PSone BIOS modding project


Post by Dark-Show » May 5th, 2012, 8:52 am

Old method was scrapped, as a simple scan and compare won't work for this BIOS. I'm now debugging the 101 BIOS in pSX, and tracing the RAM and registers, and finding out how the BIOS ROM writes to the RAM, so I can hard code my changes into the BIOS. So far I was able to trace the loading of the cursor at runtime, by the BIOS. The memory was saved so you all can have a look at it. It's seemingly compressed in the BIOS itself, then decompressed into RAM at runtime; it then stays there for the entirety of the program. The image is only redrawn from RAM during screen changes, such as entering the CD or memcard menu.

Here is the encoding of the image format (in the BIOS file), it seems to be a sort of simple compression. If someone can help me understand it, I'll be grateful :)
Image

RAM Image Addresses

Code:

Purple Cursor: 0x0006c740 to 0x0006c97f
CD Player Icon: 0x0006c980 to 0x0006db21(?)
Memcard Icon: 0x0006db94 to 0x0006e87d (?)
CD Player Text: 0x001c4a00

BIOS Image Addresses

Code:

Purple Cursor: 0x00038432 to 0x00038517(?~2)
Cursor Palette(partially compressed): 0x00038436 to 0x00038457

Just discovered that the images are in TIM format and I'm missing palette information with the images, which will just slightly change my addresses. This also means that once the compression done by the BIOS is found out, the images can be changed quite easily as long as they fit into the BIOS address. This is a huge advancement.
Last edited by Dark-Show on May 17th, 2012, 4:20 pm, edited 18 times in total.


Post by Shadow » May 5th, 2012, 4:54 pm

Sony PlayStation BIOS from http://www.geocities.co.jp/playtown/2004/psx/
Possibly created by Bero for NOT YAROZE.

WARNING: Copy and paste this text into a text document. It is very long.
I recommend that under Windows you use Programmer's Notepad. Set it to 'C / C++' mode.

Code:

/* 0xbfc00000 */
start()
{
	_0x1f801010 = 0x0013243f;
	*ram_size = 0x00000b88;
	jmp_part0();
}

/* 0xbfc00150 */
part0()
{
	*com_delay = 0x00031125;
	_0x1f801000 = 0x1f000000;
	_0x1f801004 = 0x1f002000;
	_0x1f801008 = 0x0013243f;
	*spu_delay = 0x200931e1;
	*dv5_delay = 0x00020843;
	_0x1f80100c = 0x00003022;
	_0x1f80101c = 0x00070777;
	clear_all_registers(); /* inline */
	_0xfffe0130 = 0x00000804;
	/* Flushing Cache begin */
		/* details deleted */
	/* Flushing Cache end */
	tmp = _0xa0000000;
	tmp = _0x00000000;
	tmp = _0x00000000;
	tmp = _0x00000000;
	tmp = _0x00000000;
	tmp = _0x00000000;
	tmp = _0x00000000;
	tmp = _0x00000000;
	_0xfffe0130 = 0x0001e988;
	C0.DCIC = 0;
	C0.BPC = 0;
	C0.BDA = 0;
	C0.TAR = 0;
	C0.BDAM = 0;
	C0.BPCM = 0;
	C0.SR = 0;
	C0.CAUSE = 0;
	for (tmp = 0xa0009000 ; tmp != 0xa000c160 ; tmp++)
		*tmp=0;
	_stk = 0x801fff00;
	_gp_ = 0xa0010ff0;
	_fp_ = _stk;
	*ram_size = 0x00000b88;
	_0x00000060=2;
	_0x00000064=0;
	_0x00000068=0xff;
	zero_stuff();
	jump_part2();
}


SysInitKMem() /* 0xbfc00420 */
{
	long count , *src , *dst;

	src = 0xbfc10000;
	dst = 0xa0000500;
	for (count = 0x8fb0 ; count != 0 ; count -= 4)
		*dst++ = *src++;
	jmp_0xa0000500();
}


/* 0xbfc00460 */
ColorBars()
{
	SendGPU(0);		/* Some kind of reset ? */
	Clear_();
	SendGPU(0x03000000);	/* Display Mask (enable display) */
	Clear_();
	SendGPU(0x06c60260);	/* Screen horizontal start/end */
	Clear_();
	SendGPU(0x07040010);	/* Screen vertical start/end */
	Clear_();
	GPU_cw(0xe1000400);	/* Draw on display area */
	Clear_();
	GPU_cw(0xe3000000);	/* Draw Area x, y */
	Clear_();
	GPU_cw(0xe407ffff);	/* Draw Area w, h */
	Clear_();
	GPU_cw(0xe5000000);	/* Draw Offset */
	Clear_();
	SendGPU(0x08000000);	/* Display mode, 256x240/NTSC/noninterlaced */
	Clear_();
	SendGPU(0x08000000);	/* Display mode, 256x240/NTSC/noninterlaced */
	Clear_();
	DrawBackground();
	SendGPU(0x08000000);	/* Display mode, 256x240/NTSC/noninterlaced */
	Clear_();
	DrawBackground();
	Rectangle(  0,   0,  32, 241, 255, 255, 255);
	Rectangle( 32,   0,  32, 241, 255, 255,   0);
	Rectangle( 64,   0,  32, 241,   0, 255, 255);
	Rectangle( 96,   0,  32, 241,   0, 255,   0);
	Rectangle(128,   0,  32, 241, 255,   0, 255);
	Rectangle(160,   0,  32, 241, 255,   0,   0);
	Rectangle(192,   0,  32, 241,   0,   0, 255);
	Rectangle(224,   0,  32, 241,   0,   0,   0);

	return 0;
}

/* 0xbfc00778 */
DrawBackground()
{
	Rectangle(  0 ,   0 , 513 , 257 ,   0 ,   0 ,   0);
	Rectangle(  0 , 256 , 513 , 257 ,   0 ,   0 ,   0);
	Rectangle(512 ,   0 , 513 , 257 ,   0 ,   0 ,   0);
	Rectangle(512 , 256 , 513 , 257 ,   0 ,   0 ,   0);
}


/* 0xbfc00810 */
Rectangle(int x , int y , int w , int h , int R , int G , int B)
{
	long local[5];

	local[0] = ((B << 16) | 0x28000000) | (G << 8) | (R);
	local[1] = (y << 16) | (x);
	local[2] = (y << 16) | (x + w);
	local[3] = ((y + h) << 16) | (x);
	local[4] = ((y + h) << 16) | (x + w);
	GPU_cwb(local , 5);
}

ParseSetupFile(char *buf,TCBEV *a,char *boot)
{
	long tmp,*z;

	z=a;
	for (tmp=0 ; tmp !=3 ; ++tmp) {
		*z++=0;
	}
	*boot='\0';
	_0x00000180=(char)0;
	GetValue(buf , &a->Tcb , "TCB");
	GetValue(buf , &a->Event , "EVENT");
	GetValue(buf , &a->Stack , "STACK");
	GetString(buf , boot , 384 , "BOOT");
}
	
__trace(char value)
{
	_0x1f802041 = value;
	Clear0XA001B068();
}


/* sys_a0_42 0xbfc03a18 */
int Load(char *name,struct EXEC *header)
{
	int fd;
	
	if ((fd = open(name,1)) <0) {
		return 0;
	}
	if (ReadExeHeader(fd , header) == 0) {
		close(fd); return 0;
	}
	read(fd , header->t_addr , header->t_size);
	close(fd);
	FlushCache();
	
	return 1;
}


/* 0xbfc03aa4 */
LoadExec(char *name , int argc , char **argv)
{
	char *src,*dst;
	char tmp[32];

	src = name;
	dst = tmp;
	while (*src && *src != ':') {
		*dst++ = *src++;
	}
	while (*dst++ = toupper(*src++)) ;
	dst = tmp;
	while (*dst && *dst != ';') {
		dst++;
	}
	if (!*dst) {
		strcat(tmp,";1");
	}
	_0xa0009144 = _0xa000b890;
	_0xa0009148 = _0xa000b894;
	ExitCriticalSection();
	if (Load(tmp , ExeHeader) == 1) {
		_0xa000b890 = argc;
		_0xa000b894 = argv;
		Exec(ExeHeader , tmp , 0);
	} else {
		printf("No EXE-file !\n");
	}
	printf("Execute the boot file %s.\n" , BootFile);
	ExitCriticalSection();
	if (Load(BootFile,ExeHeader) == 1) {
		_0xa000b890 = _0xa0009144;
		_0xa000b894 = _0xa0009148;
		Exec(ExeHeader,1,0);
	}
	printf("No boot file !\n");
	while (1) ;
}
	
/* 0xbfc03c90 */
int ReadExeHeader(int fd,void *buf)
{
	if (read(fd , Buffer , 2048) <2048) {
		return 0;
	}
	memcpy(buf , &Buffer[0x10] , 0x3c);
	return 1;
}


/* sys_a0_43 0xbfc03cf0 */
int Exec(struct EXEC *exe , int argc , char **argv)
{
	int i;
	long *p;

	exe->SavedS0 = _s0_;
	exe->SavedRA = _ra_;
	exe->SavedSP = _sp_;
	exe->SavedS8 = _s8_;
	exe->SavedGP = _gp_;
	if (exe->b_size) {
		p = exe->b_addr;
		for (i = exe->b_size ; i > 0 ; i -= 4) {
			*p++ = 0;
		}
	}
	if (exe->s_addr) {
		_stk_ = exe->s_addr + exe->s_size;
		_fp_ = _stk_;
	}
	_gp_ = exe->gp0;
	(exe->pc0)(argc , argv);
	_ra_ = exe->SavedRA;
	_sp_ = exe->SavedSP;
	_s8_ = exe->SavedS8;
	_gp_ = exe->SavedGP;
	_s0_ = exe->SavedS0;

	return 1;
}


/* 0xbfc03d80 */
GPU_dw(x,y,w,h,*data)
{
	int count;

	count = 16;
	while (!(*gp1 & 0x04000000)) {
		if (! count--) {
			printGPUtimeout("GPU_dw");
		}
	}
	*gp0 = 0xa0000000;
	*gp0 = (y<<16)|(x&0xffff);
	*gp0 = (h<<16)|(w&0xffff);	/* size word: height in the high half, width in the low half */

	count = (w*h)/2-1;
	if (count==-1) return;
	do {
		*gp0 = *data++;
	} while(count--);
}

printGPUtimeout(char* str) // bfc04260
{
	printf("%s timeout: gp1=%08x",str,*gp1);
}


GPU_cw(u_long c)
{
	GPU_sync();
	*gp0=c;
}


bfunc40ec()
{
	*d2_chcr=0x0401;
	*gp1=0x04000000;
	*gp1=0x02000000;
	*gp1=0x01000000;
}

// download from gp0
bfunc3fe0(u_long a0, u_long a1)
{
	GPU_sync();
}


SendPrimitives(void* ptr) // bfc0403c
{
	printf("0x01(%08x)\n",ptr);
	GPU_sync();

	*gp1=0x04000002;

	*d_icr=0;
	*d_pcr|=0x0800;

	*d2_madr=ptr;
	*d2_bcr=0;
	printf("0x02\n");

	*d2_chcr=0x01000401;
	printf("0x03\n");
}

/* 0xbfc04610 */
InitIntr(int count)
{
	u_char *p;
	u_long size;
	size=count * 8;
	if ((p=_SysMalloc(size))==NULL) {
		return 0;
	}
	bclear(p, size);
	*(u_long *)0xa0000100=p;
	*(u_long *)0xa0000104=size;
	return size;
}

/* 0xbfc04678 */
InitEvent(int n) {
	int i;
	unsigned long *h, *p;
	printf("\nConfiguration : EvCB\0100x%02x\010\010", n);
	i=n;
	n *=28;
	if ((h=_SysMalloc(n))== NULL) {
		return 0;
	}
	*(u_long *)0xa0000124=n;
	*(u_long *)0xa0000120=h;
	for (p=h ; p < (EvCB *)(h + n) ; p++) {
		*p=0;
	}
	return n;
}


/* sys_a0_9f 0xbfc06680 */
SetMem(size)
{
	int *mem,new;
	mem=*ram_size;
	new=*mem & 0xfffff8ff;
	switch(size) {
	case 2:
		*mem=new;
		*(long *)(0x00000060)=size;
		printf("Change effective memory : %d MBytes\n",size);
		break;
	case 8:
		*mem=new | 0x300;
		*(long *)(0x00000060)=size;
		printf("Change effective memory : %d MBytes\n",size);
		break;
	default:
		printf("Effective memory must be 2/8 MBytes\n");
		break;
	}
}


/* 0xbfc06700 */
do_a_long_jump(int value) {
	longjmp(&context,value);
}


/* sys_a0_9d 0xbfc06728 */
GetConf(long *Event,long *TCB,long *Stack)
{
	*Stack=sys_conf.Stack;
	*Event=sys_conf.Event;
	*TCB=sys_conf.TCB;
}


/* sys_a0_9c 0xbfc06750 */
SetConf(long Event,long TCB,long Stack)
{
	sys_conf.Stack=Stack;
	sys_conf.Event=Event;
	sys_conf.TCB=TCB;
	_kernel_setup();
}

/* 0xbfc06784 */
part3() {
	char s1[80],s2[80];

	strcpy(s2,"cdrom:");
	strcat(s2,"SYSTEM.CNF;1");
	strcpy(s1,"cdrom:");
	strcat(s1,"PSX.EXE;1");
	bootstrap(s2,s1);
}

/* 0xbfc067e8 */
bootstrap(char *config,char *executable)
{
	int fd,readen;

	__trace(1);
	setSTATUS(getSTATUS() & 0xfffffbfe);
	zero_stuff();
	__trace(2);
	SysInitKMem();
	__trace(3);
	InstallInterruptTables();
	InstallInterruptDispatch();
	PatchA0Table();
	InstallExceptionHandler();
	ResetEntryInt();
	__trace(4);
	zero_stuff();
	IntrMask=0;
	*i_reg=0;
	InstallDevices(_0xa000b9b0);
	__trace(5);
	printf("\nPS-X Realtime Kernel Ver.2.5\n"
		"Copyright 1993,1994 (C) Sony Computer Entertainment Inc. \n");
	__trace(6);
	zero_stuff();
	memcpy(&sys_conf , &default_sys_conf , 12);
	printf("KERNEL SETUP!\n");
	SysInitMemory(0xa000e000 , 0x2000);
	InitIntr(4);
	InitException(0);
	InitDefInt(3);
	InitEvent(sys_conf.Event);
	InitSchr(1,sys_conf.TCB);
	InitRCnt(1);
	zero_stuff();
	if (setjmp(&context))
		sys_err(0x0385);
	__trace(7);
	ExecuteShell();
	/* this is where the country lockout is located */
	__trace(8);
	IntrMask=0;
	*i_reg=0;
	_96_init();
	if (setjmp(&context))
		sys_err(0x0399);
	if (CheckForDevice1()== 1)
		InitDevice1();
	printf("\nBOOTSTRAP LOADER Type C Ver 2.1 03-JUL-1994\n"
		"Copyright 1993,1994 (C) Sony Computer Entertainment Inc.\n");
	if (setjmp(&context))
		sys_err(0x0386);
	__trace(9);
	if (setjmp(&context))
		sys_err(0x387);
	if ((fd=open(config , 1))>= 0) {
		printf("setup file    : %s\n",config);
		if (setjmp(&context))
			sys_err(0x038f);
		if ( (readen = read(fd , Buffer , 2048)) == 0) {
			memcpy(&sys_conf , &default_sys_conf , 12);
			strcpy(BootFile , executable);
		} else {
		    	Buffer[readen] = (char) 0;
			close(fd);
			if (setjmp(&context))
				sys_err(0x0390);
			ParseSetupFile(Buffer , sys_conf , BootFile);
		}
	} else {
		if (setjmp(&context))
			sys_err(0x0391);
		_0x00000180 = (char)0;
		memcpy(&sys_conf , &default_sys_conf , 12);
		strcpy(BootFile , executable);
	}
	if (setjmp(&context))
		sys_err(0x0388);
	kernel_setup();
	printf("boot file     : %s\n",BootFile);
	if (setjmp(&context))
		sys_err(0x0389);
	ClearRam();
	if (!Load(BootFile,ExeHeader))	/* Load() returns 1 on success, 0 on failure */
		sys_err(0x038a);
	printf("EXEC:PC0(%08x)  T_ADDR(%08x)  T_SIZE(%08x)\n",
		ExeHeader.pc0 , ExeHeader.t_addr , ExeHeader.t_size);
	printf("boot address  : %08x %08x\nExecute !\n\n",
		ExeHeader.pc0 , sys_conf.Stack);
	_0xa000b890 = sys_conf.Stack;
	_0xa000b894 = 0;
	printf("                S_ADDR(%08x)  S_SIZE(%08x)\n",
		sys_conf.Stack , 0);
	EnterCriticalSection();
	if (setjmp(&context))
		sys_err(0x038b);
	doExec(ExeHeader,1,0);
	printf("End of Main\n");
	sys_err(0x038c);
}

/* 0xbfc06f28 */
kernel_setup()
{
	printf("KERNEL SETUP!\n");
	SysInitMemory(0xa000e000 , 0x2000);
	InitIntr(4);
	InitException(0);
	InitDefInt(3);
	InitEvent(sys_conf.Event);
	InitSchr(1,sys_conf.TCB);
	InitRCnt(1);
	_96_init();
}

part2()
{
	__trace(0x0f);
	zero_stuff();
	if (CheckForDevice2() == 1)
		InitDevice2();
	__trace(0x0e);
	_0xa000b9b0 = 0;
	part3();
}

/* 0xbfc06ff0 */
ExecuteShell(long arg)
{
	memcpy(0x80030000 , 0xbfc18000 , 0x67ff0);
	FlushCache();
	(char *)(0x80030000)(arg);
}

/* 0xbfc0703c */
CheckForDevice2()
{
	char *src,*dst;

	src = License;
	dst = 0x1f000084;
	
	if (License[0]) {
		while (*src) {
			if (*src++ != *dst++) break;
		}
	}
	if (*src)
		return 0;
	else
		return 1;
}

/* 0xbfc070ac */
CheckForDevice1()
{
	char *src,*dst;

	src = License;
	dst = 0x1f000004;
	
	if (License[0]) {
		while (*src) {
			if (*src++ != *dst++) break;
		}
	}
	if (*src)
		return 0;
	else
		return 1;
}

/* 0xbfc0711c */
InitDevice2()
{
	(char *)(0x1f000080)();
}

0xbfc07148() /* */
{
	printf("PIO SHELL for PlayStation(tm)\n");
	printf("%s\n",0x1f000004);
	(char *)(0x1f000000)();
}

/* 0xbfc071a0 */
OpenCDEvents()
{
	sys_a0_a2();
	event_cd_ack   = OpenEvent(0xf0000003 , 0x10 , 0x2000 , 0);
	event_cd_comp  = OpenEvent(0xf0000003 , 0x20 , 0x2000 , 0);
	event_cd_dr    = OpenEvent(0xf0000003 , 0x40 , 0x2000 , 0);
	event_cd_de    = OpenEvent(0xf0000003 , 0x80 , 0x2000 , 0);
	event_cd_error = OpenEvent(0xf0000003 , 0x8000 , 0x2000 , 0);
	EnableEvent(event_cd_ack);
	EnableEvent(event_cd_comp);
	EnableEvent(event_cd_dr);
	EnableEvent(event_cd_de);
	EnableEvent(event_cd_error);
	ExitCriticalSection();
	_0xa0009d80 = (char)0;
}

0xbfc07330()
{
	OpenCDEvents();
	while (!sys_a0_95()) ;
}


/* 0xbfc073a0 */
_96_init()
{
	long tmp;

	0xbfc07330();
	tmp = 0;
	while (tmp <50000) {	/* this loop might be stupid, but its */
		tmp=tmp;	/* what it does */
		tmp++;
	}
	dev_cd_initfs();
}

/* 0xbfc0c720 */
Test6ButtonPad()
{
	/* Would u believe me if i told u that */
	u_long tmp; /* this and a lot more routines are */
	u_long paddata; /* NEVER called ? */
	printf("test 6 button PAD (NEW)\n");
	if (!PAD_init(0x20000001 , &paddata)) return;
	while (1) {
		tmp=0x000186a0;
		for (i=0 ; i < tmp; i++ ) {
			i=i; /* burn some cycles */
		}
		tmp=PAD_dr();
		EnterCriticalSection();
		printf("ret:%08x stock:",tmp); printf(" %08x",paddata);
		printf("\n");
		ExitCriticalSection();
	}
}

/* 0xbfc0d4cc */
EnableIORedirection()
{
	AddDrv(&tty_redir);	/* 0xbfc0e59c */
}

/* 0xbfc0d570 */
doExec(struct EXEC *exeheader,long arg1,long arg2)
{
	ExitCriticalSection();
	if (_0xa000dffc) {
		/* THIS LOOP IS COPYPROTECTION RELATED */
		if (0xbfc0d72c() < 0) {
			/* This routine and the next one, */
			SystemError(0x44 , 0x038b);
		}
		/* does some kind of black or country */
		if (0xbfc0d7bc() < 0) {
			/* check. These are used in the shell */
			SystemError(0x44 , 0x038b);
		} /* also, if they fail, byebye */
	} /* Noping them here or in the shell, wont solve a thing */
	EnterCriticalSection();		/* I hope to have the time someday */
	Exec(exeheader , arg1 , arg2);	/* to write about protections, since */
	/* i know some stuff about. I guided a friend with a DDX, in tracing */
	/* executing some code. He came to the conclusion that these routines */
	/* return different values whether a CD is audio, psx original, psx */
	/* foreign, or gold/HK. Hope to write about it soon */
}

/* 0xbfc0d600 */
0xbfc0d600()
{
	*reg0=1;
	*reg3=0x1f;
	for (i=0 ; i !=4 ; i++) {
		*(long *)(0)=i & 3;
	}
}

/* 0xbfc0d640 */
0xbfc0d640()
{
	*reg0=1;
	*reg2=0x1f;
}

/* 0xbfc0d664 */
0xbfc0d664()
{
	*reg0=1;
	*reg2=0x18;
}

/* 0xbfc0d72c */
0xbfc0d72c()
{
	0xbfc0d600();
	0xbfc0d664();
	*reg0=0;
	*reg1=0x1e;
	tmp=0xbfc0d688();
	if (tmp < 0) {
		0xbfc0d640();
		return 1;
	}
	if (tmp & 0x1d) {
		0xbfc0d640();
		return 1;
	}
	0xbfc0d600();
	0xbfc0d640();
	return 0;
}

/* 0xbfc0d850 */
ClearRam() {
	u_long *p,top;

	top=_stk_ | 0xa0000000;
	for (p=0xa0010000 ; p !=top ; p++) {
		*p=0;
	}
}

static char License[]="Licensed by Sony Computer Entertainment Inc." ;
static struct default_sys_conf={ 4, 16, 0x801fff00 }; /* 0xbfc0e14c */
static struct EXEC ExeHeader; /* 0xa000b870 */
static char *BootFile; /* 0xa000b8b0 */
static struct sys_conf { /* 0xa000b940 */
	u_long TCB;
	u_long Event;
	u_long Stack;
};
static jmp_buf context; /* 0xa000b980 */

Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.


Post by cybdyn » May 5th, 2012, 11:23 pm

The code in the BIOS calls the SHELL, and it is loaded and executed at the point ExecuteShell();

So the shell code is located at bfc18000 in the BIOS and is then copied to RAM at 0x8003000.
On some sites I saw the grabbed shell as a ps-wxw file.


Post by Dark-Show » May 6th, 2012, 12:42 am

cybdyn, what I'm trying to do is learn how the gfx are loaded into RAM and from what locations in the BIOS file. I've got them almost figured out, just gotta find out where the locations in the BIOS file are.


Post by Dark-Show » May 6th, 2012, 2:07 am

Here is a small edit I've done using the data discovered. It doesn't look nice but it's progress :D

Post by cybdyn » May 6th, 2012, 7:03 am

If you know where this location is in RAM, the BIOS address can be calculated from it.
As I said, the BIOS code copies the shell data to RAM from bfc18000 -> 80030000

x - address you got (in ram)
y - address you need (in bios)

ofs = x - 0x30000
y = 0x18000 + ofs

or just : y = x - 0x18000

this is what you need, isn't it?
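The translation described in this post, generalised to both ROM-to-RAM copies that appear in the pseudocode earlier in the thread (SysInitKMem and ExecuteShell), as an added example that is not code from any poster. The 512 KB image size, the 2 MB RAM size, the segment mask and every function name are assumptions of the example, and the BIOS and RAM buffers are constructed test data; the byte comparison only matches for data copied verbatim, not for data produced at runtime.

```python
from typing import NamedTuple, Optional, Tuple

BIOS_BASE = 0xBFC00000   # ROM address of file offset 0 (start() in the listing)
BIOS_SIZE = 0x80000      # assumption: 512 KB BIOS image
RAM_SIZE = 0x200000      # assumption: 2 MB main RAM


class Copy(NamedTuple):
    name: str
    rom_src: int   # source address inside the BIOS ROM
    ram_dst: int   # destination address in RAM
    size: int      # bytes copied


# The two ROM-to-RAM copies visible in the posted pseudocode.
COPIES = [
    Copy("kernel (SysInitKMem)", 0xBFC10000, 0xA0000500, 0x8FB0),
    Copy("shell (ExecuteShell)", 0xBFC18000, 0x80030000, 0x67FF0),
]


def phys(addr: int) -> int:
    """Drop the MIPS segment bits so 0x0..., 0x8... and 0xA... mirrors compare equal."""
    return addr & 0x1FFFFFFF


def ram_to_bios_offset(ram_addr: int, length: int = 1) -> Optional[Tuple[int, str]]:
    """Return (file offset, region name) if the whole range lies in one copied region."""
    p = phys(ram_addr)
    for c in COPIES:
        start = phys(c.ram_dst)
        if start <= p and p + length <= start + c.size:
            return (c.rom_src - BIOS_BASE) + (p - start), c.name
    return None  # not backed by a straight copy from ROM


def is_verbatim_copy(ram: bytes, bios: bytes, ram_addr: int, length: int) -> bool:
    """True only if the RAM bytes equal the BIOS bytes they map to."""
    hit = ram_to_bios_offset(ram_addr, length)
    if hit is None:
        return False
    off, _ = hit
    p = phys(ram_addr)
    return ram[p:p + length] == bios[off:off + length]


def make_constructed_bios() -> bytes:
    """Constructed stand-in for a BIOS dump: a deterministic byte pattern."""
    return bytes(((i * 31) ^ (i >> 8)) & 0xFF for i in range(BIOS_SIZE))


def boot_ram(bios: bytes) -> bytearray:
    """Constructed stand-in for a RAM dump: zeroed RAM with both copies applied."""
    ram = bytearray(RAM_SIZE)
    for c in COPIES:
        off, start = c.rom_src - BIOS_BASE, phys(c.ram_dst)
        ram[start:start + c.size] = bios[off:off + c.size]
    return ram


if __name__ == "__main__":
    bios = make_constructed_bios()
    ram = boot_ram(bios)
    # Simulate the shell writing unpacked image data over the cursor range
    # listed in the first post (0x0006c740 to 0x0006c97f).
    ram[0x6C740:0x6C980] = b"\xFF" * 0x240
    probes = [(0x80030000, 0x100), (0xA0000500, 0x40),
              (0x0006C740, 0x240), (0x001C4A00, 0x10)]
    for addr, n in probes:
        hit = ram_to_bios_offset(addr, n)
        if hit is None:
            print(f"{addr:08x}: outside every copied region")
        else:
            off, name = hit
            same = is_verbatim_copy(ram, bios, addr, n)
            print(f"{addr:08x}: BIOS offset {off:05x} in {name}, verbatim={same}")
```

A range that maps but fails the comparison was rewritten after the copy, so its source has to be found by tracing the code that wrote it rather than by address arithmetic.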


Post by Dark-Show » May 6th, 2012, 4:13 pm

Yup, I ended up finding the mirror of the BIOS at a different address than what you told me using the debugger, and calculated the BIOS address using a hex editor and finding the appropriate hex data. So one down and a few more to go. I'll end up posting a simple address list for sprites and hopefully posting how the GPU data is compressed. I have the asm, but for learning purposes I am still trying to figure out how the FF (transparencies) are calculated for the actual RAM data.


Post by Dark-Show » May 7th, 2012, 10:48 am

With my recent findings, it's quite possible that when I find the local BIOS address for the CD player, I can remove this whole part of the BIOS and replace it with a customized program written in assembly. When the time comes I'll cut the CD player portion of the BIOS out and see if it can be executed as a stand-alone program (depending on if I can get it in the right format). Along with changing the image, a customized BIOS could have more tools than just a memcard manager.


Post by cybdyn » May 7th, 2012, 5:45 pm

Why do you need to update the original BIOS? Searching and disassembling are a waste of your time...
My point is: you can make your own menu (psx-exe like) with the same pics (ripped) of the background or even better!, then compile it from the 80030000 start address, and put it at 18000 in the new BIOS (without the 0x800 header).
The BIOS shell is just code - nothing special)))


Post by Dark-Show » May 7th, 2012, 11:30 pm

So is the beginning 18k just all the API calls available to the system? Or is there more after 18000 that is needed?
Honestly, doing all this work made me feel good, now the feeling is gone ;(, and I'm saying more because after 00064000, in the pops BIOS, it's the same as the original scph101 BIOS again. Maybe this is the PlayStation logo boot screen?


Post by cybdyn » May 8th, 2012, 2:58 am

ye, 18k is syscalls and kernel.


Post by Dark-Show » May 8th, 2012, 4:38 am

Should the syscalls not be left intact? Wouldn't this affect compatibility with games?


Post by cybdyn » May 8th, 2012, 5:51 pm

Better keep them. The kernel code initializes the system and HW in the correct way and sets up the default exception handling mechanism.

I'm not sure, but by changing the code of the original BIOS we can hurt the checksum, and an AR-like method is a better way to update the logo/intro/managers.


Post by Dark-Show » May 9th, 2012, 9:01 am

Lol, but I wanna program an EPROM chip, that's why I'm doing this project: to make a fully customized PSone


Post by Shadow » May 15th, 2012, 7:57 pm

The PlayStation 1 BIOS ROM is an 8-bit 20 address IC.

I do not know the voltage because I have not checked it with my multimeter, but my guess is it would be 5 volts.
A0-A19, D0-D7, /OE, /CE, VSS and VCC.

Post by cybdyn » May 18th, 2012, 1:13 am

The BIOS is powered by 3.3v. )) But in some cases the AR used a 5v flash IC. It gets that from the 7.5v on the parallel I/O through a step-down DC/DC converter.


Post by ITL-Computation » December 6th, 2012, 12:20 am

Hi,

I was wondering what disassembler was used on the BIOS on page 1 of this post.
Also, according to the kernel functions as described in the C source provided by Shadow, they shouldn't be affected if you aren't modifying data in the first 18k of the BIOS, but if removed could cause problems because, as I was explaining earlier this evening to Shadow, they are more than likely used or called by the PS-X SDK C-library.

Oh and can I ask one more thing, is there a specific offset to the raw MIPS-I instructions from the start of a BIOS .BIN image that I should observe when disassembling?

P.S. Technically it should be possible to keep the R3052 chip executing instructions from a PS-X EXE on the CD-ROM, with the SD-RAM refreshing and the rest of the system 'live', while using it to sequentially flash data to the ROM, with the EPROM in write mode. But if you have an EPROM writer I would just be using that, as Sony didn't disclose everything about the ROM addresses, of course!


Post by Shadow » December 9th, 2012, 6:56 pm

Dark-Show used the emulator, pSX (PSXFIN), to debug the BIOS :)

Post by legacy » September 5th, 2013, 3:50 am

Hi,
does anybody have the Sony PlayStation 1's BIOS pinout?


Post by Shendo » September 5th, 2013, 4:30 am

Code:

IC102 - BIOS (32pin)

  1-A19  5-A7  9-A3   13-D0   17-D3  21-D7   25-A11  29-A14
  2-A16  6-A6  10-A2  14-D1   18-D4  22-/CE  26-A9   30-A17     ;/CE=/BIOS
  3-A15  7-A5  11-A1  15-D2   19-D5  23-A10  27-A8   31-A18
  4-A12  8-A4  12-A0  16-GND  20-D6  24-/OE  28-A13  32-3.5V    ;/OE=/RD

Uses standard EPROM pinouts, VCC is 3.5V though, when replacing the ROM by an EPROM, it may be required to replace the supply by 5V. Note that, on PM-41 boards at least, Pin 1 is connected to A19 (allowing to install a 1MB BIOS chip on that board, however, normally, a 512KB BIOS chip is installed, and, the CPU is generating an exception when trying to access more than 512KB, but that 512K limit can be disabled via memory control registers).

IC102? - BIOS ROM? (40pin?)
The 40pin stuff was found in a ROM-replacement circuit in the internet, not sure if the data is correct... the PSone definitely uses 32pin BIOSes... although maybe some PSX boards actually used 40pins...?

  1-A18   6-A4   11-GND  16-    21-VCC  26-D6  31-     36-A13
  2-A8    7-A3   12-/OE  17-D2  22-D4   27-    32-A17  37-A12
  3-A7    8-A2   13-D0   18-    23-     28-D7  33-A16  38-A11
  4-A6    9-A1   14-     19-D3  24-D5   29-A0  34-A15  39-A10
  5-A5    10-/CS 15-D1   20-    25-     30-    35-A14  40-A9

From Martin's awesome PSX document.

The 40 pin chip is found in older units. I had a SCPH-1002 with the 40 pin chip. Newer boards come with the 32 pin variant.

My PS1 consoles: 2 x SCPH-1002, SCPH-5552, SCPH-7002, 4x SCPH-9002, 2 x SCPH-102.
Dev console: SCPH-9002, MM3 - 7 wire modchip, PAL color mod, CH340 serial cable addon.
