This is a verbatim markup of article <firstname.lastname@example.org> as posted on the newsgroup rec.games.video.sony by Alex Wilkins <Alex@satellit.demon.co.uk>. Views presented in this article are not necessarily my own. If you have any questions like where to get the archives mentioned in the article, don't ask me, as I don't have them. Ask Alex instead.
- Thomas Bätzler, 14. 12. '95
Sun 26/11/1995 pp pppp lll pp pp ll pp pp ll tt tt pp pp ll tt tt ii pppppp ll aaaa yu y sssss tttt aaaa tttt ooo n nn pp ll a yu y ss tt a tt iii oo o nn n pp ll aaaaa yu y ssss tt aaaaa tt ii oo o nn n pp ll aa aa yu y sss tt t aa aa tt t ii oo o nn n pppp llll aaaa a yyyy sssss tt aaaa a tt iiii ooo nn n y yyyy > > > E x p o s e' - # 1 < < <
I've seen alot of shit in my time, but the total ammount of crap that is being bandied about by both Sega and Sony (not to mention their patriots across the global networks) has to be seen to be believed. Only problem is some people actually DO believe any shit they hear or read and take it as gospel.
Hopefully after reading this most of you (who have the knowledge and whom I have targeted this file for) will be able to better understand how the various protection systems work.
I've decided to release the Saturn specific expose' as a seperate text file as the ammount of dissension amongst the (ab)users is so great that it brings back the old Amiga Vs Atari and C64 vs Spectrum days and makes them pale in comparison.
Below I've documented the various protection methods used and how to bypass them. I've also disposed of a couple of myths that are doing the rounds as well. The last thing I'll say is that this information is correct and should be taken at face value. There is no easy way out here, just the plain facts to assist the scene.
One thing I'd like to say before we start (and one of the main reasons I never released this information previously) is that I can't stand 'professional' pirates. I'm talking about those guys who copy the stuff and then sell it in the papers (to lamers) and especially those gooks in Taiwan and China who make mass duplications of games and deprive developers of their rightful dues.
These people are scum; I made this to help the hacker and crackers out there to be able to import and play those (usually superiour) games on their home units. Hopefully we'll be seeing trainers and the likes (possibly even demos) as now that Datel have released their Action Replays on both machines.
Icepic!/TRSi TRSi - Legends never die!
Sectors 12 through 15 contain a zeroised EDC/ECC checksum (impossible) so if the PSX reads and doesn't see an invalid EDC/ECC then it knows that the CD in the drive is a copy. (The EDC is simply a CRC type hash that is used as a checksum to determine if the sector was read correctly. The ECC is used to recreate the sectors data).
The entire range of sectors are written in a RAW format (2352 bytes) and are completely zeroed, even the XA sub-header and EDC/ECC are zeroed. When it is copied on a CDR, these sectors are exact, except for the EDC/ECC code which is (correctly) written as 0x3F13B0BC.
Note: The PSX compact discs have a black-polymer coating. This is not really an anti-copy protection mechanism. The black (actually, very dark blue) colour that is added to the polymer that covers the underside of the disc does very little to change the refraction of the light from the reading mechanism. It is really more of a visual aid in easily determining if a compact disc is pirated.
I have a modified unit that does this (the first mothod), so it is possible if you have the technical knowledge and a suitable CDR unit.
The Japanese units are SCHP-1000. There are a number of different builds of these units, all with the SCHP-1000 model number but depending on the date of manufacture they may have different ROM BIOS versions. The basic difference in the ROM BIOS is that the earlier units did not have the country code check (as it was not finalised) and therefore will allow you to use the 'swap method' to boot non-Japanese games, whilst the newer units will not (as is the same with the Euro/US machines).
The development units are SCHP-2000 and are identical to the base-build (ie: the first revision) SCHP-1000, except their ROM BIOS has both the country and CD based protection disabled and they are a deep-blue colour instead of the typical grey.
The USA playstation are designated SCHP-3000. These are basically a cheaper build of the SCHP-1000, using 70ns RAM (instead of 60ns) and do not have the inbuilt SVHS port. They also have the country code protection check in their ROM BIOS (as with the later revision Japanese SCHP-1000's).
