MechaCon

From PS2 Developer wiki
Jump to navigation Jump to search

MechaCon is short for Mechanics Controller. Its main function of it is to control the drive mechanism. However, this chip is also the security ic of the PlayStation 2 that implements game disk security, Magic Gate and KELF file decryption.

There are two known main variants of it.

The earlier one is based on the 16-bit SPC970 CPU core and was used till GH-022. Chip name starts with "CXP10". Older versions come in a 100-pin QFP package, newer versions in a 136-ball BGA package.

The newer one is ARM-based (Sony SR11 core, 32-bit, ARM7TDMI), codenamed "Dragon", and used from GH-023 (SCPH-5000X) onwards. Chip name starts with "CXR7". All versions come in a 164-ball BGA package. Besides this, "Dragon" also fulfils the functions that were fulfilled by the separate SysCon chip on earlier boards up to GH-022, as well as the RTC+EEPROM chip, which was separate on earlier boards (or dedicated EEPROM and RTC chips on even earlier boards).

Both have access to a 1 KB / 512 words EEPROM. The EEPROM content is different between the SPC970-based MechaCon and Dragon.

For the SPC970 MechaCon, the EEPROM is an external chip; either a dedicated EEPROM chip on older boards or a combined Rohm RTC+EEPROM chip on later boards.
Dragon has the die of the combined Rohm RTC+EEPROM chip inside its own chip package, however, the EEPROM pins are exposed on the package, and the connection between Dragon and the RTC+EEPROM is done externally on the motherboard.

Every MechaCon has a 3.3 V TTL UART interface exposed on test pads that was used by service centers for example to readjust the drive and write calibration data etc. Today it can be used with tools like PMAP (currently supports consoles up to I-chassis) to readjust the drive mechanism after fitting a replacement laser assembly etc. See Test points.

Additionaly, at least the SPC970-based MechaCon (both, QFP and BGA revisions) provide an I²C interface with SDA and SCL being exposed on test pads next to the MechaCon.

SPC970

Hardware revisions

  • CXP101064 (only used on early A-chassis/GH-001 boards)
  • CXP102064 (used from later A-chassis to D/D'-chassis boards)
    • <imgur w=480>dWB8SQQ.jpg</imgur>
  • CXP103049 (BGA case, used in F and G-chassis)
    • requires a working battery to function properly.

Firmware revisions

Firmware comes in an OTP or mask ROM inside MechaCon.

TODO

EEPROM layout

TODO

Dragon

Hardware revisions

  • CXR706F080 (has a flash ROM for firmware; used for engineering, not used in retail consoles)
  • CXR706080 (used in H, I and J chassis SCPH-5XXXX consoles as well as in PSX)
  • CXR716080 (used in K, L and M slim chassis SCPH-70XXX, SCPH-75XXX and SCPH-77XXX consoles)
  • CXR726080 (used in N, P and R slim chassis SCPH-79XXX and SCPH-9XXXX consoles)

Firmware revisions

Firmware comes in an OTP or mask ROM inside MechaCon, except in CXR706F080, which has a reprogrammable flash ROM. It is however possible to apply patches to it via EEPROM.

Dumps: https://mega.nz/folder/MNpAQDzJ#bZpyfb7aGrhGDMR_ZGA8ig

Early versions of the Dragon MechaCon firmware (specifically in SCPH-5XXXX and SCPH-70XXX consoles) have a tendency to crash by sheer bad luck or on badly readable discs (e.g. badly burned/low-quality DVD-R discs or scratched originals), overvolting the focus/tracking coils of the laser and killing them and also the driver IC in the process. Several hardware-based mitigations/"fixes" have been developed by the community to address this issue with varying degrees of success. The most notable of these fixes are the "Romeo-mod"/"LA-fix" for SCPH-5XXXX consoles and "summ0ne's fix" for SCPH-70XXX consoles.

PSX uses MechaCon v5.10 (CXR706080-702GG) (for DESR-x000 and DESR-x100) and v5.14 (CXR706080-703GG) (for DESR-x500 and DESR-x700).

EEPROM layout

Start (word) End (word) Size (byte) Offset in file Description
0 48 0x60 0x0
48 90 0x54 0x60
90 96 0xC 0xB4 gap
96 128 0x40 0xC0
128 150 0x2C 0x100
150 160 0x14 0x12C gap
160 190 0x3C 0x140
190 192 0x4 0x17C gap
192 198 0xC 0x180 Region params (only slim)
198 204 0xC 0x18C gap
204 208 0x8 0x198 MAC address (only slim)
208 211 0x6 0x1A0 gap
211 216 0xA 0x1A6 wake up time
216 225 0x12 0x1B0 model number
225 227 0x4 0x1C2 gap
227 232 0xA 0x1C6 Region code key seed
232 237 0xA 0x1D0 Region code ciphertext
237 240 0x6 0x1DA gap
240 245 0xA 0x1E0 iLink id
245 248 0x6 0x1EA (used by scmd 3, subcmd 48 and 49)
248 253 0xA 0x1F0 Console id
253 256 0x6 0x1FA (used by scmd 3, subcmd 48 and 49)
256 312 0x70 0x200 config 2
312 344 0x40 0x270 config 0 (EEGS)
344 400 0x70 0x2B0 config 1 (OSD)
400 512 0xE0 0x320 Rom patches ciphertext

Region params

Offset Size Description
0x180 0xF Various region parameters. Type char. Zero padded. On dragon FATs (mechacon v5) filled with FF. Does not have checksum. Normally write-protected by mechacon.
Region params 0x180 1 On 70k exists but has no effect. On Deckard will patch rom0:ROMVER (4th byte 0220HD20060905) and rom0. Possible values: "J" - for Japan, "A" - for America and Mexico, "E" - for Europe, Oceania and Russia, "H" - for region Asia, Taiwan, Korea, "C" - for region Mainland China. Each region checks license data in the PS2 titles. "A" region has this check disabled. "H" region untested.
0x181 4 On all slims will patch rom0:OSDVER (5-8th byte) ("0190Csch"). This mostly controls OSD language sets, and other changes are not tested. Possible values: "Jjpn" - for Japan, "Aeng" - for America, "Eeng" - for Europe and Oceania, "Heng" - for Asia, "Reng" - for Russia, "Csch" - for mainland China, "Kkor" - for Korea, "Htch" - for Taiwan, "Aspa" - for Mexico. "Ccsh" will crash cause rom2 (containing Simplified Chinese font) is missing on slims.
0x185 1 On 70k exists but has no effect. On Deckard will patch rom0:VERSTR (0x22 byte: "System ROM Version 5.0 06/23/03 J") and rom0. Possible values: "J" - for Japan, Asia, Taiwan, Korea, China, "A" - for America, Mexico, "E" - for Europe, Oceania and Russia. Each region checks license data in the PS1 titles. "A" region has this check disabled.
0x186 1 On all slims will patch rom1:DVDID (5th byte) ("3.11A"). This change DVD player region. Possible values: "JUEAORCM".
0x187-0x18B 5 Zero filled.

MAC address

Offset Size Description
0x198 0x8 48-bit MAC address. On dragon FATs (mechacon v5) filled with FF. On 70k exists but has no effect.
MAC address 0x198 3 Organizationally unique identifier (OUI). On 70k always 00:04:1F and has no effect. On Deckard units can be 00:13:15, 00:15:C1, 00:19:C5, 00:1D:0D, 00:1F:A7, 00:24:8D, 28:0D:FC, A8:E3:EE. Full list unknown. By OUI registration date, console manufacture date can be partially evaluated.
0x19B 3 Random part of MAC address. On 70k always 00:00:00 and has no effect. Assignment unknown: probably is somehow calculated from data on the sticker.
0x19E 1 checksum of even bytes uint8_t sum = 0x199 + 0x19B + 0x19D
0x19E 1 checksum of odd bytes uint8_t sum = 0x198 + 0x19A + 0x19C

Model number

Offset Size Description
0x1B0 0x12 Model number string. Type char. Zero padded.
Model number 0x1B0 1-16 Model name string. Max 15 or 16 characters. Zero padded. If started with "DTL-H" then OSD will block DVD player from work.
0x1C0 1 Null.
0x1C1 1 uint8_t sum = 0xFF - sum(0x1B0:0x1BF)

Region code

Decryption

int getRegionFlags()
{
	// read kek
	uint8_t key508[8];
	ksGetKey(key508, 508);
	
	// read saved seed from eeprom
	uint8_t keyseed[10];
	eepromRead(227, sizeof(keyseed), keyseed);
	
	// read encrypted region from eeprom
	uint8_t ciphertext[10];
	eepromRead(232, sizeof(ciphertext), ciphertext);
	
	// generate key
	uint8_t key[8];
	desEncrypt(key508, keyseed, key);
	
	// decrypt ciphertext
	uint8_t plaintext[8];
	desDecrypt(key, ciphertext, plaintext);
	
	uint16_t crc = *(uint16_t *) plaintext;
	crc += *(uint16_t *) &plaintext[2];
	crc += *(uint16_t *) &plaintext[4];
	
