MechaCon

From PS2 Dev Wiki
Jump to navigation Jump to search

MechaCon is short for Mechanics Controller. This chip is the security ic of the PlayStation 2 that implements game disk security, Magic Gate and KELF file decryption.

There are two known main variants of it.

The earlier one is based on SPC 9700 and used till GH-016.

The newer one is ARM based, codenamed "Dragon".

The chip includes an 512 word eeprom. The content is different between the two main reversions.

SPC[edit]

TODO

Dragon[edit]

EEPROM layout[edit]

Start (word) End (word) Size (byte) Description
0 48 96
48 90 84
96 128 64
128 150 44
160 190 60
192 198 12 Region params (only slim)
204 208 8 MAC address
211 216 10 wake up time
216 225 18 model number
227 232 10 Region code key seed
232 237 10 Region code ciphertext
240 245 10 iLink id
245 248 6 (used by scmd 3, subcmd 48 and 49)
248 253 10 Console id
253 256 6 (used by scmd 3, subcmd 48 and 49)
256 312 112 config 2
312 344 64 config 0
344 400 112 config 1
400 512 224 Rom patches ciphertext

Region code[edit]

Decryption[edit]

int getRegionFlags()
{
	// read kek
	uint8_t key508[8];
	ksGetKey(key508, 508);
	
	// read saved seed from eeprom
	uint8_t keyseed[10];
	eepromRead(227, sizeof(keyseed), keyseed);
	
	// read encrypted region from eeprom
	uint8_t ciphertext[10];
	eepromRead(232, sizeof(ciphertext), ciphertext);
	
	// generate key
	uint8_t key[8];
	desEncrypt(key508, keyseed, key);
	
	// decrypt ciphertext
	uint8_t plaintext[8];
	desDecrypt(key, ciphertext, plaintext);
	
	uint16_t crc = *(uint16_t *) plaintext;
	crc += *(uint16_t *) &plaintext[2];
	crc += *(uint16_t *) &plaintext[4];
	
	// check checksum
	if (crc  == *(uint16_t *) &plaintext[6])
		return *(uint32_t *) plaintext;
	
	retrun 0;
}

Bits[edit]

Bit Description
0 Japan
1 USA
2 Europe
3 Oceania
4 Asia
5 Russia
6 China
7 Mexico
16 Development (changes MagicGate keys)
17 Retail MagicGate keys on Development, bypass BootCertify
18 Arcade (changes MagicGate keys)
19 Prototype? (changes MagicGate keys)
20 ? (dvd related)

Rom patch[edit]

Decryption[edit]

bool readAndDecryptRomPatch()
{
	// read the patch's first half
	uint8_t patches[0xDE];
	eepromRead(400, 0x70, patches);
	
	// check if the -1th byte is 0 (sum is not checked)
	if (patches[0x6E])
		return false;

	// read the patch's second half
	eepromRead(456, 0x70, &patches[0x6E]);
	
	// check if the -1th byte is 0 (sum is not checked)
	if (patches[0xDC])
		return false;

	// read encryption key
	uint8_t key504[8];
	ksGetKey(key504, 504);
	
	// decrypt the patch using DES-ECB
	for (int i = 0; i < 0xD8; i += 8)
		desDecrypt(key504, &patches[i], &patches[i]);

	// check sum
	uint32_t sum = *(uint32_t *)patches;
	sum += *(uint32_t *)&patches[4];
	sum += *(uint32_t *)&patches[8];
	sum += *(uint32_t *)&patches[12];

	if (*(uint32_t *) &patches[0xD8] == ~sum)
		return false;
		
	return true;
}

Content[edit]

The patch can contain up to 4 patches.

addressX = The address where to apply the patch

valueX = The data that's written there

svc_addressX = The address where SVC X instruction jumps to.

payload = Arbitrary, could be code or data as well.

Offset Size Name
0x00 0x04 address0
0x04 0x04 address1
0x08 0x04 address2
0x0C 0x04 address3
0x10 0x04 value0
0x14 0x04 value1
0x18 0x04 value2
0x1C 0x04 value3
0x20 0x04 svc_address0
0x24 0x04 svc_address1
0x28 0x04 svc_address2
0x2C 0x04 svc_address3
0x30 0xA8 payload
0xD8 0x04 crc