How to dump your CDROM BIOS (Firmware)

Members research, findings and information that can be useful towards the PlayStation 1.
User avatar
nocash
Verified
PSX Aficionado
PSX Aficionado
Posts: 534
Joined: Nov 12, 2012
Contact:

Post by nocash » February 6th, 2015, 11:48 am

cybdyn wrote:you told about one of them, used as cmd-acknowledge flag. did you see something about it in dis-asm code?
No, that was my own conclusion after running tests on hardware.
But now that we do have the official chip datasheet... I am no longer sure if that conclusion was correct.
I don't know if any games are actually using that extra interrupts.

Yuri^Cybdyn
Verified
Cybdyn Systems
Cybdyn Systems
Posts: 406
Joined: Jan 13, 2012
I am a: Embedded Developer (MCU & FPGA)
PlayStation Model: 5502
Location: Belarus (Minsk)

Post by Yuri^Cybdyn » February 6th, 2015, 8:30 pm

thanx for reply!)

i think if it writes int flag 0x18. it off firing INT line from dsp, and maybe chk for INT status manually. i found and dis-asm this code. as i see it uses no-standard cdlib code. maybe asm/C mix)) and direclty send commands and check INT cdreg.

User avatar
nocash
Verified
PSX Aficionado
PSX Aficionado
Posts: 534
Joined: Nov 12, 2012
Contact:

Post by nocash » March 6th, 2015, 11:50 pm

Any news with the SCPH-2000 cdrom firmware eprom? As far as I know, Shadow has already built some adaptor for connecting it to a microprocessor, but still needed some software to do the actual data transfer.
I am sure that somebody could help on the software task - if we get told how exactly the adpator is wired up.

User avatar
Shadow
Verified
Admin / PSXDEV
Admin / PSXDEV
Posts: 2670
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » March 7th, 2015, 12:26 pm

Sorry to correct you, but it's the DTL-H2000, not SCPH-2000 :)
The SCPH-2000 was the PSX Keyboard and Mouse adapter.

I will get it dumped eventually. I was going to send it through to Trimesh actually.
On a side note, Trimesh has an SCPH-5903 (PSX VCD) dump coming soon ;)
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

User avatar
nocash
Verified
PSX Aficionado
PSX Aficionado
Posts: 534
Joined: Nov 12, 2012
Contact:

Post by nocash » March 8th, 2015, 6:29 am

Whoops, yes, DTL-H2000, of course. Good to know that dumping is still planned!

User avatar
TriMesh
Verified
PSX Aptitude
PSX Aptitude
Posts: 225
Joined: Dec 20, 2013
PlayStation Model: DTL-H1202
Location: Hong Kong

Post by TriMesh » March 9th, 2015, 12:56 am

OK, Here it is

SCPH-5903 NTSC:J

Board PU-16 1-665-191-11 w/sub board MP-45 1-665-192-11
Chip markings: C 4021 / SC430924PB / G63C 185 / JSAB9645C
You do not have the required permissions to view the files attached to this post.

User avatar
nocash
Verified
PSX Aficionado
PSX Aficionado
Posts: 534
Joined: Nov 12, 2012
Contact:

Post by nocash » March 9th, 2015, 7:06 am

Cool. I've posted some findings in the VCD thread, here http://www.psxdev.net/forum/viewtopic.p ... 5772#p5772

User avatar
Shadow
Verified
Admin / PSXDEV
Admin / PSXDEV
Posts: 2670
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » March 9th, 2015, 9:49 am

Added to the "[DOWNLOAD] CD-ROM Firmware Dumps" page :)

By the way NO$CASH, in regards to your old question, "Is there a way to disable line-wrapping in above table? If not: Use copy/paste to view it in an external txt editor." I have just solved it.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

User avatar
nocash
Verified
PSX Aficionado
PSX Aficionado
Posts: 534
Joined: Nov 12, 2012
Contact:

Post by nocash » March 9th, 2015, 11:44 am

Oh, cool, without the line-wrapping, the firmware list http://www.psxdev.net/forum/viewtopic.p ... =557#p4284 is now looking much better, thanks!
Any chance you could also add thumbnails for large images? Those "(56K Warning!)" threads are loading soo slow, even at 2Mbit/s (56Kbit/s seems nearly impossible).

User avatar
Shadow
Verified
Admin / PSXDEV
Admin / PSXDEV
Posts: 2670
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » March 9th, 2015, 12:29 pm

nocash wrote:Any chance you could also add thumbnails for large images? Those "(56K Warning!)" threads are loading soo slow, even at 2Mbit/s (56Kbit/s seems nearly impossible).
I have already added auto-downsizing, but they are still loaded in at their full size.
I will make a link to a Imgur folder instead.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

User avatar
sickle
Verified
C Programming Expert
C Programming Expert
Posts: 257
Joined: Jul 17, 2013
I am a: Chocolate-fueled pug fetish robot.
Location: Scotland

Post by sickle » April 18th, 2015, 4:03 pm

nocash wrote: Ah, no, not me. I am an ASM programmer. I am not doing HLL stuff, never, no chance.
I am now certain that you're a lovable eccentric.


Got me thinking about the differences between the PS1/PS2 though.
Every few revisions on the PS1, you'd have to use slightly different disk swap timing... (going somewhere with this) but there were always 2 main types of swap.
Type "A" = Do the first swap, let it spinup+slowdown twice, insert licensed game, let it boot into the game, then insert your CD to allow it to continue loading.
Type "B" = Do the first swap, let it spinup+slowdown twice, insert licensed game for a half second, put CDR back in and allow it to boot into game, then load.

This works from early to late PS1 models but curiously early to late PS2 models also.
Early PS2 required replacing the magnet while it was spinning (Kinda hard with your eyes closed), but all PS2's had roughly the same timing for performing a PS1 disk swap. (including TypeA/B variations.)

Swapping PS2 games was never really possible during bootup, but on fat models you could switch out a disc with the same TOC to run homebrew/install an exploit, if your original game loaded a specific .ELF file (for menus/minigames or whatever). In later models though, it always rechecked the disk before loading .ELF files - that obviously went through a few revisions.

So really, I've always wondered how similar the PS1/2 are in terms of the BIOS/CDROM Controller when the PS2 is in PS1 mode. Doesn't seem like there were any hefty revisions in PS1 mode, but I could be way off there. I just don't have the hardware to check :
Either way, would be pretty awesome to see what if any conclusions you come to when you get a PS2 dumped.

Is it possible to drop the chip into test mode via software, and read it into PS memory btw?
(Then say save it to the MC or something)
Might be a good way to convince folks to participate with some of the rarer models without modifying them.

Yuri^Cybdyn
Verified
Cybdyn Systems
Cybdyn Systems
Posts: 406
Joined: Jan 13, 2012
I am a: Embedded Developer (MCU & FPGA)
PlayStation Model: 5502
Location: Belarus (Minsk)

Post by Yuri^Cybdyn » April 23rd, 2015, 6:44 pm

no$ : i found game like "Felony 11-79", whant it plays interleved xa stream from cd , it doesnt send any SetFilter command (to setup file/channel), and to play cdxa stream it uses mode = 0x40 (adpcm enable),
the xa stream consist of 4 interlived files, not channels! ususally games use file =1 and channel numbers(0..F).
this games uses different file , and channell is =1. I am intersting how hc05 firmware handle such situation? i see pc emu "v1.9" plays well such stream. can you tell more, give any advice?

User avatar
Shadow
Verified
Admin / PSXDEV
Admin / PSXDEV
Posts: 2670
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » April 27th, 2015, 6:35 pm

I'm trying to get my hands on a brand new MC68HC705L16. Even if it's not blank, in theory since it's not masked, it should be able to be decapped, exposed to UV (erased), reprogrammed and then sealed in epoxy. If this succeeds, that means any SCPH-100x with an 80-pin HC05 can be turned into a "debugger" system.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

Jackal
Curious PSXDEV User
Curious PSXDEV User
Posts: 10
Joined: May 19, 2014

Post by Jackal » May 2nd, 2015, 6:45 pm

I have 3 undumped boards here:

3 x SCPH-1002 (PU-8 1-658-467-11):
E35D
424686 185
SSBP9539D, SSBJ9536B, SSBP9539B

SCPH-1001 (PU-8 1-658-467-11):
E35D
424659 185
SSAC9539A

SCPH-7002 (PU-20 1-668-413-32):
C 340
SC430935PB
G63C 185
SSBC9813D

Would have happy to lend them to a dumper and pay for shipping (if costs are reasonable). I'm in Europe. Already contacted nocash, who dumped some of my boards before, but guess he's no longer interested.

User avatar
Shadow
Verified
Admin / PSXDEV
Admin / PSXDEV
Posts: 2670
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » May 2nd, 2015, 8:24 pm

I'm not sure if they would be worth the time sending to get dumped. The only real interesting ones would be development kit dumps.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

User avatar
nocash
Verified
PSX Aficionado
PSX Aficionado
Posts: 534
Joined: Nov 12, 2012
Contact:

Post by nocash » July 4th, 2016, 9:56 pm

Dumped four more cdrom firmwares:
80pin 424686, SSBP9539B CRC32=BB134697 95-05-16,C1 SCPH-1002 PAL, Early PU-8, 1-658-467-11
80pin 424659, SSAC9539A CRC32=426C05E7 95-07-24,C1 SCPH-1001 NTSC:U/C Early PU-8, 1-658-467-11
52pin C 3040, SC430935PB, SSBC9813D CRC32=33899F2A 97-08-14,C2 SCPH-7002 PAL, PU-20, 1-668-413-32
52pin C 3070, SC430948PB, SSAE0138D CRC32=0E8AD915 A1-03-06,C3 SCPH-102 PAL, PM-41(2), P-161125S-31-71

SC430935PB (PAL, PU-20) is just the same version as SC430934PB (NTSC-J, PU-20), and
424659 (NTSC-U/C, Early PU8) is just the same version as 424684 (PAL, Early PU-8),
ie. both are same as already dumped chips (apart from the usual region specifc changes).

SC430948PB (PAL, PM-41(2), aka costdown PSone) is almost same as SC430943PB (PAL, PM-41, aka normal PSone), there isn't any newly added/removed code, and only 15 bytes have changed:

Code: Select all

  104D 80 00  ;-cx(898000) changed to cx(890000)
  10A0 99 A1  ;  10A1 02 03  ; bcd date A1h,03h,06h (06 Mar 2001)
  10A2 01 06  ;/
  3622 30 31  ;  3623 51 52  ;
  362A 30 31  ; chip names ("CXD2940Q" changed to "CXD2941R")
  362B 51 52  ;
  3632 30 31  ;
  3633 51 52  ;/
  3F44 04 00  ;-cx(890408) changed to cx(890008)
  3F88 04 00  ;-cx(810408) changed to cx(810008)
  46BA 24 20  ;-cx(812400) changed back to cx(812000) (as before 1999)
  FFDA B9 0A  ;-checksum
  FFDF 43 48  ;-chip id (SC430943 changed to SC430948)
Ie. some bits changed in the "cx(8xxxxx)" commands, plus some changes to the chip ID strings/numbers and to the BCD date (with an uncommon "BCD" year value of A1h for 2001). Anyways, it's nice to have got that one dumped - theoretically the costdown PSone's could have contained a complete firmware redesign - but now it's confirmed to be fairly well compatible with the older PSone firmware.

