CD-decoder ROM dumped

Posted: September 11th, 2013, 12:46 am
by org
Hi everybody :)

Not long ago we started a PSX chip research project: http://psxdev.ru
Our primary project is the PSX CPU (IC103).

We contacted some people and asked them to decap and image PSX chips, so we could explore them further.

One decapper successfully depackaged the CD-decoder microcontroller (IC304), based on the MC68HC05 CPU, and dumped its ROM!

http://psxdev.ru/files/IC304/MC68HC05_ROM.rar
(actually this is the whole 6805 memory dump; the ROM starts at 0x1000 (16 KB), plus a secondary TEST ROM at 0xFE00)

We made friendly schematics of the PSX CD/Audio system, here:
[Image]

We also have a wiki (but currently in Russian): http://psxdev.ru/wiki

Re: CD-decoder ROM dumped

Posted: September 11th, 2013, 2:03 am
by legacy
Could you help me identify the chip on the PSX mobo? Do I understand right? Is there such a chip on the mobo? Where is the ROM? Inside the MPU or external? Is it possible to boot different code in such a chip?

Re: CD-decoder ROM dumped

Posted: September 11th, 2013, 2:42 am
by org
This is a single custom chip, made by Motorola. It is usually labeled as IC304 and it was never integrated into bigger chips.
On early MBs you can find it on side B; it's a 42-pin IC. On modern MBs it's usually located near the SUB-IC (IC732).

Both ROMs are inside. He managed to dump it by wiring directly to the chip surface.

Re: CD-decoder ROM dumped

Posted: September 11th, 2013, 6:23 am
by legacy
Interesting, could this procedure be documented? And ... is it possible to inject code into RAM in order to execute it?

Re: CD-decoder ROM dumped

Posted: September 11th, 2013, 7:13 pm
by org
It has only 512 bytes of RAM :) And it's impossible to inject code into the SUB-CPU, since you can control it only by setting CD-registers, which does not allow a stack overflow or something.

Re: CD-decoder ROM dumped

Posted: September 11th, 2013, 8:39 pm
by legacy
Well, it is like the 68hc11 E series, 512 bytes of RAM too. I am using it to interface the PAD, I have written an assembly driver =P

Anyway, how was the dump done? How could you dump it?

Re: CD-decoder ROM dumped

Posted: September 11th, 2013, 10:16 pm
by org
He opened it and wired microwires directly to the chip's internal bus.

Re: CD-decoder ROM dumped

Posted: September 12th, 2013, 12:46 am
by legacy
I think you'd better translate it into English, otherwise I can understand less than 5% of the content.

Anyway, I am replacing the PSX BIOS with a piece of custom firmware, it should be interesting to use the CD-decoder 68hc05 in such a way, what do you suggest? In my firmware I have full control of the hardware.

Re: CD-decoder ROM dumped

Posted: December 21st, 2013, 2:20 pm
by TriMesh
legacy wrote:
> I think you'd better translate it into English, otherwise I can understand less than 5% of the content.
>
> Anyway, I am replacing the PSX BIOS with a piece of custom firmware, it should be interesting to use the CD-decoder 68hc05 in such a way, what do you suggest? In my firmware I have full control of the hardware.

This is kind of an old thread, but the answer to your question is that you can't really do much with it - at least not from the point of view of the PSX boot ROM.

The only thing you can talk to from the BIOS is the host side of the CD-decoder chip (these are the memory-mapped ports between 0x1f801800 and 0x1f801802 in the PSX memory map). This 'HC05 code is communicating with the other bus ("Sub CPU interface") on that chip, so all the behavior you see from the R3K is defined by this 'HC05 code - but you can't directly control this CPU, or alter the code running in it (since it's stored in mask ROM). What you can do is use it to gain a better insight into exactly how the CD drive commands are handled.

Re: CD-decoder ROM dumped

Posted: December 22nd, 2013, 6:04 am
by Yuri^Cybdyn
It's very interesting, as we can better understand how the code works on the sub-CPU.

Re: CD-decoder ROM dumped

Posted: September 7th, 2021, 5:04 am
by dimosz
Looks like it has been dumped from an American console because it has the 'SCEA' string check inside:

Code:

ROM:48F5 loc_48F5:                               ; CODE XREF: ROM:4877↑J
ROM:48F5                 lda     byte_1D4
ROM:48F8                 eor     #$FF
ROM:48FA                 ldx     byte_1D7
ROM:48FD                 sta     byte_1D0, x
ROM:4900                 cmp     szSCEA, x       ; "SCEA"
ROM:4903                 beq     scea_found_4908
ROM:4905                 jmp     scea_not_found_4983
ROM:4908 ; ---------------------------------------------------------------------------
ROM:4908
ROM:4908 scea_found_4908:                        ; CODE XREF: ROM:4903↑j
ROM:4908                 incx
ROM:4909                 stx     byte_1D7
ROM:490C                 txa
ROM:490D                 cmp     #4
ROM:490F                 beq     loc_491C
ROM:4911                 lda     #5
ROM:4913                 sta     byte_1D5
ROM:4916                 lda     #1
ROM:4918                 sta     byte_1D6
ROM:491B                 rts
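
The byte-at-a-time comparison in the listing above, restated as a small C model (an added example, not part of dimosz's post and not psxdev.ru code). The struct, enum and function names are made up for the model, the input bytes are constructed, and the two exits whose code is not in the listing (loc_491C and scea_not_found_4983) are only reported as return values.

```c
#include <stdint.h>
#include <stdio.h>
/* The code at loc_491C and scea_not_found_4983 is not in the listing, so
   those two exits are reported as results rather than modelled. */
enum step { STEP_PARTIAL, STEP_COMPLETE, STEP_MISMATCH };

struct sub_ram {        /* hypothetical struct; comments give the listing's labels */
    uint8_t buf[4];     /* byte_1D0..: inverted bytes stored so far */
    uint8_t in;         /* byte_1D4: raw input byte for this call */
    uint8_t v1d5, v1d6; /* byte_1D5, byte_1D6: purpose not shown on the page */
    uint8_t idx;        /* byte_1D7: index of the next expected character */
};

static const uint8_t szSCEA[4] = { 'S', 'C', 'E', 'A' };

/* One pass through ROM:48F5..491B: one input byte per call. */
enum step scea_step(struct sub_ram *m)
{
    uint8_t a = (uint8_t)(m->in ^ 0xFF);          /* lda byte_1D4 / eor #$FF */
    uint8_t x = m->idx;                           /* ldx byte_1D7 */
    if (x >= sizeof m->buf) return STEP_MISMATCH; /* bound added for the model */
    m->buf[x] = a;                                /* sta byte_1D0,x */
    if (a != szSCEA[x]) return STEP_MISMATCH;     /* jmp scea_not_found_4983 */
    m->idx = ++x;                                 /* incx / stx byte_1D7 */
    if (x == 4) return STEP_COMPLETE;             /* cmp #4 / beq loc_491C */
    m->v1d5 = 5; m->v1d6 = 1;                     /* sta byte_1D5 / sta byte_1D6 */
    return STEP_PARTIAL;                          /* rts */
}

/* Feed n raw bytes from a fresh state; returns how many were accepted. */
int scea_feed(const uint8_t *raw, int n, enum step *last)
{
    struct sub_ram m = {0};
    int ok = 0;
    for (*last = STEP_MISMATCH; ok < n; ok++) {
        m.in = raw[ok];
        if ((*last = scea_step(&m)) == STEP_MISMATCH) break;
    }
    return ok;
}

int main(void)
{
    const uint8_t raw[4] = { 0xAC, 0xBC, 0xBA, 0xBE }; /* constructed: ~"SCEA" */
    enum step last;
    printf("accepted=%d ", scea_feed(raw, 4, &last));
    printf("complete=%d\n", last == STEP_COMPLETE);
    return 0;
}
```

The model makes two properties of the routine visible: the input byte is bit-inverted before it is compared, and each call handles exactly one character and returns, with the position kept in byte_1D7 between calls.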