PS2 [Tutorial/Research] Unlocking DVD and MagicGate regions in Mechacon's NVRAM with MechaPwn (75k+)

olokos

Member
Hey,

At first I have to begin with a classic disclaimer:
Code:
/*
* Your warranty is now void.
*
* I am not responsible for bricked devices, dead MCs,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about modifications performed here
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*/

This guide is meant for advanced users to experiment and test various possibilities of the hardware that PS2 has to offer. While it worked with my model, there's absolutely no way to tell for sure how it will work on others.

With that said, any 75000+ PS2 (but before 90K) should be able to do this, but I tested it only with SCPH-75004.


  • Keep in mind, this is not a full unlock, as retail PS2's also have a PS2 logo check in DVD ROM, this is more of a semi-unlock or "as good as you can possibly unlock" the PS2 at this point, without any external devices for this to work afterwards.

    With the help of @akuhak and @l_oliveira, we have found a way to freely change regions of various mechacon components, by changing the update in nvram, which is "patching" the original bootrom.

    Breakdown of String at 0x180 in NVM.bin:
    Code:
    EEengEE (from PS2 75004 - Europe)
    E - ROMVersion
    Eeng - 4Byte language
    E - PS1 Version
    E - DVD Player region


    Each letter in that string corresponds to a specific region.

    USA region does not have a PS2 Logo check in place. I think the same goes for PS1 logo: no check in USA region.


  • In order to unlock a PAL PS2 75k4 (and probably more) you need to perform the following hex edits:
    1. "HESOYAM" (I jokingly call it that as this code is really powerful) from @l_oliveira which allows to actually unlock the MagicGate region by setting the MG region to 0x0 and makes DVD Video work again, when combined with valid string at point 2 (Please correct me if I'm wrong here.)
    Replace! (CTRL+B on HXD, not CTRL+V!)
    0x1c6-0x1d9 with hex value:
    Code:
    4D 65 63 68 61 50 77 6E 00 EC 05 0D 36 04 6F 69 B6 76 00 AF
    So it should look like so after the edit:
    [Screenshot]


    2. Editing the region string at offset 0x180 so it looks like so:
    In my case the console is originally PAL so the second and last letter is E for me, so DVD Video works again as well as original PAL games. I recommend editing the string directly on the right side in HXD instead of changing hex values here.

    If your console is NTSC/USA then Your string would be AAengAA
    If your console is JAP then Your string would be AJengAJ or AJjapAJ (not tested yet!)

    In case of an originally PAL console, the string is AEengAE:
    [Screenshot]



    3. Correcting the checksum - so ethernet works again
    Offset 0x280-0x280F
    Code:
    40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40

    Above checksum fix is meant for SCPH-75004 - if this also fixes ethernet for you and you're on a different model, please report it below!

    Above 3 modifications allow to actually make a Deckard PS2 (75k+) region free, along with reading PS1 backups, playing DVD Video with copy protection.


  • So the course of action to perform this mod would be:
    1. Start PS2Ident and save a full dump of the console - just in case.
    2. Restart console
    3. Start MechaPwn available here.
    4. Make a backup
    5. Execute exploit
    6. Once completed it will say "Unplug" on the screen - so unplug the console from power supply.
    7. Get the pendrive with your original nvm.bin and make a copy called "nvm-original.bin" (backups are important)
    8. Open HXD and perform hex edits as explained in "What to edit" - replacing the HEX values and changing string
    9. Make sure that the file size is exactly the same as original
    10. If the file size of Your modification is larger than original, then you did not replace Hex values, but pasted them in - wrong!
    11. If the file size is the same, backup the nvm.bin files that you have to a safe place on your PC, along with PS2 Ident dumps.
    12. Put the pendrive back into the PS2 with your modded nvm.bin
    13. Select keep current backup
    14. Restore nvm backup
    15. Once completed it will say "Unplug" on the screen - so unplug the console from power supply.

  • PS1 Original PAL - Works with PAL PS1 logo perfectly
    PS1 Burned USA - Works With American PS1 Logo perfectly
    DVD Video PAL - Works perfectly with interactive menu
    PS2 Original PAL game - Works without PS2 logo and with glitched playstation splash, but it works! ❤️
    (All of the above is autobooting the disc every time without any modifications or MCs inserted - from a regular OSDSYS)

    PS2 Burned PAL game - untested - most likely needs ESR patch or Masterboot disc conversion




  • - All media is being displayed in NTSC format, so Original PS1 PAL game is moved slightly to bottom right and other issues because of this may arise.

    NTSC Graphics mode Could be worked around by using GSM before booting the game from disc or PS1, but I haven't tested that myself yet.

    Most likely the graphics mode is set based on the console region string above, so experimentation is welcome.

    - If your original region is USA then it's most likely only able to play NTSC DVDs.
    In case you still want to play other regions DVDs and Your console is NTSC, you will still need a MagicGate supported MC with a DVD player update available here.


  • The point of this is also to allow non-NTSC models to run their original region DVDs WITHOUT having to have a MG Supported MC inserted, which isn't possible by simply changing the model to DTL (testkit) as all DVDs stop working, unless DVD Player update from above link is installed to a Magic Gate supported MC, then the PS2 uses that DVD Player software from MC, allowing for even more DVD Video regions support.


  • What does this allow in the end?
    - Playing original PS1 and PS2 games from ANY region
    - Playing backup burned copies of PS1 games from ANY region
    - Probably also playing backups of PS2 games from ANY region (might need ESR patch or Masterdisc conversion)
    - Playing DVD Videos of the same region as the console

    All of the above is possible via normal OSDSYS - PS2 Browser and without any memory card inserted. The games/DVD Video will autoboot with console and will be read as usual in the PS2 built in regular Browser, where you can find the MCs.

    At this point, I think that there is literally no reason to install a modchip on a 75000 PS2 whatsoever.

    If you're a noob - don't do this yet - wait for somebody to release a tool, which will do all of the modifications above in a programmatically controlled way, as this actually has the potential to leave your console permanently damaged.

    If you have consoles to burn or really know what you're doing and you have tried this yourself on some different model of console, please write your experiences and results in the posts below.
 
Last edited:
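A check for steps 9 to 11 of the post above, as an added example that is not part of the original post or of MechaPwn: it compares an edited image with the untouched backup and reports a size change or any byte changed outside the three edited areas. The function names and the 0x400-byte sample buffers are constructed for illustration, and the checksum area is assumed to be the 16 bytes listed in the post starting at 0x280.

```python
# Added example: compare an edited nvm.bin with the untouched backup before restoring it.
# Offsets and byte values are the ones quoted in the post; the buffers are constructed.
ALLOWED = {
    "region string": range(0x180, 0x187),   # 7 characters, e.g. EEengEE
    "0x1c6 patch": range(0x1C6, 0x1DA),     # 0x1c6-0x1d9 inclusive
    "checksum fix": range(0x280, 0x290),    # assumption: the 16 bytes listed in the post
}
PATCH = bytes.fromhex("4D 65 63 68 61 50 77 6E 00 EC 05 0D 36 04 6F 69 B6 76 00 AF")


def check_edit(original: bytes, modified: bytes) -> list:
    """Return a list of problems; an empty list means the edit looks as described."""
    if len(original) != len(modified):
        # Pasting instead of replacing shifts every later byte.
        return [f"size changed from {len(original)} to {len(modified)} bytes"]
    problems = []
    for off, (old, new) in enumerate(zip(original, modified)):
        if old != new and not any(off in r for r in ALLOWED.values()):
            problems.append(f"unexpected change at 0x{off:03X}: {old:02X} -> {new:02X}")
    if modified[0x1C6:0x1DA] != PATCH:
        problems.append("0x1c6-0x1d9 does not hold the 20 bytes from the post")
    region = modified[0x180:0x187]
    if not (region.isascii() and region.isalpha()):
        problems.append(f"region string is not 7 ASCII letters: {region!r}")
    return problems


def build_samples():
    """Constructed 0x400-byte buffers standing in for real dumps."""
    original = bytearray(0x400)
    original[0x180:0x187] = b"EEengEE"
    replaced = bytearray(original)
    replaced[0x180:0x187] = b"AEengAE"
    replaced[0x1C6:0x1DA] = PATCH
    replaced[0x280:0x290] = bytes([0x40] + [0] * 14 + [0x40])
    pasted = bytearray(original)
    pasted[0x1C6:0x1C6] = PATCH              # inserted, not overwritten
    stray = bytearray(replaced)
    stray[0x2C2] ^= 0x80                     # change outside the documented ranges
    return bytes(original), bytes(replaced), bytes(pasted), bytes(stray)


if __name__ == "__main__":
    original, replaced, pasted, stray = build_samples()
    for name, image in (("replaced", replaced), ("pasted", pasted), ("stray", stray)):
        print(name, check_edit(original, image) or "ok")
```
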
2023 update - The Playstation Dev Wiki now contains the most up-to-date technical details about the mechapwn, have a look there, if You want to see what some of the other bits are!

https://playstationdev.wiki/ps2devwiki/index.php/MechaCon

You can see on the wiki various variables with corresponding "Bits"
https://playstationdev.wiki/ps2devwiki/index.php/MechaCon#Bits

As previously explained, in the first post, You can change those bits Yourself, to try out a lot of different and potentially unsafe and unstable, brick causing features, some of them being really cool and epic!

  • Keep in mind that when doing any of those custom changes, You should first try and boot Your modified nvm on pcsx2. It's considered a good first-place test: if it boots on pcsx2 then it shouldn't brick Your real PS2.

    In order for PCSX2 to use Your modified NVM for testing, You need to place Your modified NVM with the same filename as BIOS and have it in the same directory as the BIOS files of PCSX2, so:
    BIOS.bin
    BIOS.nvm

    I recommend to copy the bios and nvm files as another copy into pcsx2/bios folder, so You can easily change what You want to and test it out Yourself, before trying on real hardware. PCSX2 is 78mb extracted and bios is 4kb.

  • I'll take the OOBE - Out Of The Box Experience mode flag as a good example of a flag that You can change, but isn't yet part of the mechapwn release. With a simple change of a single bit, You can enable a special PS2 mode which is only available upon first boot of the console after being unboxed brand new. The coin cell battery makes no difference to this flag, it's completely unrelated.

    [Screenshot]

    1. Take a byte at address 2C2
    2. It should be more than 0x80: 0x92 in above case, subtract 0x80 and it will become 0x12
    3. Write this byte back to the file using HXD
    4. Go to the 2CF byte and fix the checksum in HxD: 2CF VALUE+ 0x100 and then minus 0x80
    5. Then take last 2 bytes from above point calculation: in this case 0x9C + 0x100 - 0x80 = 0x11C so write 1C back.


  • Not fixing the checksum on point 4 and 5 will not brick the PS2, but instead the mechacon will take the default setting values instead, if the checksum is invalid.

    PS3 Syscon gets bricked with invalid checksum, while with ps2 it resets to defaults, which also means resetting to RGB mode which won't work on component AV cable, causing black screen on boot. It's highly recommended to always recalculate the checksum and fix it when making any single change.

    For hex calculator I've used this web based one:
    https://www.calculator.net/hex-calculator.html?number1=92&c2op=-&number2=80&calctype=op&x=62&y=26
    The windows built-in calculator is also a good choice, but needs switching its mode into HEX instead of DEC.

Following the same logic, You can try and change more of the variables listed on the wiki, but keep in mind while OOBE mode works on some consoles, it might brick others, so best to test with PCSX2 bios first, then You can just edit the nvm file with HXD straight in the PCSX directory for testing various things.
Keep in mind, even if the PCSX2 works, there's still a chance of bricking the actual console, it's not a 100% confirmation it will work perfectly, but more of a 90% chance of not-bricking! :)
 
Last edited:
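The arithmetic in steps 1 to 5 of the post above, as an added example that is not part of the original post or of MechaPwn: subtracting 0x80 from the byte at 0x2C2 and moving the checksum byte at 0x2CF by the same amount modulo 256, plus a check that an edited image changed only those two bytes consistently. The function names and the 0x400-byte sample buffers are constructed; nothing here assumes which bytes the checksum covers beyond what the post states.

```python
# Added example: the OOBE edit from the post applied to a constructed buffer.
OOBE_OFFSET = 0x2C2       # byte holding the flag, per the post
CHECKSUM_OFFSET = 0x2CF   # checksum byte, per the post


def clear_oobe_bit(nvm: bytes) -> bytes:
    """Subtract 0x80 from the flag byte and move the checksum byte by the same amount."""
    buf = bytearray(nvm)
    flag = buf[OOBE_OFFSET]
    if flag < 0x80:
        raise ValueError(f"byte at 0x2C2 is 0x{flag:02X}; high bit already clear")
    buf[OOBE_OFFSET] = flag - 0x80
    # "+ 0x100 - 0x80, keep the low two hex digits" is subtraction modulo 256:
    # the borrow is discarded so the result always fits in one byte.
    buf[CHECKSUM_OFFSET] = (buf[CHECKSUM_OFFSET] + 0x100 - 0x80) & 0xFF
    return bytes(buf)


def edit_is_consistent(original: bytes, modified: bytes) -> bool:
    """True if only the flag and checksum bytes changed, by the same amount mod 256."""
    if len(original) != len(modified):
        return False
    changed = {i for i, (a, b) in enumerate(zip(original, modified)) if a != b}
    if not changed <= {OOBE_OFFSET, CHECKSUM_OFFSET}:
        return False
    flag_delta = (modified[OOBE_OFFSET] - original[OOBE_OFFSET]) & 0xFF
    sum_delta = (modified[CHECKSUM_OFFSET] - original[CHECKSUM_OFFSET]) & 0xFF
    return flag_delta == sum_delta


def sample(flag: int, checksum: int) -> bytes:
    """Constructed 0x400-byte buffer with only the two bytes of interest set."""
    buf = bytearray(0x400)
    buf[OOBE_OFFSET], buf[CHECKSUM_OFFSET] = flag, checksum
    return bytes(buf)
```
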
I hope 2 reserved posts aren't an issue, if a lot of resources and information would be important to add to this thread.
Moderation Note:
No worries for the time being but for the sake of clarity, using tabs in OP might have produced a more effective layout and made contents updates easier for you to manage than with multiple linear posts.
Just a thought...
 
Last edited:
Is it possible to skip or enable the PS2Logo & disc boot?

I've kind of done it with the PS2_Netemu bios by blanking out the XPARAM2 command but it's still autobooting disc via ExecutePS2Disc from the OSDSYS. If you blank out XPARAM2 in the ROMDIR the bios gets halted.

I used ps2bios_unpacker to unpack the bios but I can't find any tool to repack the bios again using the extracted ROMDIR file.

I also got the PS2_Netemu bios to run PS1 games by blanking out the SYSTEM.CNF command in the ps1 bios BOOTSTRAP and have it just use PSX.EXE so it doesn't conflict and use the SYSTEM.CNF from the PS2 path by loading the extracted PS2_Softemu PS1DRV from disc.

The decrypted FMCB ELF works on PS2_Softemu along with the configurator but won't run on PS2_Netemu because of OSDSYS. If I could repack it with the OSDSYS from PS2_Softemu it'd more than likely work along with the additional used OSD files.
 