Hardware/Disc Drive
This is an old revision of this page, as edited by Lioncash at 14:27, 16 September 2015. It may differ significantly from the current revision.
MN102 Serial Writer
If you Google "MN102 Datasheet" for long enough, you will find references to a debug interface called a "Serial Writer". This is the interface used by 9- and 6-wire mod chips to patch the drive's firmware.
It looks as though Matsushita tried to disable this interface in the D2C and newer drive controllers. A clock glitch allowed mod chip vendors to defeat this protection and use the "Serial Writer" to inject firmware.
Here is a description of the "Serial Writer" protocol commands used by most modchips. The modchip sends commands (and optionally data) to the drive controller, which responds with its status.
Command Packet Format:
XX,YY,YY,YY,YY,YY,YY,YY,YY,YY,YY,CC
Where
XX is the Command
YY is 10 bytes of data
CC is the 8 bit checksum (add first 11 bytes modulo 256)
Response
Command Byte OR'ed with result
01 = OK
02 = Bad Checksum
04 = Failed
Commands
Complete list is 10,20,30,40,50,60,70,90
20 SecretKey
Send Secret Key to unlock drive. This is the first command to be sent and enables all the others. The Secret Key is located at 0x80800 in the DVD controller's memory. If it is set to FFFFFFFFFFFFFFFF in the DVD controller's memory, then no check is made.
20, KK, KK, KK, KK, KK, KK, KK, KK, 00, 00, CC
KK is 8 bytes of secret key
CC is the 8 bit checksum
Response: 2X
30 Download Data
Downloads data to the DVD controller's RAM.
30, 00, PP, PP, PP, LL, LL, 00, 00, 00, 00, CC
PP is a 24 bit ptr (MSB first)
LL is a 16 bit length (MSB first)
CC is the 8 bit checksum
Response: 3X
The DVD controller then expects to receive length bytes of data followed by an eight bit checksum:
[Length bytes], CC
Response: 3X
NOTE: It is not important whether the second checksum (for the data) is correct, since the data has been downloaded to RAM anyway. It seems ARGON/D2Pro uses checksum = 0.
40 Execute Downloaded Data
This always follows a 30 command and causes the DVD controller to jump to the download address.
40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, CC
CC is the 8 bit checksum
Response: 4X
70 Upload Data
Uploads data from the DVD controller's memory.
70, 00, PP, PP, PP, LL, LL, 00, 00, 00, 00, CC
PP is a 24 bit ptr (MSB first)
LL is a 16 bit length (MSB first)
CC is the 8 bit checksum
Response: 7X
The DVD controller then sends length bytes of data from ptr followed by an eight bit checksum:
[Length bytes], CC
Example
Modchips do the following with my D2C drive:
1) Send SecretKey
   20 2BFCDE02F3FECA60 0000 42
2) Read 1 byte from memory location 0x08838E (I am guessing, drive type?)
   70 40 08838E 0001 838E0000 DB 71 DF DF (1st DF is data byte, 2nd DF is checksum)
3) Writes 0x49 bytes to 0x008032
   30 00 008032 0049 00000000 2B 31
4) Executes the code at 0x008032 (& maybe resets drive)
   40 00000000000000000000 40 41
5) Send SecretKey
   20 2BFCDE02F3FECA60 0000 42
6) Download 0x1312 bytes to 0x40C000
   30 00 40C000 1312 00000000 55 31
7) Executes the code at 0x40C000
   40 00000000000000000000 40 41
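For analysing a captured trace, the packet layout, checksum rule and response encoding described above can be checked mechanically. The decoder below is an added example, not part of the original page; the function names are hypothetical, the first three trace entries are taken from the Example section, and the last entry is constructed to show a checksum failure.

```python
# Added example: decode 12-byte Serial Writer command packets and response bytes.
COMMANDS = {0x20: "SecretKey", 0x30: "Download Data",
            0x40: "Execute Downloaded Data", 0x70: "Upload Data"}
RESULTS = {0x01: "OK", 0x02: "Bad Checksum", 0x04: "Failed"}


def checksum(data: bytes) -> int:
    """8-bit checksum: sum of the bytes modulo 256."""
    return sum(data) % 256


def parse_command(packet: bytes) -> dict:
    """Split XX, 10 x YY, CC and decode the fields the page documents."""
    if len(packet) != 12:
        raise ValueError("command packets are exactly 12 bytes")
    cmd, data, cc = packet[0], packet[1:11], packet[11]
    info = {"command": cmd, "name": COMMANDS.get(cmd, "undocumented"),
            "checksum_ok": checksum(packet[:11]) == cc}
    if cmd == 0x20:                      # 8 key bytes, then two zero bytes
        info["key"] = data[:8]
    elif cmd in (0x30, 0x70):            # 24-bit ptr and 16-bit length, MSB first
        info["ptr"] = int.from_bytes(data[1:4], "big")
        info["length"] = int.from_bytes(data[4:6], "big")
    return info


def parse_response(cmd: int, resp: int) -> list:
    """The response is the command byte OR'ed with the result bits."""
    if (resp & 0xF0) != cmd:
        raise ValueError("response does not echo the command byte")
    return [name for bit, name in RESULTS.items() if resp & bit]


def decode_trace(exchanges):
    """Decode (command packet hex, response byte hex) pairs from a capture."""
    decoded = []
    for packet_hex, resp_hex in exchanges:
        info = parse_command(bytes.fromhex(packet_hex))
        info["result"] = parse_response(info["command"], int(resp_hex, 16))
        decoded.append(info)
    return decoded


TRACE = [
    ("704008838E0001838E0000DB", "71"),         # step 2 of the page's Example
    ("30000080320049000000002B", "31"),         # step 3 of the page's Example
    ("40" + "00" * 10 + "40", "41"),            # step 4 of the page's Example
    ("30000080320049000000002A", "32"),         # constructed: corrupted checksum
]

if __name__ == "__main__":
    for entry in decode_trace(TRACE):
        print(entry)
```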