PS1/2 PS2* defeated - MechaPwn

FAST6191

At least quote the readme
README.md for MechaPwn said:
MechaPwn

Disclaimer: DO NOT USE ON A REAL DTL/DEX; this sets the QA flag, which forces the use of the retail keystore and would break memory card compatibility.

Real DEX (non-QA) flags have not been added to the public version of MechaPwn for your own safety.

The authors hold no responsibility should you break/damage your PlayStation 2 console using this software.

This tool can be used to change the region and configuration flags of Dragon-based MechaCon consoles.

This means PlayStation 2 consoles from the SCPH-5000X systems all the way to the SCPH-90000X are supported (with the exception of the DESR (PSX) consoles, which are not supported at this time; a future update is planned to address this).

Older PlayStation 2 units do NOT use a Dragon-based MechaCon and are therefore not supported; no support is planned for those in the future.

How to use?

Run MechaPwn once to install the exploit patch/payload. An initial backup of your MechaCon EEPROM will be made to the USB mass storage device (keep it safe!), then power off the console by disconnecting it from the mains when asked (MechaCon is on even when the PS2 CPU is off, so you really need to disconnect the power cord!).

Run MechaPwn again to choose which region you want and to restore the original patch set (and uninstall the exploit patch) from your MechaCon backup (you will need to reinstall the exploit patch to change your region again).

Explanations of the menu options:

CEX (Retail) will just set the region flag and machine ID of your choosing (it is not advised to mix and match different machine ID types, for example setting an SCPH-75001 ID on an SCPH-50004 console).

Retail-DEX (Debug) will let you set a QA-flagged DEX configuration/region with a DEX machine ID of your choosing; this allows MechaCon to read discs from all regions as well as masterdiscs (the retail option does not).

How does it work?

The Dragon-based MechaCon (SCPH-500xx and newer) stores configuration flags and patches encrypted in its EEPROM; the patch DES key was eventually brute-forced, which allowed code execution on those units and the full keystore to be dumped.

Normally the patch area is write-protected and cannot be written to at runtime except while using PMAP in TEST mode (this requires soldering); furthermore, the configuration area can only be written to when it is empty.

This is done to prevent an attacker, or anyone outside of Sony's own factory, from overwriting the MechaCon configuration.

However, an exploitable bug was found in the writeconfig function which allows arbitrary data to be written to the patch area; this allows writing a MechaCon patch which disables the write protection on the MechaCon configuration bits and thus setting specific regions and flags in MechaCon.

This allows the following:

On SCPH-500xx and SCPH-700xx:

Disable disc region checks (PS1 and PS2 discs from all regions as well as masterdiscs mount with data accessible)

Change the region the console reports as, as well as change the disc/KELF region that MechaCon allows

BOOT original PS2 discs from NTSC-J and NTSC-U regions directly from the OSD (NTSC-J units only)

BOOT original PS2 discs from all regions directly from the OSD (NTSC-U and ASIA (non NTSC-J) units only)

BOOT original PS2 discs from all regions as well as PS2 masterdiscs from all regions by skipping the logo check (for example by loading a disc using uLaunchELF)

BOOT PS1 disc originals and backups from the console's original region (NTSC-J and PAL consoles)

BOOT PS1 disc originals and backups from all regions (NTSC-U and ASIA (non NTSC-J) units only)

On SCPH-7500X and later models (also known as Deckard consoles):

Disable disc region checks (PS1 and PS2 discs from all regions as well as masterdiscs mount with data accessible)

Change the IOP ROM region (the ROM sets a specific bank according to the MechaCon region flags)

Change the region the console reports as, as well as change the disc/KELF region that MechaCon allows

BOOT original PS2 discs from all regions directly from the OSD

BOOT original PS2 discs from all regions as well as PS2 masterdiscs from all regions by skipping the logo check (for example by loading a disc using uLaunchELF)

BOOT PS1 disc originals and backups from all regions

FAQ:

Why do PAL/NTSC-J consoles not play NTSC/PAL discs (on SCPH-70000 and earlier)?

The IOP ROM on those consoles enforces strict logo decryption checks in both the PS1 and PS2 BIOS, which the NTSC-U BIOS (also used in ASIA consoles) does not have.

Why do consoles not run masterdiscs directly from the OSD?

An additional protection exists on the DSP, which differs between retail and debug consoles: the debug one allows MechaCon to store the masterdisc XOR key in its registers, the retail one does not. Bypassing the logo check bypasses this protection (this can be done using uLE or a future cdvdman patch in a PS2 homebrew).


Most important part for most around here
This allows the following:

On SCPH-500xx and SCPH-700xx:

Disable disc region checks (PS1 and PS2 discs from all regions as well as masterdiscs mount with data accessible)

Change the region the console reports as, as well as change the disc/KELF region that MechaCon allows

BOOT original PS2 discs from NTSC-J and NTSC-U regions directly from the OSD (NTSC-J units only)

BOOT original PS2 discs from all regions directly from the OSD (NTSC-U and ASIA (non NTSC-J) units only)

BOOT original PS2 discs from all regions as well as PS2 masterdiscs from all regions by skipping the logo check (for example by loading a disc using uLaunchELF)

BOOT PS1 disc originals and backups from the console's original region (NTSC-J and PAL consoles)

BOOT PS1 disc originals and backups from all regions (NTSC-U and ASIA (non NTSC-J) units only)

On SCPH-7500X and later models (also known as Deckard consoles):

Disable disc region checks (PS1 and PS2 discs from all regions as well as masterdiscs mount with data accessible)

Change the IOP ROM region (the ROM sets a specific bank according to the MechaCon region flags)

Change the region the console reports as, as well as change the disc/KELF region that MechaCon allows

BOOT original PS2 discs from all regions directly from the OSD

BOOT original PS2 discs from all regions as well as PS2 masterdiscs from all regions by skipping the logo check (for example by loading a disc using uLaunchELF)

BOOT PS1 disc originals and backups from all regions


Pretty nice mod option. I can't say I expected to see what amounts to a kind of softmod on the PS2 but these are increasingly interesting times.
 

KleinesSinchen

https://github.com/MechaResearch/MechaPwn

*Patch the mechacon on scph5000x to scph 9000x and the gates open.

Congrats to all involved.
Awesome! Thanks for sharing this. I think this should be on the front page. Really cool. Loading PS1 backups without a modchip. Worked for me like a charm. Just run MechaPwn.elf once, power cycle, and the PS1 backup loads like a legit disc instead of the red (You are a pirate!!) "Insert PlayStation or PlayStation 2 format CD/DVD" screen.

PS2 DVD games worked before with ESR patcher. I guess this leaves PS2 CD games.

Would have been even cooler to have this earlier, before the lasers were that old.

And as always: Huge Thank you!! to the developers!
 

kid sampson

This is great news! Do PS1 discs offer any advantages over Popstarter other than increased compatibility? Any improvements to accuracy or graphic options / smoothing as compared to Popstarter?
 

N7Kopper

This is great news! Do PS1 discs offer any advantages over Popstarter other than increased compatibility? Any improvements to accuracy or graphic options / smoothing as compared to Popstarter
It will be exactly like retail, barring physical disc quality differences, because the DRM in a PS1 disc is all in the regional lockout. Factory-pressed discs have a region code encoded in the groove by a physical wobble that CD-Rs don't have.

Mechapwn region-frees your PS2, not by looking for all valid grooves, but by ignoring the groove, rendering the PS1 DRM useless (and beating all copy protection too, because that relies on finding the region code when you're not supposed to, because games can't read the wobble - therefore only a modchip could give it to you!)

Notice that the PS2 DRM still exists, but we can use the Master region intended for burning development builds now, so we can bypass it easily. All those paragraphs were educated guesses, mind. I'm no expert on this.

Unless you're a non-Deckard PAL or J user... then you get less. *laughs in Deckard*
 

cvskid

Would this also work for PS2 CD/DVD backups as well? Last time I checked there were some DVD games that did not work with ESR patcher, like PaRappa the Rapper 2.
 

N7Kopper

Would this also work for PS2 CD/DVD backups as well? Last time I checked there were some DVD games that did not work with ESR patcher, like PaRappa the Rapper 2.
If you patch them to be Master region and then use wLaunchElf to bypass the logo DRM, it'll work if your PS2 is compatible.
 

Imancol

At least quote the readme

Most important part for most around here

Pretty nice mod option. I can't say I expected to see what amounts to a kind of softmod on the PS2 but these are increasingly interesting times.
So you can run the game directly from ulaunch? Is it valid only for PS2 or can it also be Ps1?
 

ploder

This is awesome. I never thought I'd be able to run PS1 NTSC backups natively on a PAL PS2. I changed mine from SCPH-77003 (CEX) to SCPH-77001 (DEX). Now I can run my Valkyrie Profile backup like it was a retail disc on a retail NTSC console. The screen position is also centered, which is an added bonus because with the various swap tricks up until now the screen was too low.
 

asper

Great news! Is someone able to explain to me what exactly a "master disc" for PS2 is? A backup disc? A developer disc?
 

metroid maniac

Great news! Is someone able to explain to me what exactly a "master disc" for PS2 is? A backup disc? A developer disc?

A master disc is a burned disc which a developer would use on a development console. This hack basically sets the configuration in your mechacon to think it is such a development console, allowing you to use such discs.
It's possible to patch retail disc images to be master discs by using DiscPatcher.
 

asper

A master disc is a burned disc which a developer would use on a development console. This hack basically sets the configuration in your mechacon to think it is such a development console, allowing you to use such discs.
It's possible to patch retail disc images to be master discs by using DiscPatcher.
Thank you for your answer! Last question, just to see if I got it: will a retail disc patched in that way and burned to a common blank disc be recognized by a retail console using MechaPwn?
 

AlexeySinitsyn

Thank you for your answer! Last question, just to see if I got it: will a retail disc patched in that way and burned to a common blank disc be recognized by a retail console using MechaPwn?
You can run any burned PS2 game by running the game executable with uLE, because MechaPwn mounts the disc file system.
 

metroid maniac

Thank you for your answer! Last question, just to see if I got it: will a retail disc patched in that way and burned to a common blank disc be recognized by a retail console using MechaPwn?

It will be recognised by the console, and the disc will show up in the OSD's browser. However a retail console won't be able to boot it directly because it will be unable to decrypt the PS2 logo. You can skip the PS2 logo and boot the disc by using a homebrew disc booter. wLaunchELF has such an option.
 

metroid maniac

Two additional notes that may be useful for people trying to play PS1 games with this hack. I haven't tested thoroughly so some details may be inaccurate.

PS1 games launched through the OSD will always boot up in the video mode of your console region. For 50xxx and 70xxx consoles, that will be its original region unchanged by mechapwn. For >= 75xxx consoles, that will be whatever region was set using mechapwn. If there is a mismatch between this video mode and the one the game expects, it won't display correctly.
PS1VModeNeg will autoselect the correct video mode for whatever disc you want to play by reading the SYSTEM.CNF file from it.

50xxx and 70xxx consoles will check the region string in a PS1 disc to decide whether or not to allow the game to boot. There is a tool called SetRegion which can be used to patch this string to match your console and allow imports to boot. This will not alter the video mode setting for the game and will not modify SYSTEM.CNF, which is what PS1VModeNeg uses to decide what video mode to launch with.
>= 75xxx consoles will boot any region PS1 game.
 
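The SYSTEM.CNF check the post describes (a launcher reading the disc's SYSTEM.CNF to pick NTSC or PAL), as an added example; this is not PS1VModeNeg's code, and the prefix table, the mismatch rule and the sample SYSTEM.CNF text are assumptions constructed for illustration.

```python
"""Infer a PS1 disc's expected video mode from its SYSTEM.CNF (added example)."""
import re
from typing import Optional

# Boot-executable prefixes keyed to the TV standard their region ships for.
# Assumption: the tool's real table is not shown on the page; these are the
# well-known Sony disc-ID prefixes for North America, Europe and Japan.
VIDEO_MODE_BY_PREFIX = {
    "SLUS": "NTSC", "SCUS": "NTSC",
    "SLES": "PAL", "SCES": "PAL", "SLED": "PAL", "SCED": "PAL",
    "SLPS": "NTSC", "SLPM": "NTSC", "SCPS": "NTSC", "SIPS": "NTSC",
}

# SYSTEM.CNF is a small key = value text file; only the BOOT line matters here.
_BOOT_LINE = re.compile(r"^\s*BOOT\s*=\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample: the SYSTEM.CNF of a fictional NTSC-U title (CRLF endings).
SAMPLE_SYSTEM_CNF = "BOOT = cdrom:\\SLUS_012.34;1\r\nTCB = 4\r\nEVENT = 10\r\nSTACK = 801fff00\r\n"


def boot_path(system_cnf: str) -> Optional[str]:
    """Return the BOOT= path, or None when the file has no BOOT line."""
    m = _BOOT_LINE.search(system_cnf)
    return m.group(1) if m else None


def disc_id(system_cnf: str) -> Optional[str]:
    """Extract the executable name (e.g. 'SLUS_012.34') from the BOOT path.

    Accepts 'cdrom:\\NAME;1', 'cdrom:NAME;1' and forward-slash variants.
    """
    path = boot_path(system_cnf)
    if path is None:
        return None
    name = re.split(r"[\\/:]", path)[-1]        # drop device and directories
    return name.split(";")[0].upper() or None   # drop the ISO 9660 ';1' version


def expected_video_mode(system_cnf: str) -> Optional[str]:
    """Map the disc-ID prefix to 'NTSC'/'PAL'; None when unknown or unparseable."""
    ident = disc_id(system_cnf)
    return VIDEO_MODE_BY_PREFIX.get(ident[:4]) if ident else None


def display_mismatch(console_mode: str, system_cnf: str) -> bool:
    """True when the console's fixed OSD video mode differs from the disc's.

    This is the failure the post describes: the game boots in the console
    region's mode and will not display correctly if the disc expects the other.
    """
    disc_mode = expected_video_mode(system_cnf)
    return disc_mode is not None and disc_mode != console_mode.upper()
```

Run on SAMPLE_SYSTEM_CNF, a PAL console reports a mismatch and an NTSC console does not; a SYSTEM.CNF with no recognisable BOOT line yields None rather than a wrong mode.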

enarky

This is awesome. I never thought I'd be able to run PS1 NTSC backups natively on a PAL PS2. I changed mine from SCPH-77003 (CEX) to SCPH-77001 (DEX). Now I can run my Valkyrie Profile backup like it was a retail disc on a retail NTSC console. The screen position is also centered, which is an added bonus because with the various swap tricks up until now the screen was too low.
This is a bit of a stretch, but does anyone have an OSSC and can comment if a PAL to NTSC region changed PS2 running a PS1 game outputs a proper 59.94 Hz signal or if it's still the slower PAL 59.20 Hz signal, like on modded PAL PS1 without DFO mod?
 

Elbart

Also note: PAL region set boots only PAL discs; setting to NTSC (75001) boots all regions & backups
From the FAQ (abridged):
On SCPH-500xx and SCPH-700xx:
NTSC-J and PAL consoles: BOOT PS1 disc originals from the console's original region

On SCPH-7500X and later models (also known as Deckard consoles)
BOOT PS1 disc originals from all regions
750xx is golden.

This is a bit of a stretch, but does anyone have an OSSC and can comment if a PAL to NTSC region changed PS2 running a PS1 game outputs a proper 59.94 Hz signal or if it's still the slower PAL 59.20 Hz signal, like on modded PAL PS1 without DFO mod?
On an un-MechaPwn'd console you can use PS1VModeNeg to fix that.
No idea if it works with MechaPwn, or if it's even necessary.
 