424686 is quite beasty. There have been hundreds of changes between already dumped chips from Nov 1994 and Jul 1995 - and this newly dumped one is dated from May 1995, ie. it's containing a mixup of the already dumped versions. Took me about a whole night to figure out which of the Jul 1995 changes were already/notyet present in the May 1995 version.
Essentially, most of the new features from Jul 1995 are also supported in the May 1995 version: The Secret Unlock command is implemented, and the new GetQ and ReadTOC commands are also implemented (so that three features seem to exist in all PAL firmwares, unless some older PAL firmware shows up someday).
But there are also loads of small differences between May and July: Some new flags added in the later version, or flags checked in different order, different functions used for motor-off in some cases - it's hard to figure out what those differences are doing practice, some of them might have no effect during normal operation (but might have important effects in error handling of certain operations).
Bottom-line is that the chip from May 1995 is probably more unstable than the later revision from Jul 1995.

PS. as there is a PAL version from May 1995, it's quite likely that a NTSC-U/C (and maybe also NTSC-J) version should exist with the same date - so there are apparently still some chips that we don't even know that they exist (plus lots of chips that are known to exist, but still aren't dumped yet).

PPS: Many thanks to Squaresoft74 for donating the PM-41(2) board, and to Jackal for borrowing the other three boards.

Myria
Curious PSXDEV User
Curious PSXDEV User
Posts: 17
Joined: Nov 05, 2014

Post by Myria » July 12th, 2016, 2:43 pm

I have an SCPH-7000W (Midnight Blue region-free) and an SCPH-5903 (video CD). Do you think that I could send you these to have you dump them?

I also have a DTL-H3000 (Japanese Yaroze), but I figure that you would've gotten to those already.

User avatar
nocash
Verified
PSX Aficionado
PSX Aficionado
Posts: 534
Joined: Nov 12, 2012
Contact:

Post by nocash » July 13th, 2016, 5:31 am

Cool, would be interesting. Japanese (and PAL) Yaroze's aren't dumped yet. SCPH-7000W isn't dumped, too. SCPH-5903 (video cd) was already dumped by TriMesh (a few posts above). And a couple of other consoles are still missing, even totally standard off-the-shelves retail ones.
The complete list of all dumped chips (and probably incomplete list of undumped ones) is here: http://www.psxdev.net/forum/viewtopic.p ... =557#p4284
In some cases undumped chips could be identified only by actually looking at chips part number. For example, SCPH-100x did use a lot of firmware revisions, so there probably still at least 1-2 undumped SCPH-100x's.
And, aside from looking at the mainboard, some undumped chips could be also found by running a utility that displays the firmware's date/version number, or, for PSones, by checking if it's containing smaller/costdown mainboard (visible through the left/right ventilation holes on bottom side).

Myria
Curious PSXDEV User
Curious PSXDEV User
Posts: 17
Joined: Nov 05, 2014

Post by Myria » July 13th, 2016, 12:05 pm

nocash wrote:Cool, would be interesting. Japanese (and PAL) Yaroze's aren't dumped yet.
So the American Yaroze (DTL-H3001) has been dumped? I'm curious what's different in the Yaroze firmware.

My guess is that the SCPH-7000W is functionally a Yaroze, but I don't have a legitimate Yaroze boot disk in order to test this.

User avatar
Shadow
Verified
Admin / PSXDEV
Admin / PSXDEV
Posts: 2670
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » July 13th, 2016, 4:52 pm

Myria wrote:
nocash wrote:Cool, would be interesting. Japanese (and PAL) Yaroze's aren't dumped yet.
So the American Yaroze (DTL-H3001) has been dumped? I'm curious what's different in the Yaroze firmware.

My guess is that the SCPH-7000W is functionally a Yaroze, but I don't have a legitimate Yaroze boot disk in order to test this.
I haven't looked at the Yaroze FW, but it should have the SCEW license security check.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest