CD-decoder ROM dumped

Start a work log and update it occasionally with your projects progress
Post Reply
org
Curious PSXDEV User
Curious PSXDEV User
Posts: 10
Joined: Sep 11, 2013

CD-decoder ROM dumped

Post by org » September 11th, 2013, 12:46 am

Hi everybody :)

Not long time ago we started PSX chip research project : http://psxdev.ru
Our primary project is PSX CPU (IC103)

We contacted some people and asked them to decap and image PSX chips, to further explore them.

One decapper successfully depackaged CD-decoder microcontroller (IC304), based on MC68HC05 CPU and dumped its ROM!

http://psxdev.ru/files/IC304/MC68HC05_ROM.rar
(actually this is whole 6805 memory dump and ROM start from 0x1000 (16 KB) + secondary TEST ROM at 0xFE00 )

We made friendly schematics of PSX CD/Audio system, here :
Image

We also have wiki (but currently on russian) : http://psxdev.ru/wiki

legacy
Curious PSXDEV User
Curious PSXDEV User
Posts: 25
Joined: Sep 04, 2013

Post by legacy » September 11th, 2013, 2:03 am

could you help me to identify the chip on the PSX mobo ? do i understand right ? is there such a chip in the mobo ? where is the rom ? inside the MPU or external ? is it possible to boot different code in such a chip ?

org
Curious PSXDEV User
Curious PSXDEV User
Posts: 10
Joined: Sep 11, 2013

Post by org » September 11th, 2013, 2:42 am

This is single custom chip, made by Motorola. It usually labeled as IC304 and it was never integrated in bigger chips.
On early MBs you can find it on side-B, its 42-pin IC. On modern MBs its usually located near SUB-IC (IC732).

Both ROMs are inside. He managed to dump it by wiring directly to the chip surface.

legacy
Curious PSXDEV User
Curious PSXDEV User
Posts: 25
Joined: Sep 04, 2013

Post by legacy » September 11th, 2013, 6:23 am

interesting, could be documented this procedure ? and ... is it possible to inject a code in ram in order to execute ?

org
Curious PSXDEV User
Curious PSXDEV User
Posts: 10
Joined: Sep 11, 2013

Post by org » September 11th, 2013, 7:13 pm

It has only 512 byte of RAM :) And its impossible to inject code into SUB-CPU since you can control it only by setting CD-registers, which is not allow to do stack overflow or something.

legacy
Curious PSXDEV User
Curious PSXDEV User
Posts: 25
Joined: Sep 04, 2013

Post by legacy » September 11th, 2013, 8:39 pm

well, it is like 68hc11 E series, 512byte of ram, too, i am using it to interface the PAD, i have written an assembly driver =P

anyway, how was the dump done ? how could you dump it ?

org
Curious PSXDEV User
Curious PSXDEV User
Posts: 10
Joined: Sep 11, 2013

Post by org » September 11th, 2013, 10:16 pm

He opened it and wired mircowires directly to the chip internal bus.

legacy
Curious PSXDEV User
Curious PSXDEV User
Posts: 25
Joined: Sep 04, 2013

Post by legacy » September 12th, 2013, 12:46 am

i think you'd better translate in English, else way i can understand less than the 5% of the content.

Anyway, i am replacing the PSX bios with a piece of custom firmware, it should be interesting to use the CD-decoder 68hc05 in such a way, what do you suggest ? In my firmware i have the full control of the hardware.

User avatar
TriMesh
Verified
PSX Aptitude
PSX Aptitude
Posts: 225
Joined: Dec 20, 2013
PlayStation Model: DTL-H1202
Location: Hong Kong

Post by TriMesh » December 21st, 2013, 2:20 pm

legacy wrote:i think you'd better translate in English, else way i can understand less than the 5% of the content.

Anyway, i am replacing the PSX bios with a piece of custom firmware, it should be interesting to use the CD-decoder 68hc05 in such a way, what do you suggest ? In my firmware i have the full control of the hardware.
This is kind of an old thread, but the answer to your question is that you can't really do much with it - at least not from the point of view of the PSX boot ROM.

The only thing you can talk to from the BIOS is the host side of the CD-decoder chip (these are the memory mapped ports between 0x1f801800 and 0x1f801802 in the PSX memory map. This 'HC05 code is communicating with the other bus ("Sub CPU interface") on that chip, so all the behavior you see from the R3K is defined by this 'HC05 code - but you can't directly control this CPU, or alter the code running in it (since it's stored in mask ROM). What you can do is use it to gain a better insight into exactly how the CD drive commands are handled.

Yuri^Cybdyn
Verified
Cybdyn Systems
Cybdyn Systems
Posts: 406
Joined: Jan 13, 2012
I am a: Embedded Developer (MCU & FPGA)
PlayStation Model: 5502
Location: Belarus (Minsk)

Post by Yuri^Cybdyn » December 22nd, 2013, 6:04 am

it's very interesting, as we can better understand how code works on sub-cpu.

dimosz
What is PSXDEV?
What is PSXDEV?
Posts: 2
Joined: Aug 08, 2021
I am a: Programmer
PlayStation Model: SCPH-1002
Location: Republic of Moldova (Balti)

Post by dimosz » September 7th, 2021, 5:04 am

Looks like it has been dumped from an american console because it has the 'SCEA' string check inside:

Code: Select all

ROM:48F5 loc_48F5:                               ; CODE XREF: ROM:4877?J
ROM:48F5                 lda     byte_1D4
ROM:48F8                 eor     #$FF
ROM:48FA                 ldx     byte_1D7
ROM:48FD                 sta     byte_1D0, x
ROM:4900                 cmp     szSCEA, x       ; "SCEA"
ROM:4903                 beq     scea_found_4908
ROM:4905                 jmp     scea_not_found_4983
ROM:4908 ; ---------------------------------------------------------------------------
ROM:4908
ROM:4908 scea_found_4908:                        ; CODE XREF: ROM:4903?j
ROM:4908                 incx
ROM:4909                 stx     byte_1D7
ROM:490C                 txa
ROM:490D                 cmp     #4
ROM:490F                 beq     loc_491C
ROM:4911                 lda     #5
ROM:4913                 sta     byte_1D5
ROM:4916                 lda     #1
ROM:4918                 sta     byte_1D6
ROM:491B                 rts

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest