PS3 Frankenstein PHAT PS3: CECHA with 40nm RSX

Yeah, I thought there was a piece of the puzzle missing too. But maybe it's a, "if you don't know what to do with the information given, then you shouldn't be messing with the code in the first place," kind of thing. Or perhaps it's just he's so deep in now, he forgets our code-fu is so weak we need each step fed to us in bite sized pieces.

I suppose too, he could be indifferent to our plight. I mean, of course an ant looks up to us. So long as it isn't in the way, we'll let it be. But if they make a hill in our back yard, then we feel justified pouring liquid aluminum inside, casting the apocalyptic end of their whole colony and future in metal to be sold as a decorative piece. It sits in our living rooms as a conversation starter. "This is what happens to ants who get in our way." Only Humans memorialize genocide in this way. Worse, we've perverted it into a marvel of the ant world. "How industrious the little creatures are, that they can build something so beautiful and complex." There's no remorse for having gone all "Terminator 2: judgment day" on them for aspiring for more. This must be how the top 1% view the middle class. You know, "Hey you! Get off my lawn!"
 
Yeah, I thought there was a piece of the puzzle missing too. But maybe it's a, "if you don't know what to do with the information given, then you shouldn't be messing with the code in the first place," kind of thing. Or perhaps it's just he's so deep in now, he forgets our code-fu is so weak we need each step fed to us in bite sized pieces.

There is no other choice but to mess with it, since we are the few guys attempting to do this kind of thing. However, the information is not very comprehensive at the moment.

I do have a suspicion of what he was referring to. Let's back track to the point in time when a slightly better explanation was given.

Yes, any fw <= 3.55 should be fine.


The special PUP is just any CFW or OFW with changed Syscon patch pkg. This patch does nothing and its only purpose is to overwrite the Sony patch.

Then you need to install a special patch using the UART interface. I'll provide the patch and a python script which automates the task.

The next step is already dumping the firmware. You make sure nothing is plugged into the HDMI port, then listen to the UART interface using e.g. TeraTerm (with the log enabled) and push the power button - the firmware will be dumped.

Then you can use the same python script with the original Syscon patch to restore it.

The original state can be easily recovered, only the patch changes, but we already have that so we can just write it back.

On prototype units, the Syscon gets full firmware updates because it's a flash based model. Retail Syscons store the firmware in ROM and need patches.
The SoftID is 1:1 the firmware version: https://pastebin.com/LhR6s9rp . The patch just gets applied on top of the firmware.

Just tell me when you're ready and I'll provide the files, just need to do some cleanup.


You have 0F38.0001000500010001 @ SC
Look at the syscon packages that exist (there is only one applicable to your SoftID = 0x0F38); it is a file named SYS_CON_FIRMWARE_01050101.pkg
https://www.psdevwiki.com/ps3/System_Controller_Firmware#Known_Retail_syscon_update_packages

----------------------------
What you need to do is clean up that patch... and from that point, when you enter the "more system information" screen, you are going to see 0F38.0000000000000000 @ SC
All those zeroes mean that there are no syscon patches installed. That state is when you should do the syscon firmware dump.

Based on all of the above, it appears we need to unpack a CFW or OFW pup update file, then find the syscon-firmware package inside it. Then "Clean up that patch", either rename it or hex edit it with the code that major provided?

After that, "installing special patch over UART", I'm quite lost. He has provided a python script, but not the 'new' patch? Or the new patch is actually in the example code?
 
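The version string discussed in the post above, parsed as an added example (not code from the thread or from the script its participants mention). The field layout and the mapping from the 16-digit patch version to a package name are assumptions inferred from the single pair quoted in the thread (0F38.0001000500010001 and SYS_CON_FIRMWARE_01050101.pkg); the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Layout as quoted in the thread: "<SoftID>.<16 hex digits> @ SC"
_SC_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4})\.([0-9A-Fa-f]{16})\s*@\s*SC\s*$")


@dataclass(frozen=True)
class SysconVersion:
    soft_id: int                   # e.g. 0x0F38
    patch_words: Tuple[int, ...]   # four 16-bit words of the patch version

    @property
    def patched(self) -> bool:
        # All zeroes means no syscon patch is installed (stated in the thread).
        return any(self.patch_words)

    @property
    def package_name(self) -> Optional[str]:
        # ASSUMPTION: the package name is the low byte of each word, in order.
        # This matches the one pair quoted in the thread and nothing else.
        if not self.patched or any(w > 0xFF for w in self.patch_words):
            return None
        digits = "".join(f"{w:02X}" for w in self.patch_words)
        return f"SYS_CON_FIRMWARE_{digits}.pkg"


def parse_sc_version(line: str) -> SysconVersion:
    """Parse one '@ SC' line; reject anything that is not exactly that shape."""
    m = _SC_LINE.match(line)
    if m is None:
        raise ValueError(f"not a syscon version line: {line!r}")
    digits = m.group(2)
    words = tuple(int(digits[i:i + 4], 16) for i in range(0, 16, 4))
    return SysconVersion(int(m.group(1), 16), words)


def dump_precondition(line: str) -> Tuple[bool, str]:
    """Return (ok, reason): ok only when the patch field is all zeroes."""
    v = parse_sc_version(line)
    if v.patched:
        pkg = v.package_name or "unknown package"
        return False, f"SoftID 0x{v.soft_id:04X}: patch present ({pkg})"
    return True, f"SoftID 0x{v.soft_id:04X}: no syscon patch installed"


if __name__ == "__main__":
    # The two strings quoted in the thread.
    for sample in ("0F38.0001000500010001 @ SC", "0F38.0000000000000000 @ SC"):
        print(sample, "->", dump_precondition(sample))
```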
And a few latest thoughts about the added resistors.

Based on this picture, it's very difficult to tell how many resistors and/or if the whole IC were all replaced.
upload_2020-12-31_14-38-11.png

However, having looked at the schematics a bit more I may have a better idea of what happened in that particular PCB neighborhood. But please remember, I am only speculating.

What they did was most likely install another IC - BD3504FVM (Or something similar to it) instead of the BD3520FVM. Why? Possible reasons could be that the original was faulty? Maybe it was causing 1.2v VDDR line to be unstable? Was it just a precaution?

Another potential reason is that BD3520FVM is only meant to output 1.2v, however the 3504 model can be adjusted to give out variable (0.65~2.5V)...It is probably still set up to output 1.2v in the circuit (I'm assuming?). Or is it possible that the new voltage might actually have been changed entirely? Have there been changes to RSX voltage in further revisions?

Anyways, the IC and around 2-4 resistors were most likely added/replaced to accomplish the same result as what the original BD3520FVM was doing. Why extra resistors? Because BD3520FVM already has them integrated into the IC, while BD3504FVM does not. This IC allows engineers to manually configure required output voltage for the application.

Once again, if my theory is true, these are the only differences. What does it mean? Well, there may be no immediate need to mess with this particular IC. Or you can recalculate the needed values and do it similarly to provide 1.2v (or something higher/lower). As it stands, we don't have enough information why it was done or what voltage it's actually providing.

Here are some pictures to illustrate what I'm talking about. Notice the logic around IC6200

VRM for RSX original.JPG

Now here are very similar ICs used in DC-DC converters on the next page. Look at IC6303 (in red), notice the similarity to VRM for RSX? Notice further, IC6602 (in blue) is doing a similar job as the one in red, but with extra resistors, as they are not originally inside the IC, but we still need to use them to get 1.2v
reference circuits.JPG

Resistors inside BD3520FVM, hence no need to install R1612 and R1614. IC output is already designed to be 1.2v.

BD3520FVM resistors integrated.JPG

And here you get to choose your own resistors.
BD3504FVM resistors.JPG

The formula for this is luckily inside the datasheet:

BD3504FVM formula.JPG

Let's test the equation with the example of IC6602 and its resistors. R1 is equal to R6606, which is equal to 3900 ohms. Therefore R1 = 3900 ohms. R2 in this case would be equal to R6607 + R6609 (don't be confused by double resistors, it was probably done to achieve the needed value), so 3300+470 = 3770 ohms. R2 = 3770. Now plug these numbers into the formula to calculate the Vfb terminal to see what happens. Vout will be 1.2v. So we are finding Vfb. The equation is 1.2=x* ( (3900+3740)/3900), x=0.612 v. Vfb is going to be 0.612v this way. As the text states, typically Vfb is controlled to achieve 0.65v, so this is close enough. So the formula is true. (Side thought: you could actually get a perfect 0.65v on Vfb if you drop the 470 ohm resistor and use only 3300 and 3900 ohms as the datasheet suggests. Now I don't know why it was designed to get it down to 0.61v, but Sony engineers probably had a reason.) And you could also adjust the output to be different. Remember, anywhere from 0.65 to 2.5v...

Now I apologize for the terribly long text, but this might clear things up a bit. So what resistors to replace and which ones to add, you may ask? If you plan to keep 1.2v in that line, I will add that info a bit later as I honestly have been spending too much time on the research...
 
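The feedback-divider arithmetic from the post above, as an added example (not from the thread or the datasheet). It assumes the relation the post's equation uses, Vout = Vfb × (R1 + R2) / R1 with Vfb typically 0.65 V, and goes one step further by searching standard E24 values and showing the output spread from resistor tolerance; the function names are hypothetical.

```python
# Typical feedback voltage quoted in the post for the adjustable regulator.
V_FB = 0.65

# E24 preferred-value series (one decade).
E24 = [1.0, 1.1, 1.2, 1.3, 1.5, 1.6, 1.8, 2.0, 2.2, 2.4, 2.7, 3.0,
       3.3, 3.6, 3.9, 4.3, 4.7, 5.1, 5.6, 6.2, 6.8, 7.5, 8.2, 9.1]


def vout(r1, r2, vfb=V_FB):
    """Output voltage set by the divider (relation assumed from the post)."""
    return vfb * (r1 + r2) / r1


def vfb_for(v_out, r1, r2):
    """Feedback-pin voltage implied by a known output and divider."""
    return v_out * r1 / (r1 + r2)


def vout_range(r1, r2, tol=0.01, vfb=V_FB):
    """Worst-case (low, high) output for resistors with +/- tol tolerance."""
    low = vfb * (1 + (r2 * (1 - tol)) / (r1 * (1 + tol)))
    high = vfb * (1 + (r2 * (1 + tol)) / (r1 * (1 - tol)))
    return low, high


def best_pairs(target, decades=(1e3,), count=5, vfb=V_FB):
    """Rank E24 (r1, r2) pairs by how close they bring Vout to target."""
    values = [round(base * d) for d in decades for base in E24]
    ranked = sorted(
        ((abs(vout(r1, r2, vfb) - target), r1, r2)
         for r1 in values for r2 in values),
        key=lambda item: item[0],
    )
    return [(r1, r2, vout(r1, r2, vfb)) for _, r1, r2 in ranked[:count]]


if __name__ == "__main__":
    # Values as quoted in the post: R6606 = 3900, R6607 + R6609 = 3300 + 470.
    print("Vfb with 3900 / 3770 at 1.2 V out: %.3f V" % vfb_for(1.2, 3900, 3770))
    print("Vout with 3900 / 3300: %.3f V" % vout(3900, 3300))
    print("1%% tolerance spread: %.3f .. %.3f V" % vout_range(3900, 3300))
    for r1, r2, v in best_pairs(1.2):
        print("R1=%d R2=%d -> %.4f V" % (r1, r2, v))
```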
My 304GB just got here. I think it's a fake. The first line of text is a slightly different size than the second line.

Bus Pirate is on the way, will be here late next week. I'll get the CECHK01 system baking to pull RSX and syscon tomorrow, and I'm sure if I just dig through my scrap board pile, I'll find a board that I'm positive has a dead GPU and no other issues. Let's do this!

If we can get the 65nm working and I get comfortable with all of the syscon issues and troubleshooting, then I'll move on to trying to find the right parts for 40nm.
 
Perhaps I misunderstood, but don't we need EEPROM data from the original SYSCON on COK-001/002 because it contains data about the CELL and South Bridge? Unless you are swapping CELLs as well, but then it has been mentioned that they are not pin compatible....
Or is there some info we need from it too? Those are some tiniweeny wires to fit under the SYSCON chip if you can't solder to points on the board (COK-001). Someone needs to trace the path of those pins to vias or pads on the COK-001 so we can more easily use the BUS Pirate, unless there's no reason to.
You need the per-console data from the EEPROM if you don't want to remarry it, which requires more work (Cell is married to Syscon).
All the possible ways of dumping the SC EEPROM via hardware are given on the wiki, there's sadly no better way on the earlier boards.

So I've tried studying the links, but it made little sense to me at this point. Maybe it's better to ELI5. You say the actual modified firmware needs to have a syscon patch. So how do I create such a firmware? The code which you have provided as examples, where do I use it? My board is COK-002 btw.
I create the patches by hand, I just posted the patch offsets and the patch data.
The first wiki link contains the actual patch structure, the second one the encrypted patch structure. The patch then needs to go into a PKG and then into the PUP. So it's Patch -> Encrypted Patch -> PKG -> PUP. Or just Patch -> Encrypted Patch and then write it over UART (if there's no patch from Sony already applied).
Just for verification purposes I created a script which decodes the patch: https://twitter.com/MinaRalwasser/status/1243231992679993352 (with some examples provided).

But maybe it's a, "if you don't know what to do with the information given, then you shouldn't be messing with the code in the first place," kind of thing
Yes, it's exactly that, since the actual remarry procedure which needs to be done if somebody messes up isn't pleasant at all.

I do have a suspicion of what he was referring to. Let's back track to the point in time when a slightly better explanation was given.
Based on all of the above, it appears we need to unpack a CFW or OFW pup update file, then find the syscon-firmware package inside it. Then "Clean up that patch", either rename it or hex edit it with the code that major provided?
After that, "installing special patch over UART", I'm quite lost. He has provided a python script, but not the 'new' patch? Or the new patch is actually in the example code?
That was just about how you dump the firmware.
But it's always the same: Get rid of the Sony patch (via PUP) and then write your own (via PUP or UART). That's because the Sony patch prevents you from overwriting it via UART.
And the python script is just an obsolete variant of the original python script I released.
The syscon handler is implemented as a class so it's very easy to automate things.

My 304GB just got here. I think it's a fake. The first line of text is a slightly different size than the second line.
I got a few fake ones, I just identify them by looking at the bottom.
 
Let's dumb it down even more.

Problem number one here is the wording. Using the term "patch" for slightly different things; "Sony patch", "original patch", "custom patch", etc. Patches all over the place.. It's so easy to lose track.

Stage 1. Dumping original EEPROM.

Possibility 1 : Dump over hardware.

So dumping/writing directly to the syscon is possible with a type of "dongle" tool under the name of Bus Pirate (around 30$ for that bad boy). Here is the guide for it https://www.psdevwiki.com/ps3/SC_EEPROM#Dumping_SC_EEPROM_-_hardware_way
 
Yes, that may very well explain those resistors being populated. My guess is that SONY's engineers designed the board to accommodate various ICs and the potential for adding resistors to get the Voltage right. That way if the part goes EOL during the manufacturing run they can quickly change gears without needing to redesign board. It also gives them flexibility in parts chosen for repairs during the warranty period. Maybe that IC was what they had on hand during the repair and they needed to add the resistors, like you calculated. Or perhaps there's some function of the new IC that the new RSX requires? We need to verify the RSX VDDR voltage is the same between RSX revisions otherwise we'll need to set the voltage with the appropriate resistors.

I looked up some terminology to try and make some sense of Vcc vs Vdd and VDDC vs VDDR that are seen in the schematics (COK-001 "VRM for RSX(2phases)" pg. 25). This will be helpful:
  • VDDC: GPU Voltage
  • VDDR: Supply voltage to the memory
  • Vdd: Positive supply voltage of a Field Effect Transistor (FET)
  • Vcc: Positive supply voltage of a Bipolar Junction Transistor (BJT)

I spent a lot of time looking at the RSX-VDDC side of things, because it's where the TOKINs play a major role:
From the COK-001 schematics, I did quite a bit of reverse engineering to figure out the voltage to RSX_VDDC. I simplified it into the following diagram:
KtnSTNe.jpg

This was just to help identify the filtering scheme used. Mains power passes through the primary stage filter. It's an ordinary LC filter designed to provide IC6202 clean power (DC-DC switching Voltage Regulator, IP2003ATRPBF). DC-DC switching voltage regulators introduce noise, so a second stage filter is needed to remove it. That's where the NEC/TOKINs come in. It's more complicated than the first LC filter, employing more effective strategies to maximize noise reduction. I've indicated them in the simplified schematic above, but it amounts to an RLC filter. A while back I found this article which is more technical than anyone wants to tackle, but I think it explains what's going on here:
Kevin Tompsett said:
For higher current supplies it is beneficial to replace the resistor in the pi filter with an inductor as shown [below]. This configuration gives very good ripple and switching noise rejection in addition to low power loss. The issue is that we have now introduced an additional tank circuit that can resonate. This can result in oscillations and an unstable power supply. Therefore, the first step to designing this filter is to choose how to damp the filter.
figure4.jpg


Kevin Tompsett said:
Technique 2 has the advantage of maximizing filter performance. If an all ceramic design is desired, RD can be a discrete resistor in series with a ceramic capacitor. Otherwise a physically large capacitor with a high ESR is required. This additional capacitance (CD) can add significant cost and size to the design. Damping Technique 3 looks very advantageous since the dampening capacitor CE is added to the output where it might help somewhat with transient response and output ripple. However, this is the most expensive technique since the amount of capacitance required is much larger. In addition, the relatively large amount of capacitance on the output will lower the frequency of the filter resonance, which will reduce the achievable bandwidth of the converter—therefore Technique 3 is not recommended.
Now the damp filters are tuned iteratively to arrive at a specific resonance frequency, so changing this equation doesn't bode well (EE joke) for the tantalum fix as written! We need to get both the ESR and Capacitance to match, otherwise we're "de-tuning" the filter circuit, which would result in worse noise rejection.
...but the RSX_VDDR voltages are not shared from the same source, probably because the memory requires a constant set voltage (Vs) from IC6200, whereas the GPU requests switching voltages (Vsw) from IC6202/3 (which needs to be filtered). In other words, the TOKINs are only part of the RSX power equation. The RSX memory is separately powered.

I think I remember from my overclocking days, if graphics memory doesn't have enough voltage (or stable voltage) it'll cause artifacting, freezes, & BSODs. Sounds a lot like a GLOD! Yawl may want to double check my reasoning, but maybe IC6200 pin 6 is something we should start probing more often, just to be sure the RSX memory is getting a stable 1.2v.
cap2.png
 
I looked up some terminology to try and make some sense of Vcc vs Vdd and VDDC vs VDDR that are seen in the schematics (COK-001 "VRM for RSX(2phases)" pg. 25). This will be helpful:
  • VDDC: GPU Voltage
  • VDDR: Supply voltage to the memory
  • Vdd: Positive supply voltage of a Field Effect Transistor (FET)
  • Vcc: Positive supply voltage of a Bipolar Junction Transistor (BJT)

...but the RSX_VDDR voltages are not shared from the same source, probably because the memory requires a constant set voltage (Vs) from IC6200, whereas the GPU requests switching voltages (Vsw) from IC6202/3 (which needs to be filtered). In other words, the TOKINs are only part of the RSX power equation. The RSX memory is separately powered.

I think I remember from my overclocking days, if graphics memory doesn't have enough voltage (or stable voltage) it'll cause artifacting, freezes, & BSODs. Sounds a lot like a GLOD! Yawl may want to double check my reasoning, but maybe IC6200 pin 6 is something we should start probing more often, just to be sure the RSX memory is getting a stable 1.2v.

90nm RSX is using Qimonda memory, 65nm uses Samsung and 40nm uses Hynix. After going briefly through their datasheets, there is no mention of 1.2v at all. There are mentions of VDDQ and VDD being 1.8v and 2.0v. So is RSX doing some kind of undervoltage conversion? Or is the memory adjusted to work at 1.2v then?

By the way, speaking of resets. What is the most obvious difference between 90nm and 65nm and 40nm RSX besides their size? The memory chips. Perhaps the hardware adjustments were only done to accommodate new memory? There are also a few words on resets, which I have not fully read, but I suggest you take a look (also check the full datasheets).

Qimonda (90nm):
Quimonda reset.JPG
Quimonda reset 2.JPG
Samsung (65nm):
samsung reset.JPG
Hynix (40nm):
Hynix mem.JPG

Also here are some links related to ram as well.

Qimonda https://www.psdevwiki.com/ps3/HYB18H512322AF-14 (not much info, claims datasheet is unavailable, but I found it on the web)
Samsung https://www.psdevwiki.com/ps3/K4J52324QC-SC14 (mentions 1.8v VDDQ, but 1.2v VDDR)
 

The datasheet you link isn't an exact match for the HYB18H512322AF-14. It's for the 321AF. Regardless, it's probably similar. The recommended voltage scenario says +1.9v - 2.1v, but says the absolute min is -0.5v and max is 2.5v (pg. 80-81). It's the same for the 45nm and 65nm datasheets. So it technically can be run at +1.2.

Like I said, the voltage for the RSX VDDC measures closer to 1.3v, despite the schematic saying 1.2v. So who knows what the actual voltage is on the VDDR until it's actually measured. The Hynix (45nm) datasheet notes the frequency that the typical Voltages support on page 42. We know RSX memory is clocked at 650MHz, which would correlate to 1.8v-1.9v according to that table. So there's your theoretical VDDR. Now go see if you get a real world measurement to match. They rarely do.

In any case, the data sheets don't reveal much. I think we need to measure the voltage on the consoles themselves, note the part number on the VRM, and presence/value of resistors. If the voltages all match up, then the COK-001 is fine as is (unless there is a problem with the VRM). If we need to adjust the voltage, then that may explain why the VRM and resistors were changed.
 
You're correct.

I can measure it on COK-002 ( which would probably be the same as on COK-001 since that VRM circuit is identical on both). But I don't have a ps3 slim to compare it to (since that's the one using 40nm RSX). Somebody else here owning a ps3 slim can test it though..
 
I have a MSX001 at hand, what do you need?

We need to test 1.2v at the *VDDR line which goes to memory on RSX. Unless you know which points to test, I suppose you could start with taking hi-res pictures of the board, especially areas around RSX. Both sides.
 
Isn't 40nm rsx 1.08 v or do I have a confusion? Not sure, may test if it isn't reported by then. Have one working msx without blu-ray.
Need to create a jig for test in order to confirm.
Attention! Rsx from 4000 series will not match mechanical to 3000 or 2500. Ihs will have more space between die and copper. It will work soldering and start fine but it will heat quickly. Have done test before and got trouble on rsx temperature while testing. Was a pain and I have desoldered and looked at light I could see about 0.1mm difference.
So 2500 and 3000 they match. Be careful not to fry it from 4000.
 
No it's the VDDR line we are trying to figure out. The VRM voltage to the RSX memory. On COK-001 it's pin 6 on the IC6200:
cap2.png


I also want to know the peak-peak noise. The data sheet says it's supposed to be under 25mV.
 
My mistake with the VDDC. I haven't double checked what I wrote... Yes, VDDR. But difficult to know where the IC is since we don't have service manual for Slim model. That's why I was asking for pictures.
 
Thanks @vyktormvmpay25 We will probably need a copper shim if using them.

We were just speculating on the physical difference seen in the photos of the working SONY refurb units that have the swap done. One had some resistors added to the VRM and @DeadEnd speculates they were needed to get the voltage right, after it was replaced with a different part. Makes sense. That caused us to wonder if the VRM voltages are the same between the 90nm, 65nm, and 40nm models. The datasheets tend to agree that their suggested memory voltage (VDDQ) should be about 1.8v +/- 25mVpp, but the COK-001 schematics say VDDR is 1.2v! I wonder why the discrepancy? That's why I wanted to confirm the voltages on working consoles. If they're all basically the same we won't need to change the VRM module or resistors.

Also it gives those trying to repair PS3's something else to check when troubleshooting a board, as the RSX GPU is powered separately (NEC/TOKINs) from its onboard memory (VRM). Noise or low voltage in memory power could easily cause artifacting, freezes and BSODs. In other words, GLODs may indicate a VRM problem.
 
Would a 2500 jtp be good enough as reference? This is a working board done today and already on jig. I must solder wires because the radiator will cover that side. Or wait to modify another piece to let that part open.
 
I have the same problem with mine. That's why I haven't probed it yet. I'm lazy...lol!

You could Dremel that heatsink to cut off 2-3 fins. That way you can get next to the RSX and probe both the tokins and that VRM module. Shouldn't lose much cooling for a quick test.
 