PS3 SYSCON Firmware key is now public (release by zecoxao) - What does it mean?

Developer @zecoxao has recently released something that the dev has been working on obtaining for 10 years now and that obstacle that has now been cleared is the SYSCON Firmware Key and zecoxao has now released it to the public. First off we must erase some misconceptions as this is not going to directly lead us to a CFW on nonCFW PS3's anytime soon. As the dev stated on twitter "needless and pointless to say that the confusion being created around these keys that they will be useful for cfw on ps3 3k and superslim is a very farfetched idea. unless we have access to the TSOP 78K0R models, we will not be able to obtain anything else" and then when @kozarovv provided a follow-up question about 3k models here the developer responded with "don't expect miracles, is all i'm saying ". Now the question (which was asked by @DeViL303) "So what can we do with this as of now, what is possible with just this key alone and current knowledge? Then @zecoxao provides an explanation seen in this post (and also seen below). So this is a great feat that has been made, but its still being investigated and something that will need to be explored in the weeks to come to fully understand what we can be uncovered,. .

​

Release

• 
  
  i got the syscon firmware key, a dream i've been pursuing for the past 10 years. now that i have it i feel like i've acomplished my goal. the rest will follow naturally.
  - https://twitter.com/notzecoxao/status/1168954036541935616​
  
  What can developer's do with this key?
  

  So what can we do with this as of now, what is possible with just this key alone and current knowledge? Custom fan speed profiles? Multiple boot sequences depending on flags or something, or does everything need more work?

  
  via @zecoxao : With this key the following has happened:
  
  14 syscon firmwares for the BGA models (CXR) were decrypted.
  from them, keys for PATCHES and FULL FW signing and encryption, as well as decryption and validation were found. we can now sign our own patches and fws for the following models:
  
  
  • TMU-510
  • COK-001
  • COK-002
  • SEM-001
  • DIA-001
  • DIA-002 or DEB-001 (same soft id)
  
  Additionally we found the initialization key for eid1 as well as the process of initializing it from factory
  We also found 7 extra keys (we still don't know what they do)
  Finally, we found out there is a secret keyslot function that generates keys for
  
  • SNVS
  • AUTH1/AUTH2
  • Regions of EEPROM
  • PATCH keys xoring (to generate the final keys)
  • Relationship with the other 7 Keys
  
  What still has to be done:
  
  • Hack the 78K0R chips (the TSOP ones found in later models)
  • Dump the firmware of those chips
  • Get the DYN-001 patch keys
  • Find an exploit on arm firmware that works in 78k0r firmware
  
  Edit: and yes, you can do all that fun kinky shit of fan boosting at max speeds, led disco panic attack, and star wars theme ON A DECR-1000! THIS is a devkit, so THIS is the ONLY device that supports FULL FUCKING FIRMWARES! DO NOT CONFUSE IT with a DECR-1400, that is a HALF devkit!
  
  

Release Source: twitter.com/notzecoxao
Discussion: psx-place.com

Thanks to @NathanHale for the news alert ​

 

I didn't knew that you replaced the .pkg, the new version works fine .

great, thanks for confirming that everything works as expected now!

 

The problems seem to be related, if you remove the suffix you can't indicate to which console the board or Platform ID belongs. It would make sense to include all the versions, so each superslim model would have at least 4 entries.

Yep, deleting the suffix of the PS3 model was too cheap, i changed my mind about that
I decided to update the Platform ID page instead of Product Sub Code, are similar but the actual Product Sub Code table is derivated from the other Platform ID table, so we need to complete (a bit more) the list of platform IDs first... and eventually we will be able to complete the other table entirelly, maybe with some question marks if needed but having a better understanding of wtf sony did with the superslims

Btw, the main goal of my last edits in the Platform ID page was to move the list from the talk page to front page. It started as something speculative years ago, but when you completed it (with info taken from syscon firmwares) it become 100% confirmed so it was needed to move it to front because we was not going to delete it ever (it was good info) and keeping good info in a talk page indefinitivelly was a bad practise
You should review it btw, specially the "type" column intended to indicate if are "hardcoded", i guess eventually we could so something different in it

I recorded one example of a CECH-4308C with product subcode 0x13. Unknown motherboard.

Edit: https://www.psx-place.com/threads/r...im-nor-emmc-consoles.16133/page-7#post-103347

https://mega.nz/file/FF0RUAiI#3PBptvwq6rXWHQtwuiXVSeQS-pBUhXMlpx8Nqy9KSWw

Is fine, it still matches with the "latest theory" we have
There is a bit of speculation involved here, by me and m4j0r and i guess maybe some from you too when you did the initial versions of the list (at some point you need to review incase you still have the dumps)

What happened with superslims is sony was producing 2 motherboards simulateously, and every motherboard was produced in 2 "flavours" (with NOR or with eMMC)
The Platform ID of superslims depends of the motherboard name... but also the flash type... so there are 4 "platform ID" posibles for CECH-43xx series
Take a look at Product Sub Code page while looking at this image, in CECH-42xx and CECH-40xx is pretty much the same method

I only did it with the CECH-43xx series as an example to show it to you, but im not publishing it because is too much speculative
The best we can do to try to make sense of it is by completing the Platform ID missing from superslims
We just need a few more reports of the missing ones to see if the speculations that appears in the "notes" columns gets confirmed

I have fixed it some time ago, I didn't release a new version, I just replaced the .pkg with a working one. I tested the .pkg on Rebug 4.84 (CEX), and the Toolset GUI launches as expected. I didn't compile or rebuild any of the tool.self because those were working fine.

Have you tried the new .pkg? just re-download it and delete the old one, it should work.

Nice, it was added at top of the Platform ID page, i also added a banner with a kitty to convince superslim owners to help us in completing this reserarch, that kitty is unbeatable, it should work

 

The table is straight from lv1 and the information about the arcade keys from lv1ldr. I have no idea why they introduced these models (4.31 dates to October 2012).

In that sentence we was talking about the Product Sub Code, i have an important doubt about it, the Chassis ID/Type bigger than 0x0C (K) for superslims was confirmed too from lv1, lv1ldr, or are speculative ?
By looking at the page histories it seems was added by you in this edit, but are not added in the Chassis ID page

If are confirmed then needs to be added to the "Chassis ID" page
If are speculative then we need to add some question marks in them in the "product sub code" table
Is making me wonder if are correctly ordered

And why the product subcode 0x8F and 0x90 are located in that exact position ? (in between 0x12 and 0x13), that position is confirmed ?

Are small details, but that order is important for the brainstormings trying to identify them
Also, compare with the platform IDs of superslims... in theory 0x12 are the motherboards starting with letter "N" and 0x13 starts with "P"
So... if 0x8F and 0x90 are located in between 0x12 and 0x13... it means the motherboard name starts with a "O" ?

 

In that sentence we was talking about the Product Sub Code, i have an important doubt about it, the Chassis ID/Type bigger than 0x0C (K) for superslims was confirmed too from lv1, lv1ldr, or are speculative ?
By looking at the page histories it seems was added by you in this edit, but are not added in the Chassis ID page

If are confirmed then needs to be added to the "Chassis ID" page
If are speculative then we need to add some question marks in them in the "product sub code" table
Is making me wonder if are correctly ordered

And why the product subcode 0x8F and 0x90 are located in that exact position ? (in between 0x12 and 0x13), that position is confirmed ?

Are small details, but that order is important for the brainstormings trying to identify them
Also, compare with the platform IDs of superslims... in theory 0x12 are the motherboards starting with letter "N" and 0x13 starts with "P"
So... if 0x8F and 0x90 are located in between 0x12 and 0x13... it means the motherboard name starts with a "O" ?

I'm talking about the minimum allowed firmware version table in lv1. It maps the chassis id to the firmware value. Directly above that there's a table which maps the product sub code to the chassis id (the numerical value). I used 4.84 as a reference and just combined them. I also analyzed other firmwares, that's where the extra information (e.g. 1.95 vs 1.97) comes from.
The list contains all the valid product sub codes and chassis ids. SSL cross checked that.
I didn't add them to the Chassis ID page because the actual string value isn't confirmed yet for all variants. Lv1 doesn't contain that information.

 

I'm talking about the minimum allowed firmware version table in lv1. It maps the chassis id to the firmware value. Directly above that there's a table which maps the product sub code to the chassis id (the numerical value). I used 4.84 as a reference and just combined them.

Im assuming all the values for "product sub code", "chassis type" and "minimun firmware" are right, what is making me doubt is how are ordered in the tables

Im trying to figure how to fill the "Product sub code" table with the correct values, this is something we cant do yet, and we are not sure yet but most probably follows the same order than the rows of the "platform ID" table (that needs also to be reordered, but we cant do it yet either)
Lets say... im going some steps further in my private brainstormings trying to figure what we are going to find later
And while thinking about that i see there 2 or 3 weird things

One of them is... as you was mentioning some days ago, there are 8 "product sub code" for superslim retail motherboards but there are only 7 superslims motherboards known, the unknown one (im going to name it UNK-001) belongs to the group of motherboards starting with letter "N" and have platform ID CokN20 and CokN40
The question is... which one from the "product sub code" table is it ?
If we follow the actual order of the "platform ID" table it looks like is going to be one with minimal firmware 4.20... but at this point i dont want to make any bet... im completly lost about this
One way or the other... the actual "product sub code" table is assigning the 8 product subcodes to 8 retail PS3 models, i guess thats not right (because one of them is the UNK-001 motherboard)... so we need to delete one of the "PS3 model" names and replace it by a question mark

The other things that looks a bit weird in relationship with the order is the "product sub code" 0x8F and 0x90 (minimal firmware 4.31) are located after minimal firmware 4.40
If we move the table rows for "product sub code" 0x8F and 0x90 two positions up (to locate minimal firmware 4.31 before 4.40... and having all minimal firmware versions ordered incrementally) the result is we would be "breaking" the incremental order of the chassis ID
This is why i was asking if the way how are assigned the chassis ID with the other columns was definitive
The point is... the order of the rows of the "product sub code" table cant be changed because all the values are ordered incrementally (except the minimal firmware ver)

-----
And just another btw, now that im looking at it (a bit related with my previous post)
For the superlims we have 4 groups of motherboard names: "M" "N" "P" "R"
The UNK-001 belongs to the group "N"

Note they was not following alphabetical order strictly because there are not retail superslim motherboards starting with letter "O" or "Q", either they ignored them... or the name of the misterious motherboards with "product sub code" 0x8F and 0x90 starts with "O" or "Q"
If this is true maybe it matches with the order of the platform ID table, this way:
"M" "N" "O" "P" "R"
Or this way:
"M" "N" "P" "Q" "R"

 

One of them is... as you was mentioning some days ago, there are 8 "product sub code" for superslim retail motherboards but there are only 7 superslims motherboards known, the unknown one (im going to name it UNK-001) belongs to the group of motherboards starting with letter "N" and have platform ID CokN20 and CokN40
The question is... which one from the "product sub code" table is it ?
If we follow the actual order of the "platform ID" table it looks like is going to be one with minimal firmware 4.20... but at this point i dont want to make any bet... im completly lost about this

Yes, we need to have more data before we can really do anything.

One way or the other... the actual "product sub code" table is assigning the 8 product subcodes to 8 retail PS3 models, i guess thats not right (because one of them is the UNK-001 motherboard)... so we need to delete one of the "PS3 model" names and replace it by a question mark

But we don't know which one it is.

