New PSX/PS2 selfboot thread

vbimport

#1

This is a summary of all the investigations performed by members of this board
regarding the PSX boot process. The original (28 pages long) thread is there.

PSX Bootprotection Summary
.* * * * * * * * * * * * * * * *.


All newbies to the PSX protection and everyone who
thought, the usual claims are true, read THIS first
before you post to the following new “LIMITED” thread.
We are happy to have you here and look forward to your
contribution, motivation and help, but PLS either first you
read the complete PSX/PS2 Protection Breakthrough thread
or at least this very short overview, including the
topic about what we dont wanna discuss here again,
which is in fact just the whole proofen wrong claims.

It was much work to find proofs of what the protection
consists of, and what claims are lies, proofen wrong
rumours or stories of people who seems to have
a bit too much fantasy eg !!


P A R T . 1 :

  • Proofen wrong claims about the protection!

(we wont discuss about that stuff anymore)

  1. EDC (Error Detection Code) zeroed checksum

That was just a “fingerprint” of some old S*ny’s
mastering equipment which has been transferred to the
CD-press, nothing else! Some PSX emulators for PC took
“adavantage” of that difference of sectors #12 to #15,
but they had to correct that in later versions, because
of newer mastering hardware. Proofen as wrong by many
different people, and since everyone can burn RAW DAO 96,
ca. since 1999 (some earlier), everybody unbeliefing
infidels can proof this by their own. btw:
That kind of EDC just is used by Mode2 Form2 sectors,
normally just used for video (as example VCD or str)
streams.

  1. The first 16 sectors contain the bootprotection

That is a misunderstanding. The first 5sectors contain
the territorial info, which only is important for
really selfbootable disx. In Japan those sectors have
an nice pattern, which the PSX seems to be able for
recognising that, for US and PAL, those sectors are
almost zeroed. Just sector #4 contains a short printable
charakter string mentioned for displaying on the screen.
Sectors #5 to #11 contain the graphical coloured PS
logo for displaying on valid PSX bootup, but that
picture can exchanged with all kind of other short
image file in the proper *.tmd format.
Sectors #12 to #15 are the proofen as wrong zeroed
“EDC checksum sectors” (see above), they dont contain
any important info for the PSX.
Those 16 sectors (00 02 00 to 00 02 15) doesnt contain
the main boot-code-information at all, they contain a
second check and the mainly purpose is to display some
bootscreen - info (excluded of the japanese special
bootverification at sector #0 to #4)

  1. burning data “AS” audio CD

(the modless.cdr variant)
In earlier times the only reason to do that was to burn
“fully selfeditable 2352 sectors”, in other words burning
zeroed EDC (proofen as wrong see above).
Other “comrads” thought, with that method the PSX thinks
its an audio CD, so it passes through the “boot check”
and neverthless will execute the datacode.

I proofed that as wrong, when the PSX boots the CD as
Audio CD, even there is the correct data-structure into
the CDDA track, the PSX handles such disx as audio only!
Such disx indeed are bootable with Import Player or
PS-Xchange2 “bootdisx”, but thats not of interrest here.

And, important: I have tested, the PSX first decides only
by the Lead-In structure if its an data or audio CD,
and doesnt check, if the data track is written as audio.
Only if the first Lead-In check “datatrack = true”
was successful, it passes through a second “is it a
Data or Audio Check ?”, after the SCEx check, and decides
a second time (not with bootdisx, they really can boot
“wave-data tracks”) what to do!

  1. Black bottom CD-Rs

They exist from alot different vendors and companies and
the are not from S*ny and have no booting “SCEx leadin”
on them. Some supercool guys said they boot on their
PSXs, but if you ask deeply, they have to confess that
either their PSX/1 was chipped without their knowledge
or they just told some stupid garbage to make themrselfs
important or whatsever.

  1. ‘Bootsector’ out of lasers reach

Wrong, the bootsignal is modulated through the Lead-In
Track, its just not recognisable by PC CD drives of
all kinds, because they dont have the option for puttin
out tracking error signal codes.

  1. Bad sectors - also inside the data area

The PSX uses definitively not any bad sectors as
boot protection! The additional, just sometimes used
Libcrypt protection uses “bad subcodes” as protection,
but that problem was solved a long time ago just buy
RAW DAO 96 read and burn! And some games like
Tombraider use “Correct track start LBA check” protection.

  1. PSX checks for Barcode or ATIP

PSX laser look definitive not for any barcode or other
markings at the very inner ring side of the CD.
The PSX doesnt check intentionally if there exist some
ATIP info!

7x.! Discussable

As sideeffect of the constant 22khz “ATIP” wobble
throughout the whole “empty” CD-R, it seems the SCEx
pulses, which consist of logical zero’s and ones, tend
to be always as One’s, but after pits are written!
We know the PSX laser isnt that “very good looking”,
so for 90% it seems the PSX laser cant read the PSX
ATIP wobble directly, just by the “influenced track”.
That track then has very slightly the “fingerprint” of
the ATIP, even if tracking-coil correted on burning.
Perhaps here sometimes we get the key to switch
on or off the “wobble”.

8.??? Insert further false claims here.

P A R T . 2 :

Here now starts the verified boot protection information
we wanna discuss in future about, for developing further
anything possible and finding many more details about :


I wanna explain it from the very start:


The track(s) of a pressed CD consist of an as good as
straigth spiral, beginning in the inner circle and
continuing 'til the outside edge.
The factor “almost straight” is very important.
Because the laser-unit has some tracking coils, which
purpose is to keep the laser-beam, or better reflection
of the beam!, as good as centered even if the CD
spins at a very high speed, so the beam doesnt loose
the trail while reading the track.

The PSXs tracking coils took some advantage of this
tecnic, and they have a special output for
“tracking errors”. Because at the pressing state of the
PSX CDs, the Lead-In gets a very little, but still
recognisable modulation (near as it was in earlier time
on vinyl records). That modulation constists of long
or shorter tracks of 22khz wobble pulses, the
shortes distance we found out is ca. the lengt of:
1/3 to 1/4 CD sector. The signals consist of the SCEE,
SCEA, or SCEI characters in old RS232 transmission code,
which is already completly decoded and no big secret.

The modchip simply injects that SCEx characters into
the needed wire at the needed time and so the PSX
BIOS and CPU ‘thinks’, the CD-controller sends over the
correct signal and starts the boot code sequence.

Recreation of that SCEx 22khz wobble pattern with CD-R

This was and still is our big challenge !!

To win that challenge, we’ve found out alot interresting
test-results, Truman developed a special CD burning
software which first time ever was and is able to burn
x-special edited Leadins, at any position and which is
able to skip single sectors or whole parts.
—insert link to his homepage if wanted-
And we found out, the 22khz pattern are creatable,
simply by painting stripes or dots over the CD-Rs
leadin region, which almost causes identic 22khz
“ON - OFF / logical 0 - logical 1” pattern like the
original pressed SCEx wobble “creates”. To verify and
control that patterns at all, BlameTheEx and bootdisx Sam
(i have to write in 3rd person about me ggg)
invented a PSX - PC-line-in connection system, attached
to different special pins of the modchip and the
laser-unit-flatribbon-lines. We made documentations
about how it works and what testing results we got,
they are hopefully still available at the page:
http://the8ball.50megs.com/index.htm
Alot further links arent connected directly, but the< can
be found throughout the whole PSX/PS2 selfboot thread.

Really alot tiring SCEx ‘pattern over leadin tests’ have
been made and analysed and they were honoured by
very much public interrest here at the cdfreaks Forum.

Bu to paint ‘around blind’ on CD-Rs was very unreliable,
'cause the PSX laser reacts unpredictable, the pattern
cannot duplicated and transfered that exactly (at least
for the moment) as it would be needed, and the negativst
point:

One CD circle accords just for 0,125 second, but the
complete SCEx string needs the time of ca. 0,250 second.
This makes it inpossible to “paint” the complete
boot-string over the lead-in’s circle, at least as long
we dont find a method to compress that pattern or making
the psx-Laser switching from one to a second “level”.
Thats very hard to do, restricted by the tight space
of the leadin circle. Tests to burn ‘thicker’ Leadins failed,
because of the PSX-laser hardware seems to be restricted
to find the leadin and data area at a already fixed
distance-range.

btw. it was proofen, the PSX doesnt need: a lead-out track
and the Lead-in must not have the full size, either
it is just the half size starting at the “REAL” beginning
and the datatrack immediatly stars directly, or there is
space between lead-in and the data which then starts at
the usual position (still at halfsized leadin!), or even
if the first 5500 leadin sectors are missing (seen from
the “real” start writing position) and just the
“second half” is present and followed directly by the
data track, everything almost works (if the laser is
calibrated correctly and has no problems for reading
CD-Rs at all).
We also did alot Skip! leadin sector tests, but they
arent usable for writing “22khz wobble creation”,
the skipped distances are simply too long for the needed
SCEx values, and it seems the skipping hasnt any effect
at all to create 22khz breaks. Yes, the problem is:
Creating 22khz breaks of the right lenght, because it
seems or is really so, the CD-R is full of continuing,
uninterrupted 22khz waves “heard by the PSX laser”.

Our last developments have been in that directions:

a) perhaps development of CD-writer modichips
b) burning structures into the leadin which causes the
PSX laser either to change the spin-speed from
1x to perhaps a higher value (the SCEx search is
done at 1x CDreading speed) or to find some
backdoors, which enables us to skip the boot code
search sequence or imitate it!
c) leading the PSX laser from the usual leadin track
to a second one, having the needed space for the
painted patterns
d) disturbing the tracking coils by heavy sound/noise
vibrations, which is really risky to destroy the
hardware (and "neighborhoodfrienships gg), til now
we didnt had any success with that
e) very few attempts finding ppl who have the knowledge
for programming modchips for our purposes
f) analysing of electronical circuit board prints of the
PSXs controller hardware and more
g) analysing of so calles “square waves” the PSX laser
creates on “disturbing”
h) finding out the location inside of the leadin where
the psx laser searchs the ‘protection trail’
(for the moment it seems its all over the lead-in)
i) finding reliable information about the mysterious
lik sang boot-cdr
j) short tries how to created split CD-Rs with orig
bootsectors, also how to “mount” those if possible
k) injecting SCEx noise signals from the PCs soundcard
into some PSX pins to circumvent the modchip
l) searching ppl who had coded PSX for PC emulators
and perhaps know some “boot secrets”
m) …

P A R T . 3 :

Last but not least I have to notice that we’ve had the
help of the “dinosaurs” of the PSX boot protection,
like:

Alex Lau, Old Crow, AndrewM (who came a bit late ggg),
Barubary and some “top secret” informers,
who brought us onto the right way,
after searching around into the PreGap subs
etc. and also a big appreciation goes out to the
CDfreaks Forum Mods and owners which let us test around
:wink: :slight_smile: for such a long time & so making it possible for going
so far! Now that PSX protection craccing goes into a
new and hopefully more succesfully aera, and we still
enjoy every helpful information and (insider)-tip for
finding out as much as possible about it, as example
much more detailed infos how that prot. was developed
and how it was recreated by diverse HK etc. companies,
with or without CD-Rs. Our goal still is to develope
the needed software, hardwaremodifications, techniques,
FAQs etc. for beating “sometimes” that protection.

Not to forget all the people who helped us over that
whole time and also thx to Wig Wam and his group for
his superb, “toadstool use compatible” * E Egg*
artistic expressure of the “Misalignment” theme!
Nice impression and influence making things visible
which we dealt for so long and still looking 4 t answer.

Very few of us decided to hang into that very hard
challenge, even there’s not much light in sight, but
its in the tradition of “beating every system sometimes”
and I’m shure, we will be always the winners, even if
it takes years! Its the mental strenght which counts.
And we dont need always the newest system to proof
our skills, even the PS2 sometimes will be an old
system, if it isnt it yet already.

PErsonal wishes:

  1. If you are new to this topic but really interrested,
    I suggest first reading through the whole
    PSX/PSX Breakthrough thread, it really contains
    indescribable info about our development and indeep
    going infos, also some funny stuff.

  2. In that thread also is decribed how a PSX - PC
    connection can be built up, and I really hope, besides
    only me, some other tec-freaks are incouraged enough also
    connecting their PSX and then are being able to
    verify the SCEx or test signals! Thats really important,
    because the more can test the created signals and
    compare those with the orig. SCEx, the faster we could
    find the clues how it can be done finally.

  3. I hope our whole work within that PSX-protection topic
    will remain forever inside the Internet and will
    animate and inspirate following “generations” :wink:
    for further development (of course just if we wont
    beat that prot. in our lifetime! ggg :wink:

  4. Sometimes I’ll get my hand of a Sny’s machine
    which enables me to burn finally selfbootable stuff,
    if we really never find a way to make it with usual
    public PC - CD-R equipment :wink: I guess I have to visit
    that S
    ny party sometimes personally! :wink:

Additional infos :

The actual bit patterns for SCEx:
SCEA: 1 00110101 00,1 00111101 00,1 01011101 00,1 01111101 00
SCEI: 1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01101101 00
SCEE: 1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01011101 00

One bit of SCEx data (4 milliseconds long) will be 4.8 millimetres long.

The SCEx is written on a track starting at about 24mm diameter (15cm circumference) and 2 (?) mm wide.

The SCEx signal is repeated throughout the track, once every 250 ms, or 30cm. The signal is 42 bits long, from first to last “1” bit (168ms, 20.16cm).

The SCEx is written as side to side wobble, at 22.05 khz.

The 22.05 khz wobble of the underlying track (not the recorded “pits”, which are not supposed to wobble) used to store ATIP information on writable disks is 5.44 um peak to peak, with an amplitude of ±0.03um. The wobble for SCEx is probably similar, however normal factory made read only disks do not have an underlying track. Ether the official playstation disks are different, or they have wobbled pits.

The track width is only 1.6 um, about 2 wavelengths of the 0.78 um laser light used, so ANY markings on the track, that are not centred, will be detected as side to side information, whether it is “pits”, or the underlying track.

WOBBLE GROOVE

Data on a CD-R are organised on a single 5,3 kilometers long spiral called ‘groove’ or ‘pre-groove’. The groove is actually not a flat spiral, but a soft sinewave called ‘wobble’. This sinewave is very slow (22.05 kHz), with a small amplitude (30 nm) and a constant width (600 nm) ; all the data, coded as pits and lands, are located in this spiral. The wobble is mandatory to write on a disc, so the complete track is wobbled, which includes the PCA, PMA, lead-in, program area and lead-out.

This wobble has 3 uses. First, it allows the drive to regulate the rotation speed of the disc. Indeed, the drive continuously measures the frequency of the sinewave it reads and it can for instance adjust the motor speed so that it always matches the theoretical 22.05kHz value : when this happens, the disc spins at 1x CLV. Second, the wobble is used as tracking information, i.e. it ensures that the pits are correctly written along a track. Finally, the wobble carries ATIP informations through frequency modulation of the wobble sinewave (22.05kHz +/- 1kHz).

How does the wobble suffer from CD-R burning ? Pretty well it seems, since ATIP informations can still be read from a burned disc. In fact, the wobble is actually partially damaged during burning, because the pit width is close to the wobble width (600 nm), so that the edges of the wobble can be damaged where pits are burned. Moreover, the pits are not exactly written following the wobble. Indeed, before being used as tracking information (push-pull), the wobble signal is processed by a 5kHz low-pass filter, and therefore the head does not follow the wobble : this means that the pits are actually written on a flat spiral trajectory, which increases the probability of damaging the edges of the wobble on particular locations.

added by me:

To summarise for our purposes:

  1. The wobble exists throughout the disk, and is not significantly removed by writing.

  2. The Writer uses the same detectors for both wobble, and side to side error correction. However, before using the signal for error correction, the wobble is filtered out by a 5khz low pass filter. This is the official design.

  3. The wobble can’t be removed, or meaningfully altered, by writing, because the laser head doesn’t follow the wobble.

In addition we have no way of writing pits with any sort of variation near 22khz.

We can skip sectors, but they are at 75 to the second, which is far too slow.

We can write bit patterns that have a lot, or very little pit, but the writer will swap pits for lands, if necessary, for the next byte. The algorithm used is designed to force an evening out of pits and lands, and we have no control over it. It is effective. The result is a maximum pit density wobble, that drops steadily downwards below 127 khz.

Regardless, a pit density wobble will not be interpreted as a side to side wobble, by the playstation, as long as the pits are laid in the centre of the track.


Presumably some writers, use a filter that varies according to the write speed, but always lower than the wobble frequency. Perhaps some of the fastest, are mechanically capable of correcting wobble at 1X speed, although any mechanical system that could correct a 22khz wobble would be impressive.

It’s feasible that some poorly designed high speed writer might correct wobble at 1X speed without modification. If so, an additional filter, switched on and off by a mod chip, would work.

Its plausible, but not exactly likely, that an expert bios programer could modify a writer bios to hack out the wobble in patches, to create a SCEx signal.

It is slightly more likely that an expert on writer design could use a mod chip, and additional components, to bypass the filter in pulses, so as to write the SCEx signal.

I am not entirely sure what the result of wobble correction would be. I doubt the result would be a complete removal, as far as the playstation’s reading is concerned. However I am convinced that it will ether significantly reduce or increase the perceived wobble, and that may be enough.

It is highly unlikely that by the time any such design was published, the writer used would still be in production, nor can there be any reasonable hope that such a method will work for playstation 2 disks.


It would be entirely possible for a CDR manufacturer to produce disks with the SCEx built in, although i suspect they might need modified software to write. However, I would be amazed if it could do so without copywrite infringement. Sony would certainly mount an expensive legal battle, whether they would win or loose. I doubt any manufacturer would dare.


#2

I have an idea we could try. This is a long shot but it would stilll be interesting.

Perhaps we could confuse the psx into booting by doing some weird twinsector stuff inside the leadin.

I have no idea what affect this would have or how you would implement it but it would be worth a try.

Just throwing an idea out.


#3

Thank you for making a summary.

it makes things a lot clearer for me…(to a certain degree :wink: )

thanx

damian


#4

Regarding the “Square waves”

These turn up in laser output pin 5, and others, irregularly in most samples i have seen.

Sam found that painting stripes on the pregap track of a copied disk caused the needed “0”'s at the point used by the output of a Modchip. However, in most cases they were shorter than expected. Too short to be useful.

The signal at pin 5 showed that the stripes did remove the 22khz wobble, but that it was usually soon replaced by the distinctive “Square wave”. Unfortunately it is also interpreted as “1”.

This “Square wave” is a much lower frequency than the wobble, but it is higher in volume, and naturally, has lots of harmonics within the rather broad frequency range the playstation will accept.

What are “Square waves”? Clearly they occur when tracking is a problem. Maybe they are a signal from the tracking coils, as the playstation hunts for the track. It could be bouncing from side to side of the track to measure the central position. Maybe they are the signal of a head skipping tracks before settling on one its happy with.

The “square waves” did not always occur. Some samples showed considerable promise. I am convinced that it is possible to create stripes that work reliably. Sam did not actual create many disks, nor did he try different paints, or felt tips, to see which worked best. My guess is that a lighter colour, that allowed enough signal through to maintain tracking, would work.


Regarding PART 1, section 7x.

We do not know exactly how official playstation disks are made, but we do know they are stamped, read only, disks. Normally such disks have no track bar the pits themselves. We have been assuming that the wobble used by the SCEx is of the pits, rather than a track like that used by ATIP.

The PSX doesn’t read ATIP. However that maybe ether because:

a) It could, but Sony found no good reason for it to do so. ATIP is only necessary for writing, and the PSX is read only.

b) It can’t because ATIP is frequency modulated. The SCEx is pulse modulated.

The argument that the PSX can’t detect the ATIP wobble directly doesn’t hold. It can detect the wobble. It just doesn’t read the ATIP data within the wobble.

The argument that the ATIP wobble results in a recording with a pit wobble, also doesn’t hold. Writers are supposed only to correct for tracking errors below 5khz. They detect the 22khz wobble, but it’s filtered out before the signal is applied to the tracking coils.

The whole beauty of using a 22khz track wobble to carry the ATIP information is that it uses the same detecting system that holds the laser to the centre of the track, by tracking the pits. Although ATIP wobble is of the track alone, and the pits shouldn’t be wobbled, clearly this system will detect wobble in ether. I see no reason why detecting a track wobble should be any harder than, or different from, detecting pit wobble.


#5

Kward

Twin sectors will not cause a boot. The Playstation will accept nothing less than a SCEx signal.

However there IS real merit in exploring such things as twin sectors. We know that the playstation reads somewhere around the end of the last track, before searching for the SCEx in the pregap. The interesting question is: how does the playstation find the pregap?

Some such method as twin sectors might fool the playstation into seeking for the SCEx in a track at a far larger radius. This would make possible a SCEx pattern marked in felt tip, on a single revolution.


#6

Hi, I have read the old thread and all this is really interesting to me even though I don’t own PSX.
If I understood this correctly, 22.05 KHz carrier on disc is modulated with code in a press stage.
What I don’t understand is:

  1. Is the whole CD modulated in such a way or just the LeadIn portion?
  2. Pressed CDs for PSX probably do not have Power Calibration Area and Program Memory Area like CD-R/RW discs. Does writing without OPC (i.e. leaving those areas intact) make any difference?
  3. What is the final status about old Yamaha writer myth?
  4. On page 35 of mmc2 standard CD Frame structure is explained. It says:

Data is recorded in a continuous stream of Small Frames. Each byte of a Small Frame is encoded with an 8 bit to 14 bit modulation (EFM) code. Three merging bits are appended. The merging bits are chosen to provide minimum low-frequency signal content and optimize phase lock loop performance.

What I would like to know is who choses those merging bits? Recorder or software? I know that it is possible to write weak sectors and to deliberately create C2 errors on a disc so with (in)proper EFM encoding it shoud be possible to create such a signal that will cause desired tracking errors. Or is that already ruled out?
I am asking this since I have a piece of software that does similar things to hard drives (spinrite). It knows all modulation/encoding schemes used in modern hard drives and it is able to create a pattern that consists of strong signal immediately followed by a weak one. Strong signal then makes drive to turn signal amplifier off and if the medium is defective it won’t be able to read immediately following weak signal since it can’t manage to turn the amplifier back on so fast. Software then shifts that pattern accros the whole drive surface thus testing every single bit position (whict takes considerable amount of time).
If that kind of encoding manipulation is possible for hard drives I guess that it should be possible with EFM. Any comments on this?

  1. Someone said that at the point where modulation crosses with data track the signal read by laser is affected. Does that still hold?

Finnaly, don’t give up on this guys.
Best regards,
Prime


#7

prime

  1. Just the lead-in portion.
  2. No. The PSX looks for a SCEx, and only a SCEx.
  3. Its a myth.
  4. The recorder chooses the merge bits. Always. Some recorders can be fooled into making a poor choice.
  5. 22.05khz wobble is small, at a much lower frequency than the data, and side to side rather than up and down (or for writeable disks, with the same effect, light and dark). It is unlikely to effect reading.

#8

One more question and few ideas:

  1. Is the PSX interested in DATA from lead-in or not?

Originally posted by BlameTheEx
prime
5) 22.05khz wobble is small, at a much lower frequency than the data, and side to side rather than up and down (or for writeable disks, with the same effect, light and dark). It is unlikely to effect reading.

I saw somwhere a drawing of the wobble track (looks like sinus). Recorded pits partialy cover it but it is wider than the recorded signal so it can’t be fully covered by pits.
If I understood correctly, recorder always follows the wider wobble track while writing to disc and it is actually writing over it (but not destroying it by doing so or otherwise readers could not read the disc).
Maybe if a lead-in is constructed in such a way (even by making invalid EFM codes) that it contains pits and lands that immitate SCEx code?
Idea - if laser power is greater the pits are longer. That could be used to manipulate pits in such a way that they even overlap so there is no edge to detect but with higher power wobble could be “punched” hard enough to look like it is pressed with SCEx code.
I come to that idea by reading the thread where someone mentioned that some guy managed to make a copy by using some special trick but the disc detorriated and become unusable over time and that could probably happen if it was written with too much power.

Edit:
I just saw an interesting article at cdrlabs:

Yamaha decided to deal with this by creating a process they called Audio Master. They decided to artificially slow down the speed of burning by increasing the length of the pits and lands. Although the disc is still spinning at its 24x or 32x speed, the density of bits on the CD’s goes down. The normal 1.2 m/s linear speed turns into 1.4 m/s. 74 minute discs suddenly only hold 63 minutes, and 80 minute discs now only hold 68 minutes due to the extended pit length. Although the feature sizes are increased, they’re still within Red Book standards.

This proves that it is possible to create markings of desired length on the disc. Full article here:

Best regards,
Prime


#9

I keep reading of “SCEx” but it is not discussed in any great depth. I do not understand what it is… a wav signal, a part of the pre-groove, can someone explain?


#10

Prime

Sigh. No.

You are correct in believing that is possible to write wobble with pits. Indeed it is my assumption that this is how Sony does it. However:

a) normal pits are not just a little bit smaller than wobble waves, they are FAR smaller. One wobble wave = length of about encoded 12 bytes. Each byte is 17 bits long. We have on way of even creating a pit as long as an encoded byte.

b) Nobody has found a writer that has the software commands that will write the pattern of pits/lands we need.

c) Even if we could, the pits would follow an un-wobbled track, and would thus not be detected as wobble.

Conclusion: We cannot create wobble by writing with any unmodified recorder that we know about. How many times do I have to say this?

The secret of writing wobble with pits is not in creating special pits, but rather in adding side to side wobble to a normal pit track. As yet none of us have created a writer mod that will do this. There are plenty of ideas, but nobody has put sufficient time, or energy, to develop them into a working prototype.

xtacydima.

We can’t explain much further, because that’s about all we know. The SCEx signal is coded as pulses of side to side wobble. Exactly what is being wobbled, we are not sure.

The assumption is that, on an official Playstation disk, it is the track of written pits. We think this because pressed disks do no contain the wobbled ATIP track that writable disks have. However it is possible that Playstation disks are an exception.


#11

Hi,
To set something straight, wobble is factory pre-pressed on every CD.
It is the spiral sinusoidal track wider than the track you are
writing. Even after media is recorded that wobble is still visible
to the drive. If that wasn’t true, drive would not be able to read
the CD. Wobble is actually synchro-track so the laser can find data
track and stay within it while reading and writing. Wobble serves
as a means to correct rotational speed of a drive - it is converted
to 22.05KHz sqare-wave and compared to internal clock generator.
If the actual wobble frequency detected is lower than 22.05KHz then
the drive speed is increased otherwise it is decreased.

Aside from that, inside the wobble track, media manufactures insert
ATIP by means of frequency modulation. They modulate wobble with
+/- 1KHz so it yields 21.05KHz and 23.05KHz which drive decodes
as zeros and ones and returns the complete bit stream as ATIP info.

What I really do not understand is the claim that s*ny did
amplitude modulation with SCEx signal to wobble track.
What does that mean?
Is the wobble wider/thinner on the spot where SCEx signal
is present/absent or it is deeper/shallower?
What kind of tracking error is introduced with this modulation
when PC drives can read the lead in of pre-pressed PSX CD?
I hope I am not boring you with questions and also that someone
can answer this.
Regards,
Prime


#12

Prime

Not quite. A niggle, but wobble is normally only on writeable CD’s. Factory pressed read only CD’s don’t have it, with the exception of playstation disks. The reason is that ATIP track is only necessary for writing. It is not necessary for reading.

The wobble on a playstation disk is at the same frequency as ATIP wobble, but there are real differences. It is for writing the SCEx ONLY. It does not exist all through the disk. It only exists as pulses of wobble that spell out the SCEx signal in the lead-in track. A 4.8 mm, 4 ms, stretch of wobble is treated as a “1”, the same length of no wobble is treated as an “0”.


#13

No posts for a month!

Come on people. This challenge CAN be won.

Since Sam connected the input of his computers sound card to various points in his PSX, we have had an easy method to see what happens when we try out ideas.

Not all ideas have been tried:

  1. There are still real possibilities of success with the felt tip method. Nobody has tried a selection of felt tips. A felt tip that allows a percentage of light through may well work.

We would need to fool the PSX into seeking the SCEx track at a larger radius, but it probably can be done.

  1. Nobody has tried, and published, injecting a SCEx signal into the tracking coils of a CD writer. It could be as easy as wiring the output of a sound card to the tracking coil.

Perhaps a capacitor and inductor in series may be needed as a notch filter, that isolates the tracking coil circuit from the sound card, except at the modulating frequency, but that’s hardly rocket science.

It’s also true that you will want to overwrite the SCEx track only, but the Truman Tool should do that.


#14

> No posts for a month!
> Come on people. This challenge CAN be won.

Hi Blame!

Nice to see, at least you, again ggg. Well, I still havent that much time for the protection 'cause I have to convert thousands of wavs into mp3s and write down alphabetically sorted DJ-playlists and alot other stuff for the moment, but I’m still motivated for beating that “life-challenge” sometimes & hopefully in the ‘near’ future.

Therefore I did a few tests in the summer-months but they were negativ:

Heres the translated log of that test, it was an reversed “burn datatrack with Audio-leadin” and I knew it wouldnt work but I wanted it to proof it:


Test from 27th August 2003

burned a 598 sectors large PS-X-Change2 ISO as Audio with Mitsumi 2801, which finally gave me a 600 sectors large track with an zero + - offset of the data. (With Liteon I got an offset of 24 bytes (24 bytes had been inserted at the begin). track without lead-in-out just usual.

Next burned the same 598 sectors as usual data XA as session closed/writeprotected, but directly as the Mitsumi wanted to start to write the Leadin/-out I hardware-swapped the disc with the Audio Track, so that “Audio Disc” gots an absolutly “usual” Data Lead-in.

Results:


without chip: boots to the black “insert PSX Disc screen” then hangs

with chip: boots to the grey CD-Player/Memory Card screen

I think the reason why it didnt booted at all was the “unscrambled” audio data track, the PSX expected something scrambled. I wrote that audio track with WinOnCD as Track Image and as LSB form. There also is the MSB Audio form possible to choose, perhaps thats the datastyle scrambled version then. Anybody knows the difference between LSB and MSB, I didnt found any explanation.


OK, so far that test, at least we have another little mapping how the laser-unit acts and reacts.

But now the good news:


A few days ago had an new exciting idea how we possibly can press the complete SCEX string into our small “125 milliseconds” lead-in circle:

Therefore we can try to “intermerge” the RS232 bits of our characters:

as example:

[xxx] marks the erased “doubled” data bits

SCEA
10011010 [100]<-100 111 [10100]<-1010 1110 [100]<-10 111110 [100]<<->>

will give:
100110101001111010(0)111010(0)111110

= 32 wobble on/off states (included both extra zeros: (0) )
= 32 x 4 milliseconds = 128milliseconds ca. 0.125 second we need

(end 100 value is same as at the begin and so can be deleted as well)
(if there are just 2 wobble offs instead of 1 wobble off it think its possible to cut that as well and imitate (felttip-paint) perhaps an middle state of 1,5 at the disc) so I used that compression also.

