750x for 12F629 & 12F683

Discussion in 'Modding and Hacking - Consoles and Electronics' started by Mord.Fustang, Aug 18, 2016.

  1. Apexseal

    Apexseal Spirited Member

    Joined:
    Aug 15, 2016
    Messages:
    131
    Likes Received:
    65
    I think I was able to patch Dino Crisis V1.1(USA). It works in psxfin which gets stuck at the gore message with an unpatched game.

    These are the locations for V1.1 NTSC(U), in hex editor:
    Address 1127BC will read 5886 change to 208F
    Address 58C0CC will read 5886 change to 208F

    Gonna test it on a CD and get back to you guys.

    V1.0 can be patched with Kalisto's ppf but for V1.1 there is no ppf that I know of.

    EDIT

    It worked...

    EDIT2
    For Coolboarders 2001 in hex editor go to:
    Address 0A62FE54 will read EC11 change to B41A

    This will boot games as normal without patch or trainer music (I don't know if CB2001 has more than one check point but so far so good).
    Ok got off topic LOL...

    I was able to boot both protected games (DC and CB2001) without patching but like I said timing is console and media dependent so patching would be the best option after all it is a 4 wire modchip slapped on the usb port using one jumper LOL.

    I am now sending the code 45 seconds then sending the chip to sleep so that the "SCEX" point is free of unnecessary load and still boot everything (even the slow ones). I think I'll leave it like that, after all I'm having fun learning to patch the games now I'll give medievil a shot LOL... I'm patching myself basically because I don't like the intros in some patches, that way the game looks like an original...
     
    Last edited: Sep 7, 2016
  2. Apexseal

    Here's the code that sends the string for 40-42 seconds then stops. Just in case anybody wants it, it is fair for those who want the chip to stop sending the code. There's no need to send it infinitely...
    *Copy to notepad and save as .hex*
    SCEA 12F629/12F675:
    
    SCEA 12F683:
    
    SCEE 12F629/12F675:
    
    SCEE 12F683:
    
    BTW this is what mine looks like LOL (made from scraps)

    IMG_3096.JPG

    IMG_3097.JPG

    Not pretty on the bottom but works perfectly with that tiny led (220ohm resistor to pin 3, led+ to resistor , led- to ground) which helped me see the chip going to sleep and count how many times the string was sent LOL...
     
    Last edited: Sep 9, 2016
  3. truemaster1

    Anyway, I'm gonna give a new link since the downloads are split: the full pack of region specific for PICs 12C508-12F508, 12F629-12F675 and 12F683. I also include the original 750x hex and the Apexseal mod, excluding the timer ones; they look like betas and incomplete. I also corrected your readme, Apexseal: you said in the readme that - goes to leg 6 and + to sx, but the first diagram you posted was the opposite. I also use the + to leg 6 and - to sx. Except it's the same thing, don't know.
    link
    http://frd.li/7ab9bfd9c95631b556f2b72ac8b96418
     
  4. Apexseal

    It is + to leg6 that was a mistake on my part but still works LOL (fixed above)... The timer ones are not betas, they work and do turn off (they were never meant to be stealth just turn off and save the laser). I did make it boot Dino Crisis by letting it send the code 5 extra seconds after the PS logo appears but that was just a test to see if it could be done (patching is a lot easier LOL). Stealth cannot be achieved on the USB since it would require more wires and that would eliminate the USB option and single jumper which is the main purpose (ease of installation). I am currently using the one posted above that turns off after 42 secs approx... Protected games? A patch takes 1 second to apply before burning and you can test it on psxfin to see if it worked. Psxfin does give the software terminated when the game needs the patch. Perfect emulator, that way no wasted cd's...
     
    Last edited: Sep 11, 2016
  5. Apexseal

    Turns out Old Crow's MODC508 also works on the PS2 and boots Dino Crisis (it worked for me 5 out of 5 on my USA NTSC PS2), found the source code and ported to 12F629/12F675/12F683. It can be done 4 wire internal or USB choose your venom it's the same setup... This code sends the string twice within 2 seconds of power up and keeps on sending it every 6 seconds can't tell if it is multi region or USA only, I would assume it is multi region since all other versions of it are multi region, I can't tell because it is not in plaintext in the asm file... I have no idea if it will work on any other games...

    EDIT: Yup that was it... Now booting every game including Dino Crisis unpatched still using USB port and led so I can monitor the changes I make when the string is sent. Gonna give it a good test and will be posting a link to the SCEE and SCEA of my modded versions of this file.

    Update: After a couple of tweaks it's taking the cd's a bit faster. Still booting everything and DC unpatched. I wish I knew a whole lot of asm to get to where I want it to.

    Update2: Booting every game including Dino Crisis and Coolboarders 2001 both unpatched with USB, still testing... I doubt I can beat Spyro YOTD but might as well test it...

    Update3: Spyro YOTD boots!!!

    Ok so I was able to boot NTSC/USA anti-modchip Dino Crisis, Spyro YOTD and Coolboarders 2001 (all unpatched) along with the regular games. Still want to add the disable at startup feature for loading originals. Not bad, I guess this is the first 4 wire internal or 1 jumper USB to play those titles unpatched... Correct me if I'm wrong.... Had to change a whole lot of stuff getting ideas from all the sources I have. So stealth or whatever it is called that I achieved is not an 8 wire thing after all... Geez it's not even a 5 wire thing LOL... I guess we got a Spyro-Crisis-Cool Chip LOL... Gonna do some more testing.

    Update4: Added the ability to turn off modchip by holding reset more than 3 seconds at power up. Anybody up for testing? Got 629/675/683 SCEE/SCEA/SCEI versions.
     
    Last edited: Sep 14, 2016
  6. Apexseal

    Here it is... Booted all normal games and booted antimod, tested with Dino Crisis, Spyro Year of the dragon and Coolboarders 2001... Coolboarders 2001 booted skipping intro and waiting for the intro to end both ways it booted, antimod detection is at the loading screen so it will boot whether you skip the intro or if you watch it and wait. Chip should disable itself if you leave the reset button pressed longer than 3 seconds at power up. You will notice this code is a bit bigger and you will not see the SCEX strings in hex editor because the string was not coded in ascii. Versions included: 12F629/675/683 both SCEE and SCEA.
    https://www.mediafire.com/?zd05dvy944mfw9z
     
    Taijigamer2 and truemaster1 like this.
  7. truemaster1

    You're like me: once the mind thinks of an idea we don't give up until victory :) So it's region specific and also had a timer??
     
    Apexseal likes this.
  8. Apexseal

    It's a curse I guess... LOL For an update, also booted Strider 2... It does have a timer to go to sleep and stop sending the string, if you have the switch all you have to do to play the 2nd disc of a game is simply turn off the chip for about 3 seconds, turn back on and immediately close the tray/hit eject to close/close the lid. It should boot I have no time to finish one disc to try the second one LOL... I can make it send it forever it is not as brutal as the 750x or the USBMOD2. This is very smooth and less stressing on the laser. If all the games had the protection in the same place I could boot them all with just 8 times the string is sent. The big thing here was finding out another way to send the strings (thanks to Old Crow and a nice read I did about the subject).

    Protected games tested successfully so far:
    Coolboarders 2001
    Dino Crisis
    Spyro Year Of The Dragon
    Strider 2

    Good thing I'm using pSX 1.13 emulator to verify that the games are in fact copy protected. Gonna try Grind Session next time...
     
  9. Apexseal

    Grind Session busted me... LOL... I'll adjust and see... It checked for the string 4 mins approx into the game, corrected then it checked again about 4 minutes after the first one. The thing is I could leave the chip sending the string and the other games already tested still would work. I'll test tomorrow some more.
     
  10. Apexseal

    Update on tested working NTSC/USA antimod backed up from original games from my 200+ game PSX collection:

    Coolboarders 2001
    Crash Bash
    Dino Crisis
    Emperor's New Groove
    Grind Session
    NFL Gameday 2001
    Resident Evil: Survivor
    Spyro Year Of The Dragon
    Strider 2
    Tomba! 2
    Vandal Hearts 2

    I left all the games running for about 1/2 hour each and did not get the "Software Terminated" message. All the games are protected, verified with pSX 1.13 and the 750x and USBMOD2 codes do get the message on all of them. Will post link for new code after I do a few more tests. I don't know if I'm testing them correctly but Grind Session looks for the string throughout the whole game at specific times. I left that one running for hours and it did not fail, before it would fail after 10 or 15 minutes, by then the chip was in sleep mode.

    It seems some versions of some games are protected and others are not. NBA Shootout 2001 did not fail in pSX 1.13 nor in the PS2 so I don't know if it is protected or not so I did not put it on the list.
    I do not have Legend of Dragoon so I cannot test it.
     
    Last edited: Sep 18, 2016
    Taijigamer2 likes this.
  11. Taijigamer2

    Taijigamer2 Gutsy Member

    Joined:
    Jun 29, 2015
    Messages:
    483
    Likes Received:
    179
    Great work. Was there still an issue with old crow code being multi region? Do u have any install notes for the 5 and 6 wire installs, I noticed your readme didn't specify points on mobo. Is there any way to implement tray detect for multidisc games? Would be easy to install ext switch but would be nicer to have a more sophisticated solution :)
     
  12. truemaster1

    This modchip can be installed as external USB or internal, depending on what you like more. It needs 3 wires only or a jumper between pin 1 and 4, depending on what hex you will flash it with. The hexes are region specific. For internal standard mode: pin 1 +5V, pin 8 GND, pin 6 to + leg of 1μF (1 microfarad) capacitor, and - leg of the capacitor to sx point of your motherboard (see modchip diagrams to locate the sx point of your version). For the 5V use the solder points of your USB. USB installation is the following photo (note you don't have to put an LED unless you want it). Also you have to open your console and do this: remove the resistor shown on the left corner with the yellow 1 (maybe this will be different on your console version, but with a multimeter you can find which one), and jumper the yellow point 1 of my example to your sx point (the picture with the red number 2 of my example; again it may be different on your console version).
    [​IMG][​IMG][​IMG]
     
    Taijigamer2 likes this.
  13. Taijigamer2

    Thank you Truemaster1, for your succinct response. I was asking about the Old Crow code because it was originally multi region. Apexseal also mentioned a 5 or 6 wire install for internal chips which I was curious about the benefits. I'm especially interested in the possibility of a tray detect function for multi disc games but my knowledge of Asm is very limited.

    I have installed a pic 12f629, with MM3 code, inside my psx so internal installation is not an issue for me. I would probably run an LED between pins 2 and 3 for 'Activity' indication.

    I suppose I could just install a modbo 4, but this has a good balance of ease of install to effectiveness. And it complements my FMCB setup. :D
     
  14. Apexseal

    The MODC508 does have the 4-5-6 wire versions. I would assume the extra wires do hook up to the door, reset, sx, 5v, Gnd and memory card access I would guess. Right now using it USB mode I have been able to load a few unpatched anti-mod games. The toughest one was grind session. I have left grind session running over 3 hours to come back to a working game. I don't think I can do anything else, we basically have the functionality of a stealth chip with only one internal jumper. The chip does need a jumper between legs 1 and 4 for reset button detection (hold 3 seconds at booting and it will turn off) I also added the led for testing purposes and counting... A lot of counting!!! LOL.

    The main purpose of my quest was to complement FMCB... Then I noticed that the 750x just gave a beating to the sx point. Then the second finding came out and the chip turns off after a few minutes but games need to be patched. This version keeps on sending the code at specific times but believe me, a few times per minute is nothing compared to what it used to be before (over 150 in less than 1 minute).
     
    Last edited: Sep 20, 2016
    Taijigamer2 likes this.
  15. truemaster1

    A complete modchip like modbo is simply not needed; you have freemcboot that takes care of PS2 backups. MM3 for PS2?? There is not a diagram for that (at least I don't know of one). So the best solution for you is the Old Crow modded version Apexseal made. Make sure you flash your chip with the correct version for your console.
     
    Taijigamer2 likes this.
  16. Apexseal

    The code that booted all the games mentioned above still not uploaded (been busy at work). BUT the last one uploaded will work if you don't mind patching a few games (After all it's not like patching PS2 400mb or less CD-r Games for ESR and converting them to dvd with a dummy file to make up space for the correct TOC). Remember I tested it on my NTSC/USA games, the one uploaded will go to sleep and still will boot Spyro, Dino Crisis, Coolboarders 2001 and Crash Bash I think. The one I'm testing now never turns off but still is easy on the laser. Grind Session like I said looks for the code about every 8 minutes. Tested easy, chip sleeps after 8 mins it gets the error after 8 or so after. If chip is still running at specific delays it will keep playing just fine. I could have stopped there since I don't mind patching but I just wanted to see how far I could take it.

    This Old Crow MODC508 version still catches my eye, it sends the strings in raw mode plus some more code. It almost resembles a read I did about disc wiggle and jitter at the time of manufacture. I have tried replicating this code using the exact same timings with ascii strings instead and it boots some but still gets busted. I passed by Old Crow's site and read the whole story on the chips, also read a thread at another forum from back in 2002 (waybackmachine is great) and it explained the wiggle, noise and jitter mimic using raw code. This code is actually earlier code than stealth and others. Sometimes they don't boot the first try but I just hold reset, power off and back on within 2 seconds and the second time never fails (literally never fails the second time) might be my old laser who knows. Not bad considering this old fart did not understand pic asm 78 posts ago LOL...
     
    bond.san and Taijigamer2 like this.
  17. truemaster1

    About whether the chip stresses the laser if it stays always enabled: I'm just asking on some sites, so we can clear up if the old rumor I heard is true or not.
     
  18. Apexseal

    I am not certain... But if we have lived all these years with a laser banger on our psx's and ps2's I figured this one would be next to nothing compared to the amount of times per minute the other chips send it. I did not modify much of the code it just took me a lot of time because I still barely understand pic asm. I thought that any old chip that worked on 550x or 750x psx would work on the ps2 but to my surprise it is not that way. To sum it all up 750x works but sends the string a zillion times per minute and requires patching all protected games, USBMOD is about the same thing but has the turn off option and goes to sleep after a minute or two. The first mod I posted of MODC508 goes to sleep after a while and boots some anti-mod games. The latest version I've been fiddling with has booted all anti-mod games so far, it does not go to sleep but it sends the string more than 90% less times than the others and will let you play multi-disc games..
     
    Taijigamer2 likes this.
  19. Taijigamer2

    Nice work. After reading the Old Crow notes on mod chip theory and variant chips (not sure why I haven't done already) it seems the extra wires cover

    1 vdd, 3 osc, 4 rst, 5 gate, 6 data, 7 eject, 8 gnd respectively.

    The 750x, neo seem to just use 1, 6 & 8, while your version uses 1, 6, 8 and 4 for rst. This is great for a simple internal mod or a usb mod. The 750x seems like a brute force approach while your modified code seems more subtle, well done. I'm surprised this hasn't been refined before.

    With the addition of a rst and eject detect wire, the chip could retain its sleep function. I'm sure the modbo 4 points contain these signals but I can't find any details as to which letters correspond to these points.

    It may be a future project for me to port the old crow and mm3 codes for use on ps2 but your solution is far more accessible at the moment. :p
     
  20. Apexseal

    Modbo "RE" is reset point, "SX" is Data, "CX" is CLK...Did not find anything on eject but that one should be easy...
    Found this on the web:
    • 3 Volt + power - self explanatory
    • ground -self explanatory
    • RST - reset point so modchip can detect reset button press to change the boot configuration
    • SX - SCEA, SCEE, SCEI, injected data for PS1 game
    • M N O P Q R U V W - all going to Bios chip to alter firmware by injecting data while the system boots, removes part of the copy protection (logo patch) and allows region free booting, 3rd party menu system, booting homebrew files etc
    • A B G H I - cd/dvd controller chip - removes 2nd part of hardware copy protection and region free booting - allows modchip to control the cd/dvd subsystem controller and sync with bios data injection
    • CX - PS2 internal clock oscillator - when modchip has onboard clock crystal its used to sync modchip data to PS2
    • Y - Region Free playback
     
    Last edited: Sep 20, 2016