суббота, 18 марта 2017 г.

So I've mod chipped a PS2...

I may be a decade late with this (and maybe not the first one to stumble upon solution I describe here, but googling didn't turn up anything of the sort), but I recently bought myself a real Playstation 2 to check out some games that I've experienced previously only through (glitchy at times) emulation, and to remember some old PC games I used to play as a kid (that were released on a PSone too).

Long story short, I had to install a modchip in it, since its DVD drive was almost blind and I have no way to obtain game DVDs at this point either, so I could load games off a network share by the means of OpenPS2Loader and POPStarter.

If you're not afraid of SMD rework and flash programming, you might just fix your Modbo you've bought from China that won't save, if you read on :)

The story

My first thought about obtaining the modchip was to jump on eBay (infact, seeing prices for PS2 modchips on eBay was that impulsive thing that pushed me over to get a real console). So I've ordererd myself a Modbo 5.0, not being sure yet what I'm getting myself into.

I ended up impatiently getting another Modbo, this time it's 4.0 that I've bought locally. Besides my impatience, I've also decided that it would be good to have a spare option if one of them doesn't work or I mess something up, or something.

It took me an evening to install my modchip, only to find that it sorta works, but it won't save its configuration (things like DVD region, screen mode, compatibility patches, etc).
Apparently, it's a common fault with a lot of those modchips - not sure why, something about them being cheap clones of a clones (of a clones... ?) of Matrix Infinity modchips.

While I'm still waiting for my Modbo 5.0 to arrive a month later, I decided to investigate and see if I can, maybe, make my 4.0 save its settings.

Those Modbo chips seem to have only a single kind of memory, thus the only place to store their firmware and (probably) configuration - and that is SPI flash ROM, a little 8-pin chip sitting in the corner of the board.

First, assuming that settings are stored in that chip, I went to check if something obvious is blocking writes to the memory. Since I've read that some of those clone modchips brick themselves upon saving settings (I have zero knowledge of history of those modchips and their software, nor do I care much about it), I thought that there's a possibility of some sort of anti-cloning protection - that firmware might somehow detect that it's working with a 'clone' modchip and then brick it. So to prevent this, maybe the clone maker made flash write-protected so it would atleast work to some degree. It turned out that there's no write-protection on that flash chip - its /WP line is pulled high (inactive).

So then I thought, that the clone maker might have modified the firmware to not to write to the flash for some reason - maybe they couldn't figure out how to clone a particular part of the modchip and left some kind of incompatibility. That pushed me to attach my logic analyzer to that flash and attempt to see if there's something fishy going on in the communication between the modchip's main ASIC and the flash while it's saving stuff. It turned out it is!
The beginning of what's supposed to be configuration write.

First thing that kinda confused me, is that some commands wiggle not the DO, but multiple pins in response, but I haven't given much thought to it (who knows, tristated bus noise or something, right?). Then I thought that this huge low pause on DI pin was kinda weird, but couldn't make any sense of it. With the help of the datasheet for my flash chip, I decoded the thing and bascially, write command never happens, there's only a bit, where before saving it gives flash a status request, and then takes off write-protection flag. After that, it proceeds to sit there with DI pulled low for a while, and finally says "Configuration saved, press reset".

So I'm sitting there looking at the board, thinking what else could possibly be wrong, or maybe I should just give up at that point. I look at the flash chip and think that it looks dodgy - it's branded WINBOND, but without a 'D' (it's a W25X40 part, by the way). Turned out that it's not a dodgy/fake chip, it's just the flux that makers never bothered to clean off :)
But it did gave me the push to look a bit more into the datasheet. So I'm going back to the title page and read "1M-BIT, 2M-BIT, 4M-BIT AND 8M-BIT SERIAL FLASH MEMORY WITH 4KB SECTORS AND DUAL OUTPUT SPI". Hmm, that dual output business explains a lot, actually. So it's almost, but-not-really a standard SPI flash chip. 
I then just figured that makers, having been unable to find the correct part on Shenzhen market that week, maybe soldered in the wrong part which they thought was compatible, but turned out it wasn't.

Conclusion (TL;DR)

A few hours, a solder job and a flash chip later I've got my Modbo 4.0 saving its settings as it should.
I ended up replacing the flash chip for a standard one (some random Macronix 25L400 desoldered from a motherboard/video card that I programmed with the contents from the original flash chip). My new flash chip was slightly wider than the original one, so I had to bend its pins a bit to fit them onto the footprint.
So, in a nutshell, the recipe for fixing a Modbo 4.0 that won't save its configs, seems to be:
  1. Check the datasheet for the flash chip of your Modbo for any weird incompatibilities;
  2. If it is some kind of weird chip, desolder it and read out the firmware with a programmer;
  3. Get a normal, standard, 'single SPI' 25L40 chip of some sort (higher capacities MAY work too), and flash the firmware onto it;
  4. Put a new one it back into original's place.
I have to point out, though, that I have no clue if that's applicable to other versions of Modbo (although I think it might work for 5.0, but physically it looks exactly like 4.0), and it probably won't help those Modbos that are already bricked (unless you find the firmware to flash).

Do it at your own risk!

P.S. I wonder if those modchips that brick themselves have a flash ROM of smaller capacity, thus overwriting a piece of firmware with configs. Can anyone confirm?

P.P.S. If you want to take a look at my findings in logic analyzer for some reason, you can check them out here. You'll need Saleae Logic analyzer software to open those...

Комментариев нет:

Отправить комментарий