Title: Reverse Engineering and Behavioral Analysis of the SCPH-5502 (v3.0 Europe) PlayStation BIOS Document ID: PSX-BIOS-5502-ANL File Hash (Common): MD5: B05DEF971D8EC1F346E2A18B14C0F6BF (v3.0) Region: PAL-E (Europe, Australia, New Zealand) Console Model: SCPH-5502
1. Introduction & Historical Context The SCPH-5502 was the European variant of the third major hardware revision of the original Sony PlayStation (PU-18 motherboard). Its BIOS (Basic Input/Output System), version 3.0 (released mid-1996), represents a critical midpoint in PlayStation’s lifecycle:
Predecessor: SCPH-100x/3000 series (v1.x, v2.x) – contained the “LibCrypt” anti-modchip checks. Successor: SCPH-700x/750x (v4.x, v5.x) – removed parallel I/O port, changed CD controller. Significance of 3.0: First version to introduce enhanced region enforcement (PAL locking) and refine the CD-ROM cache routines, while still retaining the parallel I/O port (usable for cheat devices like GameShark).
The scph5502.bin is exactly 512 KB (524,288 bytes), comprised of MIPS R3000A instruction code, data tables (exception vectors, font glyphs, CD-ROM lookup tables), and a 64-byte system control block at the end. playstation scph-5502 (v3.0 europe) bios scph5502.bin
2. Memory Map & Boot Sequence The BIOS is mapped to $1FC00000 – $1FC7FFFF (KSEG1 region, uncached) on the R3000A. 2.1 Reset Vector
Physical address: $1FC00000 (mapped to MIPS reset vector at $BFC00000). First instruction: j 0x1fc00210 – skip the exception table.
2.2 Boot Flow (High-Level)
CPU initialization: Disable cache, set status register (COP0), initialize stack pointer at $8001FF00 . RAM test: Write/read verify first 2 MB of main RAM ( $80000000 ). CD-ROM controller init: Send 0x20 (set mode) to CD-ROM DSP (Sony CXD1815Q). MDEC check: Verify macroblock decoder (CXD8514Q) responds. Region check (critical for SCPH-5502):
Read console’s ROM region byte at $1FC7FF20 (value = 0xE for Europe). Compare with CD-ROM’s disc region code (sector 4, offset 0x1F). If mismatch → freeze or boot to CD player (no game).
Boot CD-ROM: Load sector 16 ( SYSTEM.CNF ) from CD, parse executable path, load PSX.EXE into RAM at $80010000 , jump. Title: Reverse Engineering and Behavioral Analysis of the
3. Cryptographic & Security Features Unlike later consoles (PS2, PS3), the PS1 BIOS has no RSA or AES. Its “security” is obfuscation and region checks. 3.1 LibCrypt (v3.0 implementation)
Not a true encryption; a checksum routine called during CD-ROM reads. Uses a custom linear feedback shift register (LFSR) seeded from CD subchannel Q data. scph5502.bin contains the LFSR table at offsets 0x33C00 – 0x33FFF . Failure to return the correct 16-bit LFSR state causes the BIOS to intentionally misread subsequent sectors (data scrambling).