Editing MechaCon
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
MechaCon is short for Mechanics Controller. | MechaCon is short for Mechanics Controller. This chip is the security ic of the PlayStation 2 that implements game disk security, Magic Gate and KELF file decryption. | ||
There are two known main variants of it. | There are two known main variants of it. | ||
The earlier one is based on | The earlier one is based on SPC 9700 and used till GH-022. Chip name starts with "CXP10". Older versions come in a QFP package, newer versions in a BGA package. | ||
The newer one is ARM | The newer one is ARM based, codenamed "Dragon", and used from GH-023 (SCPH-5000X) onwards. Chip name starts with "CXR7". All versions come in a BGA package. Besides this, "Dragon" also includes the functions that were fulfilled by the separate SysCon chip on earlier boards up to GH-022, as well as the RTC+EEPROM chip, that was separate on earlier boards. | ||
The | The chip includes (Dragon) or is connected to (on earlier boards) an 512 word eeprom. The content is different between the two main revisions. | ||
= SPC = | |||
TODO | |||
Dragon | = Dragon = | ||
== EEPROM layout == | |||
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | |||
== | |||
|- bgcolor="#cccccc" | |- bgcolor="#cccccc" | ||
!Start (word)!!End (word)!!Size (byte)!!Offset in file!!Description | ! Start (word) !! End (word) !! Size (byte) !! Offset in file !! Description | ||
|- | |- | ||
| 0 || 48 || 96 || 0x0 || | |||
| | |||
| | |||
|- | |- | ||
| | | 48 || 90 || 84 || 0x60 || | ||
|- | |- | ||
| | | 96 || 128 || 64 || 0xC0 || | ||
|- | |- | ||
| | | 128 || 150 || 44 || 0x100 || | ||
|- | |- | ||
| | | 160 || 190 || 60 || 0x140 || | ||
|- | |- | ||
| 192 || 198 || 12 || 0x180 || Region params (only slim) | |||
| | |||
| | |||
|- | |- | ||
| | | 204 || 208 || 8 || 0x198 || MAC address | ||
|- | |- | ||
| | | 211 || 216 || 10 || 0x1A6 || wake up time | ||
|- | |- | ||
| | | 216 || 225 || 18 || 0x1B0 || model number | ||
| | |||
| | |||
|- | |- | ||
| 227 || 232 || 10 || 0x1C6 || Region code key seed | |||
| | |||
| | |||
|- | |- | ||
| | | 232 || 237 || 10 || 0x1D0 || Region code ciphertext | ||
|- | |- | ||
| | | 240 || 245 || 10 || 0x1E0 || iLink id | ||
|- | |- | ||
| | | 245 || 248 || 6 || 0x1EA || (used by scmd 3, subcmd 48 and 49) | ||
|- | |- | ||
| | | 248 || 253 || 10 || 0x1F0 || Console id | ||
|- | |- | ||
| | | 253 || 256 || 6 || 0x1FA || (used by scmd 3, subcmd 48 and 49) | ||
6 | |||
|- | |- | ||
| 256 || 312 || 112 || 0x200 || config 2 | |||
| | |||
| | |||
|- | |- | ||
| | | 312 || 344 || 64 || 0x270 ||config 0 | ||
|- | |- | ||
| | | 344 || 400 || 112 || 0x2B0 || config 1 | ||
|- | |- | ||
| | | 400 || 512 || 224 || 0x320 || Rom patches ciphertext | ||
|- | |- | ||
|} | |} | ||
== Region code == | |||
=== Decryption === | |||
<pre> | <pre> | ||
Line 363: | Line 96: | ||
return *(uint32_t *) plaintext; | return *(uint32_t *) plaintext; | ||
retrun 0; | |||
} | } | ||
</pre> | </pre> | ||
=== Bits === | |||
{| | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
|- bgcolor="#cccccc" | |- bgcolor="#cccccc" | ||
! Bit!!Description | ! Bit !! Description | ||
|- | |- | ||
| | | 0 || Japan | ||
|- | |- | ||
| | | 1 || USA | ||
|- | |- | ||
| | | 2 || Europe | ||
|- | |- | ||
| | | 3 || Oceania | ||
|- | |- | ||
| | | 4 || Asia | ||
|- | |- | ||
| | | 5 || Russia | ||
|- | |- | ||
| | | 6 || China | ||
|- | |- | ||
| | | 7 || Mexico | ||
|- | |- | ||
| | | 16 || Development (changes MagicGate keys) | ||
|- | |- | ||
| | | 17 || Retail MagicGate keys on Development, bypass BootCertify | ||
|- | |- | ||
| | | 18 || Arcade (changes MagicGate keys) | ||
|- | |- | ||
| | | 19 || Prototype? (changes MagicGate keys) | ||
|- | |- | ||
| | | 20 || ? (dvd related) | ||
|- | |- | ||
|} | |} | ||
== Rom patch == | |||
=== Decryption === | |||
<pre> | <pre> | ||
Line 615: | Line 177: | ||
</pre> | </pre> | ||
=== Content === | |||
The patch can contain up to 4 patches. | The patch can contain up to 4 patches. | ||
Line 627: | Line 189: | ||
payload = Arbitrary, could be code or data as well. | payload = Arbitrary, could be code or data as well. | ||
{| | {| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;" | ||
|- bgcolor="#cccccc" | |- bgcolor="#cccccc" | ||
! Offset!!Size!! Name | ! Offset !! Size !! Name | ||
|- | |- | ||
|0x00||0x04|| address0 | | 0x00 || 0x04 || address0 | ||
|- | |- | ||
|0x04 || 0x04||address1 | | 0x04 || 0x04 || address1 | ||
|- | |- | ||
|0x08||0x04||address2 | | 0x08 || 0x04 || address2 | ||
|- | |- | ||
|0x0C||0x04||address3 | | 0x0C || 0x04 || address3 | ||
|- | |- | ||
|0x10||0x04 ||value0 | | 0x10 || 0x04 || value0 | ||
|- | |- | ||
|0x14||0x04||value1 | | 0x14 || 0x04 || value1 | ||
|- | |- | ||
|0x18|| 0x04||value2 | | 0x18 || 0x04 || value2 | ||
|- | |- | ||
| 0x1C||0x04||value3 | | 0x1C || 0x04 || value3 | ||
|- | |- | ||
|0x20||0x04||svc_address0 | | 0x20 || 0x04 || svc_address0 | ||
|- | |- | ||
| 0x24|| 0x04||svc_address1 | | 0x24 || 0x04 || svc_address1 | ||
|- | |- | ||
|0x28||0x04||svc_address2 | | 0x28 || 0x04 || svc_address2 | ||
|- | |- | ||
|0x2C||0x04 ||svc_address3 | | 0x2C || 0x04 || svc_address3 | ||
|- | |- | ||
| 0x30 ||0xA8||payload | | 0x30 || 0xA8 || payload | ||
|- | |- | ||
|0xD8|| 0x04||crc | | 0xD8 || 0x04 || crc | ||
|- | |- | ||
|} | |} |