Enable the optical disc drive
It is not a standard ATAPI device and there is no functional homebrew equivalent to the Sony CDVDMAN module, so there is a need to reverse-engineer it. Even if it can be accessed, it can only be used to access discs that the PS2 can access.
I sent some PS2 boards over to @whitequark; she's offered to decap and delayer them, so we can reverse engineer from the die shots of things like the MECHACON.
I'm not sure if die shots are the best way to figure out the ODD's interface...
If the firmware of the MECHACON is dumped, there is a potential to unlock reading of non-PS2/non-DVD-Video discs by finding an exploit/backdoor.
I personally think that fuzzing would have an easier time than reading out the ROM from die shots.
The interface of the optical disc drive is non-standard and there are some restrictions on it.
Fuzzing is difficult because it's not always obvious what internal effects it has. I think dumping the ROM is a better approach.
We have service manuals for the 39k series, so we know what the wires do, just not what goes across them (yet).
On Fri, 19 Apr 2019, 16:14 Julian Uy, [email protected] wrote:
If the firmware of the MECHACON is dumped, there is a potential to unlock reading of non-PS2/non-DVD-Video discs by finding an exploit/backdoor.
I personally think that fuzzing would have an easier time than reading out the ROM from die shots.
The interface of the optical disc drive is non-standard and there are some restrictions on it.
Some pcsx2 dev might be interested @ramapcsx2 @gigaherz Also, I found this.
Thanks @mirh for the notification :) I fear I can't help much, besides some trivial stuff maybe.
The Mechacon is a big chip that does housekeeping tasks, such as drive calibration, besides the copy protection and device access itself. It won't be easy to decode even a good ROM dump, since it'll be huge.
If the goal is to simply read files from a disk, then security may not have to be bypassed at all. If it is necessary, then a trick (DVD Video media flag) will probably do fine.
Just to mention that mechapwn exists. It has an option, Force unlock, that allows for unlimited access to the optical drive. MechaPWN patches the EEPROM so the Dragon Mechacon (which is in fact an ARM processor) is patched on boot.
Thanks, @AKuHAK! Sounds somewhat risky, and too bad SCPH-3xxxx isn’t supported. Progress regardless! :grin:
Sounds somewhat risky
Yes, the current version is a bit risky. I am working on a safer version of it, which will probably be released soon.
Anyway, there exists a so-called "burn coils" hardware bug: any console made before SCPH-750xx is affected by this bug. Each time you put a bad quality disk in the console's drive, you have a chance that, if the laser meets a sector with bad ECC data, the DSP may crash and send constant current to the lens. It is super easy to meet that bug; you can just put any bad disk into the console (modded or not - doesn't matter) and you are playing Russian roulette. This bug can be resolved only by soldering an additional protection mechanism inside the PS2.