MechaCon
Jump to navigation
Jump to search
MechaCon is short for Mechanics Controller. This chip is the security ic of the PlayStation 2 that implements game disk security, Magic Gate and KELF file decryption.
There are two known main variants of it.
The earlier one is based on SPC 9700 and used till GH-016.
The newer one is ARM based, codenamed "Dragon".
The chip includes an 512 word eeprom. The content is different between the two main reversions.
SCP
TODO
Dragon
EEPROM layout
| Start (word) | End (word) | Size (byte) | Description |
|---|---|---|---|
| 0 | 48 | 96 | |
| 48 | 90 | 84 | |
| 96 | 128 | 64 | |
| 128 | 150 | 44 | |
| 160 | 190 | 60 | |
| 192 | 198 | 12 | Region params |
| 204 | 208 | 8 | MAC address |
| 211 | 216 | 10 | wake up time |
| 216 | 225 | 18 | model number |
| 227 | 232 | 10 | Region code key seed |
| 232 | 237 | 10 | Region code ciphertext |
| 240 | 245 | 10 | iLink id |
| 245 | 248 | 6 | (used by scmd 3, subcmd 48 and 49) |
| 248 | 253 | 10 | Console id |
| 253 | 256 | 6 | (used by scmd 3, subcmd 48 and 49) |
| 256 | 312 | 112 | config 2 |
| 312 | 344 | 64 | config 0 |
| 344 | 400 | 112 | config 1 |
| 400 | 512 | 224 | Rom patches ciphertext |
Region code
Decryption
int getRegionFlags()
{
// read kek
uint8_t key508[8];
ksGetKey(key508, 508);
// read saved seed from eeprom
uint8_t keyseed[10];
eepromRead(227, sizeof(keyseed), keyseed);
// read encrypted region from eeprom
uint8_t ciphertext[10];
eepromRead(232, sizeof(ciphertext), ciphertext);
// generate key
uint8_t key[8];
desEncrypt(key508, keyseed, key);
// decrypt ciphertext
uint8_t plaintext[8];
desDecrypt(key, ciphertext, plaintext);
uint16_t crc = *(uint16_t *) plaintext;
crc += *(uint16_t *) &plaintext[2];
crc += *(uint16_t *) &plaintext[4];
// check checksum
if (crc == *(uint16_t *) &plaintext[6])
return *(uint32_t *) plaintext;
retrun 0;
}
Bits
| Bit | Description |
|---|---|
| 1 | Japan |
| 2 | USA |
| 3 | Europe |
| 4 | Oceania |
| 5 | Asia |
| 6 | Russia |
| 7 | China |
| 8 | Mexico |
| 17 | Development (changes KELF keys) |
| 18 | Retail KELF keys on Development |
| 19 | Arcade (changes KELF keys) |
| 20 | Prototype? (changes KELF keys) |
| 21 | ? (dvd related) |
Rom patch
Decryption
bool readAndDecryptRomPatch()
{
// read the patch's first half
uint8_t patches[0xDE];
eepromRead(400, 0x70, patches);
// check if the -1th byte is 0 (sum is not checked)
if (patches[0x6E])
return false;
// read the patch's second half
eepromRead(456, 0x70, &patches[0x6E]);
// check if the -1th byte is 0 (sum is not checked)
if (patches[0x6E])
return false;
// read encryption key
ksGetKey(key504, 504);
// decrypt the patch using DES-ECB
for (int i = 0; i < 0xD8; i += 8)
desDecrypt(key504, &patches[i], &patches[i]);
// check sum
uint32_t sum = *(uint32_t *)patches;
sum += *(uint32_t *)&patches[4];
sum += *(uint32_t *)&patches[8];
sum += *(uint32_t *)&patches[12];
if (*(uint32_t *) &patches[0xD8] == ~sum)
return false;
return true;
}
Content
The patch can contain up to 4 patches.
addressX = The address where to apply the patch
valueX = The data that's written there
svc_addressX = The address where SVC X instruction jumps to.
payload = Arbitrary, could be code or data as well.
| Offset | Size | Name |
|---|---|---|
| 0x00 | 0x04 | address0 |
| 0x04 | 0x04 | address1 |
| 0x08 | 0x04 | address2 |
| 0x0C | 0x04 | address3 |
| 0x10 | 0x04 | value0 |
| 0x14 | 0x04 | value1 |
| 0x18 | 0x04 | value2 |
| 0x1C | 0x04 | value3 |
| 0x20 | 0x04 | svc_address0 |
| 0x24 | 0x04 | svc_address1 |
| 0x28 | 0x04 | svc_address2 |
| 0x2C | 0x04 | svc_address3 |
| 0x30 | 0xA8 | payload |
| 0xD8 | 0x04 | crc |