PS3 Fault finding YLOD with the SYSCON - First steps and Error reporting

[vyktormvmpay25]

@RIP-Felix SW is for syscon 2000 /2500/3000 /4000 .That board is 2000 slim dyn001 board I'm still working to get script example from @M4jor to dump automated nvs .
2500 slim i have added photo on syscon thread
All pins for Rx/Tx will be added to this thread as well

https://www.psx-place.com/threads/s...o-what-does-it-mean.26148/page-17#post-273712

 

[marciolsf]

It's really exciting to see that more people are trying out this method! I bring some good news --- @M4j0r has updated the syscon script, which should support python 3+ now, as well as ps3 slims and super slims.

We also have clarification of which modules are really needed (a lot of people have struggled with getting this right). The modules are:

• pycryptodome
• pyserial

The script works on python 2.7, so if you have it working now you the new script should "just work".

Here's the script proper. I'll update it on @db260179's repo later today.

from binascii import unhexlify as uhx
from Crypto.Cipher import AES # pycryptodome
import os
import serial # pyserial
import string
import sys
import time

class PS3UART(object):
    ser = serial.Serial()
    type = ''
           
    sc2tb = uhx('71f03f184c01c5ebc3f6a22a42ba9525')  # Syscon to TestBench Key    (0x130 xor 0x4578)
    tb2sc = uhx('907e730f4d4e0a0b7b75f030eb1d9d36')  # TestBench to Syscon Key    (0x130 xor 0x4588)
    value = uhx('3350BD7820345C29056A223BA220B323')  # 0x45B8
    zero  = uhx('00000000000000000000000000000000')

    auth1r_header = uhx('10100000FFFFFFFF0000000000000000')
    auth2_header  = uhx('10010000000000000000000000000000')
   
    def aes_decrypt_cbc(self, key, iv, in_data):
        return AES.new(key, AES.MODE_CBC, iv).decrypt(in_data)
   
    def aes_encrypt_cbc(self, key, iv, in_data):
        return AES.new(key, AES.MODE_CBC, iv).encrypt(in_data)

    def __init__(self, port, type):
        self.ser.port = port
        if(type == 'CXR' or type == 'SW'):
            self.ser.baudrate = 57600
        elif(type == 'CXRF'):
            self.ser.baudrate = 115200
        else:
            assert(False)
        self.type = type
        self.ser.timeout = 0.1
        self.ser.open()
        assert(self.ser.isOpen())
        self.ser.flush()
       
    def __del__(self):
        self.ser.close()
       
    def send(self, data):
        self.ser.write(data.encode('ascii'))  
                           
    def receive(self):
        return self.ser.read(self.ser.inWaiting())
       
    def command(self, com, wait = 1, verbose = False):
        if(verbose):
            print('Command: ' + com)
       
        if(self.type == 'CXR'):      
            length = len(com)
            checksum = sum(bytearray(com, 'ascii')) % 0x100
            if(length <= 10):
                self.send('C:{:02X}:{}\r\n'.format(checksum, com))
            else:
                j = 10
                self.send('C:{:02X}:{}'.format(checksum, com[0:j]))
                for i in range(length - j, 15, -15):
                    self.send(com[j:j+15])
                    j += 15
                self.send(com[j:] + '\r\n')
        elif(self.type == 'SW'):  
            length = len(com)
            if(length >= 0x40):
                if(self.command('SETCMDLONG FF FF')[0] != 0):
                    return ('Setcmdlong', [])      
            checksum = sum(bytearray(com, 'ascii')) % 0x100
            self.send('{}:{:02X}\r\n'.format(com, checksum))
        else:
            self.send(com + '\r\n')
           
        time.sleep(wait)
        answer = self.receive().decode('ascii').strip()
        if(verbose):
            print('Answer: ' + answer)
       
