MechaCon: Difference between revisions
No edit summary |
No edit summary |
||
| Line 3: | Line 3: | ||
There are two known main variants of it. | There are two known main variants of it. | ||
The earlier one is based on SPC970 and used till GH-022. Chip name starts with "CXP10". Older versions come in a 100-pin QFP package, newer versions in a 136-ball BGA package. | The earlier one is based on the 16 bit SPC970 CPU core and used till GH-022. Chip name starts with "CXP10". Older versions come in a 100-pin QFP package, newer versions in a 136-ball BGA package. | ||
The newer one is ARM based, codenamed "Dragon", and used from GH-023 (SCPH-5000X) onwards. Chip name starts with "CXR7". All versions come in a 164-ball BGA package. Besides this, "Dragon" also includes the functions that were fulfilled by the separate SysCon chip on earlier boards up to GH-022, as well as the RTC+EEPROM chip, that was separate on earlier boards (or dedicated EEPROM and RTC chips on even earlier boards). | The newer one is ARM based, codenamed "Dragon", and used from GH-023 (SCPH-5000X) onwards. Chip name starts with "CXR7". All versions come in a 164-ball BGA package. Besides this, "Dragon" also includes the functions that were fulfilled by the separate SysCon chip on earlier boards up to GH-022, as well as the RTC+EEPROM chip, that was separate on earlier boards (or dedicated EEPROM and RTC chips on even earlier boards). | ||
Revision as of 03:17, 25 April 2022
MechaCon is short for Mechanics Controller. The main function of it is to control the drive mechanism. However, this chip is also the security ic of the PlayStation 2 that implements game disk security, Magic Gate and KELF file decryption.
There are two known main variants of it.
The earlier one is based on the 16 bit SPC970 CPU core and used till GH-022. Chip name starts with "CXP10". Older versions come in a 100-pin QFP package, newer versions in a 136-ball BGA package.
The newer one is ARM based, codenamed "Dragon", and used from GH-023 (SCPH-5000X) onwards. Chip name starts with "CXR7". All versions come in a 164-ball BGA package. Besides this, "Dragon" also includes the functions that were fulfilled by the separate SysCon chip on earlier boards up to GH-022, as well as the RTC+EEPROM chip, that was separate on earlier boards (or dedicated EEPROM and RTC chips on even earlier boards).
Both have access to a 1 KB / 512 words EEPROM. The EEPROM content is different between the SPC970 based MechaCon and Dragon.
For the SPC970 MechaCon, the EEPROM is an external chip; either a dedicated EEPROM chip on older boards or a combined Rohm RTC+EEPROM chip on later boards.
Dragon has the die of the combined Rohm RTC+EEPROM chip inside its own chip package, however, the EEPROM pins are exposed on the package, and the connection between Dragon and the RTC+EEPROM is done externally on the motherboard.
Every MechaCon has a 3.3 V TTL UART interface that was used by service centers for example to readjust the drive and to write calibration data etc. Today it can be used with tools like PMAP (currently supports consoles up to I-chassis) to readjust the drive mechanism after fitting a replacement laser assembly etc.
SPC970
Hardware revisions
- CXP101064 (only used on early A-chassis/GH-001 boards)
- CXP102064 (used from later A-chassis to D/D'-chassis boards)
- CXP103049 (BGA case, used in F and G-chassis)
The CXP103049 requires a working battery to function properly.
Firmware revisions
Firmware comes in an OTP or mask ROM inside MechaCon.
TODO
Dragon
Hardware revisions
- CXR706F080 (has a flash ROM for firmware; used for engineering, not used in retail consoles)
- CXR706080 (used in H, I and J chassis SCPH-5XXXX consoles as well as in PSX)
- CXR716080 (used in K, L and M slim chassis SCPH-70XXX, SCPH-75XXX and SCPH-77XXX consoles)
- CXR726080 (used in N, P and R slim chassis SCPH-79XXX and SCPH-9XXXX consoles)
Firmware revisions
Firmware comes in an OTP or mask ROM inside MechaCon, except in CXR706F080, which has a reprogrammable flash ROM. It is however possible to apply patches to it via EEPROM.
Dumps: https://mega.nz/folder/MNpAQDzJ#bZpyfb7aGrhGDMR_ZGA8ig
Early versions of the Dragon MechaCon firmware have a tendency to crash by sheer bad luck or on badly readable discs (e.g. badly burned/low quality DVD-R discs or scratched originals), overvolting the focus/tracking coils of the laser and killing them and also the driver IC in the process. Several hardware-based fixes have been developed by the community to address this issue with varying degrees of success.
EEPROM layout
| Start (word) | End (word) | Size (byte) | Offset in file | Description |
|---|---|---|---|---|
| 0 | 48 | 96 | 0x0 | |
| 48 | 90 | 84 | 0x60 | |
| 96 | 128 | 64 | 0xC0 | |
| 128 | 150 | 44 | 0x100 | |
| 160 | 190 | 60 | 0x140 | |
| 192 | 198 | 12 | 0x180 | Region params (only slim) |
| 204 | 208 | 8 | 0x198 | MAC address |
| 211 | 216 | 10 | 0x1A6 | wake up time |
| 216 | 225 | 18 | 0x1B0 | model number |
| 227 | 232 | 10 | 0x1C6 | Region code key seed |
| 232 | 237 | 10 | 0x1D0 | Region code ciphertext |
| 240 | 245 | 10 | 0x1E0 | iLink id |
| 245 | 248 | 6 | 0x1EA | (used by scmd 3, subcmd 48 and 49) |
| 248 | 253 | 10 | 0x1F0 | Console id |
| 253 | 256 | 6 | 0x1FA | (used by scmd 3, subcmd 48 and 49) |
| 256 | 312 | 112 | 0x200 | config 2 |
| 312 | 344 | 64 | 0x270 | config 0 |
| 344 | 400 | 112 | 0x2B0 | config 1 |
| 400 | 512 | 224 | 0x320 | Rom patches ciphertext |
Region code
Decryption
int getRegionFlags()
{
// read kek
uint8_t key508[8];
ksGetKey(key508, 508);
// read saved seed from eeprom
uint8_t keyseed[10];
eepromRead(227, sizeof(keyseed), keyseed);
// read encrypted region from eeprom
uint8_t ciphertext[10];
eepromRead(232, sizeof(ciphertext), ciphertext);
// generate key
uint8_t key[8];
desEncrypt(key508, keyseed, key);
// decrypt ciphertext
uint8_t plaintext[8];
desDecrypt(key, ciphertext, plaintext);
uint16_t crc = *(uint16_t *) plaintext;
crc += *(uint16_t *) &plaintext[2];
crc += *(uint16_t *) &plaintext[4];
// check checksum
if (crc == *(uint16_t *) &plaintext[6])
return *(uint32_t *) plaintext;
retrun 0;
}
Bits
| Bit | Description |
|---|---|
| 0 | Japan |
| 1 | USA |
| 2 | Europe |
| 3 | Oceania |
| 4 | Asia |
| 5 | Russia |
| 6 | China |
| 7 | Mexico |
| 16 | Development (changes MagicGate keys) |
| 17 | Retail MagicGate keys on Development, bypass BootCertify |
| 18 | Arcade (changes MagicGate keys) |
| 19 | Prototype? (changes MagicGate keys) |
| 20 | ? (dvd related) |
Rom patch
Decryption
bool readAndDecryptRomPatch()
{
// read the patch's first half
uint8_t patches[0xDE];
eepromRead(400, 0x70, patches);
// check if the -1th byte is 0 (sum is not checked)
if (patches[0x6E])
return false;
// read the patch's second half
eepromRead(456, 0x70, &patches[0x6E]);
// check if the -1th byte is 0 (sum is not checked)
if (patches[0xDC])
return false;
// read encryption key
uint8_t key504[8];
ksGetKey(key504, 504);
// decrypt the patch using DES-ECB
for (int i = 0; i < 0xD8; i += 8)
desDecrypt(key504, &patches[i], &patches[i]);
// check sum
uint32_t sum = *(uint32_t *)patches;
sum += *(uint32_t *)&patches[4];
sum += *(uint32_t *)&patches[8];
sum += *(uint32_t *)&patches[12];
if (*(uint32_t *) &patches[0xD8] == ~sum)
return false;
return true;
}
Content
The patch can contain up to 4 patches.
addressX = The address where to apply the patch
valueX = The data that's written there
svc_addressX = The address where SVC X instruction jumps to.
payload = Arbitrary, could be code or data as well.
| Offset | Size | Name |
|---|---|---|
| 0x00 | 0x04 | address0 |
| 0x04 | 0x04 | address1 |
| 0x08 | 0x04 | address2 |
| 0x0C | 0x04 | address3 |
| 0x10 | 0x04 | value0 |
| 0x14 | 0x04 | value1 |
| 0x18 | 0x04 | value2 |
| 0x1C | 0x04 | value3 |
| 0x20 | 0x04 | svc_address0 |
| 0x24 | 0x04 | svc_address1 |
| 0x28 | 0x04 | svc_address2 |
| 0x2C | 0x04 | svc_address3 |
| 0x30 | 0xA8 | payload |
| 0xD8 | 0x04 | crc |