How PSX Copy Protection Works
by Lord Xarph (xarph@blueneptune.com)
Remember back in The Old Days, when copy protection schemes were getting weirder and weirder?
Spiradisk, weird formatting, code wheels, etc.? (For some kickass documentation on this, check out Trixter/Hornet's Life Before Demos at: www.oldskool.org/shrines/lbd)
One of the most interesting schemes was physically damaging the disk - using a laser to burn a hole in the disk, then attempting a read or write at that point. If the read/write failed, then the disk was authentic and the game was loaded.
Well, you can't exactly burn a hole in a CD-ROM, but you can do the next best thing: cause a read error at precisely that point.
How do you do this with a CD, especially one that is supposed to be mass-produced on a press? Easy: encode a few sectors with impossible checksums. Icepic!/TRSi has written a highly technical FAQ that has exact figures which helps a great deal. Use your favorite search engine. A search on Altavista for [+playstation +faq +Icepic!/TRSi] turned it right up.
In a nutshell, sectors 12-15 on an authentic PSX disc have a checksum of zero, which is impossible. The PlayStation, on boot, checks for this, finds that the checksum for 12-15 is impossible, authenticates, and goes to check the country code (more on this later).
"So just copy the zero checksum!" Wrong-o. The whole key to this fact is that consumer CD recorders are incapable of writing invalid checksums. Consumer recorders receive bit-by-bit data of the files or content of the disc. They do not receive "redundant" data, which includes checksums. These the recorder determines on its own and writes by itself automatically. Sony manufactures burners for its licensees that will allow user-level control of the checksums and whatnot.
Does this mean you're up shit creek? Of course not. We're hackers, dammit.
You can either patch the firmware in the CD-R to allow the copying of what it thinks are illegal checksums (could be hard) or modify the PlayStation to ignore a valid checksum (easy).
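The checksum relationship described in this section, as an added example that is not part of the original article: the per-sector checksum (the EDC field) is recomputed from the sector contents and compared with the stored value, which is why a zeroed field over non-zero data stands out. It assumes a raw 2352-byte-per-sector image with the ECMA-130 sector layout; the function names and the 16-sector sample image are constructed for illustration.

```python
import struct
SECTOR = 2352                                  # raw CD sector size in bytes
SYNC = b"\x00" + b"\xff" * 10 + b"\x00"        # 12-byte sync pattern
# EDC is a CRC-32: reflected polynomial 0xD8018001, initial value 0, no final XOR
EDC_TABLE = []
for i in range(256):
    r = i
    for _ in range(8):
        r = (r >> 1) ^ (0xD8018001 if r & 1 else 0)
    EDC_TABLE.append(r)

def edc(data):
    """Recompute the EDC over the covered bytes of a sector."""
    r = 0
    for b in data:
        r = (r >> 8) ^ EDC_TABLE[(r ^ b) & 0xFF]
    return r

def classify(sector):
    """Compare the stored EDC of one raw sector with the recomputed value."""
    if len(sector) != SECTOR or sector[:12] != SYNC:
        return "not-raw"
    mode = sector[15]
    if mode == 1:
        start, end = 0, 2064                   # sync + header + user data
    elif mode == 2 and not sector[18] & 0x20:
        start, end = 16, 2072                  # Form 1: subheader + user data
    else:
        return "unchecked"                     # Form 2 EDC is optional; mode 0 has none
    stored = struct.unpack_from("<I", sector, end)[0]
    if stored == edc(sector[start:end]):
        return "ok"                            # includes all-zero data, whose EDC really is 0
    return "zero-edc" if stored == 0 else "mismatch"

def scan(image, first=0, last=15):
    return {n: classify(image[n * SECTOR:(n + 1) * SECTOR]) for n in range(first, last + 1)}

def make_sector(lba, payload, zero_edc=False):
    """Constructed Mode 2 Form 1 sector; the 276 ECC bytes are left as zeros."""
    bcd = lambda n: (n // 10) << 4 | n % 10
    f = lba + 150                              # header address starts 2 seconds in
    header = bytes([bcd(f // 4500), bcd(f // 75 % 60), bcd(f % 75), 2])
    body = bytes(8) + payload.ljust(2048, b"\x00")
    check = 0 if zero_edc else edc(body)
    return SYNC + header + body + struct.pack("<I", check) + bytes(276)

def demo():
    # Constructed image: sectors 0-11 consistent, sectors 12-15 with a zeroed EDC field
    return scan(b"".join(make_sector(n, b"\x01", zero_edc=n >= 12) for n in range(16)))
```

A sector whose covered bytes are all zero legitimately has an EDC of zero, so the check reports "zero-edc" only when the stored field is zero and the recomputed value is not.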
Country Codes
Copy protection is just one half of a puzzle.
In the console world (and now, the DVD world), you have to deal with country codes. These wonderful things tell what systems the disc is "authorized" to run on; U.S./Canada machines, Japanese machines, PAL machines, etc.
In the case of the PlayStation, the first five sectors on the CD inform the PlayStation of the country code. Fortunately, the checksums on this area are correct, so if you want to dupe the disc with a different code (i.e., the one for your PSX), strip sectors 0-15 from the image of your source and put on the system area from a valid disc.
At this point, I should stop and make one thing clear: I have not done this. I do not copy PlayStation games. My PlayStation has been modified to run imports, not CD-Rs. I buy originals because I like the idea of people actually getting paid for their hard work. All CD-Rs I have seen have invalid headers and hence require a modified PlayStation to run. This is for information only, blah blah blah. Let us continue...
So you can't figure out how to modify a PlayStation disc to work on your unmodified PlayStation and decide to mod it. First you need to know what model PSX you have.
PlayStation Model Numbers
Model numbers on the PlayStation have a 3-digit model identifier and a 1-digit region identifier.
The model number is on the bottom of your PlayStation in the form: SCPH-XXXY
Additionally, you can identify the model based on the feature set, the color of the box it came in, and the same model number printed on the base of the box.
- SCPH-XXX0 - Japanese Model
- SCPH-XXX1 - U.S./Canadian Model
- SCPH-XXX2 - PAL/Europe Model
- SCPH-100Y - These are the very first PlayStation models.
The SCPH-100Y model comes in two flavors: below serial number 592000, and above. If you have the lower serial, you can play imports or CD-Rs without modifications. If you have the upper, you can, but it's so damn hard you shouldn't even try. It came in a box with black sides.
The SCPH-200Y is a developer's model. Same as SCPH-100Y, but in a blue case with more RAM and the copy protection/country detection disabled.
The SCPH-300Y model is the Net Yaroze system. Basically a stripped down, consumer version of the developer's kit. I'm not touching this with a 40 foot pole; I'd be here for five more pages. Use a search engine and find out for yourself. To make reference to Brock Meeks' Beyond HOPE keynote - "I'm not Martha Stewart, and this ain't a recipe for a bundt cake."
The SCPH-500Y model only exists as the 5000 model as far as we know. This was a Japan-only release according to people who have seen it. I don't know much about it.
The SCPH-550Y model fixed an overheating problem affecting SCPH-100Y models that caused the lens track to warp, lose focus with the disc, and start skipping on anything streamed off the CD (if you use cheap-o blanks to burn CD-Rs, you'll get the same problem. Another reason to buy originals, hint hint!). The CD mechanism is turned 90° clockwise to keep it away from the power supply. It also was the first model to remove the RCA jacks from the back and cost $100 less than the SCPH-550Y. It came in an orange box.
The SCPH-700Y model sold for six months in the U.S. It had a glorified spectrum analyzer and a redesigned board that was harder to modify. Can't remember what color box it came in.
The SCPH-750Y model is the same as the SCPH-700Y except that it comes in a metallic-looking box that includes a DualShock controller (duh) instead of a standard one. For some reason some people got the idea that this was the only model a DualShock would work on. Not true.
The SCPH-900Y model has a completely redesigned mainboard that took longer than usual to figure out how to modify. Sony also removed the parallel port from the back. They don't have any peripherals that use it, and the only peripherals for it are unlicensed. A good chunk of those are "external mod chips" and whatnot that Sony wishes didn't exist. More on these down the line.
Booting Invalid Discs
There are three commonly accepted ways to boot a disc with an invalid header.
Swapping: If you have a first-edition SCPH-100Y, then you can do a swap trick to run an invalid disc. The first PlayStation loaded the header information from a disc prior to initiating a boot sequence. Newer models check it as part of the bootstrap process, but with the first edition, you can boot into the PlayStation CD player, have it load the Table of Contents (TOC) (and hence, the header information) from a valid disc, then swap the disc with an invalid one without triggering the lid-open sensor. Exit the CD menu, and the bootstrap will be done without rechecking the header.
I'm not going into any more detail on how this is done - once again, search engines are your friends - but I will say this makes for a very poor choice. For one, the motor is still spinning while you swap the discs (Game enhancer people: shut up; I'll get to you in a bit), and excessive swapping damages the motor.
Also, games that use redbook audio (that's standard audio you play in your CD player) will use the old table of contents for track start/end frames, so your music will be incredibly screwed up.
Mod Chipping: This is, by far, the most common and, in my opinion, best way to run invalid discs. This is what is described in Flack's column, so I'm not getting into how you do it. One thing Flack left out was where you solder the mod chip to the board. Let's hear it again, campers: Search engines are your friend! A search on Altavista for [+playstation +mod +installation +pictures] turned up 271 hits.
Now the downside to chipping, which Flack left out probably because his article was written before the term had even been invented: Lock-outs. Starting with two Japanese games named PoPoRoGue and I.Q Final, Sony started putting code on select PlayStation titles that hung the game when it detected a mod chip. This worked by sending a second start signal to the PlayStation after the game had already booted. A standard PlayStation would reject the start signal; a modified one would not. Hackers, naturally, jumped all over this. Within a few weeks, it became known that entering a code in a GameShark would bypass the lockout code and boot the game. A low-tech solution was to simply install a switch on the mod chip and turn it off after the bootstrap process. Additionally, new "stealth" chips are available that bypass this lockout code altogether.
Game Enhancers: Now, the part of the article I've been itching to write ever since Matt's letter in 16:2 (which was fully half incorrect, hate to say it). Game Enhancers, and all their knockoffs, are not GameSharks. The GameShark, manufactured and sold in the U.S. by Interact, is the only parallel port device for the PlayStation that does not allow you to play invalid discs out of the box. The knockoff versions of the GameShark do allow you to boot invalid discs - by re-enabling the swap trick from the first edition SCPH-100Y series! Now, you boot into the Game Enhancer's CD player with a valid disc, swap, and then bootstrap. The Game Enhancer even stops the motor for you. Early model PlayStations screwed up the audio TOC when swapping; from what I hear, the Game Enhancer and its ilk do not.
So why isn't everyone using Game Enhancers? For starters, the new SCPH-900Y PlayStations don't even have a parallel port to plug them into. Also, most add-on discs don't function with a Game Enhancer - add-on discs basically reboot the PlayStation in the middle of a session, and the Game Enhancer can't alter that secondary sequence in any way. Some Game Enhancers allow you to run add-ons by manually starting the executable, but that only works on games where there is an executable - the current fad is to embed the entire game in a disk image on the CD itself with a pointer for the system that links to a sector inside the subsidiary image. I don't even want to think about hacking that at this time of the evening.
PlayStation Emulation
One of the major legal wars currently raging is over two software packages: Connectix' Virtual Game Station, and Bleem LLC's Bleem!.
Both of them are (almost) fully-featured PlayStation emulators that allow you to play PlayStation games on your Mac or PC. In the case of Bleem!, the graphics are improved by piping them through a 3D accelerator if one is available. Sony, naturally, is spitting nails over these emulators. Sony is claiming they infringe on their intellectual property rights (they don't; not one bit of Sony code is used) and is attempting to gain injunctions against both products to keep them from shipping.
One of the obvious reasons Sony is so angry is that it's remarkably easy to hack both these programs to play invalid discs; they can't out of the box. I'm not going to say how this is done - mostly because I don't know - but rest assured it's quite possible.
Legal Ramifications
All right, trot out the legal disclaimers: I am not a lawyer, all of the above was for educational purposes, if you get sued and go to jail or get nailed with a fine because of this stuff, it ain't my fault, etc., etc., etc.
There are a frightening number of companies that spam rec.games.video.sony with distressing regularity offering the sale of PSX "backups." I find this truly amazing. What these companies are doing, any way you measure it, is illegal. I'm going to quote now from the rec.games.video.sony FAQ:
3.15 - Are CDR backups legal?
In a nutshell: maybe. This is a very confusing topic that has led to many a flame war in the newsgroup. Just so you have some reference points, this is all based off information from the IDSA (International Digital Software Association), the entity you'll most likely be tangling with if you get busted for piracy. The law in question is 17 U.S.C. Section 117(2). As for countries other than the U.S.: If your country has signed the Berne Convention, these apply to you. If not; you're on your own.
Basically, you have the right to make one copy of a game that you own an original of for archival purposes (read: your dog decides to play Frisbee with it or other such damage).
The law states that you cannot post or download a backup off the Internet. Backup server operators: yer screwed.
You cannot sell backups unless you are the copyright holder of the software. Backup sellers: yer screwed.
The backup copy can only be transferred to another person if the original is also transferred and the transfer is part of the transaction of all rights in the program. In other words, you can't trade a backup unless you own the rights to the game.
As for backup services? Who knows. Just keep in mind that the IDSA has many very expensive lawyers at their disposal for the sole purpose of making your life a living hell.