How to dump your CDROM BIOS (Firmware)

Members research, findings and information that can be useful towards the PlayStation 1.
User avatar
nocash
PSX Aficionado
PSX Aficionado
Posts: 306
Joined: November 12th, 2012, 2:36 pm
Contact:

Re: How to dump your CDROM BIOS (Firmware)

Post by nocash » May 31st, 2014, 5:21 am

cybdyn wrote:is any chance if you make in result some kind if macro or high level interpretation of how how sub-cpu works? something like: make from asm of Moto to "C", or any macro definition.
Ah, no, not me. I am an ASM programmer. I am not doing HLL stuff, never, no chance.
TriMesh wrote:Because I wanted a format with address information, and SREC seemed the natural choice because it was the one that the original Motorola tools used. Personally, I don't like the raw binary format because it has memory dumps from two different areas of ROM just concatenated together, so the loader has to be specially written to handle it.
Hmm, I haven't tried, but I guess .S19 requires some special loader, too. On the other hand, the address-info in .S19 might make it a bit more clear what goes where. Anyways, the dumping format doesn't matter too much, I just wanted to mention the no$psx can't deal with .S19 - and in case anybody wondered: .S19 isn't a native format related to the PSX chip dumps. Although, quite possible that Sony's developers did actually use that kind of S19 files when they were programming the chips.

Oh, and some days ago, Shadow mentioned that the DTL-H2000 sub-cpu is having chip markings 'P823' 'U01Q' (hidden underneath of the still-undumped 32pin EPROM). The P823 seems to stand for "CXP82300" (aka the ROM-less piggyback version of Sony's "CXP823xx" chips). So, DTL-H2000 seems to be using Sony SPC700 code (as used the by SNES APU), rather than Motorola HC05 code (as used by PSX retail consoles).
Last edited by nocash on May 31st, 2014, 8:00 pm, edited 1 time in total.

User avatar
Shadow
Admin / PSXDEV
Admin / PSXDEV
Posts: 2183
Joined: December 31st, 2012, 5:37 pm
PlayStation Model: H2000/5502

Re: How to dump your CDROM BIOS (Firmware)

Post by Shadow » May 31st, 2014, 5:52 am

I'll get the CXP82000-U01Q dumped soon ;)
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

Development Computer: Windows 98, Pentium 3 [400MHz], 128MB SDRAM, DTL-H2000, DTL-H201A, 21" Sony Trinitron CRT, CD-ROM burner, 3.25" and 5.25" Floppy Diskette Drives and a ZIP 100 Diskette Drive.

Charles MacDonald
What is PSXDEV?
What is PSXDEV?
Posts: 1
Joined: May 30th, 2014, 3:55 pm
Contact:

Re: How to dump your CDROM BIOS (Firmware)

Post by Charles MacDonald » May 31st, 2014, 10:38 am

If you are using a TTL RS-232 to USB converter (e.g. DLP-USB232R, FTDI UM232H, etc. which appears as a virtual COM port) to dump the CD BIOS, I've developed a command-line program that uploads the dumping program and saves the results. The source code and a Windows binary are available here:

http://cgfm2.emuviews.com/new/pcd-05302014.zip

I've tried to make it easy to use at every step, so troubleshooting problems should be simple.

For dumping I did some things slightly differently; I connected 7.5V to pin 31 and 3.5V to pin 17 using a 10K-ohm resistor in series to limit current into these pins, instead of a direct connection. It's not strictly necessary however. Also on this particular PU-8 board there is a 4.7K ohm pull-up resistor to 3.6V on pin 31 on the component side of the board that should be removed when dumping. On the solder side it can be seen as a via prior to the test point.

For the RS-232 to USB converters mentioned, what worked for me was to configure them as being bus-powered (using 5V from the USB cable), and connecting the VCCIO pin to the PSX 3.6V supply and the ground pins to the PSX ground. There are probably other ways to power the converters that work as well.

User avatar
TriMesh
PSX Aptitude
PSX Aptitude
Posts: 186
Joined: December 20th, 2013, 2:25 pm
PlayStation Model: DTL-H1202
Location: Hong Kong

Re: How to dump your CDROM BIOS (Firmware)

Post by TriMesh » June 1st, 2014, 2:58 pm

nocash wrote:Charles MacDonald dumped a DTL-H3001 (Yaroze) NTSC:U/C version Late-PU-8 board (1-658-467-23) with 52pin chip "W 2021, SC430926PB, G63C 185, JSAA9645A" and CRC32=DF333241.

