PS2 Possibilities with MechaCon code execution

uyjulian

Developer
After many years, the ROM of the MechaCon has been dumped. (via https://twitter.com/balika011/status/1365719735254609920 )

It gives out a bit more keys than the ones embedded in the PS3 PS2 emulator (most notably, the arcade System 2x6 machines).

According to the documentation recently written on the PS2 Dev Wiki, the Mechacon has a method to load patches from EEPROM. (https://playstationdev.wiki/ps2devwiki/index.php?title=MechaCon)

Mechadump allows you to dump the ROM of the MechaCon. https://github.com/Myriachan/mechadump

MechaPwn allows you to change region or force all discs to be detected as PS2 discs. https://github.com/MechaResearch/MechaPwn

What are the possibilities for this?
  • Primarily, it can override the disc checks (CD/DVD check, PS2 check, PS1 check, region check, master disc check, wobble check)… No more modchips.
  • It can allow writes of the entire EEPROM, allowing to change the lens type (like with older models). No more PMAP or soldering required.
  • EEPROM writes also allow changing of other parameters like region or model number (but this is mostly unnecessary if the region checks are patched out)
  • It may be possible to fix the laser burnout issues (especially when using DVD-RW discs). No more "Disc Read Error"!
  • On the other hand, it may be possible to increase the laser power and increase laser burnout. Repair shops might use this on unsuspecting customers to get repeat customers…
  • It may be possible to override the fan speed. No more loud fan when using the network adapter+HDD!
  • For older consoles, it may be possible to add the feature to use power off handling.
  • For all consoles, it may be possible to use the power off handling feature even when a HDD is not connected (useful for USB, ethernet, memory card, or other storage device)
  • It could be possible to run custom EE or IOP code at startup. However, there is not a lot of room in the EEPROM…
  • It could be possible to bypass the DVD Player 1.00 blacklist and allow it to be decrypted.
  • It could be possible to bypass MagicGate checks, allowing saving, FMCB, and DVD Player updates on unofficial memory cards.

It appears the Dragon Mechacon is an ARM processor, so basically there are 5 different processor architectures that can show up in a PS2:
  • MIPS (EE and IOP)
  • PowerPC (PPC-IOP/Deckard)
  • ARM (newer Mechacon/Dragon)
  • x86 (DTL-T/TOOL)
  • SPC970 (older MechaCon)


The Dragon Mechacon has 16KB of RAM. I wonder about the processing speed of the Mechacon (compared to the other processors).

It may be possible to improve compatibility in Open PS2 Loader by running code on the Mechacon instead of the IOP. It may be possible to remove the custom CDVDMAN module and use the original one, and the Mechacon could handle the USB/HDD/ETH tasks instead. Since developer code wasn't meant to run on the Mechacon, it can be used for other purposes without affecting compatibility. It may also be possible to run PS1 games with the MechaCon based emulation method…
MechaCon can basically act as an "Optical Disk Emulator" at this point…
 
How can Mechacon act as an optical disk emulator since all it has to do (when it comes to the PS1 playback) is to authenticate the disc as an original PS1 pressed? Even if we could be able to authenticate every disk as a PS1CD-ROM, how could it lead to the playback of the PS1 games through the other media than CD? In the PS1 mode IOP is acting as a PS1 CPU and has got no access to the DEV9 or USB device, hasn't it?
 
I never dreamed that I would live long enough to see CFW on PS2. Well, kind of. :D

I'm more positively surprised that Triszka didn't give up on defeating DESR and maybe this is one of the approaches he took; and the Mechacon dump is the consequence of this for the rest of PS2 model users. So who knows, maybe this little piece handles i.e. HDD checking in the first place? And/or encryption/decryption?
 
The PSX has got an additional processor called DVRP which solves an additional encryption on the PSX side of data.
 
How can Mechacon act as an optical disk emulator since all it has to do (when it comes to the PS1 playback) is to authenticate the disc as an original PS1 pressed? Even if we could be able to authenticate every disk as a PS1CD-ROM, how could it lead to the playback of the PS1 games through the other media than CD? In the PS1 mode IOP is acting as a PS1 CPU and has got no access to the DEV9 or USB device, hasn't it?
It is possible to execute code on the IOP in PS1 mode through the MechaCon. Before, this was only possible in DECKARD models.

There may be ways to work around the DEV9 or USB disabled issues. More research on this would be needed, and code execution on the IOP in PS1 mode without needing to burn a disk will make this much, much easier.
 
