Syscon Guide - SCE Syscon Method

Last Updated 7th January 2024

  • What is this? This is a tool to read and write your PS4's Syscon on-board (and off-board) without the need to replace it with a blank (the now considered 'old way').
  • Why do I need this? Modifying the Syscon allows for downgrading (via CoreOS swap), repairing of loadBios -8 type errors and enables service mode.
  • Why isn't this free? This uses a proprietary and unreleased exploit on the R78 chip. It must be pre-flashed and locked on a fresh Arduino. The target market are repariers, hence the price.
  • Is there a cheaper way? Yes, it requires replacing Sony's Syscon with blank RL78 chips. You can dump for free using an Arduino and write your modified Syscon to a blank. This is the safest free method!
  • Do you have a cheaper syscon patcher? Yes, you can use the BwE PS4 and PS5 Web Tool it has everything you need to validate and downgrade your PS4.
  • Is this difficult to install? You have to solder 1 lifted wire to the Syscon whilst on-board and 3 others to alternative points. Once glitched you drop that pin and keep rest of the alternative points on the board.
  • Any discounts? If you buy in bulk, yes.
  • Do you need a backup of the previous version syscon? No you don't need a backup of anything to do this downgrade process, you are switching slots!
  • What if I have a backup of my previous syscon and nor? You can revert to it, just write it to your console.
  • Can I go from 11.00 to 9.00? Only if 9.00 was your PREVIOUS firmware.
  • Can I go from 10.01 to 9.00? Only if 9.00 was your PREVIOUS firmware.
  • Can I go from 9.50 to 4.50? Only if 4.50 was your PREVIOUS firmware.
  • Can I go from 9.00 to 5.50? Only if 5.50 was your PREVIOUS firmware.
  • Which firmware will I go back to? Whichever was your PREVIOUS firmware.

    • Video Guides

    Video thumbnail
    English
     Video thumbnail
    Portuguese
     Video thumbnail
    Hindi/Urdo

    Shopping List

  • BwE PS4 Syscon Writer
  • BwE PS4 NOR Validator
  • BwE PS4 FW Revert Tool
  • BwE PS4 and PS5 Web Tools (Budget Single Use Option!)

    • Optional:
  • Multi LQFP (64-100) to DIP Board ($4AUD)
  • LQFP64 to DIP Board ($4AUD)
  • LQFP64 Socket Adapter ($45AUD)
  • LQFP100 Socket Adapter ($45AUD

    • Soldering, Whats That?:
  • T12-942 QUICKO Soldering Station (SET 5) ($58AUD)
  • DC24v 6A Adapter for Soldering Station ($28AUD)
  • Fake Amtech Flux ($7AUD)
  • Lead Solder Low-ish Melt ($3AUD)
  • Solder Wick ($1AUD)
  • Love Heart Tweezers ($7AUD)
  • 32-34AWG Cable 10m ($4.50AUD)

    • Purchase Links:


    Syscon Writer Year of the Dragon Edition (In Stock Now!)
    Updated Firmware, Voltage Switch, UART Mode, Faster Processor, Fully Integrated Design. Warranty!
    Comes with FW Revert Tool & Syscon Reader/Writer Software For Free!
    $300AUD (€177, $192USD, 1406RMB)
    $200AUD (€121, $131USD, 946RMB)

    Purchase Link





    Note: All Syscon Writers Come With HWID Locked Syscon Writer & Reader Software For Free!
    (Available with USB License for Multi-PC Use)

    New Validation/Patching Option

    You can now validate and patch your PS4 NOR and Syscon for only $20AUD ($13USD) for all those on a budget or not working on a dozen PS4s at a time! Enjoy!

    Visit https://validate.betterwayelectronics.com.au/

    Compatibilitiy


    Do you have the Syscon on the right? You're outta luck. The glitch only works on Renesas RL78 chips. The guide ends here.
    The chip MUST have A0#-COL or A0#-COL2 where the # is a number.

