CD-decoder ROM dumped
CD-decoder ROM dumped
Hi everybody
Not long time ago we started PSX chip research project : http://psxdev.ru
Our primary project is PSX CPU (IC103)
We contacted some people and asked them to decap and image PSX chips, to further explore them.
One decapper successfully depackaged CD-decoder microcontroller (IC304), based on MC68HC05 CPU and dumped its ROM!
http://psxdev.ru/files/IC304/MC68HC05_ROM.rar
(actually this is whole 6805 memory dump and ROM start from 0x1000 (16 KB) + secondary TEST ROM at 0xFE00 )
We made friendly schematics of PSX CD/Audio system, here :
We also have wiki (but currently on russian) : http://psxdev.ru/wiki
Not long time ago we started PSX chip research project : http://psxdev.ru
Our primary project is PSX CPU (IC103)
We contacted some people and asked them to decap and image PSX chips, to further explore them.
One decapper successfully depackaged CD-decoder microcontroller (IC304), based on MC68HC05 CPU and dumped its ROM!
http://psxdev.ru/files/IC304/MC68HC05_ROM.rar
(actually this is whole 6805 memory dump and ROM start from 0x1000 (16 KB) + secondary TEST ROM at 0xFE00 )
We made friendly schematics of PSX CD/Audio system, here :
We also have wiki (but currently on russian) : http://psxdev.ru/wiki
could you help me to identify the chip on the PSX mobo ? do i understand right ? is there such a chip in the mobo ? where is the rom ? inside the MPU or external ? is it possible to boot different code in such a chip ?
This is single custom chip, made by Motorola. It usually labeled as IC304 and it was never integrated in bigger chips.
On early MBs you can find it on side-B, its 42-pin IC. On modern MBs its usually located near SUB-IC (IC732).
Both ROMs are inside. He managed to dump it by wiring directly to the chip surface.
On early MBs you can find it on side-B, its 42-pin IC. On modern MBs its usually located near SUB-IC (IC732).
Both ROMs are inside. He managed to dump it by wiring directly to the chip surface.
interesting, could be documented this procedure ? and ... is it possible to inject a code in ram in order to execute ?
It has only 512 byte of RAM And its impossible to inject code into SUB-CPU since you can control it only by setting CD-registers, which is not allow to do stack overflow or something.
well, it is like 68hc11 E series, 512byte of ram, too, i am using it to interface the PAD, i have written an assembly driver =P
anyway, how was the dump done ? how could you dump it ?
anyway, how was the dump done ? how could you dump it ?
He opened it and wired mircowires directly to the chip internal bus.
i think you'd better translate in English, else way i can understand less than the 5% of the content.
Anyway, i am replacing the PSX bios with a piece of custom firmware, it should be interesting to use the CD-decoder 68hc05 in such a way, what do you suggest ? In my firmware i have the full control of the hardware.
Anyway, i am replacing the PSX bios with a piece of custom firmware, it should be interesting to use the CD-decoder 68hc05 in such a way, what do you suggest ? In my firmware i have the full control of the hardware.
-
TriMesh Verified
- PSX Aptitude
- Posts: 226
- Joined: Dec 20, 2013
- PlayStation Model: DTL-H1202
- Location: Hong Kong
This is kind of an old thread, but the answer to your question is that you can't really do much with it - at least not from the point of view of the PSX boot ROM.legacy wrote:i think you'd better translate in English, else way i can understand less than the 5% of the content.
Anyway, i am replacing the PSX bios with a piece of custom firmware, it should be interesting to use the CD-decoder 68hc05 in such a way, what do you suggest ? In my firmware i have the full control of the hardware.
The only thing you can talk to from the BIOS is the host side of the CD-decoder chip (these are the memory mapped ports between 0x1f801800 and 0x1f801802 in the PSX memory map. This 'HC05 code is communicating with the other bus ("Sub CPU interface") on that chip, so all the behavior you see from the R3K is defined by this 'HC05 code - but you can't directly control this CPU, or alter the code running in it (since it's stored in mask ROM). What you can do is use it to gain a better insight into exactly how the CD drive commands are handled.
-
Verified
- Cybdyn Systems
- Posts: 406
- Joined: Jan 13, 2012
- I am a: Embedded Developer (MCU & FPGA)
- PlayStation Model: 5502
- Location: Belarus (Minsk)
it's very interesting, as we can better understand how code works on sub-cpu.
-
- What is PSXDEV?
- Posts: 2
- Joined: Aug 08, 2021
- I am a: Programmer
- PlayStation Model: SCPH-1002
- Location: Republic of Moldova (Balti)
Looks like it has been dumped from an american console because it has the 'SCEA' string check inside:
Code: Select all
ROM:48F5 loc_48F5: ; CODE XREF: ROM:4877?J
ROM:48F5 lda byte_1D4
ROM:48F8 eor #$FF
ROM:48FA ldx byte_1D7
ROM:48FD sta byte_1D0, x
ROM:4900 cmp szSCEA, x ; "SCEA"
ROM:4903 beq scea_found_4908
ROM:4905 jmp scea_not_found_4983
ROM:4908 ; ---------------------------------------------------------------------------
ROM:4908
ROM:4908 scea_found_4908: ; CODE XREF: ROM:4903?j
ROM:4908 incx
ROM:4909 stx byte_1D7
ROM:490C txa
ROM:490D cmp #4
ROM:490F beq loc_491C
ROM:4911 lda #5
ROM:4913 sta byte_1D5
ROM:4916 lda #1
ROM:4918 sta byte_1D6
ROM:491B rts
Who is online
Users browsing this forum: No registered users and 10 guests