Hi, I hope this is safe to discuss here, as I couldn't find any rule against it. The PS2 schematics are floating around the net for months now, and the other manuals are readily available for download as well. I think I found some errors in the schematics from the PS2 Service Manual for the SCPH-30000 (6th edition, GH-010/GH-012 board) regarding the ROM chips, and would like to ask for your comments on this. Has anyone found something similar? Or am I simply misreading this whole thing? Here we go, take a look at this picture (interesting points marked inline): The board has two equipment options, as there is either a single 64Mbit ROM (IC505, BOOT+DVD ROM, named "GAP BIOS" among modders) or both 32MBit ROMs present (IC503+IC506, BOOT and DVD ROMs in separate chips). First error: the /CE pin of both 32MBit ROMs is indicated to be connected to /CS2, which doesn't make sense; they'd trash each other's data once activated. I think the DVD ROM should be connected to /CS1, as per the following picture (taken from the page detailing the IOP): IC505/pin50 is /CE1, which is connected to /CS1 on the IOP bus and the DVD ROM's /CS; on the other hand, /CS2 from the IOP connects to /CE2 (IC505/pin36) and the BOOT ROM's /CS, which is consistent with modchip installation diagrams. Second error (minor): /CS1 of the IOP is reported to be connected to IC503/pin1, but that one is listed as NC. Replacing "IC 503 1 pin" with "IC 506 12 pin" makes much more sense to me. Now for the more complicated part: the big ROM/IC505. I think the circuit around its pins 15+17 as well as IC518 (a simple bi-directional buffer with two channels) is used to allow inserting the big ROM (instead of the two smaller ones) without additional changes to the IOP's bus interface/ROM adressing mode. I couldn't find the datasheets for the exact same ROM chips, but I think I know how they work. You can find a description in the datasheet of the LH532000B-1, which, albeit smaller than the PS2 ROMs, seems to use the exactly same addressing mode. The 32MBit ROMs support both a byte and a word operating mode. In BYTE mode (set by pulling /BYTE to GND, as for the BOOT ROM), each byte is read individually via the lower 8 bits of the data bus (D0-D7 on chip, SD0-SD7 on the IOP bus); to select which byte to read, D15/A-1 is used as an additional address line (LSB of the address; the IOP's SA0 for the BOOT ROM). In WORD mode, all 16 bits of the data bus are used, and the lowest bit of the address is not needed anymore, thus freeing D15/A-1 to use as a regular data line (SD15 for the DVD ROM). Thus, the schematic indicates the BOOT ROM to use BYTE mode, whereas the DVD ROM uses WORD mode. Now, I assume the big ROM uses the same addressing modes as the single ROMs for its respective part; I think it operates in BYTE mode when accessing the BIOS part, but WORD mode when accessing the DVD player. This also seems to be consistent with modchip diagrams, as they connect their BIOS points to the same lines than for the small BIOS ROM (8+2 pins, instead of 16+2 as would be needed for a BIOS ROM part in WORD mode). Now for the question: which pin is used to switch IC505 into BYTE or WORD mode? I couldn't find an obvious candidate, so I think this is controlled internally; i.e., /CE2 activates the BOOT ROM part in BYTE mode (D15/A-1 set to A-1), whereas /CE1 activates the DVD ROM part in WORD mode (D15 is used as an output). This would also explain the odd buffer IC518. Here is its schematic (Google turns up the datasheet fairly quickly): IC518 is a simple bi-directional buffer with two channels. Thus I assume this circuit to work as follows: When accessing the BOOT ROM part of the big ROM, /CE2 is set to GND, thus enabling BYTE mode; D15/A-1 has to be set to the IOP's SA0 signal now. As its using 8 data bits only, I would expect the IOP to float SD8-SD15, so the pullup resistor R527 (near IC518) would kick in and set the (S)D15 line to 1; SA0 has to be propagated through IC518 to that line now. If SA0 is set to GND, the buffer pulls the entire line low, so 0 would appear correctly at A-1. If SA1 is 1, R527 is irrelevant and A-1 is 1, as expected. When accessing the DVD ROM part, the ROM is in WORD mode, SA0 is ignored and D15 outputs to SD15. Now for the Third Error: /OE1 and /OE2 of IC518 are connected to the wrong pins of the ROM! As per the schematic, SA0 could switch (S)D15 off through the buffer if /OE2 is asserted (which is /CE1 = DVD ROM :banghead; this doesn't make any sense. /OE1 and /OE2 have to be exchanged in the schematic (connect /OE1 to /CE1, /OE2 to /CE2). To back this up, look at the board layout (relevant tracks highlighted): IC518/pin1 (/OE1, red) connects to IC505/pin50 (/CE1), whereas IC518/pin7 (/OE2, blue) connects to IC505/pin36 (/CE2). The schematic says otherwise, though, but as I understand it the circuit could not work when wired as per the schematic. One last question, as I really have no idea about that part: what's IC518/channel1 good for? It seems just to connect SD15 to itself when accessing the DVD ROM, which seems really pointless (okay, its a very small capacitor, but anyway ;-)). Or is that just another error in the schematic, and IC518/pin2 (A1) is not connected to SD15? Unfortunately the board layout doesn't show any trace going to the corresponding via on the other side, so I can't check that (its probably in an inner layer). Any ideas, comments?
Perhaps the errors are intentional ? Maybe security by obscurity strategy. I aways wondered why the boot rom were read in byte mode. Also happens on the PS1 so no surprises. They even switched to 8 bit roms on PS1 back in 1996 at the third mainboard revision on the 100x series...
Might be possible, but I doubt it. I think the errors are too obvious not to be spotted when thinking about the circuit for a moment, let alone preventing someone from understanding it. Maybe byte mode really is for PS1 compatibility? I don't have any low-level information on the IOP, so I can only speculate. Is there any information on the IOP or associated peripherals available outside of SCEI? The only information I ever happened to find were in the SPU2 Overview Manual (the SPU2 is connected to the IOP bus) and the manuals on the LSI 1394 Lead Vehicle and 1394 Node Controller Core.
Sorry, forgot to reply... :banghead: Booting from MC works differently. The system simply reads a certain file, decrypts it (via the MC-specific MagicGate processor and the region-specific decryption algorithm implemented by the mechanics controller/mechacon), then executes it like a regular game ELF. Even the "kernel update" of the IOP doesn't need any special hacks to the BIOS ROM. The IOP exports a certain function to perform a kernel update from a so-called "IOP Replacement Image", which is normally stored on regular game discs in files like IOPRP*.IMG (or DNAS*.IMG). The same mechanism can be used with an image driver loaded onto the IOP, though, so the kernel update can even be performed for a dynamically-created replacement image stored in EE memory. This is used by the utility discs to boot special kernels, like the one containing the extended SECRMAN for installing files onto the HDD or MC. Replacing the EE kernel is even more simple: start a regular program, disable interrupts, overwrite kernel image in memory. If I remember correctly, that's what the RTE of PS2 Linux does. Like the IOP kernel update, this does not need any "redirection" of the BIOS ROM as well. Google for something like "service manual" followed by the base model number of your console.
