PS4 Jailbreaking | Thread starter: PSXHAX | Start date: Oct 22, 2018 at 4:28 AM
Following the PS4 Syscon decapping, the PS4 Aux Hax research and his recent PS4 HEN version 1.8 live demo (GIT, added to PS4 Exploit Host v0.4.6 Alpha1), PlayStation 4 developer @zecoxao today shared via Twitter his latest GitHub commit, dubbed Siscon: a decrypter for PS4 Syscon (System Controller) firmware updates that lets scene devs compare and examine the decrypted images further.

Download: siscon-master.zip / GIT / PS4 Syscon Research & Development Repository

As mentioned in the Tweets embedded below, he reminds those planning to use it that it "decrypts syscon fw updates from PS4 devkit consoles (you need to provide the keys yourself, but they're not hard to find)".

PS4 HEN 1.8 via mohammadfadel
Download: ps3_syscon_decrypt_tool.py (828 Bytes - script by SocraticBliss; at the moment it only decrypts the dia-002/deb-001 patch)
PS3 TMU Syscon command list, including handler addresses and required permissions (Pastebin.com). The Address column here is the raw 32-bit value as it was read out of the dump; the handler pointers are stored little-endian, so byte-swapping the raw value gives the handler offset used in the updated list further below (0xf98b0000 for w corresponds to 0x8BF9):
Code:
Command              Address      Permission
w                    0xf98b0000   0xDD0C0000
r                    0xa58c0000   0xDD0C0000
w16                  0x2d8e0000   0xDD0C0000
r16                  0xd58e0000   0xDD0C0000
w32                  0xed8f0000   0xDD0C0000
r32                  0x91910000   0xDD0C0000
w64                  0xa9920000   0xDD0C0000
r64                  0x5d930000   0xDD0C0000
r64d                 0x8f940000   0xDD0C0000
wbe                  0x65960000   0xDD0C0000
rbe                  0xf9960000   0xDD0C0000
boardconfig          0xc7990000   0xDC0C0000
comm                 0x19990000   0xDC0C0000
commt                0x07490200   0xDC0C0000
printmode            0xd9990000   0xDC0C0000
eepromcheck          0x1d9a0000   0x000C0000
eeprominit           0x659a0000   0x000C0000
hdmi                 0x399f0200   0xDD0C0000
xrcv                 0x13530200   0xDC0C0000
bepkt                0x5d430200   0xDC0C0000
task                 0x05500100   0xDD0C0000
duty                 0x239b0000   0xDD0C0000
tsensor              0x79a20000   0xDD0C0000
bepgoff              0xe7a40000   0xD00C0000
getrtc               0xf3a60000   0xDD0C0000
rtcreset             0xbba70000   0x000C0000
ledmode              0x0ba80000   0xDC0C0000
buzzpattern          0xb7a80000   0xDC0C0000
eepcsum              0x65aa0000   0xDD0C0000
tmp                  0x69aa0000   0xDD0C0000
trp                  0x2fab0000   0xDD0C0000
hyst                 0xf5ae0000   0xDD0C0000
tshutdown            0xa1b20000   0xDD0C0000
tzone                0xe1b50000   0xDD0C0000
errlog               0xedb70000   0xFF0C0000
lasterrlog           0xffb70000   0xDD0C0000
geterrlog            0x4fb80000   0xDD0C0000
clearerrlog          0xcbb80000   0xDD0C0000
stoplogerrtsk        0xd9b80000   0xDD0C0000
startlogerrtsk       0xe7b80000   0xDD0C0000
stoplogerrtoeep      0xf5b80000   0xDD0C0000
restartlogerrtoeep   0x03b90000   0xDD0C0000
trace                0x51b90000   0xDD0C0000
disp_err             0x11590200   0xDD0C0000
clear_err            0x5b590200   0xDD0C0000
printpatch           0x4fd90000   0xDD0C0000
patchverram          0x65d90000   0xDD0C0000
patchcsum            0xf7d90000   0xDD0C0000
patchvereep          0xb1d90000   0xDD0C0000
portscan             0x0dda0000   0xDD0C0000
powupcause           0x21b60000   0xDD0C0000
syspowdown           0xe9b60000   0xDD0C0000
powbtnmode           0x11b90000   0xDC0C0000
dve                  0x5d990200   0xDC0C0000
fanconpolicy         0xc9bb0000   0xDD0C0000
fanconmode           0x35bf0000   0xDD0C0000
fanconautotype       0x75c00000   0xDD0C0000
fantbl               0x87c00000   0xDD0C0000
tshutdowntime        0x5dc90000   0xDD0C0000
fanservo             0x29bf0000   0xDD0C0000
thrm                 0x1dbf0000   0xDD0C0000
fanpol               0x31ca0000   0xDD0C0000
thermfatalmode       0x3bca0000   0xDD0C0000
becount              0x7dca0000   0xDD0C0000
wmmto                0x3bcb0000   0xDC0C0000
ltstest              0x97cb0000   0xDD0C0000
fancon               0x6dd20000   0x0D000000
powerstate           0x6fce0000   0xDD0C0000
devpm                0x53d00000   0xDD0C0000
wrsxc                0x79d20000   0xDD0C0000
rrsxc                0x13d30000   0xDD0C0000
faninictrl           0xd9d30000   0x0D000000
therrclr             0xe5d30000   0xDD0C0000
poll                 0xe3400200   0xDD0C0000
recv                 0x35410200   0xDD0C0000
send                 0x6f410200   0xDD0C0000
LS                   0x1b420200   0xDD0C0000
hversion             0x2f420200   0xDD0C0000
bstatus              0x69420200   0xDD0C0000
buzz                 0xffa40000   0xDC0C0000
diag                 0xad9a0000   0xD00C0000
xdrdiag              0x11e70100   0xF0000000
xiodiag              0x75e80100   0xF0000000
fandiag              0x1be90100   0xF0000000
osbo                 0x3fea0100   0xF0000000
bestat               0x13d40000   0xFD0F0000
bringup              0x97d50000   0xFD0F0000
shutdown             0xc5d50000   0xFD0F0000
powersw              0xf9d50000   0xFD0F0000
resetsw              0x05d60000   0xFC0F0000
ejectsw              0x11d60000   0xFD0F0000
thalttest            0x13d80000   0x000F0000
bsn                  0x05d80000   0xF00F0000
firmud               0x1dd60000   0xFDFF0000
hdmiid               0x1d9d0200   0xDC0F0000
hdmiid2              0x819d0200   0xDC0F0000
version              0x5fd60000   0xFFFF0000
csum                 0x87d60000   0xFF0F0000
revision             0xe1d70000   0xFFFF0000
cp                   0x77e00100   0xF0000000
halt                 0x07e10100   0xF0000000
bootbeep             0x67ea0100   0xF0000000
scopen               0x21e10000   0xFF000000
scclose              0xefe10000   0xFF000000
scasv2               0x07e20000   0xDD000000
scagv2               0x4fe20000   0xFF000000
Download: patched105_for_DECR.bin (384.06 KB - patched DECR-1000 SC FW that allows you to run any packet as if it did not have restrictions)
Download: ps3_syscon_decrypt_tool.py (3.49 KB - PS3 syscon patch and full script for patch and full firmware decryption; made by SocraticBliss, improved by Anonymous and myself)
Updated version of the command list, including sub-commands/parameters and the function of each command (Pastebin.com):
Code:
Command              Address      Permission    Sub-Commands/Params            Function
becount              0xCA7D       0xDD0C0000    -                            Display bringup/shutdown count + Power-on time
bepgoff              0xA4E7       0xD00C0000    -                            BE power grid off
bepkt                0x2435D      0xDC0C0000    show                        Packet permissions
                                                set
                                                unset
                                                mode
                                                debug
                                                help
bestat               0xD413       0xFD0F0000    -                            Get status of BE
boardconfig          0x99C7       0xDC0C0000    -                            Displays board configuration                (NOT WORKING?)
bootbeep             0x1EA67      0xF0000000    stat                        Boot beep
                                                on
                                                off
bringup              0xD597       0xFD0F0000    -                            Turn PS3 on
bsn                  0xD805       0xF00F0000    -                            Get board serial number
bstatus              0x24269      0xDD0C0000    -                            HDMI related status
buzz                 0xA4FF       0xDC0C0000    [freq]                        Activate buzzer
buzzpattern          0xA8B7       0xDC0C0000    [freq] [pattern] [count]    Buzzer pattern
clear_err            0x2595B      0xDD0C0000    last                        Clear errors
                                                eeprom
                                                all
clearerrlog          0xB8CB       0xDD0C0000    -                            Clears error log
comm                 0x9919       0xDC0C0000    -                            Communication mode
commt                0x24907      0xDC0C0000    help                        Manual BE communication
                                                start
                                                stop
                                                send
cp                   0x1E077      0xF0000000    ready                        CP control commands
                                                busy
                                                reset
                                                beepremote
                                                beep2kn1n3
                                                beep2kn2n3
csum                 0xD687       0xFF0F0000    -                            Firmware checksum
devpm                0xD053       0xDD0C0000    ata/pci/pciex/rsx            Device power management
diag                 0x9AAD       0xD00C0000    ...                            Diag (execute without param to show help)    (NOT WORKING?)
disp_err             0x25911      0xDD0C0000    -                            Displays errors
duty                 0x9B23       0xDD0C0000    get/set                        Fan policy
                                                get/setmin
                                                get/setmax
                                                get/setinimin
                                                get/setinimax
dve                  0x2995D      0xDC0C0000    help                        DVE chip parameters
                                                set
                                                save
                                                show
eepcsum              0xAA65       0xDD0C0000    -                            Does nothing
eepromcheck          0x9A1D       0x000C0000    [id]                        Check eeprom
eeprominit           0x9A65       0x000C0000    [id]                        Init eeprom
ejectsw              0xD611       0xFD0F0000    -                            Eject switch
errlog               0xB7ED       0xFF0C0000    -                            Gets the error log
fancon               0xD26D       0x0D000000    -                            Does nothing
fanconautotype       0xC075       0xDD0C0000    -                            Does nothing
fanconmode           0xBF35       0xDD0C0000    get                            Fan control mode 
fanconpolicy         0xBBC9       0xDD0C0000    get/set                        Fan control policy
                                                getini/setini
fandiag              0x1E91B      0xF0000000    -                            Fan test 
faninictrl           0xD3D9       0x0D000000    -                            Does nothing
fanpol               0xCA31       0xDD0C0000    -                            Does nothing
fanservo             0xBF29       0xDD0C0000    -                            Does nothing
fantbl               0xC087       0xDD0C0000    get/set                        Fan table
                                                getini/setini
                                                getselect/setselect
firmud               0xD61D       0xFDFF0000    -                            Firmware update
geterrlog            0xB84F       0xDD0C0000    [id]                        Gets error log
getrtc               0xA6F3       0xDD0C0000    -                            Gets rtc
halt                 0x1E107      0xF0000000    -                            Halts syscon
hdmi                 0x29F39      0xDD0C0000    ...                            HDMI (various commands, use help)
hdmiid               0x29D1D      0xDC0F0000    -                            Get HDMI id's
hdmiid2              0x29D81      0xDC0F0000    -                            Get HDMI id's
hversion             0x2422F      0xDD0C0000    -                            Platform ID
hyst                 0xAEF5       0xDD0C0000    get/set                        Temperature zones
                                                getini/setini
lasterrlog           0xB7FF       0xDD0C0000    -                            Last error from log
ledmode              0xA80B       0xDC0C0000    [id] [id]                    Get led mode
LS                   0x2421B      0xDD0C0000    -                            LabStation Mode
ltstest              0xCB97       0xDD0C0000    get/set be/rsx                ?Temp related? values
osbo                 0x1EA3F      0xF0000000    -                            Sets 0x2000F60
patchcsum            0xD9F7       0xDD0C0000    -                            Patch checksum
patchvereep          0xD9B1       0xDD0C0000    -                            Patch version eeprom
patchverram          0xD965       0xDD0C0000    -                            Patch version ram
poll                 0x240E3      0xDD0C0000    -                            Poll log
portscan             0xDA0D       0xDD0C0000    [port]                        Scan port                                    (NOT WORKING?)
powbtnmode           0xB911       0xDC0C0000    [mode (0/1)]                Power button mode
powerstate           0xCE6F       0xDD0C0000    -                            Get power state
powersw              0xD5F9       0xFD0F0000    -                            Power switch
powupcause           0xB621       0xDD0C0000    -                            Power up cause
printmode            0x99D9       0xDC0C0000    [mode (0/1/2/3)]            Set printmode
printpatch           0xD94F       0xDD0C0000    -                            Prints patch
r                    0x8CA5       0xDD0C0000    [offset] [length]            Read byte from SC
r16                  0x8ED5       0xDD0C0000    [offset] [length]            Read word from SC
r32                  0x9191       0xDD0C0000    [offset] [length]            Read dword from SC
r64                  0x935D       0xDD0C0000    [offset] [length]            Read qword from SC
r64d                 0x948F       0xDD0C0000    [offset] [length]            Read ?qword data? from SC
rbe                  0x96F9       0xDD0C0000    [offset]                    Read from BE
recv                 0x24135      0xDD0C0000    -                            Receive something
resetsw              0xD605       0xFC0F0000    -                            Reset switch
restartlogerrtoeep   0xB903       0xDD0C0000    -                            Reenable error logging to eeprom
revision             0xD7E1       0xFFFF0000    -                            Get softid
rrsxc                0xD313       0xDD0C0000    [offset] [length]            Read from RSX                 
rtcreset             0xA7BB       0x000C0000    -                            Reset RTC
scagv2               0xE24F       0xFF000000    -                            Auth related?
scasv2               0xE207       0xDD000000    -                            Auth related?
scclose              0xE1EF       0xFF000000    -                            Auth related?
scopen               0xE121       0xFF000000    -                            Auth related?
send                 0x2416F      0xDD0C0000    [variable]                    Send something
shutdown             0xD5C5       0xFD0F0000    -                            PS3 shutdown
startlogerrtsk       0xB8E7       0xDD0C0000    -                            Start error log task
stoplogerrtoeep      0xB8F5       0xDD0C0000    -                            Stop error logging to eeprom
stoplogerrtsk        0xB8D9       0xDD0C0000    -                            Stop error log task
syspowdown           0xB6E9       0xDD0C0000    3 params                    System power down
task                 0x15005      0xDD0C0000    -                            Print tasks
thalttest            0xD813       0x000F0000    -                            Does nothing
thermfatalmode       0xCA3B       0xDD0C0000    canboot/cannotboot            Set thermal boot mode
therrclr             0xD3E5       0xDD0C0000    -                            Thermal register clear
thrm                 0xBF1D       0xDD0C0000    -                            Does nothing
tmp                  0xAA69       0xDD0C0000    [zone]                        Get temperature
trace                0xB951       0xDD0C0000    ...                            Trace tasks (use help)
trp                  0xAB2F       0xDD0C0000    get/set                        Temperature zones
                                                getini/setini
tsensor              0xA279       0xDD0C0000    [sensor]                    Get raw temperature
tshutdown            0xB2A1       0xDD0C0000    get/set                        Thermal shutdown
                                                getini/setini
tshutdowntime        0xC95D       0xDD0C0000    [time]                        Thermal shutdown time
tzone                0xB5E1       0xDD0C0000    -                            Show thermal zones
version              0xD65F       0xFFFF0000    -                            SC firmware version
w                    0x8BF9       0xDD0C0000    [offset] [value]            Write byte to SC
w16                  0x8E2D       0xDD0C0000    [offset] [value]            Write word to SC
w32                  0x8FED       0xDD0C0000    [offset] [value]            Write dword to SC
w64                  0x92A9       0xDD0C0000    [offset] [value]            Write qword to SC
wbe                  0x9665       0xDD0C0000    [offset] [value]            Write to BE
wmmto                0xCB3B       0xDC0C0000    get                            Get watch dog timeout
wrsxc                0xD279       0xDD0C0000    [offset] [value]            Write to RSX
xdrdiag              0x1E711      0xF0000000    start                        XDR diag
                                                info
                                                result
xiodiag              0x1E875      0xF0000000    -                            XIO diag
xrcv                 0x25313      0xDC0C0000    -                            Xmodem receive
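The two lists above give the same handler addresses in two encodings: the first holds the raw 32-bit value as it was read from the dump, the second the decoded handler offset. Since the syscon stores its handler pointers little-endian, byte-swapping the raw value yields the offset (0xf98b0000 for w becomes 0x8BF9). The script below is an added example for this post, not part of zecoxao's or SocraticBliss's tooling; it parses constructed excerpts of both lists (the row format is copied from above, and the Python 2 'L' long-integer suffix found in the original Pastebin dump is tolerated), converts the raw values, and reports every command whose offset or permission word disagrees between the two lists.

```python
"""Cross-check the two PS3 syscon command lists posted above.

Added example for this post, not part of zecoxao's or SocraticBliss's tooling.
The first list holds each handler address as the raw 32-bit value read from the
dump; the updated list holds the decoded handler offset. The pointers are stored
little-endian, so swapping the byte order of the raw value gives the offset.
"""
import re
import struct

# Constructed excerpt of the first (raw) list; the trailing 'L' is Python 2
# long-integer repr residue as found in the original Pastebin dump.
RAW_LIST = """\
w                    0xf98b0000L  0xDD0C0000
r                    0xa58c0000L  0xDD0C0000
commt                0x7490200    0xDC0C0000
task                 0x5500100    0xDD0C0000
bepkt                0x5d430200   0xDC0C0000
version              0x5fd60000   0xFFFF0000
"""

# Constructed excerpt of the updated list; sub-command continuation lines
# carry no address and are skipped by the parser.
DECODED_LIST = """\
bepkt                0x2435D      0xDC0C0000    show                        Packet permissions
                                                set
commt                0x24907      0xDC0C0000    help                        Manual BE communication
r                    0x8CA5       0xDD0C0000    [offset] [length]            Read byte from SC
task                 0x15005      0xDD0C0000    -                            Print tasks
version              0xD65F       0xFFFF0000    -                            SC firmware version
w                    0x8BF9       0xDD0C0000    [offset] [value]            Write byte to SC
"""

# command name, hex address (optional Python 2 'L'), 8-digit permission word
ROW_RE = re.compile(r"^(\S+)\s+0x([0-9A-Fa-f]+)L?\s+0x([0-9A-Fa-f]{8})\b")


def parse_table(text):
    """Map command name -> (address, permission) for rows that carry an address."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
    return rows


def raw_to_offset(raw):
    """Reinterpret a raw big-endian 32-bit read as the little-endian pointer it is."""
    return struct.unpack("<I", struct.pack(">I", raw))[0]


def cross_check(raw_text, decoded_text):
    """Return (command, reason) pairs for rows where the two lists disagree."""
    raw = parse_table(raw_text)
    decoded = parse_table(decoded_text)
    problems = []
    for name, (addr, perm) in sorted(raw.items()):
        if name not in decoded:
            problems.append((name, "missing from decoded list"))
            continue
        offset, perm_decoded = decoded[name]
        if raw_to_offset(addr) != offset:
            problems.append((name, f"offset 0x{raw_to_offset(addr):X} != 0x{offset:X}"))
        if perm != perm_decoded:
            problems.append((name, f"permission 0x{perm:08X} != 0x{perm_decoded:08X}"))
    return problems


if __name__ == "__main__":
    for name, (addr, perm) in parse_table(RAW_LIST).items():
        print(f"{name:<10} raw 0x{addr:08X} -> offset 0x{raw_to_offset(addr):05X}  perm 0x{perm:08X}")
    print("mismatches:", cross_check(RAW_LIST, DECODED_LIST) or "none")
```

Feeding the two complete Pastebin lists through `cross_check` is a quick way to catch a transcription slip before the offsets are used as labels in a disassembler; the permission words are compared as opaque 32-bit values, since the post does not document their bit layout.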
DECR syscon boot log, including lv0ldr output: Pastebin.com
Code:
!!! WARNING !!!

!!! SYSCON RESET DETECTED !!!

Syscon Service Manager started.

Bringup Mode #0 (0xFF)

[WMM0] Watch module manager started.

[WMM1] Watch module manager started.

BD is available.

BE-SC Communication Module started.

[SSM] state: 0000 -> 0101
Bringup Mode #0 (0xFF)
[SSM] ssmCb_OnStartingBePowOn() called.
[SSM]Fake Eject.
[SSM] First Boot.
[SSM] Bringup mode : syspm_stat=00000000/00000000
[POWSEQ] PowerSeq_Setup called.
**************************
*** PowerSeq Step = 00 ***
**************************
**************************
*** PowerSeq Step = 01 ***
**************************
**************************
*** PowerSeq Step = 02 ***
**************************
**************************
*** PowerSeq Step = 03 ***
**************************
**************************
*** PowerSeq Step = 04 ***
**************************
**************************
*** PowerSeq Step = 05 ***
**************************
**************************
*** PowerSeq Step = 06 ***
**************************
**************************
*** PowerSeq Step = 07 ***
**************************
**************************
*** PowerSeq Step = 08 ***
**************************
**************************
*** PowerSeq Step = 09 ***
**************************
**************************
*** PowerSeq Step = 10 ***
**************************
**************************
*** PowerSeq Step = 20 ***
**************************
[SSM] state: 0101 -> 0201
[POWSEQ] AV Backend Setup
[SSM] state: 0201 -> 0102
**************************
*** PowerSeq Step = 21 ***
**************************
**************************
*** PowerSeq Step = 22 ***
**************************
[SSM] state: 0102 -> 0202
[SSM] state: 0202 -> 0103
**************************
*** PowerSeq Step = 23 ***
**************************
**************************
*** PowerSeq Step = 30 ***
**************************
[SSM] state: 0103 -> 0203
[SSM] ssmCb_BeforeBeOn() called.
BE_LIVELOCK_MODE:0xff
BE_LIVELOCK_ACTION:0x2
BE_LIVELOCK_QUIESCE:0xff
[SSM] state: 0203 -> 0104
**************************
*** PowerSeq Step = 31 ***
**************************
**************************
*** PowerSeq Step = 32 ***
**************************
**************************
*** PowerSeq Step = 40 ***
**************************
Psbd_SbTransMode_Full:0x20e2
**************************
*** PowerSeq Step = 50 ***
**************************
**************************
*** PowerSeq Step = 51 ***
**************************
**************************
*** PowerSeq Step = 52 ***
**************************
**************************
*** PowerSeq Step = 60 ***
**************************
[SSM] state: 0104 -> 0204
[SSM] state: 0204 -> 0105
**************************
*** PowerSeq Step = 61 ***
**************************
**************************
*** PowerSeq Step = 62 ***
**************************
**************************
*** PowerSeq Step = FF ***
**************************
[SSM] state: 0105 -> 0400
(PowerOn State)
[SERV NVS] READ CMD
[INFO]: trace level 3
[INFO]: timebase_clock 04c4b400(4f)
check_board_version: Cyt2 is false. Cyt3.2
check_board_version: Cyt3 is true. Cyt3.2
livelock_detection is enable.
be::setup_default(true)
sb::setup_default(true)
rs::setup_default(true)
exist RS

Boot Loader SE Version 0.8.5 (Build ID: 1257,12300, Build Data: 2006-07-06_02:22:23)
Copyright(C) 2006 Sony Computer Entertainment Inc.All Rights Reserved.
[INFO]: xdr::query_config (basic) returns 0x00000000
[INFO]: query_system_power_up_cause returns successfully.
[INFO]: requested_os_context: 0x00
[INFO]: current_os_context  : 0x00
[INFO]: requested_gr_context: 0x00
[INFO]: current_gr_context  : 0x00
[INFO]: last_shutdown_cause : 0x00
[INFO]: wake_source         : 0x00000004
[INFO]: b_str: bool(0)
[INFO]: xio_ref_clk: 400 MHz
[INFO]: be_ref_clk: 400 MHz
[INFO]: be_pll_multiplier: 8
[INFO]: dump basic_config byte stream: size 128
04:02:10:20:08:00:00:01:80:00:ff:c0:32:00:06:11:
01:70:7c:fe:48:20:00:00:01:e0:62:84:05:5a:d6:b0:
5d:70:71:80:02:10:00:00:0a:96:3d:60:e1:c0:c8:00:
00:00:00:00:00:00:00:00:ed:d6:12:29:59:4b:a6:b4:
53:49:ac:b6:88:c4:62:20:00:00:00:00:00:40:00:00:
08:a0:0c:a0:14:79:18:79:00:58:00:80:00:01:fc:01:
00:06:00:0f:fc:0a:00:06:00:0f:37:00:00:3f:23:28:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
[INFO]: ------------------------------- dump end
[SERV SETCFG] XDR (CH0,CH1) ASSERT
[SERV SETCFG] XDR (CH0,CH1) DEASSERT
[WMM1] timeout.(1344)

[INFO]: XDR Link successfully initilized.
check_board_version: Cyt2 is false. Cyt3.2
check_board_version: Cyt3 is true. Cyt3.2
check_board_version: Cyt1 is false. Cyt3.2
check_board_version: Cyt2 is false. Cyt3.2
check_board_version: Cyt3 is true. Cyt3.2
[INFO]: flash format 1
[INFO] is_boot_memory_type_nand type 257
[INFO]: DX configuration start.
copy_to_main_memory: src 2401fc40200, size 000003e0
copy_to_main_memory: start_sector 00000201, sector_count 00000002
copy_to_main_memory: copied_addr 01010080, offset 00000480
copy_to_main_memory: src 2401fcc0000, size 00000020
copy_to_main_memory: start_sector 00000600, sector_count 00000001
copy_to_main_memory: copied_addr 01010480, offset 00000680
copy_to_main_memory: src 240203c0010, size 000003e0
copy_to_main_memory: start_sector 00003e00, sector_count 00000002
copy_to_main_memory: copied_addr 01010690, offset 00000a80
copy_to_main_memory: src 24020476ea0, size 0004b550
copy_to_main_memory: start_sector 000043b7, sector_count 0000025b
copy_to_main_memory: copied_addr 01010b20, offset 0004c080
[INFO]: Connecting to Debug Device (CP)
[SERV NVS] READ CMD
[INFO]: trace level 3
[INFO]: timebase_clock 04c4b400(4f)
memory_budget::initialize: addr = 0x56000, size = 0x6c000
memory_budget::initialize: addr = 0x1c000000, size = 0x4000000
allocate (0x400, 0x1000)
allocate (0x3000, 0x1000)
allocate (0x110000, 0x10000)
ea_addr_ss2 0x000000001c010000, m_io_addr_ss2 0x0000000000000000, size_ss2 00100080, allocate_size 00110000
allocate (0x8000, 0x80)
allocate (0x8000, 0x80)
devpm_version 0101
[SERV DEVPM] GET_PCI_BUS_POWER_STATE CMD
get_power_status<pci_bus> status 0
set_power_status<pci_bus> on
[SERV DEVPM] CONTROL_PCI_BUS_POWER_STATE CMD
[WMM1] timeout.(432)
[SERV DEVPM] GET_PCI_BUS_POWER_STATE CMD
set_power_status<pci_bus> success
allocate (0x100000, 0x1000)
get pif5 parameter. cp_version(00000000_00000808), param(02010000_00000000)
[INFO]: force standalone mode
allocate (0x12000, 0x1000)
allocate (0x12000, 0x1000)
allocate (0x12000, 0x1000)
output: debugI/F was selected
[SERV NVS] WRITE CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD

---- Cytology-Genri2 BOARD CONFIGURATION ----
BE VRM:FF
RS VRM:FF
BE VRM 2ND:FF
XCG BE:FF RS:FF RRAC:20 XDR:FF
USE_XCG2:TRUE (00)
XCG2 BE 5:84 6:16
XCG2 RS 5:FF 6:FF
XCG2 XDR 5:84 6:16
SB_TRANS_MODE:FULL (01)
USE_RS:TRUE (00)
USE_SB_CHECKSTOP:TRUE (00)
SB IOIF RESET:TRUE (FF)
BE_CHIP_VER:DD3.1
SB_CHIP_VER:#3.2
RS_CHIP_VER:RSX B01
SECU_OVER:NONE
BE_PLL_ENABLE:DISABLE
BE_PLL:FF FF FF FF FF FF FF FF
MASTER SPU:00
-----------------------------------
Download: v1.0.5c1_TMU510_u_patched2_extra_diag_porn.bin (384.06 KB)
list of eid1 key offsets and their functions:
+ 0x150: authenticated regions (fun stuff) (0x400)
+ 0x160: 0x2710 (0x40)
+ 0x170: 0x2760 (0x20)
+ 0x180: 0x2790 (0x20)
+ 0x190: 0x26B0, 0x26E0, 0x26F0 (0x10)
+ 0x1A0: 0x26C0 (0x10)
+ 0x1B0: 0x26D0 (0x10)
+ 0x140: patch key generation (0x10*2)
Needless and pointless to say, the confusion being created around these keys, that they will be useful for CFW on PS3 3K and Superslim, is a very far-fetched idea. Unless we have access to the TSOP 78K0R models, we will not be able to obtain anything else.
The only glimmer of hope is that a flaw in the ARM fw leads us to the ability to dump the 78K0R version of the SC fw. Other than that, the 78K0R (predecessor to the RL78) is locked up tight: debugger via flash sequencer (not code) vs. the vulnerable OCD ROM (on the PS4's RL78) which made glitching possible.
Knowledge of the SC interfaces on ARM can lead to possible glitching attacks, or maybe code injection on a 78K0R.
FYI, SCA like DPA/CPA on the 78K0R is not possible due to the elimination of external EEPROM I/O on its packaging. No control over crypto input means no effect on the power signal for crypto, and thus nothing to correlate with.
Here's a script that derives the keys for the SC patches on the wiki backwards:

Download: patch.py (2.74 KB)
As you can see from the output it produces, the keys are generated by XORing a 16-byte sentence containing the soft ID in decimal form (ranging from 0000 to 3899) with two keys, then encrypting the result to generate the final key.
Download: encrypt.py (1.16 KB - signing script for PS3 SC full firmware)
Download: keyvault_dumper.rar (390.72 KB - keyvault dumper SC fw and usage)
From Pastebin.com: PowerOn Reset DECR
Code:
[SSM] state: 0000 -> 0101
Bringup Mode #0 (0xFF)
[SSM] ssmCb_OnStartingBePowOn() called.
[SSM] Bringup mode : syspm_stat=00000000/00000000
[POWSEQ] PowerSeq_Setup called.
**************************
*** PowerSeq Step = 00 ***
**************************
**************************
*** PowerSeq Step = 01 ***
**************************
**************************
*** PowerSeq Step = 02 ***
**************************
**************************
*** PowerSeq Step = 03 ***
**************************
**************************
*** PowerSeq Step = 04 ***
**************************
**************************
*** PowerSeq Step = 05 ***
**************************
**************************
*** PowerSeq Step = 06 ***
**************************
**************************
*** PowerSeq Step = 07 ***
**************************
**************************
*** PowerSeq Step = 08 ***
**************************
**************************
*** PowerSeq Step = 09 ***
**************************
**************************
*** PowerSeq Step = 10 ***
**************************
**************************
*** PowerSeq Step = 20 ***
**************************
[SSM] state: 0101 -> 0201
[POWSEQ] AV Backend Setup
[SSM] state: 0201 -> 0102
**************************
*** PowerSeq Step = 21 ***
**************************
**************************
*** PowerSeq Step = 22 ***
**************************
[SSM] state: 0102 -> 0202
[SSM] state: 0202 -> 0103
**************************
*** PowerSeq Step = 23 ***
**************************
**************************
*** PowerSeq Step = 30 ***
**************************
[SSM] state: 0103 -> 0203
[SSM] ssmCb_BeforeBeOn() called.
BE_LIVELOCK_MODE:0xff
BE_LIVELOCK_ACTION:0x2
BE_LIVELOCK_QUIESCE:0xff
[SSM] state: 0203 -> 0104
**************************
*** PowerSeq Step = 31 ***
**************************
**************************
*** PowerSeq Step = 32 ***
**************************
**************************
*** PowerSeq Step = 40 ***
**************************
Psbd_SbTransMode_Full:0x20e2
**************************
*** PowerSeq Step = 50 ***
**************************
**************************
*** PowerSeq Step = 51 ***
**************************
**************************
*** PowerSeq Step = 52 ***
**************************
**************************
*** PowerSeq Step = 60 ***
**************************
[SSM] state: 0104 -> 0204
[SSM] state: 0204 -> 0105
**************************
*** PowerSeq Step = 61 ***
**************************
**************************
*** PowerSeq Step = 62 ***
**************************
**************************
*** PowerSeq Step = FF ***
**************************
[SSM] state: 0105 -> 0400
(PowerOn State)
[SERV NVS] READ CMD
Boot Loader SE Version 0.8.5 (Build ID: 1257,12300, Build Data: 2006-07-06_02:22:23)
Copyright(C) 2006 Sony Computer Entertainment Inc.All Rights Reserved.
[SERV SETCFG] XDR (CH0,CH1) ASSERT
[SERV SETCFG] XDR (CH0,CH1) DEASSERT
[INFO]: Connecting to Debug Device (CP)
[SERV NVS] READ CMD
[SERV DEVPM] GET_PCI_BUS_POWER_STATE CMD
[SERV DEVPM] CONTROL_PCI_BUS_POWER_STATE CMD
[SERV DEVPM] GET_PCI_BUS_POWER_STATE CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV THERM] NOTIFY_MODE CMD
POWER Button released
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NOTIF] CONTROL_BD_HDD_LED
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[SERV NVS] READ CMD
[WMM1] timeout.(104)
POWER Button pressed
[SERV NOTIF] RING_BUZZER
[SERV NOTIF] CONTROL_LED
POWER Button released
[SERV THERM] NOTIFY_MODE CMD
[SERV NVS] WRITE CMD
[SERV NVS] READ CMD
[SERV DEVPM] CONTROL_PCI_BUS_POWER_STATE CMD
[SSM] state: 0400 -> 0500
[POWSEQ] AV Backend Letup
[SSM] ssmCb_AfterBeOn() called.
[SSM] Shutdown mode ... req_wake_src = 000002F4, ctxt=00/00
[SSM] Shutdown mode : syspm_stat=00000000/00000000
[POWSEQ] PowerSeq_Letup called.
[SSM] state: 0500 -> 0000
(PowerOff State)
Download: encrypt.py (1.75 KB - the previous script was actually the decrypting script; this is the encrypt script)
PS3 CELL BE JTAG connector (RISCWatch) documentation: PS3 CELL BE RISCWatch Connection:
Code:
PS3 CELL BE RISCWatch Connection

MPU-501 J1001
-> Standard RISCWatch connector

TMU-520 CN1001 (few missing resistors)
1    +POWER
2    /TRST
3    TDI
4    TDO
5    TMS
6    TCK
7    N.C.
8    GND
9    /HRESET
10    /CKSTP_OUT

COK-00x Testpoints (no CN)
/HRESET        CL1102
TDO            CL1103
TDI            CL1104
TCK            CL1105
TMS            CL1106
/TRST        CL1107
/CKSTP_OUT    CN4009#24
+POWER        CN4009#27    add 1K resistor in series
GND            CN4009#29

SEM-001 CN1001
1    TDI
2    /TRST
3    TCK
4    TMS
5    TDO
6    /HRESET
7    /CKSTP_OUT
8    /HRESET
9    POWER_GOOD
10    GND
11    +POWER        add 1K resistor in series
12    GND
Note: Can also be found on later models,
      excluding superslim

RISCWatch RS-232 RJ12 Pinout (LtR)
1    N.C.
2    CTS
3    TX
4    GND
5    RX
6    RTS
Spec: 9600 baud, 8N1
Download: EID1.py (1.16 KB - EID1 decrypt script. It decrypts the second layer of EID1, which you can obtain using ps3_decrypt_tools or libeid)
Just added second layer decryption to PS3 decrypt tools. You can use it now as a C program if you fancy that more.
Download: snvs_decrypt (snvs_decrypt.exe) by Sorvigolova (tool that decrypts SNVS from an EEPROM full dump taken with hardware flasher)
Download: TIME.py (2.77 KB)
Download: GARBAGE.py (1000 Bytes - script that generates the garbage that is not used in syscon eeprom.)
Download: INIT.py (4.16 KB - init script that decrypts the initialization (personalization) sections from eeprom and verifies their cmac (from 0x2A0 to 0x360))
Download: ram_dumps.7z (16.58 KB - PS3 syscon ram dumps for help with RE)
How to dump the complete CXR Syscon flash:
Code:
*0x3800000 = 0x05;
*0x1005554 = 0x55;
*0x100AAAA = 0xA0;

Read 0x1000000-0x107FFFF:
0x1000000-0x101FFFF Backup Bank
0x1020000-0x107FFFF Main Bank
Download: COK-001_SC_dump.bin (384 KB)
Download: cok-001_firmware.bin (384 KB)
Download: 0xF9F00 - 0xFFEE0_with_zeroes.bin (1023.72 KB)
Download: DEB-001_rom.bin (384 KB)
These patches allow you to read/write the whole PS3 CXR Syscon EEPROM, either from the CELL (via the Device Access Service) or over the UART interface with the r8/w8 commands. The PS3 Syscon (Mullion Sherwood) script, from Pastebin.com:
Code:
from binascii import unhexlify as uhx
from Crypto.Cipher import AES  # pycryptodome
import os
import serial  # pyserial
import string
import sys
import time


class PS3UART(object):
    # Handshake keys and constants (the trailing comments give where each was found)
    sc2tb = uhx('71f03f184c01c5ebc3f6a22a42ba9525')  # Syscon to TestBench Key    (0x130 xor 0x4578)
    tb2sc = uhx('907e730f4d4e0a0b7b75f030eb1d9d36')  # TestBench to Syscon Key    (0x130 xor 0x4588)
    value = uhx('3350BD7820345C29056A223BA220B323')  # 0x45B8
    zero  = uhx('00000000000000000000000000000000')

    auth1r_header = uhx('10100000FFFFFFFF0000000000000000')
    auth2_header  = uhx('10010000000000000000000000000000')
    # AUTH1 challenge request body (hex), the same for every syscon type
    auth1_body = '10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'

    def aes_decrypt_cbc(self, key, iv, in_data):
        return AES.new(key, AES.MODE_CBC, iv).decrypt(in_data)

    def aes_encrypt_cbc(self, key, iv, in_data):
        return AES.new(key, AES.MODE_CBC, iv).encrypt(in_data)

    def __init__(self, port, type):
        # One serial port per instance (the original shared a class-level Serial object)
        self.ser = serial.Serial()
        self.ser.port = port
        if type in ('CXR', 'SW'):
            self.ser.baudrate = 57600
        elif type == 'CXRF':
            self.ser.baudrate = 115200
        else:
            raise ValueError('unknown syscon type ' + repr(type) + ', expected CXR, CXRF or SW')
        self.type = type
        self.ser.timeout = 0.1
        self.ser.open()
        assert self.ser.is_open
        self.ser.flush()

    def __del__(self):
        if getattr(self, 'ser', None) is not None and self.ser.is_open:
            self.ser.close()

    def send(self, data):
        self.ser.write(data.encode('ascii'))

    def receive(self):
        return self.ser.read(self.ser.in_waiting)

    def command(self, com, wait=1, verbose=False):
        if verbose:
            print('Command: ' + com)

        if self.type == 'CXR':
            # CXR framing: 'C:<checksum>:<command>\r\n', checksum = byte sum of the
            # command mod 0x100; long commands go out in pieces (10 chars with the
            # header, then 15 chars per write, terminator with the last piece)
            length = len(com)
            checksum = sum(bytearray(com, 'ascii')) % 0x100
            if length <= 10:
                self.send('C:{:02X}:{}\r\n'.format(checksum, com))
            else:
                j = 10
                self.send('C:{:02X}:{}'.format(checksum, com[0:j]))
                for i in range(length - j, 15, -15):
                    self.send(com[j:j + 15])
                    j += 15
                self.send(com[j:] + '\r\n')
        elif self.type == 'SW':
            # SW framing: '<command>:<checksum>\r\n'; commands of 0x40 chars or more
            # must be announced with SETCMDLONG first
            length = len(com)
            if length >= 0x40:
                if self.command('SETCMDLONG FF FF')[0] != 0:
                    return (0xFFFFFFFF, ['Setcmdlong'])
            checksum = sum(bytearray(com, 'ascii')) % 0x100
            self.send('{}:{:02X}\r\n'.format(com, checksum))
        else:
            # CXRF: plain text, no checksum
            self.send(com + '\r\n')

        time.sleep(wait)
        answer = self.receive().decode('ascii').strip()
        if verbose:
            print('Answer: ' + answer)

        if self.type == 'CXR':
            # Reply: 'R:<checksum>:OK <status> [data...]' or 'E:<checksum>:<text> <status>'
            answer = answer.split(':')
            if len(answer) != 3:
                return (0xFFFFFFFF, ['Answer length'])
            checksum = sum(bytearray(answer[2], 'ascii')) % 0x100
            if answer[0] != 'R' and answer[0] != 'E':
                return (0xFFFFFFFF, ['Magic'])
            if answer[1] != '{:02X}'.format(checksum):
                return (0xFFFFFFFF, ['Checksum'])
            data = answer[2].split(' ')
            if (answer[0] == 'R' and len(data) < 2) or (answer[0] == 'E' and len(data) != 2):
                return (0xFFFFFFFF, ['Data length'])
            if data[0] != 'OK' or len(data) < 2:
                return (int(data[1], 16), [])
            else:
                return (int(data[1], 16), data[2:])
        elif self.type == 'SW':
            # Reply: one or more '<text>:<checksum>' lines; the last one carries the status
            answer = answer.split('\n')
            for i in range(0, len(answer)):
                answer[i] = answer[i].replace('\n', '').rsplit(':', 1)
                if len(answer[i]) != 2:
                    return (0xFFFFFFFF, ['Answer length'])
                checksum = sum(bytearray(answer[i][0], 'ascii')) % 0x100
                if answer[i][1] != '{:02X}'.format(checksum):
                    return (0xFFFFFFFF, ['Checksum'])
                answer[i][0] += '\n'
            ret = answer[-1][0].replace('\n', '').split(' ')
            # A status line has an 8-digit hex code as its second word; anything else is
            # plain text output (the original combined these tests with 'and', so an
            # 8-char non-hex word reached int() and raised ValueError)
            if len(ret) < 2 or len(ret[1]) != 8 or not all(c in string.hexdigits for c in ret[1]):
                return (0, [x[0] for x in answer])
            elif len(answer) == 1:
                return (int(ret[1], 16), ret[2:])
            else:
                return (int(ret[1], 16), [x[0] for x in answer[:-1]])
        else:
            return (0, [answer])

    def _answer_challenge(self, auth1r):
        # Shared part of the handshake: check the AUTH1 response, decrypt the
        # challenge with sc2tb, swap its two 8-byte halves and re-encrypt with tb2sc.
        # Returns (auth2 hex string, None) or (None, error text).
        if auth1r[0:0x10] != self.auth1r_header:
            return None, 'Auth1 response header invalid'
        data = self.aes_decrypt_cbc(self.sc2tb, self.zero, auth1r[0x10:0x40])
        if not (data[0x8:0x10] == self.zero[0x0:0x8] and data[0x10:0x20] == self.value and data[0x20:0x30] == self.zero):
            return None, 'Auth1 response body invalid'
        new_data = data[0x8:0x10] + data[0x0:0x8] + self.zero + self.zero
        auth2_body = self.aes_encrypt_cbc(self.tb2sc, self.zero, new_data)
        return ''.join('{:02X}'.format(c) for c in bytearray(self.auth2_header + auth2_body)), None

    def auth(self):
        if self.type in ('CXR', 'SW'):
            auth1r = self.command('AUTH1 ' + self.auth1_body)
            if auth1r[0] != 0 or auth1r[1] == []:
                return 'Auth1 response invalid'
            auth2_hex, err = self._answer_challenge(uhx(auth1r[1][0]))
            if err:
                return err
            auth2r = self.command('AUTH2 ' + auth2_hex)
            return 'Auth successful' if auth2r[0] == 0 else 'Auth failed'
        else:
            # CXRF: the handshake runs inside an 'scopen' session, replies are plain text
            scopen = self.command('scopen')
            if 'SC_READY' not in scopen[1][0]:
                return 'scopen response invalid'
            auth1r = self.command(self.auth1_body)
            auth1r = auth1r[1][0].split('\r')[1][1:]
            if len(auth1r) != 128:
                return 'Auth1 response invalid'
            auth2_hex, err = self._answer_challenge(uhx(auth1r))
            if err:
                return err
            auth2r = self.command(auth2_hex)
            return 'Auth successful' if 'SC_SUCCESS' in auth2r[1][0] else 'Auth failed'


def main(argc, argv):
    if argc < 3:
        print(os.path.basename(__file__) + ' <serial port> <sc type ["CXR", "CXRF", "SW"]>')
        sys.exit(1)
    ps3 = PS3UART(argv[1], argv[2])
    try:
        raw_input_c = raw_input  # Python 2
    except NameError:
        raw_input_c = input  # Python 3
    while True:
        in_data = raw_input_c('> ')
        if in_data.lower() == 'auth':
            print(ps3.auth())
            continue
        if in_data.lower() == 'exit':
            break
        ret = ps3.command(in_data)
        if argv[2] == 'CXR':
            print('{:08X}'.format(ret[0]) + ' ' + ' '.join(ret[1]))
        elif argv[2] == 'SW':
            if len(ret[1]) > 0 and '\n' not in ret[1][0]:
                print('{:08X}'.format(ret[0]) + ' ' + ' '.join(ret[1]))
            else:
                print('{:08X}'.format(ret[0]) + '\n' + ''.join(ret[1]))
        else:
            # receive() already decoded the reply to str; a second decode fails on Python 3
            print(ret[1][0])


if __name__ == '__main__':
    main(len(sys.argv), sys.argv)
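The script above frames every command with an 8-bit byte-sum checksum, and the two syscon families use different layouts (CXR puts the checksum in front, SW behind). The following is an added example, not part of the Pastebin script or of any release tool: an offline encoder/decoder for both framings, with the same malformed-reply codes the script returns, so the framing can be exercised and regression-tested without a console or a serial port. Function names (`frame_cxr`, `parse_cxr_reply`, `frame_sw`, `parse_sw_reply`, `make_reply`) are mine, and every reply used with it is a constructed sample.

```python
# Added example, not part of the Pastebin script above: an offline encoder/decoder
# for the two checksummed UART framings that PS3UART.command() implements (CXR and
# SW), so the framing logic can be unit-tested without hardware. Frame layouts
# follow the script; replies built with make_reply() are constructed samples.
import string

CXR_FIRST_CHUNK = 10   # payload chars that travel with the 'C:xx:' header
CXR_NEXT_CHUNK = 15    # payload chars per subsequent serial write
SW_LONG_CMD = 0x40     # SW commands at least this long need SETCMDLONG first
ERR = 0xFFFFFFFF       # status the script uses for a malformed reply


def checksum8(text):
    """Byte sum of the ASCII text modulo 0x100, as both syscon framings expect."""
    return sum(bytearray(text, 'ascii')) % 0x100


def frame_cxr(command):
    """Serial writes for one CXR command: 'C:<cs>:<cmd>\\r\\n', split into a
    10-char piece after the header and 15-char pieces thereafter."""
    header = 'C:{:02X}:'.format(checksum8(command))
    if len(command) <= CXR_FIRST_CHUNK:
        return [header + command + '\r\n']
    body = command[CXR_FIRST_CHUNK:]
    pieces = [body[i:i + CXR_NEXT_CHUNK] for i in range(0, len(body), CXR_NEXT_CHUNK)]
    writes = [header + command[:CXR_FIRST_CHUNK]] + pieces[:-1]
    writes.append(pieces[-1] + '\r\n')   # the terminator travels with the last piece
    return writes


def parse_cxr_reply(raw):
    """Parse 'R:<cs>:OK <status> [words...]' or 'E:<cs>:<text> <status>'.
    Returns (status, words), or (ERR, [reason]) for a malformed frame."""
    parts = raw.strip().split(':')
    if len(parts) != 3:
        return (ERR, ['Answer length'])
    kind, cs, payload = parts
    if kind not in ('R', 'E'):
        return (ERR, ['Magic'])
    if cs != '{:02X}'.format(checksum8(payload)):
        return (ERR, ['Checksum'])
    words = payload.split(' ')
    if (kind == 'R' and len(words) < 2) or (kind == 'E' and len(words) != 2):
        return (ERR, ['Data length'])
    if not words[1] or not all(c in string.hexdigits for c in words[1]):
        return (ERR, ['Status code'])   # the script would raise here; fail cleanly instead
    status = int(words[1], 16)
    return (status, words[2:]) if words[0] == 'OK' else (status, [])


def frame_sw(command):
    """Serial writes for one SW command: '<cmd>:<cs>\\r\\n', preceded by the
    SETCMDLONG announcement when the command is 0x40 chars or longer (the
    script additionally waits for that announcement to be acknowledged)."""
    writes = []
    if len(command) >= SW_LONG_CMD:
        writes.extend(frame_sw('SETCMDLONG FF FF'))
    writes.append('{}:{:02X}\r\n'.format(command, checksum8(command)))
    return writes


def parse_sw_reply(raw):
    """Parse one or more '<text>:<cs>' lines. The last line carries the status
    as an 8-digit hex word; otherwise the reply is plain text with status 0."""
    lines = []
    for line in raw.strip().split('\n'):
        text, sep, cs = line.rstrip('\r').rpartition(':')
        if not sep or cs != '{:02X}'.format(checksum8(text)):
            return (ERR, ['Checksum'])
        lines.append(text)
    last = lines[-1].split(' ')
    if len(last) < 2 or len(last[1]) != 8 or not all(c in string.hexdigits for c in last[1]):
        return (0, lines)
    if len(lines) == 1:
        return (int(last[1], 16), last[2:])
    return (int(last[1], 16), lines[:-1])


def make_reply(kind, payload):
    """Constructed reply frame for tests: CXR when kind is 'R' or 'E', SW otherwise."""
    cs = '{:02X}'.format(checksum8(payload))
    if kind == 'SW':
        return payload + ':' + cs + '\n'
    return kind + ':' + cs + ':' + payload + '\r\n'
```

The parsers deliberately reject a frame whose checksum does not match before looking at its content, which is the same order the script uses; the one behavioural difference is that a non-hex status word is reported as a `Status code` error rather than raising.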
 

Comments

I'll just grab my spare dev kit ps4...

Anyone care to share a decrypted dump? Would be nice to see.
 
Stay on 1.7 for now, this isn't for casual users but for the devs.

I read that if we're able to obtain the app to create master discs we can strip games built on newer firmwares and repackage them as 4.55, 5.03 and 5.05... is this true, does it seem possible..?
 
Somehow the anime girl distracts me LOL It's nice to have something different for a change, rather than the usual boring pics of PS4 and its peripherals.

And good job zecoxao, hopefully this can push the scene forward however little.
 