The other things that looks a bit weird in relationship with the order is the "product sub code" 0x8F and 0x90 (minimal firmware 4.31) are located after minimal firmware 4.40
If we move the table rows for "product sub code" 0x8F and 0x90 two positions up (to locate minimal firmware 4.31 before 4.40... and having all minimal firmware versions ordered incrementally) the result is we would be "breaking" the incremental order of the chassis ID
This is why i was asking if the way how are assigned the chassis ID with the other columns was definitive

More interestingly firmware 4.31 doesn't even support 0x8F and 0x90, they added that entry later which means it's a special 4.31 build (like firmware 2.20 with Sherwood support). For example firmware 100.004 is based on 241.000.

Note they was not following alphabetical order strictly because there are not retail superslim motherboards starting with letter "O" or "Q", either they ignored them... or the name of the misterious motherboards with "product sub code" 0x8F and 0x90 starts with "O" or "Q"
If this is true maybe it matches with the order of the platform ID table, this way:
"M" "N" "O" "P" "R"
Or this way:
"M" "N" "P" "Q" "R"

Yes, we don't know that but the motherboard serials might help.

 

Hola, tengo una super slim, ya hice el procedimiento con el nuevo pkg, pero no se como subirlo, lo siento no se como escribirlo en inglés.

 

new firmware coming up
cc @sandungas @mysis @bguerville @M4j0r @STLcardsWS

 

Renesas recommended
View attachment 35595

Moderation Team edit:
We re-uploaded & re-attached the pdf which for some reason was not usable in Tapatalk.
It should now download fine both in browsers & Tapatalk..

 

new firmware coming up
cc @sandungas @mysis @bguerville @M4j0r @STLcardsWS

Thx, if at some point you get your hands into a FLASH dump from another SW2-303 configured for JTP-001 motherboard please remember to share it
Im mentioning it because the JTP-001 and JSD-001 are one of the few cases of 2 Slim motherboards that are almost identical (as far i remember the only notable difference is the integrated BD controller chip, renesas VS sony)

Just to be clear, in the way im labeling the dumps, the file you just uploaded is:
CokJ20, JSD-001, SW2-303 (FLASH).bin
The only other dump i have most closer to it chronologically (and from the SW2 series) is:
CokG11, DYN-001, SW2-301 (FLASH).bin

But there are huge differences when comparing them in a hexeditor, the handy thing would be to compare:
CokJ13, JTP-001, SW2-303 (FLASH).bin
CokJ20, JSD-001, SW2-303 (FLASH).bin

Because i guess the syscon FLASH dumps of JTP-001 and JSD-001 are going to be 99.9% identical (the base firmware should, and most of the other settings probably too), the small differences in between them could help to identify new details

 

Would it be possible to implement fan test mode on the NAND consoles with this?

 

@sandungas mr. dungas, how do i know if i have a JTP-001

 

@sandungas mr. dungas, how do i know if i have a JTP-001

https://www.psdevwiki.com/ps3/Platform_ID#Example_from_syscon_config

 

@sandungas mr. dungas, how do i know if i have a JTP-001

@sysconxao is located at offset 0xA0000 in the FLASH dump (or at offset 0x0 in the virtual EEPROM)
The first byte is the "Platform ID" in hex format, and the next 8 bytes are the "Platform ID" as a string

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

000A0000  80 43 6F 6B 4A 32 30 00 00                       €CokJ20..

In some cases the hex value is shared by several motherboards, like in this example 0x80 is used by JSD-001 and JTP-001, but the text string is an unique identifyer
JTP-001 = CokJ13
JSD-001 = CokJ20

 

can anyone send the pinouts for fat and slim boards?

 

one more coming up...
@sandungas @M4j0r @bguerville @mysis @STLcardsWS @littlebalup

 

Great stuff ze..
Keep them coming. ;-)

 

acording to @M4j0r this firmware was also used in prototype 2500 boards

 

One more, SW3-304 Full dump.
@sandungas @bguerville @STLcardsWS @littlebalup @vyktormvmpay25 @mysis

 

Only missing SW3-301 and SW3-302.