	// check checksum
	if (crc  == *(uint16_t *) &plaintext[6])
		return *(uint32_t *) plaintext;
	
	retrun 0;
}

Bits

Bit Description
0 Japan
1 USA
2 Europe
3 Oceania
4 Asia
5 Russia
6 China
7 Mexico
16 Development (changes MagicGate keys)
17 Retail MagicGate keys on Development, bypass BootCertify
18 Arcade (changes MagicGate keys)
19 Prototype? (changes MagicGate keys)
20 ? (dvd related)

i.Link ID

Offset Size Description
0x1E0 0xA i.Link ID
Console id 0x1E0 1 EMCS ID. Id of plant, where the console was manufactured. Can be restored from the console sticker. 0x10 - SKZ (SONY KISARAZU, Japan), 0x11 SKD (SONY KOHDA, Japan), 0x18 - S.EMCS (Japan) only seen for PSX DESR, 0x20 - FOXC (Foxconn, China), 0x21 - FOXC (Foxconn, China), 0x30 - SZMT (SuZhou MainTek), 0x40 - S WUXI, only seen for SCPH-50009. Difference between 0x21 and 0x20 is unknown, 0x21 appeared in 2007-2008. EMCS ID (0x20-0x21) changed somewhere in 77k era, early 77k were still with 0x20, while older 77k already has 0x21. EMCS ID almost always is printed on sticker - this is first 2-digits in the barcode.
0x1E2 3 Model ID. Can be calculated from Console Model ID (0x1F0-0x1F1) = ConsoleModelID + 0x200001
0x1E4 3 i.Link ID. Can be calculated from Console Serial Number (0x1F4-0x1F6) = 0xFFFFFF - SerialNumber
0x1E7 1 Unknown. 0xB0 on PSX DESR units, 0x80 on all other units.
0x1E8 1 Null.
0x1E9 1 uint8_t sum = 0xFF - sum(0x1E0:0x1E7)

Console id

Offset Size Description
0x1F0 0xA Console ID
0x1F0 2 Console Model ID. Unique per model number, color and edition. Can be restored from the console sticker. 0xd301 - 0xd37f reserved for DTL/TEST units, 0xd380 - 0xd400 reserved for PSX DESR units, 0xd401 - 0xd48f reserved for retail units. Full list isn't yet collected, currently it contains more than 100 collected IDs.
0x1F2 2 0x0111 - always. In pre-Dragon units known as SDMI Company ID.
0x1F4 3 Console Serial Number (in dec). Can be restored from the console sticker.
0x1F7 1 EMCS ID. Id of plant, where the console was manufactured. Can be restored from the console sticker. 0x10 - SKZ (SONY KISARAZU, Japan), 0x11 SKD (SONY KOHDA, Japan), 0x18 - S.EMCS (Japan) only seen for PSX DESR, 0x20 - FOXC (Foxconn, China), 0x21 - FOXC (Foxconn, China), 0x30 - SZMT (SuZhou MainTek), 0x40 - S WUXI, only seen for SCPH-50009. Difference between 0x21 and 0x20 is unknown, 0x21 appeared in 2007-2008. EMCS ID (0x20-0x21) changed somewhere in 77k era, early 77k were still with 0x20, while older 77k already has 0x21. EMCS ID almost always is printed on sticker - this is first 2-digits in the barcode.
0x1F8 1 Null.
0x1F9 1 uint8_t sum = 0xFF - sum(0x1F0:0x1F7)

Config 0 (EEGS)

Offset Size Description
0x270 0x40 Config 0 (EEGS)
EEGS 0x270 1 Unknown, 0x00 or 0x01
0x271 1 Unknown, 0x03 or 0x00
0x272 13 Unknown, always zero
0x27F 1 uint8_t sum = sum(0x270-0x27E)
0x280 1 bit 7, enable/disable networking features, always = 1, if cleared will show all network devices as disabled
0x281 3 Unknown, always zero
0x294 1 Unknown, always zero. In elec tool, March 2003, 0xC0 bitmask is compared to check if console is PAL,

but no real console were found with that bitmask

0x295 1 bit 5, 1=pal, 0=ntsc, 0x10 bitmask is compared to check if console is PAL
0x296 9 Unknown, always zero
0x28F 1 uint8_t sum = sum(0x280-0x28E)
0x290 15 Unknown
0x29F 1 uint8_t sum = sum(0x290-0x29E)
0x2A0 15 Unknown
0x2AF 1 uint8_t sum = sum(0x2A0-0x2AE)
0x2B0 15 Unknown
0x2BF 1 uint8_t sum = sum(0x2B0-0x2BE)

Config 1 (OSD)