        if(self.type == 'CXR'):
            answer = answer.split(':')
            if(len(answer) != 3):
                return ('Answer length', [])
            checksum = sum(bytearray(answer[2], 'ascii')) % 0x100
            if(answer[0] != 'R' and answer[0] != 'E'):
                return ('Magic', [])
            if(answer[1] != '{:02X}'.format(checksum)):
                return ('Checksum', [])  
            data = answer[2].split(' ')
            if(answer[0] == 'R' and len(data) < 2 or answer[0] == 'E' and len(data) != 2):
                return ('Data length', [])
            if(data[0] != 'OK' or len(data) < 2):
                return (int(data[1], 16), [])
            else:
                return (int(data[1], 16), data[2:])  
        elif(self.type == 'SW'):
            answer = answer.split('\n')
            for i in range(0, len(answer)):
                answer[i] = answer[i].replace('\n', '').rsplit(':', 1)
                if(len(answer[i]) != 2):
                    return ('Answer length', [])
                checksum = sum(bytearray(answer[i][0], 'ascii')) % 0x100
                if(answer[i][1] != '{:02X}'.format(checksum)):
                    return ('Checksum', [])
                answer[i][0] += '\n'
            ret = answer[-1][0].replace('\n', '').split(' ')
            if(len(ret) < 2 or len(ret[1]) != 8 and not all(c in string.hexdigits for c in ret[1])):
                return (0, [x[0] for x in answer])
            elif(len(answer) == 1):        
                return (int(ret[1], 16), ret[2:])
            else:
                return (int(ret[1], 16), [x[0] for x in answer[:-1]])
        else:
            return (0, [answer])
           
    def auth(self):
        if(self.type == 'CXR' or self.type == 'SW'):
            auth1r = self.command('AUTH1 10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000')
            if(auth1r[0] == 0 and auth1r[1] != []):
                auth1r = uhx(auth1r[1][0])
                if(auth1r[0:0x10] == self.auth1r_header):
                    data = self.aes_decrypt_cbc(self.sc2tb, self.zero, auth1r[0x10:0x40])
                    if(data[0x8:0x10] == self.zero[0x0:0x8] and data[0x10:0x20] == self.value and data[0x20:0x30] == self.zero):
                        new_data = data[0x8:0x10] + data[0x0:0x8] + self.zero + self.zero
                        auth2_body = self.aes_encrypt_cbc(self.tb2sc, self.zero, new_data)
                        auth2r = self.command('AUTH2 ' + ''.join('{:02X}'.format(c) for c in bytearray(self.auth2_header + auth2_body)))
                        if(auth2r[0] == 0):
                            return 'Auth successful'
                        else:
                            return 'Auth failed'
                    else:
                        return 'Auth1 response body invalid'
                else:
                    return 'Auth1 response header invalid'
            else:
                return 'Auth1 response invalid'
        else:
            scopen = self.command('scopen')
            if('SC_READY' in scopen[1][0]):
                auth1r = self.command('10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000')
                auth1r = auth1r[1][0].split('\r')[1][1:]
                if(len(auth1r) == 128):
                    auth1r = uhx(auth1r)
                    if(auth1r[0:0x10] == self.auth1r_header):
                        data = self.aes_decrypt_cbc(self.sc2tb, self.zero, auth1r[0x10:0x40])
                        if(data[0x8:0x10] == self.zero[0x0:0x8] and data[0x10:0x20] == self.value and data[0x20:0x30] == self.zero):
                            new_data = data[0x8:0x10] + data[0x0:0x8] + self.zero + self.zero
                            auth2_body = self.aes_encrypt_cbc(self.tb2sc, self.zero, new_data)
                            auth2r = self.command(''.join('{:02X}'.format(c) for c in bytearray(self.auth2_header + auth2_body)))
                            if('SC_SUCCESS' in auth2r[1][0]):
                                return 'Auth successful'
                            else:
                                return 'Auth failed'
                        else:
                            return 'Auth1 response body invalid'
                    else:
                        return 'Auth1 response header invalid'
                else:
                    return 'Auth1 response invalid'
            else:
                return 'scopen response invalid'
   

def main(argc, argv):
    if(argc < 3):
        print(os.path.basename(__file__) + ' <serial port> <sc type ["CXR", "CXRF", "SW"]>')
        sys.exit(1)
    ps3 = PS3UART(argv[1], argv[2])
    raw_input_c = vars(__builtins__).get('raw_input', input)
    while True:
        in_data = raw_input_c('> ')
        if(in_data.lower() == 'auth'):
            print(ps3.auth())
            continue
        if(in_data.lower() == 'exit'):
            break
        ret = ps3.command(in_data)
        if(argv[2] == 'CXR'):
            print('{:08X}'.format(ret[0]) + ' ' +  ' '.join(ret[1]))
        elif(argv[2] == 'SW'):
            if(len(ret[1]) > 0 and '\n' not in ret[1][0]):
                print('{:08X}'.format(ret[0]) + ' ' + ' '.join(ret[1]))
            else:
                print('{:08X}'.format(ret[0]) + '\n' + ''.join(ret[1]))
        else:
            print(ret[1][0].decode('ascii'))
               
if __name__ == '__main__':
    main(len(sys.argv), sys.argv)

 

[db260179]

It's really exciting to see that more people are trying out this method! I bring some good news --- @M4j0r has updated the syscon script, which should support python 3+ now, as well as ps3 slims and super slims.

We also have clarification of which modules are really needed (a lot of people have struggled with getting this right). The modules are:

• pycryptodome
• pyserial

The script works on python 2.7, so if you have it working now you the new script should "just work".

I've updated to m4j0r latest script - https://github.com/db260179/ps3syscon/blob/master/ps3_syscon_uart_script23.py

But thanks for stating the update.

 

[marciolsf]

I've updated to m4j0r latest script - https://github.com/db260179/ps3syscon/blob/master/ps3_syscon_uart_script23.py

But thanks for stating the update.

Great! I've been out of loop for a bit -- for some reason I didn't get update notifications on any of the threads I watch for almost 2 weeks now.

 

[squeept]

Added another fail to my list just for posterity. Some idiot gouging the CELL when delidding then melting it with a heatgun gives: A0....every goddamn error code available.

 

[vyktormvmpay25]

Did few more tests and seems to work for me. Now this dyn001 has defective mobo with artefacts on rsx. Swapped twice did not fix this issue so I may ask if anyone has slim 2000 series with dyn001 and do an errlog.
I only get this so my mother is starting and goes to XMB, probably that's why I don't see nothing

Got another dyn001 that think is related to power of rsx. Could be NEC, can't say as didn't take any measurements, It was reballed cpu/rsx as normal and after 3 days of normal testing with games it did not open any more. Done few power on/off cycles and started.
From what I see on error table 3004 is in table with BE. Could this be an defective cpu?

 

[RIP-Felix]

Did you probe VDDC (+1.2v +/-50mv), filter caps? On BC boards I have suspected bad tokins might cause 3000-3005 (power failure). If VRM voltages look good, I'd trace power back from the chip to the main supply checking each cap along the way for shorts or excessive ripple. Sounds simple, but I bet it's tedious without a schematic. That's why I only work on BC models :p

Of course my reballing skillz aren't there yet, so I have to resort to the desperate measures of checking everything else first. BC's are all BGA, so my successes are ZERO, so far. Feel free not to listen to me...lol!

 

[vyktormvmpay25]

Did not tested voltage so far I want to go further with 5 Super slims. All dead. One with some vertical strange lines on screen after swapped rsx still same issue on screen.
About 1.5 v on ram it has to normal to slims and super slim. Why? Because on ps4 all rams are out of gpu and all powered in parallel from a strong line with same 1.5v.
Ps4 designed very similar to ps3.

Edit
Testing Nxp001 motherboard superslim models

I think I may be out of faulty table?

 

[Arin]

Thank you everyone for your help with running the script everything is working now. Here are the errors I have. 4412 is BE or RSX data error and 3034 is BE fatal booting error. I have a YLOD within 2 seconds of booting. Checked the voltage before the voltage regulators and have 12 volts within those 2 seconds checked on the other side of the regulators and get to about 1.29 volts before it shuts down same voltage after the NEC TOKIN's. Not sure where I should be looking next. I cleared the error log but same errors repeat on the next boot.

>$ clearerrlog
clearerrlog
ERRLOG CLEARED
[mullion]$
>$ errlog
[SSM] state: 0600 -> 0000
[SSM] Error state is cleared.
(PowerOff State)
[SSM] state: 0000 -> 0101
Bringup Mode #0 (0xFF)
[SSM] ssmCb_OnStartingBePowOn() called.
[SSM] Bringup mode : syspm_stat=00000000/00000000
[POWSEQ] PowerSeq_Setup called.
[SSM] state: 0101 -> 0201
[POWSEQ] AV Backend Setup
[SSM] state: 0201 -> 0102
[SSM] state: 0102 -> 0202
[SSM] state: 0202 -> 0103
[SSM] state: 0103 -> 0203
[SSM] ssmCb_BeforeBeOn() called.
[SSM] state: 0203 -> 0104
Psbd_SbTransMode_Half:0x21e2
[POWERSEQ] Error : BitTraining RSX:RRAC:RX1:GLOBAL1:RX_STATUS
[SSM] state: 0104 -> 0304
[SSM] ssmCb_AfterBeOn2() called.
[SSM] PowSeq Fail : Detected !
[SSM] state: 0304 -> 0700
[POWSEQ] AV Backend Letup
[SSM] Shutdown mode : syspm_stat=00000000/00000000
[ERROR]: 0xa0404412
[ERROR]: 0xa0403034
[POWSEQ] PowerSeq_Letup called.
[SSM] state: 0700 -> 0600
(PowerOff State) (Fatal)
errlog
ofst[ 8]:err_code:0xffffffff, clock:0xffffffff
ofst[ 12]:err_code:0xffffffff, clock:0xffffffff
ofst[ 16]:err_code:0xffffffff, clock:0xffffffff
ofst[ 20]:err_code:0xffffffff, clock:0xffffffff
ofst[ 24]:err_code:0xffffffff, clock:0xffffffff
ofst[ 28]:err_code:0xffffffff, clock:0xffffffff
ofst[ 32]:err_code:0xffffffff, clock:0xffffffff
ofst[ 36]:err_code:0xffffffff, clock:0xffffffff
ofst[ 40]:err_code:0xffffffff, clock:0xffffffff
ofst[ 44]:err_code:0xffffffff, clock:0xffffffff
ofst[ 48]:err_code:0xffffffff, clock:0xffffffff
ofst[ 52]:err_code:0xffffffff, clock:0xffffffff
ofst[ 56]:err_code:0xffffffff, clock:0xffffffff
ofst[ 60]:err_code:0xffffffff, clock:0xffffffff
ofst[ 64]:err_code:0xffffffff, clock:0xffffffff
ofst[ 68]:err_code:0xffffffff, clock:0xffffffff
ofst[ 72]:err_code:0xffffffff, clock:0xffffffff
ofst[ 76]:err_code:0xffffffff, clock:0xffffffff
ofst[ 80]:err_code:0xffffffff, clock:0xffffffff
ofst[ 84]:err_code:0xffffffff, clock:0xffffffff
ofst[ 88]:err_code:0xffffffff, clock:0xffffffff
ofst[ 92]:err_code:0xffffffff, clock:0xffffffff
ofst[ 96]:err_code:0xffffffff, clock:0xffffffff
ofst[100]:err_code:0xffffffff, clock:0xffffffff
ofst[104]:err_code:0xffffffff, clock:0xffffffff
ofst[108]:err_code:0xffffffff, clock:0xffffffff
ofst[112]:err_code:0xffffffff, clock:0xffffffff
ofst[116]:err_code:0xffffffff, clock:0xffffffff
ofst[120]:err_code:0xffffffff, clock:0xffffffff
ofst[124]:err_code:0xffffffff, clock:0xffffffff
ofst[ 0]:err_code:0xa0404412, clock:0xffffffff
ofst[ 4]:err_code:0xa0403034, clock:0xffffffff

 

[squeept]

I decided to have a fun experiment on the latest CECHE01 because after I lifted the RSX and saw the damage to the substrate, combined with the warping and previous reflow of ALL the chips, I decided it was no longer worth pushing forward. So.... I've been wanting to see what would happen if I turned on the system with the RSX missing completely.

As I feared would be the case, I could smell some magic smoke pretty much immediately, but I didn't see any fireworks. Then I still got a 2 second YLOD. I got errors A0A02031 and A0201B02 at once. I ohm tested across the TOKIN after and got a dead short. Couldn't find what gave up the smoke.

I don't know if that's useful information, but... now you know it!

 

[db260179]

Thank you everyone for your help with running the script everything is working now. Here are the errors I have. 4412 is BE or RSX data error and 3034 is BE fatal booting error. I have a YLOD within 2 seconds of booting. Checked the voltage before the voltage regulators and have 12 volts within those 2 seconds checked on the other side of the regulators and get to about 1.29 volts before it shuts down same voltage after the NEC TOKIN's. Not sure where I should be looking next. I cleared the error log but same errors repeat on the next boot.

>$ clearerrlog
clearerrlog
ERRLOG CLEARED
[mullion]$
>$ errlog
[SSM] state: 0600 -> 0000
[SSM] Error state is cleared.
(PowerOff State)
[SSM] state: 0000 -> 0101
Bringup Mode #0 (0xFF)
[SSM] ssmCb_OnStartingBePowOn() called.
[SSM] Bringup mode : syspm_stat=00000000/00000000
[POWSEQ] PowerSeq_Setup called.
[SSM] state: 0101 -> 0201
[POWSEQ] AV Backend Setup
[SSM] state: 0201 -> 0102
[SSM] state: 0102 -> 0202
[SSM] state: 0202 -> 0103
[SSM] state: 0103 -> 0203
[SSM] ssmCb_BeforeBeOn() called.
[SSM] state: 0203 -> 0104
Psbd_SbTransMode_Half:0x21e2
[POWERSEQ] Error : BitTraining RSX:RRAC:RX1:GLOBAL1:RX_STATUS
[SSM] state: 0104 -> 0304
[SSM] ssmCb_AfterBeOn2() called.
[SSM] PowSeq Fail : Detected !
[SSM] state: 0304 -> 0700
[POWSEQ] AV Backend Letup
[SSM] Shutdown mode : syspm_stat=00000000/00000000
[ERROR]: 0xa0404412
[ERROR]: 0xa0403034
[POWSEQ] PowerSeq_Letup called.
[SSM] state: 0700 -> 0600
(PowerOff State) (Fatal)
errlog

ofst[ 0]:err_code:0xa0404412, clock:0xffffffff
ofst[ 4]:err_code:0xa0403034, clock:0xffffffff

When you see this - [POWERSEQ] Error : BitTraining RSX:RRAC:RX1:GLOBAL1:RX_STATUS
and the following

ofst[ 0]:err_code:0xa0404412, clock:0xffffffff
ofst[ 4]:err_code:0xa0403034, clock:0xffffffff

This is the RSX having data connection issues, so usually a fix is to reflow the RSX.

You can try to push the rsx chip down by hand and see if the ylod goes away.

 

[squeept]

Ran outta PS3, 10 more on the way, no idea when they'll get here with current shipping delays on all major carriers. Guess I'll work on some Segas now.

Oh, I didn't forget about the fan data, I'll play around with some scrap boards before the new systems start trickling in.

 

[vyktormvmpay25]

Does anyone know what a0805fff errors is in SW 3 mobo kte001, 3 seconds ylod. Seems dead rsx. I would like some help if anyone can see this error.

 

[Byteman]

Turning on PS3 without RSX will definitely blow your TOKINs. They will be shorted.

 

[squeept]

Turning on PS3 without RSX will definitely blow your TOKINs. They will be shorted.

this guy doesn't "fun experiment"

 

[formerlychucks]

got error code A0313032 on my cechg model. any ideas on how to fix it? I tried grounding the tristate with still the same ylod.
should I swap the southbridge or is there any other way to fix it?

 

[formerlychucks]

got error code A0313032 on my cechg model. any ideas on how to fix it? I tried grounding the tristate with still the same ylod.
should I swap the southbridge or is there any other way to fix it?

also, if it helps, here's my bootlog:

[SSM] state: 0000 -> 0101
Bringup Mode #0 (0xFF)
[SSM] ssmCb_OnStartingBePowOn() called.
[SSM] First Boot.
[SSM] Bringup mode : syspm_stat=00000000/00000000
[POWSEQ] PowerSeq_Setup called.
[SSM] state: 0101 -> 0201
[POWSEQ] AV Backend Setup
[SSM] state: 0201 -> 0102
[SSM] state: 0102 -> 0202
[SSM] state: 0202 -> 0103
[SSM] state: 0103 -> 0203
[SSM] ssmCb_BeforeBeOn() called.
[SSM] state: 0203 -> 0104
[SSM] state: 0104 -> 0304
[SSM] ssmCb_AfterBeOn2() called.
[SSM] PowSeq Fail : Detected !
[SSM] state: 0304 -> 0700
[POWSEQ] AV Backend Letup
[SSM] Shutdown mode : syspm_stat=00000000/00000000
[ERROR]: 0xa031303

 

[nyislander]

When you see this - [POWERSEQ] Error : BitTraining RSX:RRAC:RX1:GLOBAL1:RX_STATUS
and the following

ofst[ 0]:err_code:0xa0404412, clock:0xffffffff
ofst[ 4]:err_code:0xa0403034, clock:0xffffffff

This is the RSX having data connection issues, so usually a fix is to reflow the RSX.

You can try to push the rsx chip down by hand and see if the ylod goes away.

I have 3 consoles with the following errors. Are you suggesting a RSX reflow/reball for CECHA #2 & CECHE and perhaps a BE reflow/reball for CECHA #1?

CECHA #1
[POWERSEQ] Error : BitTraining BE:RRAC:RX4:GLOBAL1:RX_STATUS

ofst[120]:err_code:0xffffffff, clock:0xffffffff
ofst[124]:err_code:0xffffffff, clock:0xffffffff
ofst[ 0]:err_code:0xa0403034, clock:0xffffffff

CECHA #2
[POWERSEQ] Error : BitTraining RSX:RRAC:BX0:BX:FLEXIO_ID

ofst[120]:err_code:0xffffffff, clock:0xffffffff
ofst[124]:err_code:0xffffffff, clock:0xffffffff
ofst[ 0]:err_code:0xa0403034, clock:0xffffffff

CECHE
[POWERSEQ] Error : BitTraining RSX:RRAC:RX3:GLOBAL1:RX_STATUS

ofst[124]:err_code:0xffffffff, clock:0xffffffff
ofst[ 0]:err_code:0xa0404432, clock:0xffffffff
ofst[ 4]:err_code:0xa0403034, clock:0xffffffff

 

[vyktormvmpay25]

I have 3 consoles with the following errors. Are you suggesting a RSX reflow/reball for CECHA #2 & CECHE and perhaps a BE reflow/reball for CECHA #1?

CECHA #1
[POWERSEQ] Error : BitTraining BE:RRAC:RX4:GLOBAL1:RX_STATUS

ofst[120]:err_code:0xffffffff, clock:0xffffffff
ofst[124]:err_code:0xffffffff, clock:0xffffffff
ofst[ 0]:err_code:0xa0403034, clock:0xffffffff

CECHA #2
[POWERSEQ] Error : BitTraining RSX:RRAC:BX0:BX:FLEXIO_ID

ofst[120]:err_code:0xffffffff, clock:0xffffffff
ofst[124]:err_code:0xffffffff, clock:0xffffffff
ofst[ 0]:err_code:0xa0403034, clock:0xffffffff

CECHE
[POWERSEQ] Error : BitTraining RSX:RRAC:RX3:GLOBAL1:RX_STATUS

ofst[124]:err_code:0xffffffff, clock:0xffffffff
ofst[ 0]:err_code:0xa0404432, clock:0xffffffff
ofst[ 4]:err_code:0xa0403034, clock:0xffffffff

Yes. Seems to all imperfect connection. Now about reflow not really an option but you can do it if not very confident with reball. You probably know reball is more efficient. Anyway got my error A0805fff sorted was dead cpu. Took rsx on another working motherboard and all good in games. I couldn't find any issue on power lines, took me time to take measurements on all parts, and this tool for finding YLOD problems will save me time from now.

 

[nyislander]

Thanks @vyktormvmpay25.

I want to explore all the "easy" ways to diagnosis the mobo problems: visual, JL voltage checks, syscon, etc. before reballing. I'm trying to do everything I can to reach a point in the board repair process so that the resulting syscon error a0403034 leaves no other possible solution.