Concerning the BCD date (18 Aug 1996), it's much newer than for normal Late-PU-8 boards, it's almost as new as the later PU-18 version (or concerning the chip number (SC430926), it's even newer than PU-18, despite of using a PU-8 board).
That makes sense - the Yaroze had to use a PU-8, even if the PU-18 was already out, because the (later) PU-8 is the only board that has the provision for installing both PAL and NTSC reference oscillators together. That's why a Yaroze can display both PAL and NTSC over composite and retail and debug units can't.
nocash wrote:One odd gimmick is that the GetID command returns "SCEA" for SCEA discs, but for SCEI/SCEE/SCEW discs it's returning only four ASCII spaces (20h).

The region test command returns "for NETNA" (instead of "for Europe" or "for U/C" etc.) and the Secret Unlock commands want "World wide" as region ID for unlocking unlicensed CDRs.

Does anybody know if there other Yaroze versions?
There were certainly other Yaroze models, one for each territory. I had a DTL-H3002 PAL yaroze, but I have to admit that I can't remember it ever displaying that 4-character string on the boot screen at all, no matter which disc you booted on it - it was always just 4 spaces, like a debug unit. Of course, this was a long time ago, so I might be forgetting.

The fact that the region string is "NETNA" is interesting - the only question is if the "NA" is "North America" or "Not Applicable" :)

And, to go back to the SREC stuff, that was an entirely arbitrary choice on my part - I wanted a format that made it clear which data went where, but using Intel Hex just seemed wrong on a Motorola part. So I used SREC with the .S19 extension that the old Motorola DOS IDE used, since that would have been about the right timescale for when the PSX was being developed.

User avatar
Shadow
Admin / PSXDEV
Admin / PSXDEV
Posts: 2183
Joined: December 31st, 2012, 5:37 pm
PlayStation Model: H2000/5502

Re: How to dump your CDROM BIOS (Firmware)

Post by Shadow » June 1st, 2014, 5:48 pm

Where are all of your dumps nocash including the Yaroze one? We need them on this topic.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

Development Computer: Windows 98, Pentium 3 [400MHz], 128MB SDRAM, DTL-H2000, DTL-H201A, 21" Sony Trinitron CRT, CD-ROM burner, 3.25" and 5.25" Floppy Diskette Drives and a ZIP 100 Diskette Drive.

Jackal
Curious PSXDEV User
Curious PSXDEV User
Posts: 10
Joined: May 19th, 2014, 7:44 pm

Re: How to dump your CDROM BIOS (Firmware)

Post by Jackal » June 2nd, 2014, 3:33 am

I think he's worried about copyrights. By the way, you listed a SCPH-5001 in the download thread as missing, but that model doesn't exist... Wikipedia's had this wrong for years (http://en.wikipedia.org/wiki/PlayStation_models and http://commons.wikimedia.org/wiki/File: ... rboard.jpg ).

User avatar
Orion_
Legendary Programmer
Legendary Programmer
Posts: 216
Joined: August 13th, 2012, 2:48 am
I am a: Programmer
PlayStation Model: Net Yaroze
Location: France
Contact:

Re: How to dump your CDROM BIOS (Firmware)

Post by Orion_ » June 2nd, 2014, 5:55 am

I have a PAL Yaroze, but I doubt I will be able to solder wires in it without destroying the whole board :(
Following these dumps and discovery of the inner working of the cdrom bios, is there now any hope to discover a technique to play CD-R on a retail PS1 without modchip/boot disc ?
that would be sooo awesome for homebrew developers.
Retro game development on Playstation and other consoles http://orionsoft.free.fr/

User avatar
Shendo
C Programming Expert
C Programming Expert
Posts: 237
Joined: March 21st, 2012, 4:34 am
I am a: Programmer
Motto: Never settle
PlayStation Model: SCPH-9002
Location: Croatia, EU

Re: How to dump your CDROM BIOS (Firmware)

Post by Shendo » June 2nd, 2014, 7:42 am

Martin (Nocash) already discovered it. Secret unlock commands.

The problem now is to run a software which would execute those unlock commands.
Something like FMCB for PS1 would be neat.
My PS1 consoles: 2 x SCPH-1002, SCPH-5552, SCPH-7002, 4x SCPH-9002, 2 x SCPH-102.
Dev console: SCPH-9002, MM3 - 7 wire modchip, PAL color mod, CH340 serial cable addon.

User avatar
cybdyn
Cybdyn Systems
Cybdyn Systems
Posts: 405
Joined: January 13th, 2012, 1:56 am
I am a: Embedded Developer (MCU & FPGA)
PlayStation Model: 5502
Location: Belarus (Minsk)

Re: How to dump your CDROM BIOS (Firmware)

Post by cybdyn » June 2nd, 2014, 5:58 pm

no$cash: it's interesting, you always used ASM for you ps1 emulator?
as i thought first your "HLL" of cd dirver is what you may use for pc emu)))

anyway, under macro definition or HLL , i mean - make some kind information more close to how sub-cpu works.
because when we can read pdf's of cxd1199 (cxd2545, cxd2510) we can know only about registers,
but now you/we have bios code, it can make picture more clearly.
one of the way,is just emulate Moto w/ bios -code in EMU (pc). i think it what you made in your last ver. of emu? Will you explain more how you did it, any files? i can try emulate Moto in ARM. but there are many uncleared info for me, for example how to fake interaface sub-cpu and servo and etc.

User avatar
cybdyn
Cybdyn Systems
Cybdyn Systems
Posts: 405
Joined: January 13th, 2012, 1:56 am
I am a: Embedded Developer (MCU & FPGA)
PlayStation Model: 5502
Location: Belarus (Minsk)

Re: How to dump your CDROM BIOS (Firmware)

Post by cybdyn » June 2nd, 2014, 6:48 pm

btw, i found funny string in your last ver 1.9 "CD ROM HC05 BIOS" - "Nocash High-level Clone".

User avatar
Orion_
Legendary Programmer
Legendary Programmer
Posts: 216
Joined: August 13th, 2012, 2:48 am
I am a: Programmer
PlayStation Model: Net Yaroze
Location: France
Contact:

Re: How to dump your CDROM BIOS (Firmware)

Post by Orion_ » June 2nd, 2014, 6:54 pm

ok so it is possible but only with a Action Replay cartridge with the unlock code in it.
will PSIO support this feature ? or is it possible to manufacture a small cheap AR device with a rom to unlock this ?
even if the unlock feature is supported on PSone, it is of no use since it don't have any external port to run custom code :(
Retro game development on Playstation and other consoles http://orionsoft.free.fr/

User avatar
Shadow
Admin / PSXDEV
Admin / PSXDEV
Posts: 2183
Joined: December 31st, 2012, 5:37 pm
PlayStation Model: H2000/5502

Re: How to dump your CDROM BIOS (Firmware)

Post by Shadow » June 2nd, 2014, 7:03 pm

PSIO doesn't need a modchip to boot. What you're after is a replacement IC that can be re-soldered in place of the original mechacon. A member here is working on just that ;)
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

Development Computer: Windows 98, Pentium 3 [400MHz], 128MB SDRAM, DTL-H2000, DTL-H201A, 21" Sony Trinitron CRT, CD-ROM burner, 3.25" and 5.25" Floppy Diskette Drives and a ZIP 100 Diskette Drive.

User avatar
Orion_
Legendary Programmer
Legendary Programmer
Posts: 216
Joined: August 13th, 2012, 2:48 am
I am a: Programmer
PlayStation Model: Net Yaroze
Location: France
Contact:

Re: How to dump your CDROM BIOS (Firmware)

Post by Orion_ » June 3rd, 2014, 3:02 am

no I mean, can PSIO support booting homebrew CD-R using this feature ? (just as an option instead of using SD card)
I don't understand the IC re-soldering part (?)
Retro game development on Playstation and other consoles http://orionsoft.free.fr/

User avatar
Shadow
Admin / PSXDEV
Admin / PSXDEV
Posts: 2183
Joined: December 31st, 2012, 5:37 pm
PlayStation Model: H2000/5502

Re: How to dump your CDROM BIOS (Firmware)

Post by Shadow » June 3rd, 2014, 3:28 am

Yeah, you will be able to do that :)
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

Development Computer: Windows 98, Pentium 3 [400MHz], 128MB SDRAM, DTL-H2000, DTL-H201A, 21" Sony Trinitron CRT, CD-ROM burner, 3.25" and 5.25" Floppy Diskette Drives and a ZIP 100 Diskette Drive.

User avatar
cybdyn
Cybdyn Systems
Cybdyn Systems
Posts: 405
Joined: January 13th, 2012, 1:56 am
I am a: Embedded Developer (MCU & FPGA)
PlayStation Model: 5502
Location: Belarus (Minsk)

Re: How to dump your CDROM BIOS (Firmware)

Post by cybdyn » June 3rd, 2014, 10:23 pm

no$cash , soory if i do pressure to you, the RESEARCH that you are making is incredible, i can only dream of it ....
just sad if it will disappear in "secret" folders))))

PSIO can acts like AR. but to make it close to original can take much work.
but basic things like - boot with custom menu or code - is possible.

what exactly we need for break secure code of native cd-rom drive? as i know, mod-chip is PIC controller. ARM can emulate signal sequences.
another way - use Unlock commands, of maybe load custom fw to sub-cpu?

"ARM and fpga" is powerful pair , but we need know idea, or algorithm.

Michele133
Interested PSXDEV User
Interested PSXDEV User
Posts: 5
Joined: May 26th, 2014, 4:08 am

Re: How to dump your CDROM BIOS (Firmware)

Post by Michele133 » June 12th, 2014, 4:38 am

http://cerrajeriamg.com/descargas/manua ... og_bmw.pdf
there is , the manual for a programmer for motorola frescale cpu but with all test point!!!

User avatar
nocash
PSX Aficionado
PSX Aficionado
Posts: 306
Joined: November 12th, 2012, 2:36 pm
Contact:

Re: How to dump your CDROM BIOS (Firmware)

Post by nocash » June 15th, 2014, 11:23 pm

Orion_ wrote:I have a PAL Yaroze, but I doubt I will be able to solder wires in it without destroying the whole board :(
Well, you could try just looking at the mainboard (hopefully without destroying anything). Currently, the main question is if all Yaroze regions & revisions are using "W2021, SC430926PB, G63C 185" chips. If it turns out that they are all using the same chip, then it would be pointless to make separate dumps for them.

For PSone models, I've just noticed that the sticker at the bottom of PAL consoles can have some variations:
- SCPH-102 PSone Europe
- SCPH-102A PSone Europe (UK, with english manual, with A/V cable)
- SCPH-102B PSone Europe (UK, with english manual, with RFU adaptor)
- SCPH-102C PSone Europe (Continent, with multilanguage manual, with A/V cable)
My own two PSones (with old PM-41 boards) are just badged "SCPH-102". The A/B/C letters seem to have been invented on later revisions - so they might be also hinting that the consoles might contain those mysterious new PM-41(2) boards.
cybdyn wrote:no$cash: it's interesting, you always used ASM for you ps1 emulator?
btw, i found funny string in your last ver 1.9 "CD ROM HC05 BIOS" - "Nocash High-level Clone".
Yes, the emulator/gui/debugger/everything is plain 80x86 asm (or MIPS asm in case of the psx bios/kernel clone).
High-level cdrom emulation is 80x86 asm, too (it's just "high level", not "high level language"), high-level just refers to interpreting the cdrom commands/parameters directly; unlike the low-level emulation which forwards commands/parameters to the original cdrom firmware running on an emulated HC05 sub-cpu.
Whether you use high-level or low-level emulation doesn't matter too much. High-level can be faster/smoother. Low-level can be useful for reproducing hardware glitches.
Michele133 wrote:http://cerrajeriamg.com/descargas/manua ... og_bmw.pdf
there is , the manual for a programmer for motorola frescale cpu but with all test point!!!
Interesting! The chips in psx world seem to have different pinouts though (joypad/32pin, old cdrom/80pin, and new cdrom/52pin, but different as the 52pin diagrams in the carprog doc).

User avatar
Orion_
Legendary Programmer
Legendary Programmer
Posts: 216
Joined: August 13th, 2012, 2:48 am
I am a: Programmer
PlayStation Model: Net Yaroze
Location: France
Contact:

Re: How to dump your CDROM BIOS (Firmware)

Post by Orion_ » June 16th, 2014, 12:21 am

ok so, I have located the chip at the back of the board, here are the numbers on it:
W3021
SC430927PB
G63C 185
JSAB9705B

My Yaronet is a DTL-H3002 PAL
Retro game development on Playstation and other consoles http://orionsoft.free.fr/

Michele133
Interested PSXDEV User
Interested PSXDEV User
Posts: 5
Joined: May 26th, 2014, 4:08 am

Re: How to dump your CDROM BIOS (Firmware)

Post by Michele133 » June 16th, 2014, 3:16 am

http://www.freescale.com/webapp/sps/sit ... 4684498633
this is a list of hc05 legacy-product maybe there is the psx version of cpu-microcontroller?

Michele133
Interested PSXDEV User
Interested PSXDEV User
Posts: 5
Joined: May 26th, 2014, 4:08 am

Re: How to dump your CDROM BIOS (Firmware)

Post by Michele133 » June 16th, 2014, 3:32 am


Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest