Sun 26/11/1995

[ASCII-art logo: PlayStation]

> > > E x p o s e' - # 1 < < <

What's all this:
----------------

I've been in possession of this knowledge for quite some time, but have been reluctant to pass it out for varying reasons. I have finally decided to let this out as I am getting less and less time to myself to be able to continue to hack, crack and code.

I've seen a lot of shit in my time, but the total amount of crap that is being bandied about by both Sega and Sony (not to mention their patriots across the global networks) has to be seen to be believed. Only problem is some people actually DO believe any shit they hear or read and take it as gospel. Hopefully after reading this most of you (who have the knowledge and whom I have targeted this file for) will be able to better understand how the various protection systems work.

I've decided to release the Saturn specific expose' as a separate text file, as the amount of dissension amongst the (ab)users is so great that it brings back the old Amiga vs Atari and C64 vs Spectrum days and makes them pale in comparison.

Below I've documented the various protection methods used and how to bypass them. I've also disposed of a couple of myths that are doing the rounds as well. The last thing I'll say is that this information is correct and should be taken at face value. There is no easy way out here, just the plain facts to assist the scene.

One thing I'd like to say before we start (and one of the main reasons I never released this information previously) is that I can't stand 'professional' pirates.
I'm talking about those guys who copy the stuff and then sell it in the papers (to lamers) and especially those gooks in Taiwan and China who make mass duplications of games and deprive developers of their rightful dues. These people are scum; I made this to help the hackers and crackers out there to be able to import and play those (usually superior) games on their home units. Hopefully we'll be seeing trainers and the like (possibly even demos) now that Datel have released their Action Replays on both machines.

Enjoy!

Icepic!/TRSi

TRSi - Legends never die!

Anti-Copy Protection:
---------------------

The PSX compact disc copy protection is based upon the premise that most (if not all) CDR units and the pre-mastering processes of pressing stations will automatically regenerate a 'corrupt' sector's EDC/ECC code. Sectors 12 through 15 contain a zeroed EDC/ECC checksum (impossible), so if the PSX reads them and does not see an invalid EDC/ECC, it knows that the CD in the drive is a copy. (The EDC is simply a CRC type hash that is used as a checksum to determine whether the sector was read correctly. The ECC is the error-correction data used to reconstruct the sector's data.) The entire range of sectors is written in RAW format (2352 bytes per sector) and is completely zeroed; even the XA sub-header and the EDC/ECC are zeroed. When it is copied on a CDR, these sectors come out exact, except for the EDC/ECC code, which is (correctly) written as 0x3F13B0BC.

Note: The PSX compact discs have a black-polymer coating. This is not really an anti-copy protection mechanism. The black (actually, very dark blue) colour that is added to the polymer covering the underside of the disc does very little to change the refraction of the light from the reading mechanism. It is really more of a visual aid for easily determining whether a compact disc is pirated.
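As an added example (not part of the original text file, and not Sony's or any CD writer's code), here is a small Python tool that works the two sector-level operations this file relies on: the EDC regeneration that the section above says a burner performs on sectors 12 through 15, and the substitution of the 16-sector System Area that the country lock-out section further down describes (the job of the PSX_JAP/EUR/USA .RAW files). Everything about the layout is my assumption rather than something the text states: raw 2352-byte sectors in CD-ROM XA Mode 2 Form 1 form (sync at 0-11, header at 12-15, sub-header at 16-23, data at 24-2071, EDC little-endian at 2072-2075, ECC at 2076-2351) and the ECMA-130 EDC polynomial. The ECC bytes are never recomputed here, the sample images are constructed inside the block, and the simulated burner also fills in a default sub-header, because the EDC over an all-zero sub-header and data is itself 0 and regenerating it would change nothing.

```python
# Added example: inspects the zeroed sectors 12-15 of a raw PSX track image and
# substitutes its 16-sector System Area.  Not from the original text file and
# not Sony's or any CD writer's code.  Assumptions (mine): raw 2352-byte
# sectors, CD-ROM XA Mode 2 Form 1 layout (sync 0-11, header 12-15, sub-header
# 16-23, data 24-2071, EDC 2072-2075 little-endian, ECC 2076-2351), and the
# ECMA-130 EDC polynomial.  The ECC bytes are never recomputed here.

SECTOR = 2352
SYNC = b"\x00" + b"\xff" * 10 + b"\x00"
SYSTEM_AREA_SECTORS = 16                       # sectors 0..15, what the text says to replace
XA_DATA_SUBHEADER = b"\x00\x00\x08\x00" * 2    # assumed default: file 0, channel 0, submode 'data'


def _edc_table():
    """Reflected table for the ECMA-130 EDC polynomial (0xD8018001), init 0, no final XOR."""
    table = []
    for i in range(256):
        v = i
        for _ in range(8):
            v = (v >> 1) ^ (0xD8018001 if v & 1 else 0)
        table.append(v)
    return table


_EDC_TABLE = _edc_table()


def edc(data):
    """32-bit EDC over `data`.  All-zero input yields 0 by construction."""
    crc = 0
    for b in data:
        crc = (crc >> 8) ^ _EDC_TABLE[(crc ^ b) & 0xFF]
    return crc


def form1_edc(sector):
    """EDC as regenerated over sub-header + user data (raw offsets 16..2071)."""
    return edc(sector[16:2072])


def stored_edc(sector):
    return int.from_bytes(sector[2072:2076], "little")


def regenerate_edc(sector):
    """What a writer that 'corrects' a sector does: rewrite the EDC field from the content."""
    s = bytearray(sector)
    s[2072:2076] = form1_edc(sector).to_bytes(4, "little")
    return bytes(s)


def is_raw_image(image):
    """True if the first two sectors start with the 12-byte sync (2048-byte 'cooked' images do not)."""
    return len(image) >= 2 * SECTOR and image[:12] == SYNC and image[SECTOR:SECTOR + 12] == SYNC


def inspect_sectors(image, first=12, last=15):
    """Per sector in first..last: (everything after sync/header zero?, stored EDC, regenerated EDC)."""
    out = []
    for n in range(first, last + 1):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if len(s) != SECTOR:
            raise ValueError(f"sector {n} missing from image")
        out.append((not any(s[16:]), stored_edc(s), form1_edc(s)))
    return out


def system_area_zeroed(image):
    """The criterion the text gives for an original: sectors 12-15 have sub-header,
    data and EDC/ECC all zero.  A writer that regenerated those fields breaks it."""
    return all(zero for zero, _, _ in inspect_sectors(image))


def replace_system_area(track_image, system_area):
    """Drop sectors 0-15 of a raw track image and put another System Area in their place."""
    if not is_raw_image(track_image) or not is_raw_image(system_area):
        raise ValueError("both inputs must be raw 2352-byte/sector images")
    if len(system_area) != SYSTEM_AREA_SECTORS * SECTOR:
        raise ValueError("System Area must be exactly 16 raw sectors (37632 bytes)")
    return system_area + track_image[SYSTEM_AREA_SECTORS * SECTOR:]


def _bcd(v):
    return ((v // 10) << 4) | (v % 10)


def make_sector(lba, data, subheader=XA_DATA_SUBHEADER):
    """Constructed raw Mode 2 Form 1 sector with a valid EDC and zero ECC (ECC not computed)."""
    if len(data) != 2048 or len(subheader) != 8:
        raise ValueError("need 2048 data bytes and an 8-byte sub-header")
    a = lba + 150                                   # header MSF includes the 150-sector pregap
    header = bytes([_bcd(a // 4500), _bcd(a // 75 % 60), _bcd(a % 75), 2])
    return regenerate_edc(SYNC + header + subheader + data + b"\x00" * 280)


def demo_images():
    """Constructed 32-sector samples (not real disc data): an 'original' whose sectors
    12-15 are fully zeroed as the text describes, and the same track after a writer
    (assumed here to also fill in the default sub-header) regenerated the EDC."""
    original = b"".join(
        b"\x00" * SECTOR if 12 <= n <= 15 else make_sector(n, bytes([n]) * 2048)
        for n in range(32)
    )
    burned = bytearray(original)
    for n in range(12, 16):
        burned[n * SECTOR:(n + 1) * SECTOR] = make_sector(n, b"\x00" * 2048)
    return original, bytes(burned)


if __name__ == "__main__":
    original, burned = demo_images()
    for label, img in (("original", original), ("burned", burned)):
        print(label, "zeroed:", system_area_zeroed(img))
        for n, (zero, st, rg) in zip(range(12, 16), inspect_sectors(img)):
            print(f"  sector {n}: zero={zero} stored={st:08x} regenerated={rg:08x}")
```

On a real dump, `replace_system_area(open("track01.raw", "rb").read(), open("PSX_USA.RAW", "rb").read())` gives the converted first track, which then still has to be written in a mode that does not touch the sectors (see the firmware discussion that follows). `inspect_sectors` returns the stored and the regenerated EDC side by side rather than a verdict, so you can see exactly what a given writer put into sectors 12-15; with both sub-header and data zero the two values coincide at 0, which is why the distinction only becomes visible once the writer has filled something in.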
How to copy the disc with protection intact:
--------------------------------------------

The only way to successfully duplicate this protection system is to obtain a modified set of firmware for your CDR unit that will either:

A) Allow you to write in either disc-at-once or track-at-once mode and not automatically 'correct' what it thinks are corrupt sectors with invalid EDC/ECC codes.

B) Allow you to write the first track in RAW mode (2352-byte sectors, CD-DA) and then force the TOC to report the track as a CD-XA track.

I have a modified unit that does this (the first method), so it is possible if you have the technical knowledge and a suitable CDR unit.

Country Lock-Out Protection:
----------------------------

Let's get some things straight here. There is a lot of misinformation around (read: bullshit) from people who don't know what the fuck they're on about (ie: most internet newsgroup junkies).

The Japanese units are SCPH-1000. There are a number of different builds of these units, all with the SCPH-1000 model number, but depending on the date of manufacture they may have different ROM BIOS versions. The basic difference in the ROM BIOS is that the earlier units did not have the country code check (as it was not finalised) and therefore will allow you to use the 'swap method' to boot non-Japanese games, whilst the newer units will not (the same goes for the Euro/US machines).

The development units are SCPH-2000 and are identical to the base-build (ie: the first revision) SCPH-1000, except that their ROM BIOS has both the country and CD based protection disabled and they are a deep-blue colour instead of the typical grey.

The USA playstations are designated SCPH-3000. These are basically a cheaper build of the SCPH-1000, using 70ns RAM (instead of 60ns), and do not have the inbuilt SVHS port. They also have the country code protection check in their ROM BIOS (as with the later revision Japanese SCPH-1000s).

The Australian playstations are designated SCPH-1002.
These are identical to the US versions, except that they are PAL by default and look for the standard country code for Europe (PAL). I have not seen a European playstation, but my guess is that they are identical to the Australian unit; possibly only the model number is different.

The PSX country code lockout is based upon the first 5 sectors of the CD. Sectors 0-4 (5 total) contain the 'Licensed from' line and buffer padding, which tells the unit whether the compact disc is licensed for its area or not. This check is parsed by the ROM bootstrap at boot time, so on the newer generation of PSXs it will fail even with the disc swap method. The disc swap method only bypasses the copy protection portion, not the country code check, on those machines.

How to bypass the country protection:
-------------------------------------

Included in this archive are three (3) image files. They are the System Area from a Japanese, a European and a US licensed CD. All that is required to bypass the protection is to read the first track of the game you wish to convert, either skip or strip the first 16 sectors (0 through 15), and then substitute the correct image file in its place. The image files are called: PSX_JAP.RAW, PSX_EUR.RAW and PSX_USA.RAW. If you don't know how to do this then you shouldn't even be reading this file.

Why some games don't work with the swap method:
-----------------------------------------------

I included this because of all the total bullshit I have seen in the associated newsgroups about the PSX protection. I'll take the 'Mortal Kombat 3' fiasco as an example. Mortal Kombat 3 does NOT have protection. There are a couple of reasons why this game locks up.

Firstly, the 'swap method' is not perfect. The way it works is that the PSX takes a legitimate licensed disc and reads its TOC (Table Of Contents) into its RAM.
Then the (ab)user swaps the CD without the PSX knowing (by either holding down the drive sense switch or shorting it) and then exits the CD-DA player screen, which in turn initiates the bootstrap sequence. The problem lies in the fact that the original CD's TOC is held in RAM whilst the copy's TOC will almost certainly be different. This is most noticeable on games where your original has only a few (or no) CD-DA tracks and you try to play a game that DOES have them: you will get either 'choppy' sound or none at all, as the PSX will use the start positions and limits from the original disc's TOC. This also applies to the length of the CD-XA (Data/ROM) track! So if you boot with a small game (Ridge Racer is circa 3 megabytes) and then swap it for a game like MK3, when MK3 attempts to use the ROM kernel's 'Read_Long_Data' call it will fail, as the TOC will report that there is no data at that point, even if there is.

The problem with MK3 is in the audio tracks. MK3 uses 64 CD-DA tracks, and if it cannot access some of these tracks (especially those between 8-15) it will lock up as it thinks it has a read failure. The main problem is that MK3 is the FIRST game to use 64 tracks (the previous 'record holders' were Ace Combat (Air Combat in the US) and some bowling game; both were 48 tracks of CD-DA).

The second problem with MK3 is shoddy code. It is full of dodgy code that does weird shit with internal timers. My guess is that it is supposed to do strange things whilst in-game (pop up funny faces?), but this leads to problems as it doesn't disable these timers when in the 'Insert Coin' mode. This is probably the worst case of a rushed game I have seen to date.

Facts and fallacies:
--------------------

That the licensed PSX compact discs are thinner than conventional CDR and music CDs is true. The laser in the mechanism does in fact 'ride' at different heights during the reading of the CD.
When a licensed (read: black undercoat) CD is inserted into the unit, the laser does indeed ride slightly higher, but not high enough to actually touch the surface of the disc. When a conventional CD is inserted, it will ride at whatever height gives it the best read rate. The head tracking and riding height are adjusted by the mechanism controller, which uses the optimum reading level for each particular disc. This is calibrated when the disc is first inserted and when the TOC and protection are checked. You may have noticed that sometimes when you swap discs the PSX will not load the CD (it'll sit there spinning and seeking, making weird noises), and this is the reason why. It will not recalibrate until you reset the mechanism, which is done when you open and close the door.

There has been some talk in various circles about the 'pot trick'. This is where people open the PSX and meddle with the pots (variable resistors) that control the gain and such for the CD mechanism. These are located to the lower left, just below the CD mechanism. Adjusting these will NOT allow you to bypass the protection (as claimed by some). All it will allow you to do is either improve the reading ability of the drive in some cases, or fuck the ability to read any disc (in most other cases). I suggest you don't touch the pots unless you know exactly what you're doing and have the ability to reset them if you screw up.

The End:
--------

I can't think of anything more that is important. With this information you should be able to copy (and, if not with protection intact, still play) non-conforming games on your home unit.

One last note: When playing an NTSC game on a PAL unit (and vice versa) keep in mind that even if the 50/60Hz is switched, the colourburst will remain at the original NTSC or PAL frequency. The only way to properly play these games (as far as I've been able to ascertain) is to use an RGB cable with a Scart/Euroconnector.
Hopefully, now that Datel will soon release their Action Replay cart (not the SAVE carts, but a real hacking cartridge) for the playstation, someone will be able to just use it to disable the internal ROM kernel's protection routines, which would allow a CDR disc to be booted without swapping, etc.

If you want to contact me, you can try. If you can find TombStone, then you'll be able to get a message to me. I won't be in Australia for much longer though, as I'm going to Europe and the UK early next year.

I want nothing more than to see a decent scene evolve around the new generation of consoles, with trainers, cracks and demos. Let the games begin...

Greets:
-------

I'll probably forget a whole host of people here, but I'll try anyway:

All the TRSi boys worldwide, in whatever scene you're in.
All the users on TombStone here in Sydney, Australia.
Everyone who used to call Vanguardium.
The men at Datel in the UK, for providing the scene with their Action Replays and doing some pretty nifty reverse-engineering.
The staff at Future Publishing's 'Edge'. One of the best industry magazines to see the light of day.

vFast/TRSi: Our 'humble' leader... ;) See you when I'm over there!
MDS and Sonic/UCF: Let's see if you can 100% crack Steinberg's CuBase v2.62 ;)
Avenger/Smilesoft: For one of the best cracking tools ever! (TRON rules)
FireStarter: Tombstone is cool, but I think Vanguardium was still nice... ;)
Wolverine/TDU-Jam: Did you ever finish that Dongle autocracker?
R2D2/Outlaws: How about you, you wanna try to break CuBase 100% ???
Hoson/Hybrid: Call me, dude.
DC-Bite: 'Who the duck do you think you are' Quack. Quack.