Offset Size Description
0x2B0 0x70 Config 1 (OSD)
Config 1 (OSD) 0x2B0 1 PS1 (ps1drv settings) Unknown, mostly zero
0x2B1 14 Unused, the rest of PS1 block, always zero
0x2BF 1 uint8_t sum = sum(0x2B0-0x2BE)
0x2C0 15 PS2
0x2C0 bit 0 spdif: 0=enabled, 1=disabled handled by OSD
bit 1-2 Aspct: Aspect Ration 0=4:3, 1=fullscreen, 2=16:9, 3=unused, handled by OSD
bit 3 Video: 0=rgb(scart), 1=component, handled by OSD
bit 4 oldLang: always set to 1. Leftover from older OSD configuration block, left for compatibility.
bit 5 currentVersion: 0-standard languages, 1-extended languages: Simplified Chinese, Russian, Korean, Traditional Chinese
bit 6-7 unused: 0-always zero
0x2C1 bit 0-4 newLang, handled by OSD, Japanese=0,English=1,French=2,Spanish=3,German=4,Italian=5,Dutch=6,Portugese=7,

Russian=8,Korean=9,Traditional Chinese=10,Simplified Chinese=11, 12-31 unused

bit 5-7 maxVersion: 2=Dragon,1=Pre-Dragon (not used), 0 Unknown, 3-7 unused
0x2C2 bit 0-2 TimeZoneH: Timezone minutes offset from GMT, higher 3 bits, total 11 bit, handled by OSD
bit 3 SummerTime: 0=standard(winter), 1=daylight savings(summer), handled by OSD
bit 4 TimeNotation: 0=24 hour, 1=12 hour, handled by OSD
bit 5-6 DateNotation: 0=YYYYMMDD, 1=MMDDYYYY, 2=DDMMYYYY, 3-Unused, handled by OSD
bit 7 Init: 0=OOBE, 1=normal, 0 - will start OSD Initialization on next boot
0x2C3 1 TimeZoneL: Timezone minutes offset from GMT, lower 5 bits, total 11 bit, handled by OSD
0x2C4 bit 0 TimeZoneCityH: Timezone ID, higher 1 bit, total 9 bit, handled by OSD
bit 1-3 Unknown, Value is carried over
bit 4 dvdpProgressive: 0=disabled, 1=enabled Whether the DVD player should have progressive scanning enabled, handled by DVD Player
bit 5 rcSupported: always 1=enabled, Whether the Remote Control is supported by the PlayStation 2. Unknown how 0=disabled will affect.
bit 6 rcGameFunction: 0=disabled, 1=enabled, Remote Control Game Function On/Of, handled by OSD
bit 7 rcEnabled: 0=disabled, 1=enabled, Remote Control On/Off option, handled by OSD
0x2C5 1 TimeZoneCityL: Timezone ID, lower 8 bits, total 9 bit, handled by OSD
0x2C6 9 Unused, always zero
0x2CF 1 uint8_t sum = sum(0x2C0-0x2CE)
0x2D0 15 Unknown
0x2DF 1 int8_t sum = sum(0x2D0-0x2DE)
0x2E0 15 Unknown
0x2EF 1 uint8_t sum = sum(0x2E0-0x2EE)
0x2F0 15 Unknown
0x2FF 1 uint8_t sum = sum(0x2F0-0x2FE)
0x300 15 Unknown
0x30F 1 uint8_t sum = sum(0x300-0x30E)
0x310 15 Unknown
0x31F 1 uint8_t sum = sum(0x310-0x31E)

Rom patch

Decryption

bool readAndDecryptRomPatch()
{
	// read the patch's first half
	uint8_t patches[0xDE];
	eepromRead(400, 0x70, patches);
	
	// check if the -1th byte is 0 (sum is not checked)
	if (patches[0x6E])
		return false;

	// read the patch's second half
	eepromRead(456, 0x70, &patches[0x6E]);
	
	// check if the -1th byte is 0 (sum is not checked)
	if (patches[0xDC])
		return false;

	// read encryption key
	uint8_t key504[8];
	ksGetKey(key504, 504);
	
	// decrypt the patch using DES-ECB
	for (int i = 0; i < 0xD8; i += 8)
		desDecrypt(key504, &patches[i], &patches[i]);

	// check sum
	uint32_t sum = *(uint32_t *)patches;
	sum += *(uint32_t *)&patches[4];
	sum += *(uint32_t *)&patches[8];
	sum += *(uint32_t *)&patches[12];

	if (*(uint32_t *) &patches[0xD8] == ~sum)
		return false;
		
	return true;
}

Content

The patch can contain up to 4 patches.

addressX = The address where to apply the patch

valueX = The data that's written there

svc_addressX = The address where SVC X instruction jumps to.

payload = Arbitrary, could be code or data as well.

Offset Size Name
0x00 0x04 address0
0x04 0x04 address1
0x08 0x04 address2
0x0C 0x04 address3
0x10 0x04 value0
0x14 0x04 value1
0x18 0x04 value2
0x1C 0x04 value3
0x20 0x04 svc_address0
0x24 0x04 svc_address1
0x28 0x04 svc_address2
0x2C 0x04 svc_address3
0x30 0xA8 payload
0xD8 0x04 crc