You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
What is this? This is a tool to read and write your PS4's Syscon on-board (and off-board) without the need to replace it with a blank (the now considered 'old way').
Why do I need this? Modifying the Syscon allows for downgrading (via CoreOS swap), repairing of loadBios -8 type errors and enables service mode.
Why isn't this free? This uses a proprietary and unreleased exploit on the R78 chip. It must be pre-flashed and locked on a fresh Arduino. The target market are repariers, hence the price.
Is there a cheaper way? Yes, it requires replacing Sony's Syscon with blank RL78 chips. If its cheap/free you get what you pay for!
Is this difficult to install? You have to solder 1 lifted wire to the Syscon whilst on-board and 3 others to alternative points. Once glitched you drop that pin and keep rest of the alternative points on the board.
Any discounts? If you buy in bulk, yes.
Do you need a backup of the previous version syscon? No you don't need a backup of anything to do this downgrade process, you are switching slots!
Can I go from 10.50 to 9.00? Only if 9.00 was your PREVIOUS firmware.
Can I go from 10.01 to 9.00? Only if 9.00 was your PREVIOUS firmware.
Can I go from 9.50 to 9.00? Only if 9.00 was your PREVIOUS firmware.
Can I go from 9.00 to 5.50? Only if 5.50 was your PREVIOUS firmware.
Which firmware will I go back to? Whichever was your PREVIOUS firmware.
Syscon Writer Black Edition (New Release!) Voltage Switch, UART Mode, Faster Processor, Fully Integrated Design. Warranty!
$385AUD (233Euro, $252USD) $300AUD (177Euro, $192USD, 1406RMB)
Note: All Syscon Writers Come With HWID Locked Syscon Writer & Reader Software For Free! (Available with USB License for Multi-PC Use)
Compatibilitiy
Do you have the Syscon on the right? You're outta luck. The glitch only works on Renesas RL78 chips. The guide ends here. The chip MUST have A0#-COL or A0#-COL2 where the # is a number.
Syscon Pinout
FAT Syscon
Slim/Pro Syscon
Connection Points
Dumping On-Board
If you are dumping on board, lift pin 15 (Pro) or pin 22 (Fat). To do this add flux and low melt solder to the pins and let it soak in.
Use tweezers and a thin tip and while applying heat to the pin push from behind with the tweezers until the pin is lifted.
Wire pin 5 and 6 flat against the resistors, directly to the pins or the alternative solder points. Following best practice.
You do not have to wire pin 16 as you can have the console on standby mode.
Dumping Off-Board
To remove the Syscon chip entirely, apply flux to all of the pins and flood them with low melt solder (chipquik if not using hot air).
Apply 480c at 40% pressure from a height of approximately 15cm until the solder is visibly liquidous on all sides.
Pull up the chip with an SMD vacuum pen.
Tin the pads on the PS4 with low melt solder.
Clean pins 1-16 on the Syscon of any solder bridges and solder to pre-tinned breakout board (or place into DIP socket).
When reattaching the Syscon first apply a light layer of flux on the already tinned pads.
Line up Syscon appropriately or solder each corner manually to ensure the chip does not move during reflow.
Apply 480c at 40% pressure from a height of approximately 20cm and slowly drop until you see flux bubble/move and solder shine/glimmer.
If you do not want to use hot air, use drag soldering technique or manually solder each pin individually with thin tip tinned with low melt solder.
Note: When reading/writing Syscon on-board (after patching) wire only pin 5, 6 and ground either directly to the chip or alternative points and have the console on standby.
Dumping on-board example
Best Practice
Solder the jumper wires flat against the legs.
The entire jumper wire must fill the entire pad.
The wire must be parallel to the component termination.
Reading Syscon (Currently ONLY works on A0#-COL/2 chips):
Connect from your Arduino to the Syscon Chip (See Wiring To Syscon Below)
Launch BwE_PS4_Syscon_Reader.exe, it will auto detect your COM port or prompt you for one.
