Editing MechaCon
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
MechaCon is short for Mechanics Controller. Its main function is to control the drive mechanism. However, this chip also | MechaCon is short for Mechanics Controller. Its main function of it is to control the drive mechanism. However, this chip is also the security ic of the PlayStation 2 that implements game disk security, Magic Gate and KELF file decryption. | ||
There are two known main variants of it. | There are two known main variants of it. | ||
The earlier one is based on the 16-bit SPC970 CPU core | The earlier one is based on the 16-bit SPC970 CPU core and was used till GH-022. Chip name starts with "CXP10". Older versions come in a 100-pin QFP package, newer versions in a 136-ball BGA package. | ||
The newer one is ARM-based | The newer one is ARM-based, codenamed "Dragon", and used from GH-023 (SCPH-5000X) onwards. Chip name starts with "CXR7". All versions come in a 164-ball BGA package. Besides this, "Dragon" also includes the functions that were fulfilled by the separate SysCon chip on earlier boards up to GH-022, as well as the RTC+EEPROM chip, which was separate on earlier boards (or dedicated EEPROM and RTC chips on even earlier boards). | ||
Both have access to a 1 KB / 512 words EEPROM. The EEPROM content is different between the SPC970-based MechaCon and Dragon. | Both have access to a 1 KB / 512 words EEPROM. The EEPROM content is different between the SPC970-based MechaCon and Dragon. | ||
For the SPC970 MechaCon, the EEPROM is an external chip; either a dedicated EEPROM chip on | For the SPC970 MechaCon, the EEPROM is an external chip; either a dedicated EEPROM chip on older boards or a combined Rohm RTC+EEPROM chip on later boards.</br> | ||
Dragon has the die of the combined Rohm RTC+EEPROM chip inside its own chip package, however, the EEPROM pins are exposed on the package, and the connection between Dragon and the RTC+EEPROM is done externally on the motherboard. | Dragon has the die of the combined Rohm RTC+EEPROM chip inside its own chip package, however, the EEPROM pins are exposed on the package, and the connection between Dragon and the RTC+EEPROM is done externally on the motherboard. | ||
Every MechaCon has a 3. | Every MechaCon has a 3.3 V TTL UART interface that was used by service centers for example to readjust the drive and write calibration data etc. Today it can be used with tools like PMAP (currently supports consoles up to I-chassis) to readjust the drive mechanism after fitting a replacement laser assembly etc. | ||
= SPC970 = | |||
== Hardware revisions == | |||
* CXP101064 (only used on early A-chassis/GH-001 boards) | |||
* CXP102064 (used from later A-chassis to D/D'-chassis boards) | |||
* CXP103049 (BGA case, used in F and G-chassis) | |||
The CXP103049 requires a working battery to function properly. | |||
==Firmware revisions== | == Firmware revisions == | ||
Firmware comes in an OTP or mask ROM inside MechaCon. | Firmware comes in an OTP or mask ROM inside MechaCon. | ||
TODO | |||
=Dragon= | = Dragon = | ||
== Hardware revisions== | == Hardware revisions == | ||
*CXR706F080 (has a flash ROM for firmware; used for engineering, not used in retail consoles) | * CXR706F080 (has a flash ROM for firmware; used for engineering, not used in retail consoles) | ||
*CXR706080 (used in H, I and J chassis SCPH- | * CXR706080 (used in H, I and J chassis SCPH-5XXXX consoles as well as in PSX) | ||
* CXR716080 (used in K, L and M slim chassis SCPH-70XXX, SCPH-75XXX and SCPH-77XXX consoles) | |||
*CXR716080 (used in K, L and M slim chassis SCPH- | * CXR726080 (used in N, P and R slim chassis SCPH-79XXX and SCPH-9XXXX consoles) | ||
* CXR726080 (used in N, P and R slim chassis SCPH- | |||
==Firmware revisions== | == Firmware revisions == | ||
Firmware comes in an OTP or mask ROM inside MechaCon, except in CXR706F080, which has a reprogrammable flash ROM. It is however possible to apply patches to it via EEPROM. | Firmware comes in an OTP or mask ROM inside MechaCon, except in CXR706F080, which has a reprogrammable flash ROM. It is however possible to apply patches to it via EEPROM. | ||
Dumps: https://mega.nz/folder/MNpAQDzJ#bZpyfb7aGrhGDMR_ZGA8ig | Dumps: https://mega.nz/folder/MNpAQDzJ#bZpyfb7aGrhGDMR_ZGA8ig | ||
Early versions of the Dragon MechaCon firmware (specifically in SCPH-5XXXX and SCPH-70XXX consoles) have a tendency to crash by sheer bad luck or on badly readable discs (e.g. badly burned/low-quality DVD-R discs or scratched originals), overvolting the focus/tracking coils of the laser and killing them and also the driver IC in the process. Several hardware-based mitigations/"fixes" have been developed by the community to address this issue with varying degrees of success. The most notable of these fixes are the "Romeo-mod"/"LA-fix" for SCPH-5XXXX consoles and "summ0ne's fix" for SCPH-70XXX consoles. | |||
==EEPROM layout== | == EEPROM layout == | ||
{| | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
|- bgcolor="#cccccc" | |- bgcolor="#cccccc" | ||
!Start (word)!!End (word) !!Size (byte)!!Offset in file!! Description | ! Start (word) !! End (word) !! Size (byte) !! Offset in file !! Description | ||
|- | |- | ||
| | | 0 || 48 || 0x60 || 0x0 || | ||
|- | |- | ||
| | | 48 || 90 || 0x54 || 0x60 || | ||
|- | |- | ||
| | | 90 || 96 || 0xC || 0xB4 || gap | ||
|- | |- | ||
| | | 96 || 128 || 0x40 || 0xC0 || | ||
|- | |- | ||
| | | 128 || 150 || 0x2C || 0x100 || | ||
|- | |- | ||
| | | 150 || 160 || 0x14 || 0x12C || gap | ||
|- | |- | ||
| | | 160 || 190 || 0x3C || 0x140 || | ||
|- | |- | ||
| | | 190 || 192 || 0x4 || 0x17C || gap | ||
|- | |- | ||
| | | 192 || 198 || 0xC || 0x180 || Region params (only slim) | ||
|- | |- | ||
| | | 198 || 204 || 0xC || 0x18C || gap | ||
|- | |- | ||
| | | 204 || 208 || 0x8 || 0x198 || MAC address (only slim) | ||
|- | |- | ||
| | | 208 || 211 || 0x6 || 0x1A0 || gap | ||
|- | |- | ||
| | | 211 || 216 || 0xA || 0x1A6 || wake up time | ||
|- | |- | ||
| | | 216 || 225 || 0x12 || 0x1B0 || model number | ||
|- | |- | ||
| | | 225 || 227 || 0x4 || 0x1C2 || gap | ||
|- | |- | ||
| | | 227 || 232 || 0xA || 0x1C6 || Region code key seed | ||
|- | |- | ||
| | | 232 || 237 || 0xA || 0x1D0 || Region code ciphertext | ||
|- | |- | ||
| | | 237 || 240 || 0x6 || 0x1DA || gap | ||
|- | |- | ||
| | | 240 || 245 || 0xA || 0x1E0 || iLink id | ||
|- | |- | ||
| | | 245 || 248 || 0x6 || 0x1EA || (used by scmd 3, subcmd 48 and 49) | ||
|- | |- | ||
| 248 || 253 || 0xA || 0x1F0 || Console id | |||
| | |||
| | |||
|- | |- | ||
| | | 253 || 256 || 0x6 || 0x1FA || (used by scmd 3, subcmd 48 and 49) | ||
|- | |- | ||
| | | 256 || 312 || 0x70 || 0x200 || config 2 | ||
|- | |- | ||
| | | 312 || 344 || 0x40 || 0x270 || config 0 | ||
|- | |- | ||
| | | 344 || 400 || 0x70 || 0x2B0 || config 1 | ||
|- | |- | ||
| | | 400 || 512 || 0xE0 || 0x320 || Rom patches ciphertext | ||
|- | |- | ||
|} | |} | ||
== | == Region params == | ||
{| class="wikitable FCK__ShowTableBorders" | {| class="wikitable FCK__ShowTableBorders" | ||
|- | |- | ||
! colspan="2" |Offset!!Size!!Description | ! colspan="2" | Offset !! Size !! Description | ||
|- {{cellcolors|lightgrey}} | |-{{cellcolors|lightgrey}} | ||
| colspan="2" | | | colspan="2" | 0x180 || 0x0C || Various region parameters. Type char. Zero padded. On dragon FATs (mechacon v5) filled with FF. Does not have checksum. Normally write-protected by mechacon. | ||
|- | |- | ||
| rowspan="4" | <abbr title="Region params: 0x180-0x18B"><small>1</small></abbr> || 0x180 || 1 || On 70k exists but has no effect. On Deckard will patch rom0:ROMVER (4th byte 0220HD20060905) and rom0. Possible values: "J" - for Japan, "A" - for America and Mexico, "E" - for Europe, Oceania and Russia, "H" - for region Asia, Taiwan, Korea, "C" - for region Mainland China. Each region checks license data in the PS2 titles. A region has this check disabled. H region untested. | |||
|- | |- | ||
| | | 0x181 || 4 || On all slims will patch rom0:OSDVER (5-8th byte) ("0190Csch"). This mostly controls OSD language sets, and other changes are not tested. Possible values: "Jjpn" - for Japan, "Aeng" - for America, "Eeng" - for Europe and Oceania, "Heng" - for Asia, "Reng" - for Russia, "Csch" - for mainland China, "Kkor" - for Korea, "Htch" - for Taiwan, "Aspa" - for Mexico. "Ccsh" will crash cause rom2 (containing Simplified Chinese font) is missing on slims. | ||
|- | |- | ||
| | | 0x185 || 1 || On 70k exists but has no effect. On Deckard will patch rom0:VERSTR (0x22 byte: "System ROM Version 5.0 06/23/03 J") and rom0. Possible values: "J" - for Japan, Asia, Taiwan, Korea, China, "A" - for America, Mexico, "E" - for Europe, Oceania and Russia. Each region checks license data in the PS1 titles. A region has this check disabled. | ||
|- | |- | ||
| | | 0x185 || 1 || On all slims will patch rom1:DVDID (5th byte) ("3.11A"). This change DVD player region. Possible values: "JUEAORCM". | ||
|- | |- | ||
|} | |} | ||
== Region code == | |||
=== Decryption === | |||
<pre> | <pre> | ||
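Review bot: In the Region params table the last two rows both carry offset 0x185 with size 1 (the rom0:VERSTR byte and the rom1:DVDID byte). Since the preceding row is 0x181 with size 4, the DVDID row presumably belongs at 0x186; please confirm against a dump and correct it. The 0x181 row lists "Csch" as the mainland China value but then says "Ccsh" will crash because rom2 is missing on slims; state whether these are the same string or two different ones. Smaller points in the intro: "Its main function of it is" should read "Its main function is", and "</br>" is not a valid tag (use "<br />").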
Line 363: | Line 154: | ||
return *(uint32_t *) plaintext; | return *(uint32_t *) plaintext; | ||
retrun 0; | |||
} | } | ||
</pre> | </pre> | ||
=== Bits === | |||
{| | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
|- bgcolor="#cccccc" | |- bgcolor="#cccccc" | ||
! Bit!!Description | ! Bit !! Description | ||
|- | |- | ||
| | | 0 || Japan | ||
|- | |- | ||
| | | 1 || USA | ||
|- | |- | ||
| | | 2 || Europe | ||
|- | |- | ||
| | | 3 || Oceania | ||
|- | |- | ||
| | | 4 || Asia | ||
|- | |- | ||
| | | 5 || Russia | ||
|- | |- | ||
| | | 6 || China | ||
|- | |- | ||
| | | 7 || Mexico | ||
|- | |- | ||
| | | 16 || Development (changes MagicGate keys) | ||
|- | |- | ||
| | | 17 || Retail MagicGate keys on Development, bypass BootCertify | ||
|- | |- | ||
| | | 18 || Arcade (changes MagicGate keys) | ||
|- | |- | ||
| | | 19 || Prototype? (changes MagicGate keys) | ||
|- | |- | ||
| | | 20 || ? (dvd related) | ||
|- | |- | ||
|} | |} | ||
== Rom patch == | |||
=== Decryption === | |||
<pre> | <pre> | ||
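Review bot: The line "retrun 0;" at the end of the Region code decryption listing misspells "return", so the listing does not compile as shown. It directly follows "return *(uint32_t *) plaintext;" in the visible lines; if that return is unconditional, the extra statement is dead code and should be dropped rather than corrected. In the Bits table, bits 8 to 15 are not listed; a row marking them as unknown or unused would make it clear the gap is intentional.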
Line 615: | Line 235: | ||
</pre> | </pre> | ||
=== Content === | |||
The patch can contain up to 4 patches. | The patch can contain up to 4 patches. | ||
Line 627: | Line 247: | ||
payload = Arbitrary, could be code or data as well. | payload = Arbitrary, could be code or data as well. | ||
{| | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
|- bgcolor="#cccccc" | |- bgcolor="#cccccc" | ||
! Offset!!Size!! Name | ! Offset !! Size !! Name | ||
|- | |- | ||
|0x00||0x04|| address0 | | 0x00 || 0x04 || address0 | ||
|- | |- | ||
|0x04 || 0x04||address1 | | 0x04 || 0x04 || address1 | ||
|- | |- | ||
|0x08||0x04||address2 | | 0x08 || 0x04 || address2 | ||
|- | |- | ||
|0x0C||0x04||address3 | | 0x0C || 0x04 || address3 | ||
|- | |- | ||
|0x10||0x04 ||value0 | | 0x10 || 0x04 || value0 | ||
|- | |- | ||
|0x14||0x04||value1 | | 0x14 || 0x04 || value1 | ||
|- | |- | ||
|0x18|| 0x04||value2 | | 0x18 || 0x04 || value2 | ||
|- | |- | ||
| 0x1C||0x04||value3 | | 0x1C || 0x04 || value3 | ||
|- | |- | ||
|0x20||0x04||svc_address0 | | 0x20 || 0x04 || svc_address0 | ||
|- | |- | ||
| 0x24|| 0x04||svc_address1 | | 0x24 || 0x04 || svc_address1 | ||
|- | |- | ||
|0x28||0x04||svc_address2 | | 0x28 || 0x04 || svc_address2 | ||
|- | |- | ||
|0x2C||0x04 ||svc_address3 | | 0x2C || 0x04 || svc_address3 | ||
|- | |- | ||
| 0x30 ||0xA8||payload | | 0x30 || 0xA8 || payload | ||
|- | |- | ||
|0xD8|| 0x04||crc | | 0xD8 || 0x04 || crc | ||
|- | |- | ||
|} | |} |
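Review bot: The Content table ends at crc (offset 0xD8, size 0x04), which makes the structure 0xDC bytes, while the EEPROM layout gives the Rom patches ciphertext area as 0xE0 bytes at 0x320; please document what the remaining 4 bytes hold. The crc row should also state which CRC is used and which byte range it covers, and the table should note the byte order of the 32-bit address and value fields. The table header sets the border attribute twice (border="1" and border="#999"); the second can be dropped since the inline style already sets the border color.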