I've dumped the SPI flash from a Modbo 4.0 chip with the infamous v1.99 firmware (it still says "Infinity v1.93" in the header, which is expected since it's a modification of v1.93). It's encrypted just like the regular Matrix firmware, but it's longer and contains different bytes in a few areas. Because there are some sections that are near identical with the exception of a few changed bytes, it must be encrypted with a sort of stream cipher rather than a block cipher.

Also, there's a chunk of unencrypted code at the end that is used to communicate with the chip at 0xFF00. There's similar code in the official Matrix update tool, but this chip is supposedly non-upgradable so I'm not sure when it would be used. Communication begins by pulling the DVD controller (0x1F801800 on the PS1-based updaters) and then writing "M" to the BOOTROM address (0xBFC00000 on PS1, 0x1FC00000 on PS2).

Hopefully someone will find this useful, or at least interesting. I've included the firmware files for v1.28, v1.30, v1.82, and v1.93 that I extracted from their respective updater ELFs for comparison to v1.99. The firmware is only 64KB, but the Modbo 4.0 dump is 512KB with the same 64KB chunk repeated 8 times. Maybe someone can dump a Modbo 5 chip? I wonder if it's encrypted with the same method as this chip used.

Edit: The flash had to be removed from the chip so I figured I'd sacrifice the main CPLD as well to find any helpful markings. The bottom of the chip reads "1432M6-1" and then "02 G03" in a circle inscribed on the bottom. On the PCB it reads "M5-4.0/9A A.0" where the chip was sitting.
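The two observations in the post (a 512KB dump made of eight identical 64KB images, and version-to-version differences confined to a few bytes) can be checked mechanically. The following is an added example, not code from the original post: the function names, the 8-byte block size and the SHA-256 keystream stand-in cipher are assumptions, and the sample data is constructed.

```python
import hashlib

CHUNK = 64 * 1024  # firmware image size given in the post

def mirrors_identical(dump, chunk=CHUNK):
    """True if the dump is one chunk-sized image repeated back to back."""
    if not dump or len(dump) % chunk:
        return False
    return all(dump[i:i + chunk] == dump[:chunk] for i in range(0, len(dump), chunk))

def diff_runs(a, b):
    """(offset, length) of each run of consecutive differing bytes."""
    runs, start, n = [], None, min(len(a), len(b))
    for i in range(n + 1):
        differs = i < n and a[i] != b[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, i - start))
            start = None
    return runs

def diff_density(a, b, block=8):
    """Differing bytes divided by the bytes in every block a difference touches.
    A block cipher rewrites whole blocks (density near 1.0); a byte-wise,
    stream-like scheme leaves most bytes of a touched block unchanged."""
    runs = diff_runs(a, b)
    changed = sum(length for _, length in runs)
    touched = {o // block for off, length in runs for o in range(off, off + length)}
    return changed / (len(touched) * block) if touched else 0.0

def toy_stream_encrypt(plain, key=b"constructed-key"):
    """Stand-in cipher (SHA-256 counter keystream XOR), NOT the chip's scheme."""
    ks = b"".join(hashlib.sha256(key + c.to_bytes(4, "big")).digest()
                  for c in range((len(plain) + 31) // 32))
    return bytes(p ^ k for p, k in zip(plain, ks))

def demo():
    # Constructed plaintexts: two "versions" differing in three bytes.
    old = bytes(i & 0xFF for i in range(CHUNK))
    new = bytearray(old)
    for off in (0x100, 0x101, 0x2000):
        new[off] ^= 0xFF
    enc_old, enc_new = toy_stream_encrypt(old), toy_stream_encrypt(bytes(new))
    return diff_runs(enc_old, enc_new), diff_density(enc_old, enc_new), mirrors_identical(enc_new * 8)

if __name__ == "__main__":
    print(demo())
```

On real dumps, pass the two encrypted 64KB images to `diff_runs` and `diff_density`; a low density with runs shorter than any plausible block size matches the byte-wise behaviour the post describes.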