PSX/PS2 Selfboot Breakthrough !?!

I think (or hope ;-) I'm now very near these tricky little bits.

Here are some nice results:

I've done a very cool reconnaissance: Now I know exactly where the PSX Laser searchs for the countrycode-bootsector. The place is exact 16-17 mm from the begin of the inner CD circle. I simply glued a small paper near the laser-lens and watched from the (under-)side at which location the lense moves when the BIOS looks for the "Bootsector". And because I have a switchable ModChip, I know now exact the location and priod of this 2 times, when this happens.

The location must be on the very edge of the LEAD-IN. And I've found Information that its possible to read out the Bootsector, and the next info, it was in italian language, but I've understanded it so far, the first! CountryCode protection is in the PREGAP!!

An other info told us the Country Code Bytes are streamed from the Subchannels, so its logic this Country Code is located in the PreGaps Subcode (this is a 2 seconds or 150 sector big "unused" space directly before the usual ISO or BIN Sector start, but on PSX-CDs these sectors start with 00 00 20 00 00 00 20 00 Subheader, which is Mode2 Data!).

O.K., What we need: A software which is able to Read out and burn the RAW uncorrected Pregap with Subchannels. I have already a burning Soft called "Gamejack" which is able to read out the Pregap, but doesn't write the 2448 Bytes big Sectors 1:1 on the CD.

I hope in the future Clone CD could implement this feature!! Write and Read RAW the very first Pre Gap.

(Yes, and eventually in the future we need a new ISO File Standard - 2352 Bytes Mainchannel and 96Bytes Subchannel = one Sector).

Then I have the problem because I don't know if my Subchannel data is correct.

My old 16x Liteon Reader spits out Subchanneldata with only: 55 55 55 55 AA AA AA AA 55 55 55 55 AA AA repeated

The new Liteon CD-ReWriter 32x12x40:
80 C0 80 C0 80 80 80 C0 80 80 and this all in all 96 Bytes long in the PreGap and 00 40 00 00 00 00 00 40 00 00 40 40 00 00 Patterns (@'s) in the "usual" Data area.

Please if you want to help me in this case read out an original PSX-CD with a Software and Drive which is able to read this PreGap Subchannel and tell me how they look!

Anyway, I think this PreGap is our last chance at all to burn selfbootable backups. If the bootprotection is encoded in the datatrack-wobble or something we can forget it, my opinion. By the way I checked the PS-X-Change and they used a Replication Mastering Software which was able to write the PreGap - they used Prassi.

If someone knows tricks or possibilities how to easy burn pregaps pls let me know.




One day and 8h of testing later:
----------------------------------------

Strike! Bingo!

The Boot Code is direct on this PreGap place!

Proov it: You can cover whole 16mm (0,63 inch) from the inner circle or totally a circle with 2,4 cm (0.95 inch) radius of a orig. PSX-CD and they will still boot! But if you cover only a little and very small stripe beyond that, finito! You can still read out the whole Data, but the bootprocess halts on the Originals.

What is the importance of these discoverys:

1. The bootsector is far away from the inner circle, and so its never near the ATIP or the BarCode!

2. The Bootsector is NOT inside the LEAD-IN, its directly on the End near where the Data starts!

3. I'm as good as shure its encoded in the PreGaps Subchannel, and its possible to READ out and burn this Pregap with RAW subchannels.

4. If it should not be possible to burn the PreGap with Subchannels RAW and Uncorrected, there maybe still is a way to move or manimpulate this Subcode Data until it Works!

I know here on this forum are the best and talented CD-Craxx so please help to beat this 8 Year old Protection once and forever. THX U!

CU, Sam



by the way here's how it started our 2 months long and crazy hunt for the PSX-boot:

http://www.moogman.com/forum/mainboard.php

Maybe the country info is in fact located on the pregap.
The BlindWrite team also claimed, that maybe their software will copy this protection one day.
As far as I know, the pregap of the first track is somehow special, because in opposite to all the other pregaps, it isn't contained in the image, and it is also present, even if you don't specify a pregap in your cuesheet.
In fact every additional specified pregap will be added to the standard 2 second pregap.
By example:

FILE test.bin BINARY
TRACK 01 AUDIO
PREGAP 00:01:00
INDEX 01 00:00:00

will give you a final pregap of 3 seconds on your CD, violating the CD standard.

it would be very nice if phillips brought out the burner that can copy anything

if the multinationals deviate more from the standards , they will.

thx everyone for your interest and the help with the "illegal" PreGap tricks. I hope we can find some more guys, maybe from HongKong ;-), which can help us to hack this protection.



Here are now the whole PreGap Analyses of the last 6 hours:

A bit frustrating for me on my comparisons is the fact,
that complete every! Disc I have tested has no subchannels
in the 1st second of the Pregap and always! a C0 80 mixed
Subchannel Pattern on the 2nd second!
This could mean that this 2nd second Subcodes in no way
contains any Country Code, because they consist of the
totally identicals Bytes or byte Patterns like all! other
Discs.

The only really unique thing is the Mode2 Subheader
on all of the 75 sectors of the 1st second on all
of the 1st PSX CD Pregap. But maybe this is only an old
CD-XA standard?! Because in this 1st second Pregap
there is no data in the main- nor in the subchannel.

This Quest for the Bootsector meanwhile for me is a true
Odyssee. This is really unbelievable crazy. But I ask my-
self how the China Guys have done it. Shure, they use
professional CD Printing or Pressing Systems to create
their X-Change2's and selfbootable HongKong Silvers, but
where did they get the "Master-Record"?? Did they
"organized" themself a RAW bootsector Binary directly from
Sony or from anywhere of their factories, or what did
they used for reading out the RAW Lead-In and all this
"uncopyable" junk?! And what the h*ll if in the near
future all this "cracked" CD-Protection Companys ask
Sony for help.... will we need a Modchip for our PC?
;-)

Oh Man, I would never mentioned that this near 10 year old
CD Protection is still such a hard nut for our newest
CD-Writers and after all because of the Modchips REALLY
not worth to hang in there. So I have to repeat my state-
ment: If I don't find really very new and good Insider-
Infos about this "Mastermind" Protection I can't and won't
continue with this "Selfboot-Project". Sorry.

But in the end I'm satisfied: I and We X-rayed this whole
thematic no perfect and complete. We cleared out that
NO SINGLE Bootdisc ISO out there workes without ModChip,
we now know exactly where the Protection is and where not.

But unfortunatly a lot things in the digital world are
hardware dependent. And so this one. Without the right
equipment still today no one would be able to read out
20 year old Atari2600 cartridges. Compared with such
"problems" our PSX or PS2 "nonselfboot problems" are
really very small. ;-)

But on the other hand I think its
a certificate of poverty for our modern "Hitec"times.
And I really wonder how long we have to wait until
such "childproblems" are solved. ;-)


Maybe we should beg Sony personally:
-----------------------------------------
"Come on guys, you've had a lot of success and
earned really good money with your PSX, but now
its an 'antique' ;-) system, so please do us a favour
and tell us how to backup it selfbootable,
we only want to play this old titles on our
unchipped PS2,
and we will buy as service in return your new
uncopyable PS2 DVD Games. Hey, is this a deal!?"

;-) ;-) ;-)

CU, Sam





O.K. enough of the nice words, here now the new results:
********************************************************

Subh.=Subheader SubC.=SubChannel=Subcode
EDC=ErrorDetectionCode M2=Mode2
Mode2 Subheader: 00 00 20 00 00 00 20 00



PSX orig.CDs |1st 75sectors Pregap | 2nd 75sectors Pregap
---------------------------------------------------------
Demo 99 Mode2 Subh., no SubC. no Subh., C0-80 SubC.
with no EDC Checksum no EDC Checksum
Audio Tracks


Al.in t.Dark Mode2 Subh., no SubC. no Subh., C0-80 SubC.
with no EDC Checksum no EDC Checksum
Audio Track


Evil Dead Mode2 Subh., no SubC. no Subh., C0-80 SubC.
no no EDC Checksum no EDC Checksum
Audio Tracks


Riven Mode2 Subh., no SubC. M2 Subh., C0-80 SubC.
no no EDC Checksum no EDC Checksum
Audio Tracks


PS-Xchange2 Mode2 Subh., no SubC. M2 Subh., C0-80 SubC.
no 3F 13 B0 BE Checksum 3F 13 B0 BE Checksum
Audio Tracks

--------------------------------------------------------

burned PSX Mode2 Subh., no SubC. M2 Subh., C0-80 SubC.
CD no EDC Checksum EDC!, special Data:
(burned with 54 44 49 01 50 01 01 01 01 80 FF FF FF 00
CD Master Pro) Data on begin of every Second2 Preg.Sector

burned Data no Subheader,no SubC. no Subh., C0-80 SubC.
CD CDROM Mode1 EDC & ECC CDROM Mode1 EDC & ECC

orig. Data no Subheader,no SubC. no Subh., C0-80 SubC.
CD CDROM Mode1 EDC & ECC CDROM Mode1 EDC & ECC

orig. Audio no Subheader,no SubC. no Subh., C0-80 SubC.
CD no EDC Checksum no EDC Checksum

orig. no Subheader,no SubC. no Subh., C0-80 SubC.
DreamCast CD CDROM Mode1 EDC & ECC CDROM Mode1 EDC & ECC
with Audio

@Sam123456789
I wonder, how some manufacturers managed it to create boot discs for the PSX (so it doesn't need to be modified) ...
BTW: How did you read out the data from the pregap?
Some websites claim, that PSX discs use "bad blocks" or "bad sectors" for copy protection. But I never encountered a PSX CD with bad sectors (EDC/EDC). Any idea?

There are two ways you'll encounter psx discs with bad sectors. The first is if you borrow one from your local video store which has been scratched by previous borrowers. The second is if you get a badly manufactured Asian pirate copy which usually are full of bad sectors and other errors. However, you'll never encounter them on an undamaged licensed original.

I was always under the impression that early PSX CDs had a small area (within the first 20 sectors) of invalid EDC (all zeros).

Apparently that's why early versions of Bleem! wouldn't play back-up games, because the Bleem! developers thought that they had correctly identified a characteristic of the PSX protection and they implemented that check in their software to keep Sony off their backs. But apparently this EDC error was caused by a strange anomaly with the model of CD Burner Sony used for mastering discs. When they changed the burners used in their mastering procedure, the games were produced with correct EDC and Bleem! needed a quick fix to rectify the situation.

Is this a myth or is it the truth behind the erroneous claims of bad sectors being part of PSX protection?

BTW, please excuse me if these are worthless rumours. Whilst I do take an interest in CD protections and suchlike, I must admit that the subject is certainly not my speciality by any means. I don't own a PSX and I don't intend to, but I would like to understand how Sony created a protection which has remained so effective.

Searching around the Internet for a bit, I found this link. I dunno if the information in it is accurate, though . . .

trying to defeat the psx is almost impossible without a modchip. you fellas are talking about burning pregaps and whatever, it wont work. try putting something over the barcode of a ps1 or ps2 game, i stuck a very small piece of tape over the very inner bit of the game and it said please insert psx or ps2 format cd. so you need the entire barcode and simply, if you wanted to copy a game without the need of a modchip you would need a pressing machine with a completely blank cd. the blank cant have an ATIP and must go almost all the way to the centre to get an exact copy of the barcode.

good luck anyway

Exaxct this site, I meant for example when I talked about those "bad sectors".
But even Discworld (PAL/German), which is meanwhile really old, doesn't seem to contain any of them.

from what i understand, they HAVE to be pressed, so they coudl be pressed with the same code as an original ps game. how they managed to do anything after that, though, still puzzles me.