    Syscon Pinout


    FAT Syscon

    Slim/Pro Syscon


    Connection Points

    Dumping On-Board
  • If you are dumping on board, lift pin 15 (Pro) or pin 22 (Fat). To do this add flux and low melt solder to the pins and let it soak in.
  • Use tweezers and a thin tip and while applying heat to the pin push from behind with the tweezers until the pin is lifted.
  • Wire pin 5 and 6 flat against the resistors, directly to the pins or the alternative solder points. Following best practice.
  • You do not have to wire pin 16 as you can have the console on standby mode.

    Dumping Off-Board
  • To remove the Syscon chip entirely, apply flux to all of the pins and flood them with low melt solder (chipquik if not using hot air).
  • Apply 480c at 40% pressure from a height of approximately 15cm until the solder is visibly liquidous on all sides.
  • Pull up the chip with an SMD vacuum pen.
  • Tin the pads on the PS4 with low melt solder.
  • Clean pins 1-16 on the Syscon of any solder bridges and solder to pre-tinned breakout board (or place into DIP socket).

  • When reattaching the Syscon first apply a light layer of flux on the already tinned pads.
  • Line up Syscon appropriately or solder each corner manually to ensure the chip does not move during reflow.
  • Apply 480c at 40% pressure from a height of approximately 20cm and slowly drop until you see flux bubble/move and solder shine/glimmer.
  • If you do not want to use hot air, use drag soldering technique or manually solder each pin individually with thin tip tinned with low melt solder.

    Note: When reading/writing Syscon on-board (after patching) wire only pin 5, 6 and ground either directly to the chip or alternative points and have the console on standby.

    • Dumping on-board example

    Best Practice


    Solder the jumper wires flat against the legs.

    The entire jumper wire must fill the entire pad.

    The wire must be parallel to the component termination.

    Reading Syscon (Currently ONLY works on A0#-COL/2 chips):

    1. Connect from your Arduino to the Syscon Chip (See Wiring To Syscon Below)
    2. Launch BwE_PS4_Syscon_Reader.exe, it will auto detect your COM port or prompt you for one.
    3. It will glitch the chip (if this is your first read and you have not enabled OCD mode) and then dump!
    4. It will then re-dump and compare in order to validate them.

      5. If the dumps do not match change resistors (100ohm, 510ohm, 1kohm).
      If it does not even dump check your connections (seriously) or change your Optocoupler.
      If there are any other issues try changing the voltage down from 5v to 3.3v or just remove the chip from the PS4 entirely.

    Patching Syscon Dump:

    1. Run BwE PS4 NOR Validator
    2. Select Option 2 - Scan & Patch PS4 Syscon
    3. Syscon will scan for a patchable slot, if there is one available it will say at the bottom in "Final Results".
    4. If it says "Active Slot Patchable" select Option 1 "Auto Patch"
    5. If it says "Unable to Auto-Patch" it will prompt you to Manually Patch - If so you must select an earlier 080B (Use Verbose Mode) to overwrite the last 080B.
    6. If it says "Syscon NOT Patchable" then call it quits, game over. Your PS4 has either had its initialisation overwritten or some other historical event is blocking the patch.
    7. Any other errors you can likely fix by rebuilding the Syscon
    8. Apply the patch!
    9. It will show you what you are overwriting (and potentially the data you are overwriting it with).
    10. File will be saved as "???_080B_patched.bin" - Keep this and the original, label it appropriately and store it!

    Programming SCE Syscon:

    1. Connect from your Arduino to the Syscon Chip (lift pin 15 and 16 (Pro) or pin 22 and 23 (Fat)if writing on board).
    2. Launch BwE_PS4_Syscon_Writer.exe it will auto detect your COM port or prompt you for one.
    3. Select OCD mode (option 3) for your first write only, this will disable the need to lift pins ever again!
    4. Write the patched dump (or original if you only want to enable OCD mode)
    5. If you selected confirm it will check the dump was written correctly - If there was an error, restart the Arduino and run full and OCD mode (regardless if you have done it before or not).
    6. Do NOT boot the console with patched syscon until you have ALSO patched the NOR.
    Notes:
    You now only need to connect Pins 5, 6 and GND to the Syscon directly or to the alternative points for all future reads and writes!
    You can only write with the supplied Arduino, TTL will not function nor will Renesas Software.
    All future writes do not require full or OCD commands (this will make it only write to 0x60000+), but I highly suggest adding confirm to validate the write.

    Reading & Writing NOR:

  • Dump the NOR using SPIWay (illustrated below) or through a CH341A or something faster like the XGECU (illustrated below).
  • You can either solder directly to the pins, their resistors/pads and dump/flash on-board (@ ~3.0v Only) or remove the chip entirely, I highly recommend just removing the chip entirely.
  • You can also follow this guide on my website in which I illustrate further the process behind dumping the NOR and enabling UART (I recommend you do this).


    XGECU

    CH341A (Modified for 2.8v)

    Teensy (SPIWay)


    8-Pin 16-pin Usage Teensy++ 2.0
    SPIway    		 Description
    - 1 SIO3 B5 8pin: Not Available - not used / 16pin: Serial Data Input & Output (for 4xI/O read mode)
    8 2 VCC +5V pad +3V DC Power Supply
    7 3 HOLD#/RESET# B6 8pin: Hold, to pause the device without deselecting the device / 16pin: Hardware Reset Pin Active low
    - 4 NC NC No Connection
    - 5 NC NC No Connection
    - 6 NC NC No Connection
    1 7 CS# B0 Chip Select
    2 8 SO/SIO1 B3 Serial Data Output (for 1 x I/O) or Serial Data Input & Output (for 2x I/O or 4x I/O read mode)
    3 9 WP#/SIO2 B4 Write Protection: connect to GND or Serial Data Input & Output (for 4x I/O read mode)
    4 10 GND GND Ground
    - 11 NC NC No Connection
    - 12 NC NC No Connection
    - 13 NC NC No Connection
    - 14 NC NC No Connection
    5 15 SI/SIO0 B2 Serial Data Input (for 1 x I/O) or Serial Data Input & Output (for 2x I/O or 4x I/O read mode)
    6 16 SCLK B1 Clock Input


    8 Pin WSON8 - Pro & Slim

    16 Pin SOP16 - Fat


    Hardwiring Example

    Non-Invasive Method

    2.8v CH341A Mod

    2.8v CH341A Mod

    Patching NOR Dump:

    1. Run BwE PS4 NOR Validator
    2. Select Option 1 "Validate or Patch PS4 NOR"
    3. Select your NOR file
    4. Select Option 10 or 11 "Validate" and patch for UART when prompted
    5. If your NOR is valid go back and select Option 5 "Patch CoreOS & Southbridge (LoadBios Repair & Downgrading)"
    6. Read the warnings!
    7. Select Option 1 "Auto Generate CoreOS Header & UART Patches"
    8. NOR will be saved as "?_coreos-uart-patched_*.bin" 14 times!
    9. Apply each patch in sequence (without patching Syscon) and read the UART logs (See Final Step).
    10. When the correct patch has been found, then you can patch the syscon! Downgrade will be complete (See Final Step).

    Preliminary Step - UART


    To find out if you can even get to a lower firmware you should do the following!

  • Patch the Syscon
  • Patch NOR for UART Only!
  • Write both patches together and boot
  • View UART log
  • The standby version = the firmware you can revert to! (See below "How Does It Look From UART" section!)
  • Continue with Official Method (if that firmware is what you want!)

    Final Step - LoadBios Repair / Downgrade (FW Revert):

    There are three methods, pick whichever suits you! The third is the quickest, but not as tested as the others

    Official Method:
  • Patch the UART patched NOR with the CoreOS patch
  • Boot console and read UART log
  • If UART log says "checkUpdVersion 0xffffffff != 0x(Lower Firmware)" and has a lower Secure Loader firmware...
  • You can then write the Syscon patch to the console
  • If not, try another patch and repeat the process (you must try ALL patches - Save each log file)
  • On success the console will boot to safe mode and prompt to install lower firmware (recovery).

    Lazy Method (No UART Needed)
  • Patch the NOR with CoreOS patch
  • Write the Syscon patch to the console
  • If the console does not boot...
  • Repeat first two steps, pick a new Patch for NOR (you must try ALL patches) and re-use the same patch for Syscon.
  • On success the console will boot to safe mode and prompt to install lower firmware (recovery).