It will glitch the chip (if this is your first read and you have not enabled OCD mode) and then dump!
It will then re-dump and compare in order to validate them.
If the dumps do not match change resistors (100ohm, 510ohm, 1kohm).
If it does not even dump check your connections (seriously) or change your Optocoupler.
Patching Syscon Dump:
Run BwE PS4 NOR Validator
Select Option 2 - Scan & Patch PS4 Syscon
Syscon will scan for a patchable slot, if there is one available it will say at the bottom in "Final Results".
If it says "Active Slot Patchable" select Option 1 "Auto Patch"
If it says "Unable to Auto-Patch" it will prompt you to Manually Patch - If so you must select an earlier 080B (Use Verbose Mode) to overwrite the last 080B.
If it says "Syscon NOT Patchable" then call it quits, game over. Your PS4 has either had its initialisation overwritten or some other historical event is blocking the patch.
Any other errors you can likely fix by rebuilding the Syscon
Apply the patch!
It will show you what you are overwriting (and potentially the data you are overwriting it with).
File will be saved as "???_080B_patched.bin" - Keep this and the original, label it appropriately and store it!
Programming SCE Syscon:
Connect from your Arduino to the Syscon Chip (lift pin 15 and 16 (Pro) or pin 22 and 23 (Fat)if writing on board).
Launch BwE_PS4_Syscon_Writer.exe it will auto detect your COM port or prompt you for one.
Select OCD mode for your first write only (option 3), this will disable the need to lift pins ever again!
Write the patched dump (or original if you only want to enable OCD mode)
If you selected confirm it will check the dump was written correctly - If there was an error, restart the Arduino and run full and OCD mode (regardless if you have done it before or not).
Do NOT boot the console with patched syscon until you have ALSO patched the NOR. Doing so is only useful for seeing what the previous version is - only do this with NOR backup also.
Notes:
You now only need to connect Pins 5, 6 and GND to the Syscon directly or to the alternative points for all future reads and writes!
You can only write with the supplied Arduino, TTL will not function nor will Renesas Software. All future writes do not require full or OCD commands (this will make it only write to 0x60000+), but I highly suggest adding confirm to validate the write.
Reading & Writing NOR:
Dump the NOR using SPIWay (illustrated below) or through a CH341A or something faster like the XGECU (illustrated below).
You can either solder directly to the pins, their resistors/pads and dump/flash on-board (@ ~3.0v Only) or remove the chip entirely, I highly recommend just removing the chip entirely.
You can also follow this guide on the Repair Wiki in which I illustrate the process behind enabling UART (I recommend you do this).
XGECU CH341A (Modified for 2.8v) Teensy (SPIWay)
8-Pin
16-pin
Usage
Teensy++ 2.0 SPIway
Description
-
1
SIO3
B5
8pin: Not Available - not used / 16pin: Serial Data Input & Output (for 4xI/O read mode)
8
2
VCC
+5V pad
+3V DC Power Supply
7
3
HOLD#/RESET#
B6
8pin: Hold, to pause the device without deselecting the device / 16pin: Hardware Reset Pin Active low
-
4
NC
NC
No Connection
-
5
NC
NC
No Connection
-
6
NC
NC
No Connection
1
7
CS#
B0
Chip Select
2
8
SO/SIO1
B3
Serial Data Output (for 1 x I/O) or Serial Data Input & Output (for 2x I/O or 4x I/O read mode)
3
9
WP#/SIO2
B4
Write Protection: connect to GND or Serial Data Input & Output (for 4x I/O read mode)
4
10
GND
GND
Ground
-
11
NC
NC
No Connection
-
12
NC
NC
No Connection
-
13
NC
NC
No Connection
-
14
NC
NC
No Connection
5
15
SI/SIO0
B2
Serial Data Input (for 1 x I/O) or Serial Data Input & Output (for 2x I/O or 4x I/O read mode)
6
16
SCLK
B1
Clock Input
8 Pin WSON8 - Pro & Slim
16 Pin SOP16 - Fat
Hardwiring Example
Non-Invasive Method
2.8v CH341A Mod
2.8v CH341A Mod
Patching NOR Dump:
Run BwE PS4 NOR Validator
Select Option 1 "Validate or Patch PS4 NOR"
Select your NOR file
Select Option 10 or 11 "Validate" and patch for UART when prompted
If your NOR is valid go back and select Option 5 "Patch CoreOS & Southbridge (LoadBios Repair & Downgrading)"
NOR will be saved as "?_coreos-uart-patched_*.bin" 14 times!
Apply each patch in sequence (without patching Syscon) and read the UART logs (See Final Step).
When the correct patch has been found, then you can patch the syscon! Downgrade will be complete (See Final Step).
Final Step - LoadBios Repair / Downgrade:
There are three methods, pick whichever suits you! The third is the quickest, but not as tested as the others
Official Method:
Patch the UART patched NOR with the CoreOS patch
Boot console and read UART log
If UART log says "checkUpdVersion 0xffffffff != 0x(Lower Firmware)" and has a lower Secure Loader firmware...
You can then write the Syscon patch to the console
If not, try another patch and repeat the process (you must try ALL patches)
On success the console will boot to safe mode and prompt to install lower firmware (recovery).
Lazy Method (No UART Needed)
Patch the NOR with CoreOS patch
Write the Syscon patch to the console
If the console does not boot...
Repeat first two steps, pick a new Patch for NOR (you must try ALL patches) and re-use the same patch for Syscon.
On success the console will boot to safe mode and prompt to install lower firmware (recovery).
New Method (Legitimate CoreOS Patch)
Dump NOR & Syscon (keep, do not delete)
Update Console to SAME firmware (if 9.03, install 9.03 again etc) via safemode
Dump NOR again after update but rename and add '_updated_coreos' to the end of the file name (Example: nor1.bin is now nor1_updated_coreos.bin)
Run NOR Validator and select the first dump you made. In the CoreOS patcher (Option 5) you can now select Generate Legitimate Patch (Option 3)
Program will output your dump with the name '_patched_coreos' (Example: nor1.bin is now now1_patched_coreos.bin)
Upload the newly patched dump back to the PS4 along with a patched copy of the original Syscon
Troubleshooting:
If you still have loadBios -8 and the Bootloader version has changed you have an issue with your RAM, replace and or repair it.
If you have errors about wrong version at the bottom of the UART log, you need to patch your Southbridge.
How can you see the previous firmware? Upload only the patched Syscon and read UART. Standby Version = Previous Firmware
Why so many CoreOS patches? Because CoreOS is encrypted, we cannot make a real patch, we are corrupting it in a way that allows it to think the value is real. Different consoles behave differently so there is now 14 patches. Luckily there is a new method (see above) which is signifigantly quicker, it uses the legitimate header value from an update (even if its the same firmware) and it patches that on your old dump.
The standby version and or the release version has changed, but the console still just says checkUpdVersion 0xfffff etc. This is because the Syscon patch has failed, you need to use the Syscon Rebuilder to rebuild the syscon and patch it with the -2 patch (Option 4), this will remove the error.
After Syscon Patch secure loader build: Sep 1 2021 05:19:44 (r10468:release_branches/release_09.000) [711MHz]
standby 09600000 9.00 Secure Loader and 9.60 Standby. Slots successfully switched! Booting into 9.00!
Getting Support
If you want support from BwE, you must provide a UART log for each NOR patch (without flashing Syscon) then another with only the patched Syscon.
That means a total of 15 logs, they must be labelled to represent each patch number and in .txt format. Zip it and email it/message it to me.
If you do not do this, I will not provide support
Credits/Greetz:
DarkNESMonk
Wildcard
fail0verflow
JEFF
PDJ
Hoea
Donators & Suppliers of Dumps/Syscons