PS2 Julian's various PS2 projects (Worklog)

The OSDSYS executable for System 147 and System 148 has references to "-m rom0:SIO2MAN", "-m rom0:MCMAN", and "-x mc0:boot.bin". However, it doesn't use/check them and just goes to "rom1:START".
 
How the S147/S148 boot process briefly works at a high level

rom0:OSDSYS
* If additional arguments, starts error loop, otherwise loads rom1:START
rom1:START
* Loads IOPRP image rom1:IOPRP300A
* Opens "ctrl1:" and does LED stuff (fail -> error loop)
* Load module "rom1:USBD" (fail -> error loop)
* Load module "rom1:S147USBM" (fail -> error loop)
* Load module "rom1:S147NETB" (fail -> error loop)
* Sets video mode info from "atfile9:videomode"
* To probe if USB memory exists, reads "atfile19:usb-probe" periodically
* If USB memory exists, probe USB ethernet (not a failure if doesn't exist)
* To probe if USB ethernet exists, reads "atfile29:http-probe" periodically
* Opens "atfile10:LOADDEF.TXT", if doesn't exist, NAND load
* If USB memory does not exist, NAND load
* Otherwise, USB load

NAND load:
* Open and read "atfile9:seccode" (fail -> error loop)
* Open "ctrl12:" and write above for unlock register (fail -> error loop)
* Open and close "atfile9:watchdog-enable" (enable watchdog auto clear NAND)
* Open and read "atfile0:LOADDEF.TXT" (fail -> error loop)
* Open file specified on first line of LOADDEF.TXT (fail -> error loop)
* If not ELF file path, file size over 0x1b00000 -> error loop
* If not ELF file path, read specified file whole to address specified on second line of LOADDEF.TXT
* If not ELF file path, jump to address specified on second line of LOADDEF.TXT
* Otherwise, reboot IOP to stock then LoadExecPS2 specified path

USB load:
* Read LOADDEF.TXT FD whole, then close
* If ELF file path, open "ctrl12:" and write 0xFFFF for unlock register (fail -> error loop)
* If ELF file path, if device "atfile10:", open and close "atfile19:watchdog-enable" (enable watchdog auto clear USB memory)
* If ELF file path, if device "atfile20:", open and close "atfile29:watchdog-enable" (enable watchdog auto clear USB HTTP)
* Open file specified on first line of LOADDEF.TXT (fail -> error loop)
* If not ELF file path, file size over 0x1b00000 -> error loop
* If not ELF file path, read specified file whole to address specified on second line of LOADDEF.TXT
* If not ELF file path, jump to address specified on second line of LOADDEF.TXT
* Otherwise, LoadExecPS2 specified path
 
MP3, AC3, MPEG2, H.263, AAC-LC, and MPEG4-Visual patents have expired in the US.

A lot of H.264 patents will expire this year, but it is currently unknown whether the rest of the patents are needed for AVC which is what a lot of video content uses.
https://meta.wikimedia.org/wiki/Have_the_patents_for_H.264_MPEG-4_AVC_expired_yet?

In any case, once patents expire this will open the door to more open development with those codecs, e.g. hardware optimization techniques.

With more development happening in the open space it should be easier to optimize decoders for PS2.
 
It seems like the scraping bots have been basically accelerating the killing off of older websites, especially ones that never got a chance to put a WAF e.g. Cloudflare in front.

A lot of old info on PS2 modding will be either hard to find or lost due to this.
 
I can confirm that older (2.0.0 and below) libsdr will send the function pointer of the callback to the sdrdrv (including the situation where it is NULL). So this change is backwards compatible.
 
So looks like the MBR from installed contents of SCPN-60160 is more complicated than I thought it would be.
Looks a lot like OSDSYS code base and it appears to include some resources for rendering the browser and clock.

Some notes:

For BootClock
sets boot module

For BootOpening
sets boot module

For BootWarning
sets boot module

For BootIllegal
sets boot module

For BootPs1Cd
it will perform the PS1DRV loading procedure (hdd or rom)

For BootPs2Cd, BootPs2Dvd
it will load rom0:PS2LOGO

For BootDvdVideo
it will perform the DVDPLAYER loading procedure (hdd, mc, or rom)

For BootHddApp
it will perform the hdd partition loading procedure

For DnasPs1Emu, DnasPs2Native, DnasPs2Hdd
it will perform the hdd dnasload loading procedure

For SkipFsck
it will skip fsck loading if it would otherwise load it

For Initialize
it is checked but nothing is done with the result

For BootBrowser, BootCdPlayer, arguments beginning with Opt
will boot osdboot

On disc loading error
will boot osdboot with arguments "BootError" "BOOT_DISC_MODULE"

Common boot module selection
0, opening
1, clock
2, warning; illegal

Common execute app methods
0, ps2 cd boot
1, ps2 dvd boot
2, ps1 cd boot
3, dvd player boot
4, dnasload ps2native
5, dnasload ps2emu
6, dnasload ps2hdd
7, partition boot
8, osdboot
9, fsck

Common execute app errors
0, should never be reached
2, ps2 can't open/read system.cnf; ps2hdd cannot parse patinfo or mount partition contain elf; key/value PLATFORM=BNLINUX in system.cnf
3, readkey failed; -> warning
4, ps1 system.cnf handling fail
5, unable to get module update info;-> boot osdboot with arguments "BootError" "DVDELF"

Hdd hardcoded app boot paths
osdboot: hdd0:__system:pfs:/p2lboot/osdboot.elf
dnasload: hdd0:__system:pfs:/dnas100/dnasload.elf
fsck: hdd0:__system:pfs:/fsck/fsck.elf
fsck110: hdd0:__system:pfs:/fsck110/fsck.elf
 
Differing files between 2.20 retail (SCPH-) and debug (DTL-H)

EELOADCNF
LOGO
OSDCNF
OSDSYS
PS2LOGO
ROMVER
SECRMAN

Differing files between 2.00 retail (SCPH-) and debug (DTL-H)

LOGO
PS2LOGO
ROMVER
SECRMAN
 
BBSYS101 is a SIF RPC server (id=0x80000F02) for hdd sce ata identify.
When fno = 0x18E it sets 64 bytes of the return buffer to NULL.
When fno = 0x39B, first four bytes are return value of ata_device_sce_identify_drive,
The following have been obfuscated in some manner: next 8 bytes are sce identify buffer at offset 64 (serial number and padding), next 16 bytes are sce identify buffer at offset 80 (DNAS/encryption related), next 8 bytes are NULL.

BBSYS102 appears to set up random bytes (seeded from RTC) at 0x3C8, then allocates 0x4000 bytes, randomly at first or last depending on the least significant bit of 0x3C8. The address of this buffer xor the value of 0x3C8 is stored to 0x3CC, then some obfuscation related stuff is performed on the buffer.

BBSYS103 appears to use information from BBS102 set up at 0x3C8 / 0x3CC, then will periodically check disk type and set media mode and clock. If flag 1 is set it will read disk id and store it obfuscated. If flag 2 is set it will read system.cnf first line (to newline), extracting the file name (the contents after "BOOT2 = cdrom0:\" but before newline), then store it obfuscated.
 
For GCC 3.2-ee-040921 (Cygnus/RedHat GNUPro), it appears to be compiled on RedHat Linux 9 (not updated) with the following:
GCC 3.2.2-5
glibc glibc-2.3.2-20030313
GNU binutils 2.13.90.0.18
 
There are disassemblers that will stop when they encounter PPC440 Auxiliary Processor (AP) instructions. To work around this, I changed them to dcread instructions.

For example, if the offending bytes are 00 03 23 CC, turn it into a big endian 32 bit integer e.g. 0x000323CC, bitwise and it with 0x03fffc00, then bitwise or it with 0x7c0003cc. The result will then be 0x7c0323cc, and in bytes is 7c 03 23 cc.
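
The rewrite described in the post above, applied to a whole image at a list of offsets, as an added example (not the poster's own tooling). The mask and OR values are the ones given in the post; the offset list is assumed to be collected by hand from where the disassembler stopped, and the sample bytes are constructed.

```python
import struct

# Constants exactly as given in the post.
KEEP_MASK = 0x03FFFC00    # bits carried over from the original word
DCREAD_BITS = 0x7C0003CC  # bits OR-ed in to turn the word into dcread

def ap_to_dcread(word: int) -> int:
    """Rewrite one big-endian 32-bit instruction word."""
    return (word & KEEP_MASK) | DCREAD_BITS

def patch_image(image: bytes, offsets):
    """Patch the words at `offsets`; return (patched_copy, log).

    log holds (offset, old_bytes, new_bytes) so the change can be undone
    once the disassembly has been produced.
    """
    out = bytearray(image)
    log = []
    for off in sorted(set(offsets)):
        if off < 0 or off + 4 > len(out):
            raise ValueError(f"offset {off:#x} is outside the image")
        if off % 4:
            raise ValueError(f"offset {off:#x} is not 4-byte aligned")
        (old,) = struct.unpack_from(">I", out, off)
        new = ap_to_dcread(old)
        if new == old:          # already rewritten, nothing to log
            continue
        struct.pack_into(">I", out, off, new)
        log.append((off, old.to_bytes(4, "big"), new.to_bytes(4, "big")))
    return bytes(out), log

def revert(image: bytes, log) -> bytes:
    """Restore the original words, refusing if the image has changed since."""
    out = bytearray(image)
    for off, old, new in log:
        if bytes(out[off:off + 4]) != new:
            raise ValueError(f"unexpected bytes at {off:#x}, not reverting")
        out[off:off + 4] = old
    return bytes(out)

# Constructed sample: nop, the offending word from the post, blr.
SAMPLE = bytes.fromhex("60000000" "000323cc" "4e800020")

if __name__ == "__main__":
    patched, log = patch_image(SAMPLE, [4])
    for off, old, new in log:
        print(f"{off:#06x}: {old.hex(' ')} -> {new.hex(' ')}")
```

Keep the log next to the patched copy: the patched file is only for the disassembler, and the original bytes are what the hardware actually executes.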
 
SCSI command list: https://www.t10.org/lists/op-num.htm

MMC commands are used for CD/DVD/BD drives.
SPC commands might be interesting for networking.
OSD commands might be interesting for FS access. But it appears to be dead and stuff relating to it is removed from Linux.

SCSI commands can be tunneled over ATA/IDE with ATAPI.
SCSI commands can be tunneled over ethernet networking with iSCSI.
SCSI commands can be tunneled over USB with MSD.
SCSI commands can be tunneled over IEEE1394 with SBP-2.
 
One potential issue for >8MB memory cards is that newer mcman added some devctls to get free/used space.
0x5001 -> PDIOC_ZONESZ
0x5002 -> PDIOC_ZONEFREE

However, the potential issue is the PDIOC_ZONESZ implementation in mcman (checked SDK 3.1.0) returns hardcoded values instead of the actual cluster size: 0x400 for PS2 memory cards and 0x2000 for PS1 and PDA memory cards.

Not too sure if this is an actual issue or not.
 
The code for DNAS code decryption starts at _sce_dnas2_symbol105 and __sce_dnas2_symbol11002 (in DNAS 300 net checked only), and can be found by xref from FlushCache.
The logic appears to be similar to the one as used by DNAS for HDD found in XOSD 2.11, the PSML1 viewer found in XOSD 1.31, and bn at ver 0.32 (replacing the FlushCache stuff with mprotect/cacheflush).
 
Looks like Github is more heavily cracking down on the API rate limits for unauthenticated users (now 60 requests/hour). Probably due to the massive increase of bot crawlers.

It might be a good idea to set up personal access tokens and ssh keys for usage with Github to use the higher API limits when authenticated.

If Github becomes unusable for unauthenticated users I might consider setting up mirrors to sourcehut and gitee.
 
For some reason Github decided to bill $0.01 for Actions usage even though I use it on all public repositories. I didn't see any additional charges on my card however.

For May usage was $40.44 and it was discounted by the same amount.
The top five repositories billed on my account (and then later discounted):
ps2dev: $15.46
ps2toolchain: $11.34
ps2toolchain-ee: $6.47
ps2toolchain-iop: $4.86
ps2sdk: $0.76
 
The EZ-USB FX3 looks interesting. It has UART for connecting to e.g. modem, supports USB HS-OTG so can connect e.g. USB MSD device, can also act as device in USB SS mode so can connect to PC, has GPIF II (programmable parallel interface) with 32 bit transfers usable so likely can use it to interface with SSBUS with extra wide DMA support, has 200MHz ARM processor, and has 512KB of SRAM.

It does have more peripherals than RP2350 but also it is more expensive. ESP32-C5 doesn't have USB SS and its PARLIO is less configurable (less than 32 bits supported).
 
