatch Connection
MPU-501 J1001
-> Standard RISCWatch connector
TMU-520 CN1001 (few missing resistors)
1 +POWER
2 /TRST
3 TDI
4 TDO
5 TMS
6 TCK
7 N.C.
8 GND
9 /HRESET
10 /CKSTP_OUT
COK-00x Testpoints (no CN)
/HRESET CL1102
TDO CL1103
TDI CL1104
TCK CL1105
TMS CL1106
/TRST CL1107
/CKSTP_OUT CN4009#24
+POWER CN4009#27 add 1K resistor in series
GND CN4009#29
SEM-001 CN1001
1 TDI
2 /TRST
3 TCK
4 TMS
5 TDO
6 /HRESET
7 /CKSTP_OUT
8 /HRESET
9 POWER_GOOD
10 GND
11 +POWER add 1K resistor in series
12 GND
Note: Can also be found on later models,
excluding superslim
RISCWatch RS-232 RJ12 Pinout (LtR)
1 N.C.
2 CTS
3 TX
4 GND
5 RX
6 RTS
Spec: 9600 baud, 8N1
Just added second layer decryption to PS3 decrypt tools. You can use it now as a C program if you fancy that more.
Download: snvs_decrypt (snvs_decrypt.exe) by Sorvigolova (tool that decrypts SNVS from an EEPROM full dump taken with hardware flasher)
Download: TIME.py (2.77 KB)
Download: GARBAGE.py (1000 Bytes - script that generates the garbage that is not used in syscon eeprom.)
Download: INIT.py (4.16 KB - init script that decrypts the initialization (personalization) sections from eeprom and verifies their cmac (from 0x2A0 to 0x360))
Download: ram_dumps.7z (16.58 KB - PS3 syscon ram dumps for help with RE)
How to dump the complete CXR Syscon flash:
Code:
*0x3800000 = 0x05;
*0x1005554 = 0x55;
*0x100AAAA = 0xA0;
Read 0x1000000-0x107FFFF:
0x1000000-0x101FFFF Backup Bank
0x1020000-0x107FFFF Main Bank
Download: cok-001_firmware.bin (384 KB)
Download: 0xF9F00 - 0xFFEE0_with_zeroes.bin (1023.72 KB)
Download: DEB-001_rom.bin (384 KB)
These patches allow you to read/write the whole PS3 CXR Syscon EEPROM from the CELL (via the Device Access Service) or using the UART interface and the r8/w8 commands: From Pastebin.com: PS3 Syscon (Mullion Sherwood) script
Code:
from binascii import unhexlify as uhx
from Crypto.Cipher import AES # pycryptodome
import os
import serial # pyserial
import string
import sys
import time

class PS3UART(object):
    ser = serial.Serial()
    type = ''
    sc2tb = uhx('71f03f184c01c5ebc3f6a22a42ba9525') # Syscon to TestBench Key (0x130 xor 0x4578)
    tb2sc = uhx('907e730f4d4e0a0b7b75f030eb1d9d36') # TestBench to Syscon Key (0x130 xor 0x4588)
    value = uhx('3350BD7820345C29056A223BA220B323') # 0x45B8
    zero = uhx('00000000000000000000000000000000')
    auth1r_header = uhx('10100000FFFFFFFF0000000000000000')
    auth2_header = uhx('10010000000000000000000000000000')

    def aes_decrypt_cbc(self, key, iv, in_data):
        return AES.new(key, AES.MODE_CBC, iv).decrypt(in_data)

    def aes_encrypt_cbc(self, key, iv, in_data):
        return AES.new(key, AES.MODE_CBC, iv).encrypt(in_data)

    def __init__(self, port, type):
        self.ser.port = port
        if(type == 'CXR' or type == 'SW'):
            self.ser.baudrate = 57600
        elif(type == 'CXRF'):
            self.ser.baudrate = 115200
        else:
            assert(False)
        self.type = type
        self.ser.timeout = 0.1
        self.ser.open()
        assert(self.ser.isOpen())
        self.ser.flush()

    def __del__(self):
        self.ser.close()

    def send(self, data):
        self.ser.write(data.encode('ascii'))

    def receive(self):
        return self.ser.read(self.ser.inWaiting())

    def command(self, com, wait = 1, verbose = False):
        if(verbose):
            print('Command: ' + com)
        # Framing differs per board: CXR prefixes 'C:<checksum>:', SW appends ':<checksum>'
        if(self.type == 'CXR'):
            length = len(com)
            checksum = sum(bytearray(com, 'ascii')) % 0x100
            if(length <= 10):
                self.send('C:{:02X}:{}\r\n'.format(checksum, com))
            else:
                j = 10
                self.send('C:{:02X}:{}'.format(checksum, com[0:j]))
                for i in range(length - j, 15, -15):
                    self.send(com[j:j+15])
                    j += 15
                self.send(com[j:] + '\r\n')
        elif(self.type == 'SW'):
            length = len(com)
            if(length >= 0x40):
                if(self.command('SETCMDLONG FF FF')[0] != 0):
                    return (0xFFFFFFFF, ['Setcmdlong'])
            checksum = sum(bytearray(com, 'ascii')) % 0x100
            self.send('{}:{:02X}\r\n'.format(com, checksum))
        else:
            self.send(com + '\r\n')
        time.sleep(wait)
        answer = self.receive().decode('ascii').strip()
        if(verbose):
            print('Answer: ' + answer)
        if(self.type == 'CXR'):
            # Reply is 'R:<checksum>:<data>' (ok) or 'E:<checksum>:<data>' (error)
            answer = answer.split(':')
            if(len(answer) != 3):
                return (0xFFFFFFFF, ['Answer length'])
            checksum = sum(bytearray(answer[2], 'ascii')) % 0x100
            if(answer[0] != 'R' and answer[0] != 'E'):
                return (0xFFFFFFFF, ['Magic'])
            if(answer[1] != '{:02X}'.format(checksum)):
                return (0xFFFFFFFF, ['Checksum'])
            data = answer[2].split(' ')
            if(answer[0] == 'R' and len(data) < 2 or answer[0] == 'E' and len(data) != 2):
                return (0xFFFFFFFF, ['Data length'])
            if(data[0] != 'OK' or len(data) < 2):
                return (int(data[1], 16), [])
            else:
                return (int(data[1], 16), data[2:])
        elif(self.type == 'SW'):
            # Reply is one or more '<text>:<checksum>' lines; the last one carries the status
            answer = answer.split('\n')
            for i in range(0, len(answer)):
                answer[i] = answer[i].replace('\n', '').rsplit(':', 1)
                if(len(answer[i]) != 2):
                    return (0xFFFFFFFF, ['Answer length'])
                checksum = sum(bytearray(answer[i][0], 'ascii')) % 0x100
                if(answer[i][1] != '{:02X}'.format(checksum)):
                    return (0xFFFFFFFF, ['Checksum'])
                answer[i][0] += '\n'
            ret = answer[-1][0].replace('\n', '').split(' ')
            if(len(ret) < 2 or len(ret[1]) != 8 and not all(c in string.hexdigits for c in ret[1])):
                return (0, [x[0] for x in answer])
            elif(len(answer) == 1):
                return (int(ret[1], 16), ret[2:])
            else:
                return (int(ret[1], 16), [x[0] for x in answer[:-1]])
        else:
            return (0, [answer])

    def auth(self):
        # Challenge-response: decrypt the AUTH1 body with sc2tb, swap the first two
        # 8-byte words, re-encrypt with tb2sc and send it back as AUTH2
        if(self.type == 'CXR' or self.type == 'SW'):
            auth1r = self.command('AUTH1 10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000')
            if(auth1r[0] == 0 and auth1r[1] != []):
                auth1r = uhx(auth1r[1][0])
                if(auth1r[0:0x10] == self.auth1r_header):
                    data = self.aes_decrypt_cbc(self.sc2tb, self.zero, auth1r[0x10:0x40])
                    if(data[0x8:0x10] == self.zero[0x0:0x8] and data[0x10:0x20] == self.value and data[0x20:0x30] == self.zero):
                        new_data = data[0x8:0x10] + data[0x0:0x8] + self.zero + self.zero
                        auth2_body = self.aes_encrypt_cbc(self.tb2sc, self.zero, new_data)
                        auth2r = self.command('AUTH2 ' + ''.join('{:02X}'.format(c) for c in bytearray(self.auth2_header + auth2_body)))
                        if(auth2r[0] == 0):
                            return 'Auth successful'
                        else:
                            return 'Auth failed'
                    else:
                        return 'Auth1 response body invalid'
                else:
                    return 'Auth1 response header invalid'
            else:
                return 'Auth1 response invalid'
        else:
            scopen = self.command('scopen')
            if('SC_READY' in scopen[1][0]):
                auth1r = self.command('10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000')
                auth1r = auth1r[1][0].split('\r')[1][1:]
                if(len(auth1r) == 128):
                    auth1r = uhx(auth1r)
                    if(auth1r[0:0x10] == self.auth1r_header):
                        data = self.aes_decrypt_cbc(self.sc2tb, self.zero, auth1r[0x10:0x40])
                        if(data[0x8:0x10] == self.zero[0x0:0x8] and data[0x10:0x20] == self.value and data[0x20:0x30] == self.zero):
                            new_data = data[0x8:0x10] + data[0x0:0x8] + self.zero + self.zero
                            auth2_body = self.aes_encrypt_cbc(self.tb2sc, self.zero, new_data)
                            auth2r = self.command(''.join('{:02X}'.format(c) for c in bytearray(self.auth2_header + auth2_body)))
                            if('SC_SUCCESS' in auth2r[1][0]):
                                return 'Auth successful'
                            else:
                                return 'Auth failed'
                        else:
                            return 'Auth1 response body invalid'
                    else:
                        return 'Auth1 response header invalid'
                else:
                    return 'Auth1 response invalid'
            else:
                return 'scopen response invalid'

def main(argc, argv):
    if(argc < 3):
        print(os.path.basename(__file__) + ' <serial port> <sc type ["CXR", "CXRF", "SW"]>')
        sys.exit(1)
    ps3 = PS3UART(argv[1], argv[2])
    raw_input_c = vars(__builtins__).get('raw_input', input)
    while True:
        in_data = raw_input_c('> ')
        if(in_data.lower() == 'auth'):
            print(ps3.auth())
            continue
        if(in_data.lower() == 'exit'):
            break
        ret = ps3.command(in_data)
        if(argv[2] == 'CXR'):
            print('{:08X}'.format(ret[0]) + ' ' + ' '.join(ret[1]))
        elif(argv[2] == 'SW'):
            if(len(ret[1]) > 0 and '\n' not in ret[1][0]):
                print('{:08X}'.format(ret[0]) + ' ' + ' '.join(ret[1]))
            else:
                print('{:08X}'.format(ret[0]) + '\n' + ''.join(ret[1]))
        else:
            # the answer was already decoded to str in command(); a second decode() fails on Python 3
            print(ret[1][0])

if __name__ == '__main__':
    main(len(sys.argv), sys.argv)
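The script above talks to the board through two different ASCII framings (CXR: `C:<checksum>:<command>`, SW: `<command>:<checksum>`), each protected only by a byte-sum checksum that the reply must also carry. The following is an added example, not the script from the page: a dependency-free model of those two framings that can be exercised offline, so the checksum rule and the reply parsing can be checked without a serial port. The message shapes and error names follow the script; `model_reply` and every sample reply are constructed for illustration, not captured from hardware, and the helper does not reproduce the script's chunking of CXR commands longer than 10 bytes.

```python
# Added example (not the page's script): offline model of the CXR and SW UART
# framings used by PS3UART.command(). No serial access; all replies are built
# locally by model_reply() and are constructed samples, not captured output.


def frame_checksum(text):
    """Byte sum of the ASCII payload modulo 0x100, as both framings use it."""
    return sum(text.encode('ascii')) % 0x100


def cxr_frame(command):
    """CXR boards send 'C:<sum>:<cmd>\\r\\n'; the checksum covers only <cmd>."""
    return 'C:{:02X}:{}\r\n'.format(frame_checksum(command), command).encode('ascii')


def cxr_parse(raw):
    """Parse a CXR reply 'R:<sum>:<body>' (ok) or 'E:<sum>:<body>' (error).
    Returns (status, extra_fields); raises ValueError with the same wording the
    script uses for the corresponding failure."""
    parts = raw.decode('ascii').strip().split(':')
    if len(parts) != 3:
        raise ValueError('Answer length')
    magic, cksum, body = parts
    if magic not in ('R', 'E'):
        raise ValueError('Magic')
    if cksum != '{:02X}'.format(frame_checksum(body)):
        raise ValueError('Checksum')
    data = body.split(' ')
    if (magic == 'R' and len(data) < 2) or (magic == 'E' and len(data) != 2):
        raise ValueError('Data length')
    return int(data[1], 16), data[2:]


def sw_frame(command):
    """SW boards send '<cmd>:<sum>\\r\\n'; the checksum trails the payload."""
    return '{}:{:02X}\r\n'.format(command, frame_checksum(command)).encode('ascii')


def sw_parse(raw):
    """Parse an SW reply of one or more '<text>:<sum>' lines. The last line is
    '<name> <8-hex-digit status> ...'. Returns (status, lines) where lines are
    the preceding output lines, or the trailing fields for a one-line reply."""
    lines = []
    for line in raw.decode('ascii').strip().split('\n'):
        text, sep, cksum = line.rstrip('\r').rpartition(':')
        if not sep:
            raise ValueError('Answer length')
        if cksum != '{:02X}'.format(frame_checksum(text)):
            raise ValueError('Checksum')
        lines.append(text)
    last = lines[-1].split(' ')
    if len(last) < 2 or len(last[1]) != 8:
        return 0, lines
    status = int(last[1], 16)
    return (status, last[2:]) if len(lines) == 1 else (status, lines[:-1])


def model_reply(magic, body):
    """Build a well-formed CXR reply for a constructed body (a stand-in for the
    board; only used to feed the parsers above)."""
    return '{}:{:02X}:{}\r\n'.format(magic, frame_checksum(body), body).encode('ascii')


if __name__ == '__main__':
    print(cxr_frame('version'))                       # constructed request
    print(cxr_parse(model_reply('R', 'OK 00000000')))  # constructed reply
    print(sw_frame('version'))
```

The checksum is a plain byte sum, so it catches line noise but offers no integrity against a deliberate change of the command or reply text; the AUTH1/AUTH2 exchange in `auth()` is what actually gates the privileged commands.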
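The `auth()` method above is a symmetric-key challenge-response: the syscon answers AUTH1 with a header and an AES-CBC body under the sc2tb key, the testbench decrypts it, checks the fixed layout, swaps the two leading 8-byte words, re-encrypts under the tb2sc key and sends that back as AUTH2. The following is an added example, not code from the page or its author: both sides of that exchange modelled in one process, using the keys, headers and layout checks the script uses, together with a handshake driver that shows what a wrong key or a bit flipped in transit does. How the real syscon builds its challenge and verifies AUTH2 is not on the page; `ModelSyscon` is an assumption reconstructed from what the testbench side expects, and its `challenge` bytes are constructed for the test.

```python
# Added example (not the page's script): offline model of the AUTH1/AUTH2
# exchange performed by PS3UART.auth(). The syscon side (ModelSyscon) is an
# ASSUMPTION derived from the checks the testbench side makes; keys and headers
# are the ones listed in the script on the page.
import os
from Crypto.Cipher import AES  # pycryptodome, as used by the page's script

SC2TB = bytes.fromhex('71f03f184c01c5ebc3f6a22a42ba9525')  # syscon -> testbench
TB2SC = bytes.fromhex('907e730f4d4e0a0b7b75f030eb1d9d36')  # testbench -> syscon
VALUE = bytes.fromhex('3350BD7820345C29056A223BA220B323')
ZERO = bytes(16)
AUTH1R_HEADER = bytes.fromhex('10100000FFFFFFFF0000000000000000')
AUTH2_HEADER = bytes.fromhex('10010000000000000000000000000000')


def cbc(key, data, encrypt):
    """AES-CBC with the all-zero IV the script uses; data is three blocks (0x30)."""
    cipher = AES.new(key, AES.MODE_CBC, ZERO)
    return cipher.encrypt(data) if encrypt else cipher.decrypt(data)


class ModelSyscon:
    """Constructed syscon side (assumption): it keeps an 8-byte challenge and
    accepts AUTH2 only if the peer echoed it back, moved into bytes 8..16."""

    def __init__(self, challenge=None):
        self.challenge = challenge if challenge is not None else os.urandom(8)
        self.authenticated = False

    def auth1_response(self):
        # Layout the testbench checks: challenge | 8 zero bytes | VALUE | 16 zero bytes
        body = self.challenge + ZERO[:8] + VALUE + ZERO
        return AUTH1R_HEADER + cbc(SC2TB, body, True)

    def check_auth2(self, packet):
        if len(packet) != 0x40 or packet[:0x10] != AUTH2_HEADER:
            return False
        data = cbc(TB2SC, packet[0x10:0x40], False)
        self.authenticated = (data[0:8] == ZERO[:8]
                              and data[8:16] == self.challenge
                              and data[16:48] == ZERO + ZERO)
        return self.authenticated


def testbench_answer(auth1r, tb2sc_key=TB2SC):
    """Testbench side, with the same checks the script's auth() performs;
    raises where the script returns the matching error string."""
    if len(auth1r) != 0x40 or auth1r[:0x10] != AUTH1R_HEADER:
        raise ValueError('Auth1 response header invalid')
    data = cbc(SC2TB, auth1r[0x10:0x40], False)
    if not (data[8:16] == ZERO[:8] and data[16:32] == VALUE and data[32:48] == ZERO):
        raise ValueError('Auth1 response body invalid')
    new_data = data[8:16] + data[0:8] + ZERO + ZERO   # swap the two leading words
    return AUTH2_HEADER + cbc(tb2sc_key, new_data, True)


def run_handshake(challenge=None, tb2sc_key=TB2SC, tamper=False):
    """Drive one exchange; True only if the model syscon accepts AUTH2."""
    sc = ModelSyscon(challenge)
    auth2 = testbench_answer(sc.auth1_response(), tb2sc_key)
    if tamper:  # flip one bit of the last ciphertext byte in transit
        auth2 = auth2[:-1] + bytes([auth2[-1] ^ 0x01])
    return sc.check_auth2(auth2)


if __name__ == '__main__':
    print('listed keys      :', run_handshake())
    print('wrong TB2SC key  :', run_handshake(tb2sc_key=bytes(16)))
    print('tampered in flight:', run_handshake(tamper=True))
```

What the model makes visible is that the whole protection is the secrecy of two fixed keys stored in both firmware images: any party holding them passes, the 8-byte challenge is the only freshness, and nothing in the exchange binds it to a particular board or session.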