MechaCon: Difference between revisions

From PS2 Developer wiki
Jump to navigation Jump to search
Line 25: Line 25:
Firmware comes in an OTP or mask ROM inside MechaCon.
Firmware comes in an OTP or mask ROM inside MechaCon.


TODO
0x0102 | CXP101064-605R
0x0103 | CXP101064-602R
0x0106 | CXP102064-001R (Not confirmed)
0x0107 | CXP102064-003R
0x0108 | CXP102064-002R
0x0109 | CXP102064-751R
0x0200 | CXP102064-004R (Not confirmed)
0x0202 | CXP102064-005R
0x0204 | CXP102064-(1,2,3)01R
0x0205 | CXP102064-702R
0x0206 | CXP102064-(1,2,3)02R
0x0207 | CXP102064-703R
0x0208 | CXP102064-006R (Not confirmed)
0x0209 | CXP102064-704R (Not confirmed)
0x020c | CXP102064-007R/-(1,2,3)03R
0x020d | CXP102064-705R/-752R
0x020e | CXP102064-008R/-(1,2,3)04R
0x0300 | CXP103049-(1,2,3)01GG
0x0302 | CXP103049-001GG/-(1,2,3)02GG
0x0304 | CXP103049-401GG
0x0306 | CXP103049-002GG/-(1,2,3)03GG/-402GG/-501GG
0x0308 | CXP103049-003GG/-403GG


= Dragon =
= Dragon =

Revision as of 04:08, 25 April 2022

MechaCon is short for Mechanics Controller. The main function of it is to control the drive mechanism. However, this chip is also the security ic of the PlayStation 2 that implements game disk security, Magic Gate and KELF file decryption.

There are two known main variants of it.

The earlier one is based on the 16 bit SPC970 CPU core and used till GH-022. Chip name starts with "CXP10". Older versions come in a 100-pin QFP package, newer versions in a 136-ball BGA package.

The newer one is ARM based, codenamed "Dragon", and used from GH-023 (SCPH-5000X) onwards. Chip name starts with "CXR7". All versions come in a 164-ball BGA package. Besides this, "Dragon" also includes the functions that were fulfilled by the separate SysCon chip on earlier boards up to GH-022, as well as the RTC+EEPROM chip, that was separate on earlier boards (or dedicated EEPROM and RTC chips on even earlier boards).

Both have access to a 1 KB / 512 words EEPROM. The EEPROM content is different between the SPC970 based MechaCon and Dragon.

For the SPC970 MechaCon, the EEPROM is an external chip; either a dedicated EEPROM chip on older boards or a combined Rohm RTC+EEPROM chip on later boards.
Dragon has the die of the combined Rohm RTC+EEPROM chip inside its own chip package, however, the EEPROM pins are exposed on the package, and the connection between Dragon and the RTC+EEPROM is done externally on the motherboard.

Every MechaCon has a 3.3 V TTL UART interface that was used by service centers for example to readjust the drive and to write calibration data etc. Today it can be used with tools like PMAP (currently supports consoles up to I-chassis) to readjust the drive mechanism after fitting a replacement laser assembly etc.

SPC970

Hardware revisions

  • CXP101064 (only used on early A-chassis/GH-001 boards)
  • CXP102064 (used from later A-chassis to D/D'-chassis boards)
  • CXP103049 (BGA case, used in F and G-chassis)

The CXP103049 requires a working battery to function properly.

Firmware revisions

Firmware comes in an OTP or mask ROM inside MechaCon.

0x0102 | CXP101064-605R 0x0103 | CXP101064-602R 0x0106 | CXP102064-001R (Not confirmed) 0x0107 | CXP102064-003R 0x0108 | CXP102064-002R 0x0109 | CXP102064-751R 0x0200 | CXP102064-004R (Not confirmed) 0x0202 | CXP102064-005R 0x0204 | CXP102064-(1,2,3)01R 0x0205 | CXP102064-702R 0x0206 | CXP102064-(1,2,3)02R 0x0207 | CXP102064-703R 0x0208 | CXP102064-006R (Not confirmed) 0x0209 | CXP102064-704R (Not confirmed) 0x020c | CXP102064-007R/-(1,2,3)03R 0x020d | CXP102064-705R/-752R 0x020e | CXP102064-008R/-(1,2,3)04R 0x0300 | CXP103049-(1,2,3)01GG 0x0302 | CXP103049-001GG/-(1,2,3)02GG 0x0304 | CXP103049-401GG 0x0306 | CXP103049-002GG/-(1,2,3)03GG/-402GG/-501GG 0x0308 | CXP103049-003GG/-403GG

Dragon

Hardware revisions

  • CXR706F080 (has a flash ROM for firmware; used for engineering, not used in retail consoles)
  • CXR706080 (used in H, I and J chassis SCPH-5XXXX consoles as well as in PSX)
  • CXR716080 (used in K, L and M slim chassis SCPH-70XXX, SCPH-75XXX and SCPH-77XXX consoles)
  • CXR726080 (used in N, P and R slim chassis SCPH-79XXX and SCPH-9XXXX consoles)

Firmware revisions

Firmware comes in an OTP or mask ROM inside MechaCon, except in CXR706F080, which has a reprogrammable flash ROM. It is however possible to apply patches to it via EEPROM.

Dumps: https://mega.nz/folder/MNpAQDzJ#bZpyfb7aGrhGDMR_ZGA8ig

Early versions of the Dragon MechaCon firmware (specifically in SCPH-5XXXX and SCPH-70XXX consoles) have a tendency to crash by sheer bad luck or on badly readable discs (e.g. badly burned/low quality DVD-R discs or scratched originals), overvolting the focus/tracking coils of the laser and killing them and also the driver IC in the process. Several hardware-based mitigations/"fixes" have been developed by the community to address this issue with varying degrees of success. The most notable of these fixes are the "Romeo-mod"/"LA-fix" for SCPH-5XXXX consoles and "summ0ne's fix" for SCPH-70XXX consoles.

EEPROM layout

Start (word) End (word) Size (byte) Offset in file Description
0 48 96 0x0
48 90 84 0x60
96 128 64 0xC0
128 150 44 0x100
160 190 60 0x140
192 198 12 0x180 Region params (only slim)
204 208 8 0x198 MAC address
211 216 10 0x1A6 wake up time
216 225 18 0x1B0 model number
227 232 10 0x1C6 Region code key seed
232 237 10 0x1D0 Region code ciphertext
240 245 10 0x1E0 iLink id
245 248 6 0x1EA (used by scmd 3, subcmd 48 and 49)
248 253 10 0x1F0 Console id
253 256 6 0x1FA (used by scmd 3, subcmd 48 and 49)
256 312 112 0x200 config 2
312 344 64 0x270 config 0
344 400 112 0x2B0 config 1
400 512 224 0x320 Rom patches ciphertext

Region code

Decryption

int getRegionFlags()
{
	// read kek
	uint8_t key508[8];
	ksGetKey(key508, 508);
	
	// read saved seed from eeprom
	uint8_t keyseed[10];
	eepromRead(227, sizeof(keyseed), keyseed);
	
	// read encrypted region from eeprom
	uint8_t ciphertext[10];
	eepromRead(232, sizeof(ciphertext), ciphertext);
	
	// generate key
	uint8_t key[8];
	desEncrypt(key508, keyseed, key);
	
	// decrypt ciphertext
	uint8_t plaintext[8];
	desDecrypt(key, ciphertext, plaintext);
	
	uint16_t crc = *(uint16_t *) plaintext;
	crc += *(uint16_t *) &plaintext[2];
	crc += *(uint16_t *) &plaintext[4];
	
	// check checksum
	if (crc  == *(uint16_t *) &plaintext[6])
		return *(uint32_t *) plaintext;
	
	retrun 0;
}

Bits

Bit Description
0 Japan
1 USA
2 Europe
3 Oceania
4 Asia
5 Russia
6 China
7 Mexico
16 Development (changes MagicGate keys)
17 Retail MagicGate keys on Development, bypass BootCertify
18 Arcade (changes MagicGate keys)
19 Prototype? (changes MagicGate keys)
20 ? (dvd related)

Rom patch

Decryption

bool readAndDecryptRomPatch()
{
	// read the patch's first half
	uint8_t patches[0xDE];
	eepromRead(400, 0x70, patches);
	
	// check if the -1th byte is 0 (sum is not checked)
	if (patches[0x6E])
		return false;

	// read the patch's second half
	eepromRead(456, 0x70, &patches[0x6E]);
	
	// check if the -1th byte is 0 (sum is not checked)
	if (patches[0xDC])
		return false;

	// read encryption key
	uint8_t key504[8];
	ksGetKey(key504, 504);
	
	// decrypt the patch using DES-ECB
	for (int i = 0; i < 0xD8; i += 8)
		desDecrypt(key504, &patches[i], &patches[i]);

	// check sum
	uint32_t sum = *(uint32_t *)patches;
	sum += *(uint32_t *)&patches[4];
	sum += *(uint32_t *)&patches[8];
	sum += *(uint32_t *)&patches[12];

	if (*(uint32_t *) &patches[0xD8] == ~sum)
		return false;
		
	return true;
}

Content

The patch can contain up to 4 patches.

addressX = The address where to apply the patch

valueX = The data that's written there

svc_addressX = The address where SVC X instruction jumps to.

payload = Arbitrary, could be code or data as well.

Offset Size Name
0x00 0x04 address0
0x04 0x04 address1
0x08 0x04 address2
0x0C 0x04 address3
0x10 0x04 value0
0x14 0x04 value1
0x18 0x04 value2
0x1C 0x04 value3
0x20 0x04 svc_address0
0x24 0x04 svc_address1
0x28 0x04 svc_address2
0x2C 0x04 svc_address3
0x30 0xA8 payload
0xD8 0x04 crc