The Australian playstations are designated SCHP-1002. These are identical to the US versions, except that they are PAL by default and look for the standard country code for Europe (PAL).
I have not seen a European playstation, but my guess is that they are identical to the Australian unit, possibly only the model number is different.
The PSX country code lockout is based upon the first 5 sectors of the CD.
Sectors 0-4 (5 total) contain the 'Licensed from' line and buffer padding which tells the unit that the compact disc is either licensed for its area or not.
This check is parsed in the ROM bootstrap at boot time, so on the newer generation of PSX's it will fail - even with the disc swap method. The disc swap method only bypasses the copy protection portion, not the country code check on those machines.
The image files are called: PSX_JAP.RAW, PSX_EUR.RAW and PSX_USA.RAW.
If you don't know how to do this then you shouldn't even be reading this file.
Mortal Kombat 3 does NOT have protection. There are a couple of reasons why this game locks-up.
Firstly, the 'swap-method' is not perfect. The way it works is that the PSX takes a legitimate licensed disc and reads its TOC (Table Of Contents) into its RAM. Then the (ab)user swaps the CD, without the PSX knowing (by either holding down the drive sense or shorting it) and then exiting the CD-DA player screen which in turn inititates the bootstrap sequence.
The problem lies in the fact that the original CDs TOC is held in RAM whilst the copies TOC will most certainly be different. This is most noticable on games where your original only has a few (or none) CD-DA tracks and you try to play a game that DOES. You will either get 'choppy' sound (or none) as the PSX will utilise the starts and limits of the original discs TOC.
This also applies to the length of the CD-XA (Data/ROM) track! So if you boot with a small game (Ridge Racer is circa 3 megabytes) and then swap it for a game like MK3, when MK3 attempts to use the ROM kernals 'Read_Long_Data' call it will fail, as the TOC will report that there is no data at that point, even if there is.
The problem with MK3 is in the audio tracks. MK3 uses 64 CD-DA tracks, and if it can not access some of these tracks (especially those between 8-15) it will lock-up as it thinks it has a read failure. The main problem is that MK3 is the FIRST game to use 64 tracks (the other 'record holders' were previously Ace Combat (Air Combat in the US) and some bowling game, both were 48 tracks of CD-DA.
The second problem with MK3 is shoddy code. It is full of dodgy code that does weird shit with internal timers. My guess is that it is supposed to do strange things whilst in-game (pop up funny faces?) but this leads to problems as it doesn't disable these timers when in the 'Insert Coin' mode. This is probably the worst case of a rushed game I have seen to date.
There has been some talk in various circles about the 'pot trick'. This is where people open the PSX and meddle with the pots (variable resistors) that control the gain and such for the CD mechanism. These are located to the lower left just below the CD mechanism. Adjusting these will NOT allow you to bypass the protection (as claimed by some). All it will allow you to do is either improve the reading ability of the drive in some cases, or fuck the ability to read any disc (in most other cases). I suggest you don't touch the pots unless you know exactly what your doing and have the ability to reset them if you screw up.
One last note: When playing an NTSC game on a PAL unit (and vice-versa) keep in mind that even if the 50/60Hz is switched, the colourbust will remain on the original NTSC or PAL bandwidth. The only way to properly play these games (as far as I've been able to ascertain) is to use an RGB cable that uses a Scart/Euroconnector.
Hopefully now that Datel will soon release their Action Replay cart (Not the SAVE carts, but a real hacking cartridge) for the playstation, someone will be able to just use it to disable the internal ROM kernals protection routines which would allow a CDR disc to be booted without swapping, etc.
If you want to contact me, you can try. If you can find TombStone, then you'll be able to get a message to me. I won't be in Australia for much longer though as I'm going to Europe and the UK early next year.
I want nothing more than to see a decent scene evolve around the new generation of consoles with trainers, cracks and demos.
Let the games begin...
\|/ ____ \|/ @~/ .. \~@ Alex Wilkins /_( \__/ )_\ UK Satellite Data Research \__U_/
$Id: psx_cd_faq.html 1.3 1996/01/11 23:51:56 thb Exp thb $