Here's what I've found out on the software protocol.
There are several software layers, with messages being somehow forwarded from one layer to another, and finally passed to hardware IRQ handlers.
And the whole thing depends on state variables, which are used to decide which messages are generated or processed at which time.
Controller Port Commands
This part is quite simple. There are 8 commands, although only 6 or 7 are actually used, and some of them seem to be "duplicated" (offering ways to transfer different amounts of data).
Controller Port Commands
Send 41h 1xh .. .. ;1xh = 11h..18h
Reply 00h 5Ah .. ..
Commands:
11h len=5 reply: 00 5A 8E 0n 00 ;cmd 11h..18h: n=0 or 1
12h len=7 reply: 00 5A 6F 00 00 0n 00 ; (n=1 after cmd 13h,0Fh)
13h len=5 reply: 00 5A C0 0n 00 ; (n=0 after cmd 17h)
14h len=88h reply: 00 5A 00 00 00 00 00 00 00 .. .. 0n 00 ;DATA[80h+3]
15h len=1Fh reply: 00 5A 00 00 00 00 00 00 00 .. .. 0n 00 ;DATA[..]
16h len=5 reply: 00 5A 4A 0n 00
17h len=5 reply: 00 5A 56 0n 00 ;FLAG
18h len=6 reply: 00 5A 00 00 0n 00 ;DATA[..]
There seem to be two data streams:
Small Control Messages (sent/received via command 14h, 15h, or 18h)
Large 80h-byte Data Blocks (sent/received via command 14h)
The games are sending data at 500kbit/s (except, the first byte (41h) should be
always sent at 250kbit/s, to properly deselect controllers or memory cards).
BUG: The 1st reply byte is 00h (rather than HighZ), that reply byte will occur
even when trying to access other hardware like joypads or memory cards.
Command 11h (unused in Hamster Club-i)
Send Recv
00h 41h 00h ;#cmd
01h 11h 5Ah ;/
02h ? 8Eh ;-
03h ? 00h or 01h ;#stat/flag?
04h ? 00h ;/
Command 12h
Send Recv
00h 41h 00h ;#cmd
01h 12h 5Ah ;/
02h 00h..04h 6Fh ;# ;<-- always sends 00h
03h 03h or 06h 00h ;
04h ? 00h ;/
05h ? 00h or 01h ;#stat/flag?
06h ? 00h ;/
Command 13h
Send Recv
00h 41h 00h ;#cmd
01h 13h 5Ah ;/
02h 0Fh C0h ;-
03h ? 00h or 01h ;#stat/flag?
04h ? 00h ;/
Command 14h
Send Recv
00h 41h 00h ;#cmd
01h 14h 5Ah ;/
02h Data[80h] Data[80h] ;#
82h ? ? ;# ; checksummed
83h ? ? ; OtherData[3] ? ;
84h ? ? ;/ ;/
85h Chksum? Chksum ;-checksum (above bytes XORed)
86h ? 00h or 01h ;#stat/flag?
87h ? 00h ;/
Command 15h
Send Recv
00h 41h 00h ;#cmd
01h 15h 5Ah ;/
02h Data[1Ah] Data[1Ah] ;-checksummed
1Ch Chksum? Chksum ;-checksum (above bytes XORed)
1Dh ? 00h or 01h ;#stat/flag?
1Eh ? 00h ;/
Command 16h
Send Recv
00h 41h 00h ;#cmd
01h 16h 5Ah ;/
02h 00h or 01h 4Ah ;- ;<-- 00h=UseCmd15h, 01h=UseCmd14h
03h ? 00h or 01h ;#stat/flag?
04h ? 00h ;/
Command 17h
Send Recv
00h 41h 00h ;#cmd
01h 17h 5Ah ;/
02h FLAGS 56h ;-
03h ? 00h or 01h ;#stat/flag?
04h ? 00h ;/
FLAGS (03h or 0Ch or 0Fh or 10h):
bit0 Clear Send queue ;#clear queue inside of PSX (probably implies
bit1 Clear Recv queue ;/request to also clear queue in Fujitsu chip)
bit2 Ack/swap/apply/discard TX block number? ;#for 80h-byte data blocks
bit3 Ack/swap/apply/discard RX block number? ;/
bit4 Reset
Command 18h
Send Recv
00h 41h 00h ;#cmd
01h 18h 5Ah ;/
02h Data[2] Data[2] ;-
04h ? 00h or 01h ;#stat/flag?
05h ? 00h ;/
I-Mode Messages
These messages are more deeply hidden in the executable, and they seem to be the crucial part for understanding the hardware.
At the moment I've merely compiled a list of existing messages...
Theoretically those messages should be officially documented somewhere, help on finding those documents would be very welcome!!!
I-Mode Messages
Hamster Club-i is sending/receiving the following messages.
Unknown how it's doing that, probably via command 14h, 15h, and/or 18h.
The messages start with an 8bit value (eg. 85h), followed by several "4bit
bytes" (which have the upper 4bits set to zero).
Send:
85h,01h,01h,02h,plain_random[8],00h,03h,00h,00h,01h ;#AUTH related?
85h,01h,04h,02h,crypted_random[8] ;/
85h,01h,05h,02h
85h,01h,06h
8Eh ;-is that same 8Eh as in Keitai Eddy?
F2h,00h,01h,02h,00h,00h,00h,00h,00h
F2h,00h,01h,02h,01h,00h,00h,00h,00h
F2h,00h,01h,02h,08h,00h,00h,00h,00h
Recv:
38h,02h,.. ;return 06h=CONNECTED ;#
85h,01h,02h,.. ;return 02h=AUTH_STARTED ;
85h,01h,03h,.. ;return 01h=AUTH_STARTING ;
85h,01h,04h,.. ;return 03h=GW_CONNECTING ; state
85h,01h,07h,.. ;return 04h=GW_CONNECTED ;
F1h,00h,03h,xxh,xxh,...,xxh ;return 05h=CONNECTING and do stuff ;
F2h,02h,02h,xxh,xxh,...,xxh ;return 0Bh or 0Dh and do stuff ;
F2h,00h,03h,.. ;return 0Ch=DISCONNECTED ;/
80h,.. ;#
81h,.. ;
8Ah,.. ;
8Bh,.. ; ?
A4h,.. ;
A5h,.. ;
A6h,.. ;
A7h,.. ;
AAh,.. ;
E0h,.. ;
E6h,.. ;/
C0h..CFh ;ignored ;#
D1h,... ;data packet maybe? ; data?
00h..0Fh ;data bytes? ;/
At some point after the AUTH/CONNECT stuff, the software should somehow happen
to send HTTP messages in ASCII (eg. GET http, POST http).
I-Mode PSX Library
This is some info from the above .pdf, related to the inner workings of the PSX library (it isn't directly related to the hardware, but it's useful for disassembling the executable).
In particular, one does apparently need to get through the AUTH and GW stuff before seeing any actual HTTP data transfers.
sceImode_Param Context Structure
00h short fCommandType; Command type (00h..07h)
02h short fPortNo; iMODE cable connection port (0:port1, 1:port2)
04h short fSlotNo; iMODE cable connection slot (A~D:0~3) (unused)
06h - padding -
08h char* fSendBuff; Send data buffer address ;#
0Ch short fSendBuffSize; Send data buffer size ; TX
0Eh short fSendDataSize; Actual size of send data ;/
10h char* fRcvBuff; Receive data buffer address ;#
14h short fRcvBuffSize; Size of receive data buffer ; RX
16h short fRcvDataSize; Size of receive data buffer ;/
18h char* fInfoBuff; Info data receive buffer address ;#
1Ch short fInfoBuffSize; Info data receive buffer size ; Info ?
1Eh short fInfoDataSize; Actual size of info data received ;/
20h short fStatus; State variable (00h..10h)
22h short fLastError; Error class (signed, -63h..+00h)
Commands:
0=IMODE_CMD_RCV Check receive data (default)
1=IMODE_CMD_SND Send request
2=IMODE_CMD_STS Get state
3=IMODE_CMD_ABORT Abort send/receive
4=IMODE_CMD_AUTH_START Begin authentication
5=IMODE_CMD_AUTH_END End authentication
6=IMODE_CMD_GW_CONNECT Connect gateway
7=IMODE_CMD_GW_DISCONNECT Disconnect gateway
States:
-1 =UNINITIALIZED Pre-Init / Post-Finalize
00h=DORMANT Initial State ;-
01h=AUTH_STARTING Authenticating ;#CMD_AUTH_START
02h=AUTH_STARTED Authenticated ;/
03h=GW_CONNECTING Gateway connecting ;#
04h=GW_CONNECTED Gateway connected ; CMD_GW_CONNECT
? 05h=CONNECTING Connecting ;/
? 06h=CONNECTED Connected
?? 07h=SENDING Sending ;#IMODE_CMD_SND
?? 08h=SENDCOMPLETE Send completed ;/
?? 09h=RECEIVING Receiving ;#IMODE_CMD_RCV
?? 0Ah=RECEIVECOMPLETE Receive completed ;/
? 0Bh=DISCONNECTING Disconnecting ;# CMD_ABORT?
? 0Ch=DISCONNECTED Disconnected ; CMD_GW_DISCONNECT
0Dh=GW_DISCONNECTING Gateway disconnecting ;
0Eh=GW_DISCONNECTED Gateway disconnected ;/
0Fh=AUTH_ENDING Authentication ending ;#CMD_AUTH_END
10h=AUTH_ENDED Authentication ended ;/
ASCII Strings
And here's an overview of ASCII strings found in the I-Mode games.
The games don't contain detailed debug messages. However, some games do contain
ASCII strings related to networking:
Hamster Club-I:
has several ASCII strings:
800108BC " HTTP/1.0",0Dh,0Ah,"User-Agent: ",00h
800108D4 0Dh,0Ah,"Content-type: text/plain",0Dh,0Ah,"Content-Length: ",00h
80010904 "Content-Length: ",00h
80013C18 "uid=NULLGWDOCOMO&val=",00h
80013C30 "http://ne-net.com/hc/i/ps/",00h
80013C30 "HTTP/1.0",0Dh,0Ah,"User-Agent: ",00h
80013C64 "DoCoMo/1.0/ex_ps1302",00h
80013C7C 0Dh,0Ah,"Content-type: application/x-www-form-urlencoded",0Dh,0Ah,
"Content-Length: ",00h
80014040 "Ranking.cgi"
800141DC "Regist.cgi"
800145E0 "HamList.cgi"
80014668 "HamSet.cgi"
800148C0 "ArenaParty.cgi"
80014948 "ArenaBattle.cgi"
80014958 "ArenaResult.cgi"
80014AEC "Stroll.cgi"
80018B88 "-- autholize pass -2",0Ah,0
80018DD0 "User-Agent:DoCoMo/1.0/ex_ps",00h
80018DEC "User-Agent: DoCoMo/1.0/ex_ps",00h
80018E0C "TL_Disconnect Invalid TL handle = %d ",0Ah,00h
80018E34 "TL_Disconnect TLCF2_ERR_OTHERS",0Ah,00h
8001910C "Ayame.log",00h
80019118 "com1:"
800D8C60 25h --> "%"
800E1648 48h,54h,... ---> "HTTP/1.0",0Dh,0Ah,00h
800E16C8 55h,73h,... ---> "User-Agent: DoCoMo/1.0/",00h
801018F0 "Access TLm Version 3.0 (Ayame)",00h
80101910 "Copyright 1997 - 2000 Access Co., Ltd.",00h
80101938 "Gamma Release 1.3 (Apr. 18, 2000)",00h
801024E8 "GET",00h
80102500 "POST",00h
80102728 "POST",00h
and some known code/data locations:
800CA80C code: send joy byte
800D94BC code: send imode byte 41h
800D9F3C code: send NOT(-42h) aka NOT(FFFFFFBEh) aka 41h
To get I-Mode transfers: In main menu, select "iE-K" then select "NETWORK
BATTLE" (or the other option; other than the two RANKING options).
i-mode mo Issho - Doko Demo Issho Tsuika Disc:
has similar ASCII strings:
GET http, POST http://dkd.to/p/, User-Agent, com1:, Access TLm, ..
Motto Trump Shiyou yo! i-Mode de Grand Prix:
has a few ASCII strings:
8006AB6C-and-up maybe compare 5Ah for replies?
80072144 80014548h "-- autholize pass -2",0Ah,0
80072CB8 80014790h "User-Agent:DoCoMo/..."
80072D34 800147ACh "User-Agent:DoCoMo/..."
80073498 800147CCh "TL_Disconnect Invalid TL handle = %d ",0Ah,0
8007A9E4 80014ACCh "Ayame.log"
8007A9F0 80014AD8h "com1:"
800852C0 48h,54h,... "HTTP/1.0",0Dh,0Ah,00h
80085340 55h,73h,... "User-Agent:"
One Piece Mansion:
has ASCII strings (only in memory when selecting 3rd main menu option).
Mobile Tomodachi:
no ASCII strings (and merely accesses phone address book, without internet?).
requires entering a 4-digit PIN (that part is similar to Keitai Eddy)
And some general stuff...
I-Mode today
Reportedly I-Mode is still supported in Japan, until March 2026. So it might be still possible to transfer data through the I-mode cable... which could be useful to see which commands will receive which replies (for the generic data transfers, the URLs in the above ASCII strings are all down, so there's little chance to receive PSX game-specific replies).
Supported phones (SCPH-10180)
From the pdf:
"Compatible only with the iMODE mobile phone that supports "iNavilink". Currently, the [DoCoMo] P502i, F502it and N502it are the only compatible equipment. The 503 series will be sold after this [which?] winter and all units will be compatible."
Whatever that means.
There appears to be little info about "iNavilink".
The connector did apparently exist in the above phone models... and maybe also newer models from other manufacturers... or maybe it was quickly discontinued and didn't make it into other/newer/modern phones?
Maybe the game manuals or other documents or reviews contain more info about supported models...?
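
Added example, not part of the original post: a small Python checker that validates a captured controller-port reply against the lengths, constant bytes and XOR checksum listed in the command tables above, which is handy when comparing logic-analyzer or emulator traces against these notes. The names `LAYOUT`, `xor_sum` and `parse_reply` are hypothetical, the sample frames are constructed, and the checksum range (offset 02h up to the checksum byte) is an assumption read from the "checksummed" brackets in the tables.

```python
# Added example: validate captured replies against the command tables above.
# cmd -> (total reply length, constant bytes seen at offset 02h, checksum offset)
LAYOUT = {
    0x11: (0x05, b"\x8E", None),
    0x12: (0x07, b"\x6F\x00\x00", None),
    0x13: (0x05, b"\xC0", None),
    0x14: (0x88, b"", 0x85),   # Data[80h] + OtherData[3], then checksum
    0x15: (0x1F, b"", 0x1C),   # Data[1Ah], then checksum
    0x16: (0x05, b"\x4A", None),
    0x17: (0x05, b"\x56", None),
    0x18: (0x06, b"", None),   # Data[2], no checksum
}

def xor_sum(data):
    """XOR of all bytes, as in the 'above bytes XORed' note."""
    acc = 0
    for b in data:
        acc ^= b
    return acc

def parse_reply(cmd, reply):
    """Return {'cmd', 'payload', 'flag'} for a well-formed reply, else raise ValueError."""
    if cmd not in LAYOUT:
        raise ValueError(f"unknown command {cmd:02X}h")
    length, const, ck_off = LAYOUT[cmd]
    if len(reply) != length:
        raise ValueError(f"cmd {cmd:02X}h: expected {length:#x} bytes, got {len(reply):#x}")
    if reply[:2] != b"\x00\x5A":
        raise ValueError("reply does not start with 00h 5Ah")
    if reply[2:2 + len(const)] != const:
        raise ValueError(f"cmd {cmd:02X}h: unexpected constant bytes")
    flag, last = reply[-2], reply[-1]
    if flag not in (0, 1) or last != 0:
        raise ValueError("bad stat/flag trailer")
    # Assumption: the checksum covers offset 02h up to the checksum byte.
    if ck_off is not None and xor_sum(reply[2:ck_off]) != reply[ck_off]:
        raise ValueError(f"cmd {cmd:02X}h: checksum mismatch")
    end = ck_off if ck_off is not None else length - 2
    return {"cmd": cmd, "payload": bytes(reply[2 + len(const):end]), "flag": flag}

if __name__ == "__main__":
    data = bytes(range(0x1A))                       # constructed sample payload
    frame = b"\x00\x5A" + data + bytes([xor_sum(data), 0x01, 0x00])
    print(parse_reply(0x15, frame))
    print(parse_reply(0x17, bytes.fromhex("005a560000")))  # constructed sample
```

The constant bytes are the values observed in the tables, so a reply that fails only that check may point to a variant the notes have not covered yet rather than a corrupt transfer.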