    New Method (Legitimate CoreOS Patch)
  • Dump NOR & Syscon (keep, do not delete)
  • Update Console to SAME firmware (if 9.03, install 9.03 again etc) via safemode
  • Dump NOR again after update but rename and add '_updated_coreos' to the end of the file name (Example: nor1.bin is now nor1_updated_coreos.bin)
  • Run NOR Validator and select the first dump you made. In the CoreOS patcher (Option 5) you can now select Generate Legitimate Patch (Option 3)
  • Program will output your dump with the name '_patched_coreos' (Example: nor1.bin is now now1_patched_coreos.bin)
  • Upload the newly patched dump back to the PS4 along with a patched copy of the original Syscon

    Troubleshooting:
  • If you still have loadBios -8 and the Bootloader version has changed you have an issue with your RAM, replace and or repair it.
  • If you have errors about wrong version at the bottom of the UART log, you need to patch your Southbridge.
  • How can you see the previous firmware? Upload only the patched Syscon and read UART. Standby Version = Previous Firmware
  • Why so many CoreOS patches? Because CoreOS is encrypted, we cannot make a real patch, we are corrupting it in a way that allows it to think the value is real. Different consoles behave differently so there is now 14 patches. Luckily there is a new method (see above) which is signifigantly quicker, it uses the legitimate header value from an update (even if its the same firmware) and it patches that on your old dump.
  • The standby version and or the release version has changed, but the console still just says checkUpdVersion 0xfffff etc. This is because the Syscon patch has failed, you need to use the Syscon Rebuilder to rebuild the syscon and patch it with the -2 patch (Option 4), this will remove the error.


    How Does It Look From UART? 9.60 -> 9.00

  • Patch 1
    secure loader build: May 10 2022 05:23:21 (r10568:release_branches/release_09.600) [711MHz]

    Boots Normally (Fail)
  • Patch 2
    secure loader build: May 10 2022 05:23:21 (r10568:release_branches/release_09.600) [711MHz]

    Boots Normally (Fail)
  • Patch 3
    secure loader build: May 10 2022 05:23:21 (r10568:release_branches/release_09.600) [711MHz]

    Boots Normally (Fail)
  • Patch 4
    secure loader build: May 10 2022 05:23:21 (r10568:release_branches/release_09.600) [711MHz]
    ERROR: main(4122) loadBios -8

    BLOD (Fail)
  • Patch 5
    secure loader build: May 10 2022 05:23:21 (r10568:release_branches/release_09.600) [711MHz]

    Boots Normally (Fail)
  • Patch 6
    secure loader build: May 10 2022 05:23:21 (r10568:release_branches/release_09.600) [711MHz]

    Boots Normally (Fail)
  • Patch 7
    secure loader build: May 10 2022 05:23:21 (r10568:release_branches/release_09.600) [711MHz]
    ERROR: main(3738) checkUpdVersion 0xffffffff != 0x9600000

    Slot Switched To Current Slot (Fail)
  • Patch 8
    secure loader build: Sep 1 2021 05:19:44 (r10468:release_branches/release_09.000) [711MHz]
    ERROR: main(3738) checkUpdVersion 0xffffffff != 0x9008000

    Secure Loader & CheckUpdVersion Lower = Success!! Patch Syscon Now!
  • After Syscon Patch
    secure loader build: Sep 1 2021 05:19:44 (r10468:release_branches/release_09.000) [711MHz]
    standby 09600000

    9.00 Secure Loader and 9.60 Standby. Slots successfully switched! Booting into 9.00!

    Getting Support (Read This!)

    If you want support from BwE, you must provide a UART log for each NOR patch (without flashing Syscon) then another with only the patched Syscon.
    That means a total of 15 logs, they must be labelled to represent each patch number and in .txt format. Zip it and email it/message it to me.
    If you do not do this, I will not provide support

    Credits/Greetz:

    DarkNESMonk
    Wildcard
    fail0verflow
    JEFF
    PDJ
    Hoea
    Donators & Suppliers of Dumps/Syscons
    All the people who steal my work, you realise you're just supplying me with your dissatisfied users, right? Thanks for the free marketing!