First: Thx Olli for fixing the problems of reading subchannel data in Pre-Gap with Lite-On drives!!!


This is our final chance to burn selfbootable PSX backups, so please help together to find such a burning software.

We need a burning soft which is capable to read AND write the first! pregap RAW DAO96 uncorrected!


I've written the PS-XChange2 totally RAW uncorrected with CloneCD, and after that I saved both CDs as RAW ISOs with DiscJuggler, because this software is able to read and save the whole data, inclusive the Pregap with subchannels RAW.

Then I've compared both ISOs with File Compare32 and the only difference was the subchannels of the very first PreGap, and only the 2nd second.

O.K., in the next years I doubt we have a chance to read AND over all write the Lead-In RAW DiscAtOnce, but there must be a way to write the first PreGap intentionally.

Maybe CloneCD can implement this feature in the future, lets hope. Maybe there is a trick with an edited cue-sheet.

If you want to experiment with the software which was used mastering the PSXChange2, you'll find it here:

Pra**i CD Rep Prof.:

http://ftp.boe.tcc.edu.tw/cpatch/cdr/cdrep/source/

And if you click there parent directory you eventually find a useful patch... ;-)

(its from 1998 and no more available on their website, so who cares!)

CU, Sam



x.x:
Sorry to all, I will reply later to your posts.thx f interrest.


The complete PSX Boot description! :
http://www.moogman.com/forum/viewthread.php?record=877

@little-endian:
>> I wonder, how some manufacturers managed it to create boot discs...

Yes, me too, I'm shure Sony didn't gave them a original Bootmasterdisk for pressing their own Bootdisks or already selfbooting Hong Kong Silvers. So with the right equipment there must be a way to read out and write or press all the data which is needed to make disks autobootable.

Meanwhile I hardly doubt that there is any EDC/ECC bad block protection at all. Because a lot of new orig. PSX disc have these "zeroed" 12-15 sectors no more, even the PSXchange2 doesn't have them. And I've found some information that a zeroed EDC doesn't renders a sector bad. No, if the sectors EDC is zeroed this only signals that the EDC for this sector is "switched off". So I think we can forget this EDC/ECC "rumor", and besides it would be no problem to burn them with RAW DAO96 uncorrected. But I'm as good as shure this is not the bootprotection!


@philamber & Bilto:
Thx for your information and Bilto, I think your information is not just a rumor. But the only thing I don't get is why all these "PSX backup cracks" and tutorials or FAQs want to tell us this would be the protection and with a hardware which is able to burn uncorrected we would get selfbooting backups! I wonder if they've ever self burned any booting backup! Some are written 1996, a long time before RAW DAO96 and the new CloneCD, so why should they know all this so exactly?


@god of burning:
Hey what your talking about? What you've written is not true!! You can overwrite for shure the ATIP, the Barcode and a big part of the LEAD-IN region, and an original Disc will still boot. Just use a watersolutable CD-Marker and paint a ring as far as possible starting from the inside. So don't please tell us storys, there are too much lies about bootdisc etc. on the internet, and the most of them I've already defeated with my own tests!!!
In the meanwhile I'm really allergic for all these lies!


@ckin2001:
The question is: Why they have to been pressed? I suspect there is unreproducable information in the LEAD-In, and as long no burning Software is able to read and write RAW the whole LEAD-In with subchannels maybe we have no chance - only if the bootinformation is located in the Pregaps Subchannel. At the moment I'm focusing my research on this area.


CU, Sam

I still can't believe that lots of people still trust (even backing them up with their own false claims) ancient articles - I've stop beleiving those PSX articles ages ago.

I've proved that bad sectors as protection were false claims in a forum way back with a Ricoh 6200 (2x - very old model recorder). It could copy those zeroised EDC/ECC and some bad sectors with Goldenhawk's CDRWIN back then. And still people wouldn't listen.

@Sam123456789, in the past 3 years, I've tried a couple of theories myself. The closest I've got to is looking at the code of the first generation mod chips. In one of the mod chip source you can easily see what the bytes of the country code protection consists of - I'll repeat them here (one of these will exist on the original PSX depending on the country):

SCEE
SCEI
SCEA

The above are the ASCII representation, but will of course be in binary bits on the CD.

They will be present some where on the CD that our readers cannot read from. The solution is to find out where these are written to. And if possible, make a program that will generate these and write to the CDR - so that you wouldn't need to read them from the PSX CD (you can't read them anyway).

Oh damned, this selfboot problematic drives me crazy:

Here, read this new posting from


Is it just an evil lie to keep the selfboot mythos alive or is it true??!!

http://www.moogman.com/forum/viewthread.php?record=449

Reaper Grim
neoangel1222@aol.com
Posted: 2002-06-30 - Post reply
--------------------------------------------------------------------------------
About the whole burned disk not working...that's not entirely true. I once recieved a PSX game that had been burned, and it worked totally fine in my non-modified PSX. I never had to use a boot disk or anything. But he did mention that it was burned in a certian manor, though he never did say exactally why. That and the game did have a short lifespan. The disk became unreadable and it had places where it would freeze up and not load after maybe, 80 hours of playing it. There is a way to burn it, but I don't think downloading it would work. Unless you were downloading an image file of the disk, then that might work, cause you'd be getting an exact copy. I dunno, just thought it might help some of you out.

On a side note, I had a question. Has anyone ever heard of a PS2 Boot disk (preferably one you can buy) that can play import PSX games? I'd rather not spend the extra however much and buy a PSOne or PSX when I already have a PS2. Thanks all


......
...
.



CU, Sam

Hallali! The hunting season for the bootprotection has begun! ;-)

Hi Truman and thx for your reliable information.
Your "theory" is a prooved factum! This information is also
told by different modchip sites, as ex.:

Playstation Mod Chip FAQ
http://modchip.aeug.org/faq.html


Question 2. How does a mod chip work?

Answer2. The mod chip will generally have a minimum of two i/o connections to the
playstation mainboard. These go to opposite sides of an inverter gate which
transmits subcode data information from the CD controller to the main CPU.
This data stream indicates the region of the CD in use. By driving the input
of this gate logically low, the output is floated. Then on the other side
a new data stream can be injected by the mod chip.

The data that the CPU is looking for is a serial data stream at 250bps
consisting of the characters SCEI, SCEE or SCEA depending on whether the
console is Asian, PAL or North American. By sending all three data streams
in a rotating sequence, the chip can satisfy the console that it is reading
a CD of the appropriate region.
...

The subcode (=subchannel) data must contains these bytestrings in some kind of hexvalues, they should contains 53 43 45 (SCE = S ony C omputer E ntertainment). Maybe in encrypted form, and I think this string is repeated to prevent read errors. But where, where??? In the Lead-In Subchannel??!!

I have one idea: To patch some game data subchannels (evtl. the bootsectors) with some of the extracted PreGaps 2nd second subchannel-bytes, because afaik at the moment there is no program which is capable to write the very first data pregap RAW DAO96 uncorrected. G*mejack and D*scjuggler only save these 150 PreGap sectors uncorrected at the begin of their ISOs, but it seems they don't write it uncorrected (not with my Liteon 32x12x40). And of course CloneCD makes much better "clones" of the whole rest of the CD!

An other method would be to intercept the data or "electric" stream the LaserUnit of the PSX sends at bootup to the CPU, but this is very complicated and makes really a lot expenditure. And afaik the bootcheck is made in some kind of encrypted method.

Truman, your idea to write these (encoded ?) bytestrings is it. But a second question is: Is the PSX searching for the country codes all over the discs subchannel or only on some special locations like LeadIn or Pregap?? But of course first we need these bytes or byte patterns. The Subchannel in the PSX 2nd second pregap only consists of 80 and C0 hex values: As example this is the RAW subchannel of sector 1 of the pregaps 2nd second:

80 CO 80 80 80 80 80 C0 80 80 80 80 80 80 80 C0 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 C0 C0 C0 80 80 C0 C0 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 C0 80 80 80 80 80 80 80 C0 C0 C0 80 C0 C0 80 80 C0 C0 C0 80 80 80 C0 C0 C0

Someone any idea to decode these subchannel bytes or what kind of information they contain?



CU, Sam


P.S. And of course Olli, "Creator of the famous SheepDollyCD ;-)" (maybe you read this), you'll be the first we will provide with the information to beat this 'ancient' protection!

beating the psx with your home burner is useless, [EDIT][/EDIT]. get a mod chip and save yourself the time. one last thing, the protection in the psx is the hardest to bypass out of any protection ive ever seen, its tougher than safedisk2, tages, etc. yet it is so simple to beat with a mod chip, without one though, you then see the absolute superiority.

---

Last edited by FutureProof; 08-07-2002 at 08:42.

@god of burning
You forget, that the most of these forum users (me included), who mess around with e.g. copy protections, are in some kind "freaks". We all could save much time, if we would use cracks, but we want 1:1 copies. I still hope, the PSX protection can be beaten once and for all.


So, Sam123456789, keep up all the good work!

I just want to say that the ECC errors are a form of protection and _are_ present on a copy of the HK bootdisc that I have. The really _strange_ thing about this disc is that it boots on my US PS1 and also gets a strange reaction on my JP PS2(boots with a distorted sony logo and freezes). The country code is not like that of regular discs on there...

Maybe someone can figure it out?

It´s true that you´ll save a lot of time when you buy a mod chip, but I totally agree with little-endian, this is the forum of cd FREAKS and freak´s will freak it out !!

@god of burning:
...[EDIT][/EDIT]what we try is to go as far as possible, and without people with this , our attitude as ex. CloneCD never would have been possible. By the way I have already a (switchable) mod.

@little-endian:
Yes, thx, and at the moment I'm far away to be finished with the PSX boot protection. Of course I know it will become harder and harder from now on to come foreward.

@Psx29:
My PAL PS-X-Change2 Bootdisc (also produced in HK or in this region) has no EDC/ECC Errors nor bad blocks. And I think your Bootdisc doesn't work on Jap PS2 Console because of the additional first 5 Country Code sectors, which are for US and not jap. But you're right, it would be really faszinating to read out the complete! bootdisc and compare the RAW Lead-In with any usual orig. PSX CD.

@BurnFre@k:
Yeah, lets freak out!! PSX Burn Partys with Girls'n S*x'n Dr*gs'n R*cknRoll! ;-)

.
..
...
....
.....
......
Here is the newest Bootprotection Information from our
"Bootdisc Forum" at www.moogman.com :
http://www.moogman.com/forum/viewthread.php?record=884


Macaijah
macaijah@hotmail.com
Posted: 2002-07-02 - Post reply
--------------------------------------------------------------------------------
Even if you did copy everything from the cd bit-for-bit, you still wouldn't be able to copy the boot protection. Ive treaded this path before and it always leads to the same place everytime, "Might as well get a mod-chip". I know someone who has ripped the entire contents of a psx cd from the lead-in to the lead-out, burnt it with bit-for-bit accuracy and it still didn't work. It's because the boot protection is not stored as normal data on the cd. It's modulated on top of the data spiral (wrapped around the data at the lead-in area) as a mis-aligned track. It's done just right so no errors occur on the normal data spiral. If one were to look at the voltage during with a tracking coil & scope, it is evident that there is distinct AM envelope in sync with the SCEx data (during the protection check process). This protection is written to the glass master completely asyncronously (SCEx at 300 Baud serial signal) and has nothing to do with the normal pits and lands that a cd has, which makes it impossible to copy (with normal cdr equipment).
Sam
bootdisx@hotmail.com
Posted: 2002-07-03 - Post reply
--------------------------------------------------------------------------------
Thx Macaijah for your detailed info. I suspected this would be the protection only for PS2, and I couldn't believe they were able to use such kind of sophisticated method already 1994-1995.