I started a currently closed news in the closed section. I haven't finished it yet and hence it didn't get published, because most people wouldn't understand the more important part of the story.

Not the dump itself, but implications and what it might cause!
 
I've been out of the loop. How do we know that the ROM was actually dumped and that all those things mentioned can be done? The link provided by the OP, only links to a rather cryptic tweet.
 
Check the wiki. There's code for decryption of "Region" and "ROM patch".

If you mean the Wiki (and specifically that page) which is linked to above, I did read the page, but I don't personally think it's necessarily an indicator that the ROM has been dumped. I mean, reverse-engineering of that ROM probably isn't strictly the only way that this sort of information can be obtained.

Also, if you check Triszka's tweets, (he/she?)'s working with @zecoxao and @M4j0r
Honestly, I don't know them well. I exchanged some messages with Triszka and M4j0r before, but I don't actually know much about them, other than knowing that both have interests in the inner workings of the console and Triszka can certainly do programming.

So are you telling me that because it is these individuals that we're talking about, it's likely that the MECHACON's ROM was dumped?

What about the other things that OP mentioned?
 
Is there any place where it is explained how exactly the patches are applied and how they work?
Are they applied to some internal mechacon RAM or somewhere else?
 
I've been out of the loop. How do we know that the ROM was actually dumped and that all those things mentioned can be done? The link provided by the OP, only links to a rather cryptic tweet.

Glad to see you here. You are one of the best PS2 developers and you can help the other guys make those mentioned things happen
 
it was dumped via patch method

So it's the truth? Great job!

Is there any place where it is explained how exactly the patches are applied and how they work?

Long ago in 2015, I found that under specific conditions, the Sony elect tool would write some data to the region at offset +0x320 of the EEPROM. The action involved a label, "PCEA1240". "PCEA1240" may be some internal memo.
If it's a CEX H-chassis with MECHACON version 5.4, there seems to be data written. If it's a DEX H-chassis with v5.5 and with some additional checks (that I did not understand), it would write data with mostly 0xFFs to the region.

+0x320=800, 800/2=word 400, which seems to line up with the "Rom patches ciphertext" region described in the wiki.
In conclusion, at least the Sony Elect service tool would update these patches.

But, I had and still have no idea what all these do.

Glad to see you here. You are one of the best PS2 developers and you can help the other guys make those mentioned things happen
That's the misunderstanding that I would like to clear up. I didn't see where any of those things were claimed, by the individuals involved. So if the MECHACON cannot be flashed and/or is not in the right position to do all that, no amount of software engineering less than the level of magic will help you achieve those.

It's not that I will contribute much, so I didn't mean to be unconstructive. But if you are wondering why I have doubts:
  • Writing to the EEPROM was always possible, which is how Lenschanger worked. It's just that we cannot change the "fixed data" regions of the EEPROM, which contain things like IDs and regional data. PMAP is a replacement for the Sony Elect, EEPROM and Mechanism adjustment tools, not Lenschanger; to replace the role of PMAP would mean that we need to have an API to do tuning, not just manipulate the EEPROM. For example, you can't get runtime information like the jitter level from the EEPROM or get the PS2 to perform auto gain adjustment...
  • I'm not sure what OP meant by "power off handling", but I guess he meant the function for notifying the software of the RESET button getting pressed. The only models to not have this feature were the SCPH-10000, SCPH-15000 and SCPH-18000. If you press the RESET button on those models, the PS2 is immediately reset - but how do we know that it's not a hardware design?
  • The fan speed is increased to keep your HDD cool. It's why I recommend that people don't just blindly replace/mod their fans without considering the possible consequences. It's also not necessarily a given that the fan speed can be adjusted from software, since it could have also been a hardware function. The old PS2 models (mainly those that had the noisier fans) also had a SYSCON, so how do we know that it can be controlled from the MECHACON?
  • MagicGate authentication of a memory card is done by MCMAN with the MECHACON, not initiated by the MECHACON itself. There was no such restriction implemented by the MECHACON, but we're limited by the software in ROM instead. I believe it is just a data bus, due to @wisi's project that allowed microSD cards to be interfaced with it - which is a non-Sony device.
  • Without further facts, how do we know that these patches can influence EE and IOP memory? Given that they're in the MECHACON's internal EEPROM, they could be fixes for the MECHACON's functions.

I believe that the OP has the spirit and the passion though.

I stopped working on PS2 software development in 2018, to move on in life. I still come back now and then, but I don't have plans to do more PS2-related things.
 