Blue & Green Debug PS1s

Quick question to those here that have one. Do anti-mod chip games trigger their warnings/protection on these systems? If you don't know but could test some games that have protection are Spyro Year of the Dragon, Legend of Dragoon, Dino Crisis, and I'm sure there's a good bunch of others.

This isn't really an important question just a mild curiosity.

 

I'd guess not, because they don't have a modchip in them - but I'd be interested in hearing how the anti-modchip detection worked anyway.

 

No, they do not. I played the original games on the debug unit i used to own and no message was encountered. FF8 had it, and it didn't come up for me.

Correct me if I'm wrong, but believe that the way the chips worked is that they inserted the correct boot data necessary to trick the PSX a legit copy is inserted. Developers and Sony figured out ways to make their game work in a way (while it is still running) that it would make the PSX call up that boot code without having to open up the cd cover. Doing so a program from the game would check that boot code. If that boot code matched what was on the game, then it's ok, but if a different one came up then that means it detected a modchip.

Thats why they came out with the Stealth Mod Chips which simply turned itself off after the game booted up because that is only when the anti modchip program would never load up.

 

Final Fantasy 8 did not have Anti-mod in the US region. Only Japan I know for sure had it for FF8, maybe in Europe but perhaps not. The games I mentioned are all US anti-mod games. Did you play any of the games I mentioned on the debug unit?

I've heard many versions of how anti-mod stuff is supposed to work but none was very technical or convincing. All that I know for certain is that if a modchip is enabled doing its deeds while the game checks for it then you get the warning, but some people early on I believe hooked up the positive voltage going to the chip through a switch so they could easily enable and disable it.

I've heard that Stealth chips work in a way so they know when the disc is being validated and turn on for that period of time but turn off shortly after until needed again. But that's again not a very technically detailed explanation.

I do know that there was a protection called LibCrypt, never used in any US games but used in alot of PAL releases that put custom data into the subchannel track. When the game reads for this and it's not what it should be it trips the protection. I'm guessing earlier methods of copying CDs didn't reproduce the subchannel data like they do today.

I've also heard of some protected games (I think Spyro 3) had protection that when only partially cracked, later in the game it would fuck you over in gameplay somehow.

 

can't recall the title at the moment but many moons ago I played the legit copy refused to load on my then chip'd PS1 but fine on Green PS debug unit...

 

I know about this.

It's try to play in Dino Crisis (NTSC/J) on modded PSone (SCPH-102). But all fine on my DTL-H1100. I have two different editions of Dino Crisis (retail and GAME+BOOK - all NTSC/J) and all have this protection.



Sorry for bad photo.

 

Well, I'm not sure how the stealth chips work but the PSX' copy protection is pretty well documented. Basically, the 'wobble' of the data track lead-in(which, if I remember right is the deviation of the spiral's position from the "ideal" line) is used to RS232-modulate at a specific frequency. Depending on region this is SCEI, SCEA or SCEE or apparently SCEW for Yaroze discs (do they even exist?). The PSX' drive controller checks for the presence of this signal, it even allows the software to read the counter. This wobble can only be generated in pressed discs or using special CD writers as it is essentially "out-of-band" for normal drives.

All the info's out there on the cdfreaks forum, in a lot more detail too

 

I do believe there was a Sony external CD writer made specifically for the PSX. I'm not so sure if it did write a CDR with the correct error code that the PSX looks for in retail copies.

 

Very interesting. Here's another question I'll throw out there then, you talk about special CD writers. Now what I remember hearing way back was that the protection had to do with EDC and ECC sectors and the writer would correct these. So that is false then you say as it is in the lead-in where the protection is located.

But for the real question is could you take a modern CD writing drive and if you had its firmware could you modify it to write CDs with this wobble in place to burn bootable PS1 discs?

 

Well, yeah, Sony actually mastered the art of disguising their security... for a while people thought it was the black discs, then purely some ATIP data (in-band) and then the EDC/ECC rumour surfaced... which is just that. The error codes are NOT what makes up the copy protection.

The problem with the wobble is that it is already present on CD-Rs, and of course not in the right form. According to a forum member at CDfreaks, one could replace the premade wobble with a CD burner, if very precise control of the laser coils is possible. Well, usually it isn't. Of course pressed discs don't have this problem.

 

I just now bothered to read the source code to the original PS1 modchip and see exactly what you are talking about, it injects 3 groups of 4 bytes. SCEI, SCEA, SCEE. That's basically all it does too.

But the Stealth aspect is still a mystery to me. Atleast with this particular source code after power up there is a certain amount of time it takes and it sends each string (SCEI,SCEA,SCEE) and then just sits there doing nothing. So I don't know how you are supposed to detect it, but maybe this source is different than the original mods. But the source isn't supposed to be stealth either.

It's a shame no one ever decided to press their own PS1 bootable CD-Rs. Seems possible if you had access to the industrial equipment needed.

 

Sony would have put an end to that rather quickly. I doubt that they would be ok with someone pressing and selling bootable PSX cd-r's ( if thats indeed what you were getting at, it seems like it would be a lot for just one person to do to play some backups or homebrew)

 

There are a bizillion places that could press discs. You can't shut them all down. It gets tricky if a country doesn't give a shit about your company or favors the one paying them something versus threatening them.

I've been thinking about the Stealth chips. I'm not really sure on all the details but this is my current theory. The modchip connects to 1 signal which is a serial data stream and sends the SCEX codes when the system powers on after a specific time delay from when the system is powered on. This is where it gets fuzzy, I'm not sure how exactly the original mods behave after the initial bootup, if they continue to send the SCEX codes but from what I've heard I think they do. So that would be how a game could detect a modchip as it clearly is sending the authentication when it shouldn't be anymore.

Then after bootup I imagine the Stealth modchips wait in a loop for the CD lid switch to change to the open state, then it's in another loop waiting for it to be closed, send SCEX, back to the waiting state.

I can support this theory because I know one of the stealth mod signals you solder to is the CD Lid switch signal.

---------

Edit: I'm doing some tests with the modchip I have on hand that I also have the source code to. It works as I described before and will describe again. At PowerUp to the system and therefore to the chip, there is a timed delay and then SCEI, SCEA, SCEE is sent from the chip to validate the disc for any region of console. After this, this particular chip just spins on a branch instruction. This means your disc must be put it at power up, no other time will a import or copy register.

I've found this particular code also means it essentially has Stealth capability as I tested Legend of Dragoon and it booted fine. This makes me think that whatever channel the serial data for SCEX is sent on is not the same as regular disc data and that most classic modchips would continiously send out SCEI, SCEA, SCEE all the time and that you can detect this. As I mentioned before a Stealth chip should send the authentication on power up and then wait until the CD lid is opened, then wait for it to be closed, send authentication and return to waiting state.

Can anyone confirm that the SCEX authentication is on its own channel of sorts? And that Anti-Mod games trip when the SCEX codes are being sent constantly rather than on regular disc insertion.

----

Edit: Hm, Spyro 3 trips the protection still though.

Edit: Figured out that Legend of Dragoon didn't trip protection on my system the first time because of the laser being fucked up and taking too long to launch the game that the modchip was off by then or something. The laser is too screwy right now for me to do any other tests but I think I understand how this all works now thanks to some more facts I found on this subject.

 

As for the SCEX signal, I'm pretty sure it *eventually* becomes its own channel. I did some RE'ing of the PU8 CD block a few years ago and there's several chips between the RF output and the SPU, if memory serves it happens somewhere before the motorola MCU but this being some years ago I can't remember all too clearly. Of course, later units integrated most of these chips so I'm not sure how it goes there. It never got moved entirely internally, or else modchips would of course no longer be possible.

Anyway, the CD controller allows software to read the amount of SCEx codes received from the drive, perhaps protection uses this? I've always wondered what it was for really.

 

You're right. There was a not very well known command for the drive that allows you to reset an internal counter that tells you the amount of SCEx codes received. Games such as the japanese FF8 would detect a modchip by playing an audio track (basically just a random part of the data track) with the volume at zero. It would reset the counter during this time, and then it would check if the count was still zero. Modchips of the day removed the need for tricky timing or sensing the CD lid being closed by constantly sending all three SCEx codes which made them easy to detect.

So for stealth you need to detect the CD cover's status. When it is closed you send the SCEx codes, three of them, and then stop. After this you wait in that loop checking the status of the Lid Switch. If it changes to the open state, you wait for it to go back to the closed state and go back to the beginning of all this.

Some people just installed a switch to the voltage of their chip and toggling it manually. It's probably easier to use a "gate" wire which they mean the CD lid status. So that would bring you to 5 wires but I'm not really sure why I have seen chips that have 6 and 7 wires. I can't imagine what the points of them are unless they use an external clock signal.

Also, I've read that and evidence supports that you can have a modchip send the codes all the time and it will not interfere with regular disc access/reading.

 

mottzilla, i think you would find fascinating cdfreaks topic about the sega saturn copy protection... also i would consider bootable SS discs a far bigger achievement since the chances to play saturn games are getting slimmer as the hardware starts to fail due to age...

psx can be played on psx (everybody have a chipped one ), ps2 and even ps3...

in any case a success would be a wonderful news!

 

I like the Sega Saturn too, but I'm alot less aware of any good information on its protection. All I know is you can disable it completely with the System Disk. Makes you wonder if with a chip you could just tell it to disable the security checks from power up. It would also be interesting if someone could dump/copy the design of Sega Saturn modchips so they could be reproduced. But I believe Saturn chips are a bit more complex than the PS1.

Also I don't think "everyone" has a chipped PS1 or a chipped PS2. I have a chipped PS1 (3 of them actually) but no chipped PS2s. But other than myself I know of no one outside of friends on the internet that have a modded anything. But I see your point about the Sega Saturn and I share your love for the system as it really is a fantastic system. Glad I have mine modded.

Edit: I overlooked something and found this modchip I have sends SCEI,SCEA,SCEE 40 times and then loops. I think this is too long for it to effectively be steath since on a normal system it would load the game up before then and allow the game to catch it in the act.

 

I have a new question for those with Blue and Green debug units.

On the Wiki page, they say that the Green PSX will only display NTSC or PAL video mode but not both. Is this true or just BS?

Another question is that they say Blue PSX are based on the older Rev A or Rev B hardware which is similar to the SCPH-1001 retail, and the Green PSX are based on the SCPH-5001 retail. Is this true? Forinstance do the Green PSX have the laser on the right side of the system opposed to the left side?

Edit: One more for you, which if any of these debug units had external PSUs and anyone have a picture?

 

From memory blue PSX will display both NTSC/PAL in their respective formats.

One of my blue has an external PSU, one has an internal (but it may have been swapped). One is a DTL-H1001, the other is a DTL-H1101 IIRC, not sure which is which.