This was the info at PS2Dev forum (no more available):

From aDoL_iVxX :

A number(or whatever) is encoded into binary form. This code is stored in the PS2 and must appear on any discs for the PS2 to recognize it as a boot CD. However, this is no normal "hidden" code; what Sony did to make this hard is kinda crazy- they modifed a CD/DVD laser assembly to write outside of the normal data path, in the shape of a sine wave which oscillates at 22.1kHz freq (which is 1/2 44.1kHz, CD sample rate...) THe code is written in the TOC with this method. Now, while the new data path is "wobbling" back and forth over the normal, straight (well, curved to the CD) data path, they would have had to fashion a new cd-laser reader assembly to read it; instead, they decreed that every time the new data path crosses the old data path, it is read as a binary "1", and the absence of the 2nd path along the first is considered a binary "0". This encrypted code is written a number of times over throughout the TOC, so that it is easier for the CD reader to pick up on the code.

I am of the mind that is should be easy to find a way to make bootable CD's, I've got a few ideas that I'm going to try, but I'm too lazy to keep going and list them....

aDoL_iVxX



.
..
...
So far this post from Mai 2002. What do you think: Is there really a way to do it?! Meanwhile I hardly doubt it! Of course its only a question of receiving this Country Code. Over the Modchip or over the laser-lens. Eventually its possible to create bit-patterns which simulates the presence of this code or "inject" the same signal into the laser?! But of course the main problem is our limitated 'private-user' soft- and hardware, we even can't write the Lead-In RAW.

I just wonder and ask myself how the guys in HongKong done it. Did they've stolen an original recorder, mastering or pressing equipment from Sony or do they only have good contacts to the manufacturers of these Hitec-machines? And if so, how they can recreate or rebuilt this overmodulated signal-track and Lead-In?!

CU, Sam
Macaijah
macaijah@hotmail.com
Posted: 2002-07-03 - Post reply
--------------------------------------------------------------------------------
Hi Sam,

Actually, the protection scheme I listed *is* for the original playstation. This entire topic was hashed around over two years ago at *the* original message board where the first mod-chips were concieved. I'm not sure if the PS2 has the same type of protection, but if the PS1 was this complex and was developed many years ago, I can only imagine how complex the PS2 protection may be *gulp*.

Remember, SCEx isn't even stored as normal data on the cd, so writing normal pits and lands isn't going to do the trick. If at all possible, you would need to add some stuff to your cdr to be able to write this pattern, but even then you would need to custom write burning software that modulates the SCEx data ontop and mis-aligned of the lead-in. The guys in hong-kong have cd stampers. It would be easy for them to make bootable silvers, since sony's protection is patented, one would only have to dig through the patents and read about the specifics of it. Despite popular belief, it has nothing to do with sony's developement "recorders". Remember, the boot protection is added during the glass mastering process. I'm of the mind, "I hope someone makes a *real* boot-cd for the ps2 (like the ones for PS1 by datel)."
Sam
bootdisx@hotmail.com
Posted: 2002-07-05 - Post reply
--------------------------------------------------------------------------------
Hi,

I'm back! I agree the PS2 protection for shure is some more levels "better".

O.K. but lets go for the PSX and let me try to understand: Afaik the technic of the PSXs laser is almost the same as a usual 2x CD-Rom drive.

Next: There are (special) physical structures on the CD (in the Lead-In) which cause a -special- reaction, when the "usual" PSXs laser comes in contact with.

