Re: How to dump your CDROM BIOS (Firmware)

Posted: May 31st, 2014, 5:21 am
by nocash
cybdyn wrote:is any chance if you make in result some kind of macro or high level interpretation of how sub-cpu works? something like: make from asm of Moto to "C", or any macro definition.
Ah, no, not me. I am an ASM programmer. I am not doing HLL stuff, never, no chance.
TriMesh wrote:Because I wanted a format with address information, and SREC seemed the natural choice because it was the one that the original Motorola tools used. Personally, I don't like the raw binary format because it has memory dumps from two different areas of ROM just concatenated together, so the loader has to be specially written to handle it.
Hmm, I haven't tried, but I guess .S19 requires some special loader, too. On the other hand, the address-info in .S19 might make it a bit more clear what goes where. Anyways, the dumping format doesn't matter too much, I just wanted to mention the no$psx can't deal with .S19 - and in case anybody wondered: .S19 isn't a native format related to the PSX chip dumps. Although, quite possible that Sony's developers did actually use that kind of S19 files when they were programming the chips.

Oh, and some days ago, Shadow mentioned that the DTL-H2000 sub-cpu is having chip markings 'P823' 'U01Q' (hidden underneath of the still-undumped 32pin EPROM). The P823 seems to stand for "CXP82300" (aka the ROM-less piggyback version of Sony's "CXP823xx" chips). So, DTL-H2000 seems to be using Sony SPC700 code (as used by the SNES APU), rather than Motorola HC05 code (as used by PSX retail consoles).

Re: How to dump your CDROM BIOS (Firmware)

Posted: May 31st, 2014, 5:52 am
by Shadow
I'll get the CXP82000-U01Q dumped soon ;)

Re: How to dump your CDROM BIOS (Firmware)

Posted: May 31st, 2014, 10:38 am
by Charles MacDonald
If you are using a TTL RS-232 to USB converter (e.g. DLP-USB232R, FTDI UM232H, etc. which appears as a virtual COM port) to dump the CD BIOS, I've developed a command-line program that uploads the dumping program and saves the results. The source code and a Windows binary are available here:

http://cgfm2.emuviews.com/new/pcd-05302014.zip

I've tried to make it easy to use at every step, so troubleshooting problems should be simple.

For dumping I did some things slightly differently; I connected 7.5V to pin 31 and 3.5V to pin 17 using a 10K-ohm resistor in series to limit current into these pins, instead of a direct connection. It's not strictly necessary however. Also on this particular PU-8 board there is a 4.7K ohm pull-up resistor to 3.6V on pin 31 on the component side of the board that should be removed when dumping. On the solder side it can be seen as a via prior to the test point.

For the RS-232 to USB converters mentioned, what worked for me was to configure them as being bus-powered (using 5V from the USB cable), and connecting the VCCIO pin to the PSX 3.6V supply and the ground pins to the PSX ground. There are probably other ways to power the converters that work as well.

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 1st, 2014, 2:58 pm
by TriMesh
nocash wrote:Charles MacDonald dumped a DTL-H3001 (Yaroze) NTSC:U/C version Late-PU-8 board (1-658-467-23) with 52pin chip "W 2021, SC430926PB, G63C 185, JSAA9645A" and CRC32=DF333241.

Concerning the BCD date (18 Aug 1996), it's much newer than for normal Late-PU-8 boards, it's almost as new as the later PU-18 version (or concerning the chip number (SC430926), it's even newer than PU-18, despite using a PU-8 board).
That makes sense - the Yaroze had to use a PU-8, even if the PU-18 was already out, because the (later) PU-8 is the only board that has the provision for installing both PAL and NTSC reference oscillators together. That's why a Yaroze can display both PAL and NTSC over composite and retail and debug units can't.
nocash wrote:One odd gimmick is that the GetID command returns "SCEA" for SCEA discs, but for SCEI/SCEE/SCEW discs it's returning only four ASCII spaces (20h).

The region test command returns "for NETNA" (instead of "for Europe" or "for U/C" etc.) and the Secret Unlock commands want "World wide" as region ID for unlocking unlicensed CDRs.

Does anybody know if there are other Yaroze versions?
There were certainly other Yaroze models, one for each territory. I had a DTL-H3002 PAL Yaroze, but I have to admit that I can't remember it ever displaying that 4-character string on the boot screen at all, no matter which disc you booted on it - it was always just 4 spaces, like a debug unit. Of course, this was a long time ago, so I might be forgetting.

The fact that the region string is "NETNA" is interesting - the only question is if the "NA" is "North America" or "Not Applicable" :)

And, to go back to the SREC stuff, that was an entirely arbitrary choice on my part - I wanted a format that made it clear which data went where, but using Intel Hex just seemed wrong on a Motorola part. So I used SREC with the .S19 extension that the old Motorola DOS IDE used, since that would have been about the right timescale for when the PSX was being developed.
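
The point made above about address information in SREC, as an added example that is not part of the original posts or of anyone's dumping tools: a minimal S-record loader in Python that verifies each record's checksum and rebuilds the separate ROM areas from the addresses carried in the file. The sample records and their addresses are constructed for illustration and are not taken from any real dump.

```python
ADDR_BYTES = {"0": 2, "1": 2, "2": 3, "3": 4, "5": 2, "7": 4, "8": 3, "9": 2}  # address width per type

def parse_record(line):
    """Return (type, address, data) for one record; raise ValueError if malformed."""
    line = line.strip()
    if len(line) < 10 or line[0] != "S" or line[1] not in ADDR_BYTES:
        raise ValueError(f"not an S-record: {line!r}")
    body = bytes.fromhex(line[2:])  # raises ValueError on bad hex
    count, payload, checksum = body[0], body[1:-1], body[-1]
    width = ADDR_BYTES[line[1]]
    if count != len(body) - 1 or len(payload) < width:
        raise ValueError(f"bad byte count in {line!r}")
    # Checksum: ones' complement of the low byte of count + address + data.
    if (~(count + sum(payload)) & 0xFF) != checksum:
        raise ValueError(f"checksum mismatch in {line!r}")
    return line[1], int.from_bytes(payload[:width], "big"), payload[width:]

def load_regions(text):
    """Merge data records into {start_address: bytes}, one entry per contiguous area."""
    memory = {}
    for line in filter(str.strip, text.splitlines()):
        rtype, addr, data = parse_record(line)
        if rtype not in "123":
            continue  # header and termination records carry no ROM data
        for offset, value in enumerate(data):
            if addr + offset in memory:
                raise ValueError(f"address {addr + offset:#06x} written twice")
            memory[addr + offset] = value
    regions, start, prev = {}, None, None
    for a in sorted(memory):
        if prev is None or a != prev + 1:
            start = a
            regions[start] = bytearray()
        regions[start].append(memory[a])
        prev = a
    return {s: bytes(b) for s, b in regions.items()}

# Constructed sample (not a real dump): two ROM areas at made-up addresses.
SAMPLE_S19 = """\
S00600004844521B
S1071000A601B7008A
S1051004819DC8
S107FE0010001004D6
S9030000FC
"""

if __name__ == "__main__":
    for start, blob in load_regions(SAMPLE_S19).items():
        print(f"{start:#06x}-{start + len(blob) - 1:#06x}  {blob.hex()}")
```

A raw binary made by concatenating the same two areas would be ten bytes with no record of where the second area starts, which is why such a file needs a loader written for that specific layout.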

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 1st, 2014, 5:48 pm
by Shadow
Where are all of your dumps nocash including the Yaroze one? We need them on this topic.

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 2nd, 2014, 3:33 am
by Jackal
I think he's worried about copyrights. By the way, you listed a SCPH-5001 in the download thread as missing, but that model doesn't exist... Wikipedia's had this wrong for years (http://en.wikipedia.org/wiki/PlayStation_models and http://commons.wikimedia.org/wiki/File: ... rboard.jpg ).

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 2nd, 2014, 5:55 am
by Orion_
I have a PAL Yaroze, but I doubt I will be able to solder wires in it without destroying the whole board :(
Following these dumps and discovery of the inner working of the cdrom bios, is there now any hope to discover a technique to play CD-R on a retail PS1 without modchip/boot disc?
That would be sooo awesome for homebrew developers.

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 2nd, 2014, 7:42 am
by Shendo
Martin (Nocash) already discovered it. Secret unlock commands.

The problem now is to run a software which would execute those unlock commands.
Something like FMCB for PS1 would be neat.

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 2nd, 2014, 5:58 pm
by Yuri^Cybdyn
no$cash: it's interesting, you always used ASM for your ps1 emulator?
as i thought first your "HLL" of cd driver is what you may use for pc emu)))

anyway, under macro definition or HLL , i mean - make some kind information more close to how sub-cpu works.
because when we can read pdf's of cxd1199 (cxd2545, cxd2510) we can know only about registers,
but now you/we have bios code, it can make picture more clearly.
one of the ways is just emulate Moto w/ bios-code in EMU (pc). i think it what you made in your last ver. of emu? Will you explain more how you did it, any files? i can try emulate Moto in ARM. but there are many uncleared info for me, for example how to fake interface sub-cpu and servo and etc.

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 2nd, 2014, 6:48 pm
by Yuri^Cybdyn
btw, i found funny string in your last ver 1.9 "CD ROM HC05 BIOS" - "Nocash High-level Clone".

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 2nd, 2014, 6:54 pm
by Orion_
ok so it is possible but only with an Action Replay cartridge with the unlock code in it.
will PSIO support this feature? or is it possible to manufacture a small cheap AR device with a rom to unlock this?
even if the unlock feature is supported on PSone, it is of no use since it doesn't have any external port to run custom code :(

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 2nd, 2014, 7:03 pm
by Shadow
PSIO doesn't need a modchip to boot. What you're after is a replacement IC that can be re-soldered in place of the original mechacon. A member here is working on just that ;)

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 3rd, 2014, 3:02 am
by Orion_
no I mean, can PSIO support booting homebrew CD-R using this feature ? (just as an option instead of using SD card)
I don't understand the IC re-soldering part (?)

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 3rd, 2014, 3:28 am
by Shadow
Yeah, you will be able to do that :)

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 3rd, 2014, 10:23 pm
by Yuri^Cybdyn
no$cash, sorry if i do pressure to you, the RESEARCH that you are making is incredible, i can only dream of it ....
just sad if it will disappear in "secret" folders))))

PSIO can act like AR. but to make it close to original can take much work.
but basic things like - boot with custom menu or code - is possible.

what exactly we need for break secure code of native cd-rom drive? as i know, mod-chip is PIC controller. ARM can emulate signal sequences.
another way - use Unlock commands, or maybe load custom fw to sub-cpu?

"ARM and fpga" is powerful pair , but we need know idea, or algorithm.

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 12th, 2014, 4:38 am
by Michele133
http://cerrajeriamg.com/descargas/manua ... og_bmw.pdf
there is, the manual for a programmer for Motorola Freescale cpu but with all test point!!!

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 15th, 2014, 11:23 pm
by nocash
Orion_ wrote:I have a PAL Yaroze, but I doubt I will be able to solder wires in it without destroying the whole board :(
Well, you could try just looking at the mainboard (hopefully without destroying anything). Currently, the main question is if all Yaroze regions & revisions are using "W2021, SC430926PB, G63C 185" chips. If it turns out that they are all using the same chip, then it would be pointless to make separate dumps for them.

For PSone models, I've just noticed that the sticker at the bottom of PAL consoles can have some variations:
- SCPH-102 PSone Europe
- SCPH-102A PSone Europe (UK, with english manual, with A/V cable)
- SCPH-102B PSone Europe (UK, with english manual, with RFU adaptor)
- SCPH-102C PSone Europe (Continent, with multilanguage manual, with A/V cable)
My own two PSones (with old PM-41 boards) are just badged "SCPH-102". The A/B/C letters seem to have been invented on later revisions - so they might be also hinting that the consoles might contain those mysterious new PM-41(2) boards.
cybdyn wrote:no$cash: it's interesting, you always used ASM for your ps1 emulator?
btw, i found funny string in your last ver 1.9 "CD ROM HC05 BIOS" - "Nocash High-level Clone".
Yes, the emulator/gui/debugger/everything is plain 80x86 asm (or MIPS asm in case of the psx bios/kernel clone).
High-level cdrom emulation is 80x86 asm, too (it's just "high level", not "high level language"), high-level just refers to interpreting the cdrom commands/parameters directly; unlike the low-level emulation which forwards commands/parameters to the original cdrom firmware running on an emulated HC05 sub-cpu.
Whether you use high-level or low-level emulation doesn't matter too much. High-level can be faster/smoother. Low-level can be useful for reproducing hardware glitches.
Michele133 wrote:http://cerrajeriamg.com/descargas/manua ... og_bmw.pdf
there is, the manual for a programmer for Motorola Freescale cpu but with all test point!!!
Interesting! The chips in psx world seem to have different pinouts though (joypad/32pin, old cdrom/80pin, and new cdrom/52pin, but different from the 52pin diagrams in the carprog doc).

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 16th, 2014, 12:21 am
by Orion_
ok so, I have located the chip at the back of the board, here are the numbers on it:
W3021
SC430927PB
G63C 185
JSAB9705B

My Yaronet is a DTL-H3002 PAL

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 16th, 2014, 3:16 am
by Michele133
http://www.freescale.com/webapp/sps/sit ... 4684498633
this is a list of hc05 legacy-product maybe there is the psx version of cpu-microcontroller?

Re: How to dump your CDROM BIOS (Firmware)

Posted: June 16th, 2014, 3:32 am
by Michele133