CD based console backups without modding?

Discussion in 'Modding and Hacking - Consoles and Electronics' started by LeHaM, Jun 17, 2015.

  1. LeHaM

    LeHaM Site Soldier

    I read (think it was on here) someone had managed to get stock PS1 consoles to boot burnt games as legit disks (much like the Dreamcast on disc boot loader thing).

    Does anyone have any info on this or am I crazy and seeing things haha

    Also what other CD consoles have a similar scenario?

    As in what consoles will play CD backups with either no console side mods or purely one disc CD exploits.

    Dreamcast
    Sega CD Has no copy protection at all IIRC
     
  2. Kappa

    Kappa Peppy Member

    PC Engine CD and PC-FX can play burned discs without modification
     
  3. Venatus Usque

    Venatus Usque Site Supporter 2014, 2015

  4. Mord.Fustang

    Mord.Fustang My goodness, it's nipley out!

    I've read before that some of the very earliest PS1 systems (maybe only J ones) could boot burned games, and it was quickly fixed with newer revisions.

    I can't find where I read that but I've read something about that before, but take it with a grain of salt.

    Edit: The PS2 kind of fits the category of being able to play burned discs without actual modification if you include the FMCB exploit.
     
    Last edited: Jun 17, 2015
  5. MottZilla

    MottZilla Champion of the Forum

    The SCPH-1000 models, maybe only those with the earliest BIOS, had a vulnerability in the CD Player. By fooling the lid sensor you could put a licensed PS CD-ROM into the system while in the CD Player. The hardware would authenticate the disc and set flags saying the disc was a licensed PS CD-ROM. Then you could use the CD Player to stop the disc and swap in a CD-R and then exit the CD Player. Upon exiting the CD Player the Shell program at the menu where you could select Memory Card or CD Player would see the flags that the disc inserted was a licensed PS CD-ROM and load the game from the CD-R.

    Apparently this was quickly fixed, probably adding in another check when exiting the CD Player. Chances are that the issue in Asia at the time was not CD-Rs but "HK Silvers" or some other unlicensed but factory pressed discs. Back in the early days of the PS I don't believe CD-R technology was available enough but the bootleg pressings probably were available throughout Asia.

    Without any internal modifications these systems can play burned discs.
    PC-Engine CD / TurboGrafx CD
    Mega CD / Sega CD
    Neo-Geo CD
    Playstation
    Sega Saturn
    DreamCast
    Playstation 2
    GameCube
    Xbox

    PCE and Sega CD have no protections, perhaps because they were the first CD systems.

    Neo-Geo CD apparently has protection on some games that needs to be cracked but no internal mods are needed.

    Playstation can boot CD-Rs via many devices that facilitate the "Swap Trick" and in fact every BIOS at least up until the one used in the SCPH-7501 systems can be Swap Tricked by swapping the spinning disc during startup. I remember doing the swap trick on my 7501 console which required I think 3 disc swaps. Most people used a Cheat Cartridge plugged into the expansion port on the back. Most of them had some way to stop the CD Motor to allow easy swapping. There is now a replacement ROM for cheat cartridges called UniROM which allows for using a secret unlocking command in the CD Controller which allows playing CD-Rs without any swap tricks. It however has a bug in the loader you must use to start a CD-R in this way which breaks compatibility with many games. One workaround is to use the GameShark Lite CD. You boot that from UniROM after unlocking the drive and then GameShark Lite to load your CD-R.

    Sega Saturn has an exploit that can be put on Action Replay and other Cartridges that uses some hardware features to inject security data or something to that effect allowing for a CD-R to be recognized as licensed and allow booting and running games. However I have heard compatibility is not quite 100%. Check the Saturn forum here about it.

    DreamCast you know you can find self-booting ISOs everywhere. Not much to say.

    Playstation 2 is vulnerable to the swap trick as well if you have the right Disc. But even better is the discovery and invention of two projects, FreeMCBoot and ESR. FreeMCBoot allows you to boot software from the Memory Card which is a feature in the BIOS of all PS2s until a certain point in the "Slimline" model production. FreeMCBoot can be used with the program ESR which is an interesting loader that allows you to boot patched PS2 DVD ISOs burned to DVD-R which makes the system recognize them as DVD Movie discs. By doing this the system will allow reading of the disc which it would normally deny when it IDs a disc as a PS2 DVD lacking the security data. One thing to note is that even if you have a Slimline PS2 that won't boot from memory card, you could get a SwapMagic Disc which boots on any console to load ESR from USB storage and then you could play DVD-Rs. I'm not 100% sure as I haven't done that but I see no reason that wouldn't work.

    GameCube has the Action Replay and SD Card adapter that can use SDLoad to load homebrew and something called GC OS that can inject "drive code" to enable running DVD-R discs. There is also I believe a harder to find disc meant to load homebrew by Datel that uses their own SD adapter. Either way, it's not that hard. You can also with a BBA and Phantasy Star Online upload programs and from there GC OS to load DVD-Rs.

    Xbox has various software exploits but also you can remove the hard drive and do things to it to "soft mod" the system.
     
    NovaFox, Taijigamer2 and SILENT_Pavel like this.
  6. Mord.Fustang

    Mord.Fustang My goodness, it's nipley out!

    Some of the things you mentioned are not one disc exploits like what OP is asking about... such as using swap discs. The Xbox needs a console-side mod so that doesn't count either.
     
  7. wilykat

    wilykat Site Supporter 2013

    Dreamcast was a big goof on Sega's part. The hardware checked for genuine GD-ROM but that didn't matter because there's no consumer GD-ROM burner or GD-R discs. People who dumped the disk hacked it to fit the smaller CD-R with a different loader that tricks DC into loading it. Sega could have fixed the DC to not load program at all from non GD-ROM disc, and treat any CD and CD-R as audio.

    Oh well, saved us a bundle by not needing modchip or cheat devices.
     
  8. abveost

    abveost Robust Member

    Nothing to fix. MIL-CD was an intentionally added feature not a bug.

    Add 3DO and CD-I to the list
     
  9. mettleramiel

    mettleramiel Robust Member

    Can't believe that no one has mentioned the Wii yet! You can install the homebrew channel with only an SD card and a copy of Smash Bros and then play all the backups you want direct from disc, or even better, installed on an external hard drive.
     
  10. Mord.Fustang

    Mord.Fustang My goodness, it's nipley out!

    Some of you are missing the point. The topic is titled:

    CD based console backups without modding?
     
  11. MoockyLoock

    MoockyLoock Robust Member

    Hello
    I may be wrong but AmigaCD32 complies with this topic.
     
    WolverineDK likes this.
  12. TriMesh

    TriMesh Site Supporter 2013-2017

    There were swap discs that did this, but you needed to disable the door switch so that the console wouldn't recognize that the disc had been changed. More recently Martin Korth (aka "no$cash") found an intentional backdoor in the CD controller code of the US and PAL consoles (but not the Japanese ones) that would let you boot copies directly. It involves sending a series of undocumented commands to the CD controller, and after this it will treat any CD-ROM XA disc with a data track as track 1 as being licensed.

    Of course, you still need some way of doing this - the easiest is to connect a ROM to the expansion port and use the pre-boot hook to send the commands to the CD controller, since that gets called early on before the console sends the GetID command to the CD drive.
     
  13. BooBoo02

    BooBoo02 Active Member

    I can say with confidence that you can add the CD32 and the CDTV to this list.
     
    WolverineDK likes this.
  14. MottZilla

    MottZilla Champion of the Forum

    I think most of us are thinking that implies "without a modchip". None of what I mentioned involves modifying the console itself besides the Xbox softmod.

    TriMesh, the unlock does not quite behave as you have stated for PS1. The unlock enables reading commands to work as normal, however the disc is still going to be identified as an Unlicensed Mode 2 disc. The PS BIOS shell program does actually check this before attempting to load a disc. UniROM is a cheat cartridge ROM replacement that allows you to do the mid-boot hook and send the unlock command. You can then actually have it load the shell program from the BIOS, which will fail to load an unlicensed disc that reading has been unlocked for because it checks the disc's ID/type and finds it is NOT a licensed Playstation disc. However reading is still possible. You can actually test this by unlocking the drive, putting a licensed disc in and having it start the BIOS shell. Once it has begun loading the game, or the game is actually in progress, you can open the lid and insert a copy of the game which will continue to play just fine as the drive is unlocked.

    Anyway, the whole point I'm making is to clarify the secret unlock (which doesn't work on Asian consoles) actually only does one thing. It allows normal Read commands to actually work on unlicensed discs. But the disc is still identified properly, and the SCEx codes are not generated. This causes a problem for anti-mod games like Legend of Dragoon and perhaps others. But the vast majority of games do not likely care about anything that could ruin this backdoor secret. The only current implementation of this discovery is UniROM which has some bugs.

    If you choose to use UniROM to explore the secret unlock you will find that as of version 0.2 that the "FastBoot" function (which you must use to load a CD-R) does not load all games properly. I could not get The Raiden Project or Final Fantasy VII to load and make it into the game. Both would freeze before then. However a workaround is to do the unlock and then load GameShark Lite, the CD based cheat program. It can properly load these games which then work fine.

    I'm hoping to eventually see a Cheat ROM replacement that does the secret unlock and then loads a patched shell program that would still attempt to load an unlicensed disc so that you would end up with a totally "stealth" method of loading CD-Rs via Expansion ROM.
     
  15. TriMesh

    TriMesh Site Supporter 2013-2017

    Well, I was trying to avoid going into too much detail - I did actually write my own code to do this, but quickly ended up losing interest for two different reasons:

    1) It doesn't work on machines with Japanese CD controllers - which includes the SCPH-xxx3 models common in HK
    2) The unlock flag is in mechacon RAM (bit 7 of location 0x9f, to be precise), and this is cleared when the CD reset command is issued

    I think #2 is the show stopper, since there are a lot of games that issue that 0x1c CD_Reset command.

    If you want to be absolutely precise, then, yes, it does nothing at all to the actual "Licensed" flag (bit 7 of location 0x90) - it's just that the command processing for the read commands (0x06 and 0x1b) checks the flag for the unlock commands before it checks for the licensed flag so they will work anyway.

    Interestingly, the 0x1c CD-ROM reset command is not listed in the normal developer docs, but some titles seem to issue it anyway. Another anomaly (from the developer API side) is that if you call CdGetDiscType() then it returns with CdlOtherFormat rather than CdlCdromFormat, but this is probably a minor issue because that call isn't used much (probably because it doesn't work at all on the DTL-H2000 and returns confusing results on the debug consoles).

    If it's the fastboot code I've seen floating around the net, it's a bit buggy anyway, so it's quite possible that this has nothing to do with the unlock. I'm not sure of the interactions between the unlock code and the modchip detection stuff - I did some quick tests with Dino Crisis (JP) on a SCPH-5501 using the unlocked CD controller trick and that seemed to work fine both using the original disc and a CD-R copy.

    The only difference I can think about my approach was that I was using the "load file" function in Caetla to start the game (upload the unlock code, run it and return to Caetla), then start the game from the CD browser.
     
  16. MottZilla

    MottZilla Champion of the Forum

    Which games send the CD reset command? NoCash said this could be a problem with some games, but no scope is given as there are no games listed as doing this sort of thing. The games I tested worked fine although I didn't test a large number of titles.

    The modchip detection depends on the game because they don't all work the same way. One method I've heard is very simple and just resets and checks the SCEx counter and basically looks to see if it keeps going up due to the old style modchip. But another method is that you can control where the laser is seeked to to test if you get SCEx codes when you shouldn't, as well as that you get them when you should. Or you can just re-read the codes in case of a swap trick.

    Legend of Dragoon does not like a CD-R running on an unlocked drive presumably because it tries to re-read the SCEx codes and gets zero. I recall the anti-mod code will catch you if you use the swap trick which would be the same issue as it would be re-reading the SCEx code from a CD-R and getting zero valid codes.

    I'm sure the issues in UniROM are related to the FastBoot as I said before if you go the long route by using the GameShark Lite program you will get the games loaded properly and they will function with the unlock and game running from CD-R. I did not test a large number of games, but I did not find a single game that had problems with the unlock. Games I tested included Final Fantasy VII, Mega Man X4, Resident Evil 3, Raiden Project, and Street Fighter II Collection. The FastBoot failed for FF7, Resident Evil 3, and The Raiden Project. Each game would freeze at some point.
     
  17. TriMesh

    TriMesh Site Supporter 2013-2017

    When I was playing around with CD emulation, I built a CD command logger, and I clearly remember seeing it in the logs (and not just the initial one that the boot ROM sends)

    Most of the games I have here are Japanese - and they all seem to implement the modchip detection in the first way - seek the disc to somewhere in the data area, send the counter reset command and then check to make sure that no SCEx strings are detected.

    Thinking about it, the easiest way to trigger another disc validation is ... to reset the CD controller. In fact, from what I remember the only things that reset the licensed flag are a CD reset or opening the drive door - so if it really is revalidating the disc then the simplest way of doing so is just sending that 0x1c command...

    Edit, the only log I can seem to find is the one from Dino Crisis - and that didn't issue a reset command. Interestingly, it *did* send a GetID, but it still booted (for reference, this was an original disc on an unmodified console).

    <- Start of copy protection check
    c=0x1a {} (GetID) [CD-ROM XA, Licensed, SCEI]
    c=0x02 {0x40,0x34,0x00} (Setloc 40:23:00)
    c=0x0e {0x01} (SetMode 1x CDDA)
    c=0x16 {} (SeekP)
    c=0x0b {} (Mute CDDA)
    c=0x03 {} (Play - current loc)
    c=0x19 {0x04} (Test - Read SCEx)
    c=0x19 {0x05} (Test - Get SCEx) [Total=0, OK=0]
    c=0x09 {} (Pause)
    <- End of copy protection check
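
One way to triage tracer output for the commands this thread singles out (GetID, the 0x1c reset, and the SCEx test results), as an added example that is not part of any post here: a Python parser for logs in the format quoted above. The sample trace is constructed from the quoted log; its last line (a 0x1c command, labelled CD_Reset) is an assumption added to exercise the reset case and was not in the Dino Crisis log.

```python
import re

# Constructed sample in the format of the log quoted in the thread.
# The final 0x1c line is NOT from the thread; it is added for illustration.
SAMPLE = """\
<- Start of copy protection check
c=0x1a {} (GetID) [CD-ROM XA, Licensed, SCEI]
c=0x02 {0x40,0x34,0x00} (Setloc 40:23:00)
c=0x0e {0x01} (SetMode 1x CDDA)
c=0x16 {} (SeekP)
c=0x0b {} (Mute CDDA)
c=0x03 {} (Play - current loc)
c=0x19 {0x04} (Test - Read SCEx)
c=0x19 {0x05} (Test - Get SCEx) [Total=0, OK=0]
c=0x09 {} (Pause)
<- End of copy protection check
c=0x1c {} (CD_Reset)
"""

# c=0xNN {params} (optional name) [optional result]
LINE = re.compile(
    r"^c=0x([0-9a-fA-F]{2})\s+\{([^}]*)\}\s*(?:\(([^)]*)\))?\s*(?:\[([^\]]*)\])?\s*$"
)

def parse_trace(text):
    """Return (cmd, params, name, result) tuples; marker lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. "<- Start of copy protection check"
        params = [int(p, 16) for p in m.group(2).split(",") if p.strip()]
        events.append((int(m.group(1), 16), params, m.group(3) or "", m.group(4) or ""))
    return events

def summarize(events):
    """Count GetID and reset commands and collect SCEx (Total, OK) results."""
    report = {"getid": 0, "resets": 0, "scex_checks": []}
    for cmd, params, _name, result in events:
        if cmd == 0x1A:
            report["getid"] += 1
        elif cmd == 0x1C:
            # Per the thread, a CD reset clears the controller's flags.
            report["resets"] += 1
        elif cmd == 0x19 and params[:1] == [0x05]:
            pairs = (kv.split("=") for kv in result.replace(" ", "").split(",") if "=" in kv)
            counts = dict(pairs)
            report["scex_checks"].append((int(counts.get("Total", -1)), int(counts.get("OK", -1))))
    return report

if __name__ == "__main__":
    print(summarize(parse_trace(SAMPLE)))
```

A nonzero `resets` count after boot is the signal asked about in the thread; a `(0, 0)` SCEx result in the data area matches the passing check described for the Japanese titles.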
     
  18. MottZilla

    MottZilla Champion of the Forum

    Well if you find any games that interfere with the unlock by doing something like issuing the reset command I would like to hear about it.
     
  19. la-li-lu-le-lo

    la-li-lu-le-lo ラリルレロ

    I think Sega/Mega CD and the 3DO could do that, too.
     
  20. TriMesh

    TriMesh Site Supporter 2013-2017

    I will dig out my CD command tracer and get it running again - I can try Legend of Dragoon on it, and if there are any other problematic games let me know and I'll try them too
     