But: The PSXs laser only reads the oscillating track when it crosses the "linear" track. And afaik it searches for this "additional" code in the subchannel, which is written not as second track or as track "under" the datatrack but written as 96 bytes in front of the 2352 bytes of each sector, of course encoded with EFM.

So what I wonder is: Why it shouldn't be possible to create some sort of pits-lands pattern which can trigger the same laser-reflection the PSX-Bios can interpretes "correct" as country Code?!

Let me use an analogy: For the ship its the same if the lighthouse uses a spinning lamp or if someone burns a big fire on the cliffs and covers it with the correct timing. Or if someone sends S.O.S. with a mirror or with a flashlight. And I'm shure the PSX isn't that "intelligent" to recognise the difference.

But at the moment our main problem first would be to find any hardware - software solution, to write the Lead-In at all. We can't manipulate data of an area where we have no access.

A different step would be to modify some PSX in this form so it would be able to read CD-RW media, so their would no financial loss over and over again by burning "Test-CDs".

It would be easy if we'd have a PSX Emulator for PC, which has the original Country Code "Lead-In" Protection implemented! Maybe there's a way to write one, or only a programm which simulates this protection and nothing else. Why not, we have the original BIOS and it should be able to get the part of code and convert it so the emulator uses the PC drive with the almost same commands as in original.

A next possibility would be finding a loop-hole or backdoor to bypass the whole Country Code protection. Eventually to find a way to make the PSX hang on bootup and jump over the complete bootprocedure. I will try test some coaster if they make the PSX hang, and I will look why.

But the first important thing is a software which is able to write the LEAD-In RAW. The one you know, where you told he did the whole RAW writing: Did he used some kind of professional equipment or a special firmware and PC software?

About the Hong Kong guys: I don't believe that it's that easy to read the patents and recreate the protection, even if they have cd-stampers. Maybe Sony explains an overview of the protection in the patent-files, but I can't imagine they describe it that detailed everyone with the right hardware is able to easily recreate the whole protection.

About the "Real" Boot CD for PS2:
Don't forget the PS-X-Change2 in fact is no real Boot CD at all! Its just an orig. pressed CD with very short program which interrupts the loading sequence after bootup and continues after pressing a button. Of course first the disks have to be changed and the door closed recognition mechanism has to be tricked, but there is no new Laser Calibration as example, and I don't know whats with accurate TOC reading.

By the way, if you trick this closed tray recog. mechanism, you even can use any Gameshark, X-Ploder or Action Replay Cheat CD as Boot Disk.

Thx @ "John <jwilson2k3@hotmail.com> who told me this info.

And I need much more detailed information about this whole LEAD-In Modulation stuff. And I wonder for what these development recorders are necessary, if they cannot write the complete protection.

CU, Sam

---

Last edited by FutureProof; 08-07-2002 at 08:45.

I've just got one piece of advice for you, Sam123456789 -

If Sony ever threatens you with legal bullshit and doesn't let you come forward with your information, don't listen to them. Information should be free.

One more motivational thing - if you actually pull this off, you will be known as a legend for years and maybe decades to come so keep up your good work and I wish you the best of luck!

> This was the info at PS2Dev forum (no more available):

Look again, the post is still there.

> in the shape of a sine wave which oscillates at
> 22.1kHz freq (which is 1/2 44.1kHz, CD sample rate...)

This is the description of the wobble you find on
any cd-r, which carries the ATIP informations.

> instead, they decreed that every time the new data
> path crosses the old data path, it is read as a
> binary "1", and the absence of the 2nd path along
> the first is considered a binary "0".

Very unlikely. Instead I think the guy who posted that
didn't fully understand the patent he read. I remember
having read a Sony patent for copy protection which
mentions wobble and ATIPs, I'll try to find it back
next week.

Disc swapping........ >>> Time waist !!!


Mod chips are GREAT