The trick is, that if we are lucky, the PSX cant find the “absolute entry point” for reading the “stand alone character” because they dont stand alone anylonger (off course we had erased the 12 bit long zero gaps) and so it finds withing our continous string all kind of needed SCEx characters.

here the compressed string for PAL Europe/Australia:

10011010 [100] 100 111 [101 00] 1010 11 [101 00] 1010 1110 [100]
100110101001111010(0)111010(0)1110
28 to 30 data bits

This is our only easy method, and we have seen already with our unique: Trumans tool “burn Lead-in etc. anywhere” tests the PSX wont read that leadin outside a specific (hardware) radius value.

The above intermerged SCEA string:

10011010100111101001110100111110
or
100110101001111010111010111110

must painted clockwise as following shown (laserwriteable CD side on top - for painting ‘interrupted’ circle like on usual paper):

10011 0101 001 11 1 010111010111110

(just as example):

10011 ->
…0101
…001
…11
…1

etc.

AND: not to forget: I suggest we dont paint stripes in the form of I or | 's, but use slightly slanting ones: /
With that method the distances could shift a little better.

So far so nice, the next step how to test that compressed stringy thingy !!! :wink:

The best method would be if someone could feed the Modchip with the above string and check out the result. If it doesnt work, he still could try to compress or mutilate the original strings until the PSX refuses to boot.
Unfortunatly at the moment I have no idea how to code a little program which lets usual programmable Fun, Gold or Silver smartcards spit out any SCEx signals. Its not that easy to convert the 12c508 or 16c54 chip sepecific code into 16f84 or 16f877 etc. So first I would have to buy an usual socket 12c508 chip and a free - PCB Card with usual smartcard contacts so I can program my own modchips. First of course someone needs to code a hex file where a certain “editing space” is reserved where I could input all kind of different SCEx values like those above.

The 2nd met. is to burn that pattern perfect in the original wobble style. But I doubt for instance the PSXChange CD company will let us use their “black-press”. And S*ny would have a big laugh if we ask them to test our “compressed SCEX wobble”. eg

The 3rd is creating a felt-tip-paint pattern out of our 28 to 32 data units string. A circle where every 0 would be ment as a small dot or stripe, and every 1 would become a “window to the wobble”.
And thats the big problem: How strong, what color, how thick, how exact etc.!!

I suggest for perfectionating such tests we must use a shortend lead-in with a little unwritten gap between lead-in and pregap/datatrack, so we are shure the color doesnt covers any data sectors also. For luck with Trumans CD Tool we can burn cutoff Lead-Ins already.
But just by bare eyes its still really hard to get that CD-marker or felt-tip lines or dots or stripes really over the correct place, its almost a work for some painting-artists, because it has to be done very exactly. (at least until we havent reproducable transfer-foils).

If we just have one single result where the intended 0-1 paint-pattern matches the wobble-on off pattern we’re saved. Maybe so its better first trying smaller strings instead of the whole revolution. But at least thats alot work painting/erasing try again & again and for the moment it seems I’m the only one who’s able to analyse the result the PSX tracking coil reports us and would do the whole graft(ing). Everyone else for the moment just would have a hit or miss result, and thats only for the very few people whos modchip is on-off switchable.

Until we havent alot more support, it seems the felt-tip-paint-test-method remains as our only chance!

It could work, if the tracking-coil filters out what the PSX wants to see in our compressed string. And that could be really possible, at least if the PSX doesnt stop to search for the string when everything else looks “just right”, as we have seen on alot formerly felttip pattern tests. And we know already that the PSX still boots if the string is as example: SABCDEFEF etc. The only difference here is the ca. 12 x 4 milliseconds gap between the characters. But if the PSX doesnt need that gaps, were lucky!

Not to forget: here’s Andrew M.'s PSX SCEx page


perhaps he will joins us again.

CU, Sam


#15

Sam. It does sound possible.

However i have always wondered if that track is found by hardware.

Certainly the lead-in is found be hardware originally, but the SCEx track is read only after the lead-out is read. At this point the CD has been recognised. Is it not possible that the seek to the SCEx track then depends on sector numbers?

Before going into long and complicated tests, there is one simple thing we have to know: can we paint a line that doesn’t cause square waves? We know that it sometimes doesn’t, but we don’t know if it can done reliably.

If effective lines can be created, there are lots of possible solutions, but if not, there are none. Felt tips would be a dead end.


#16

Felt tip maybe the best solution… I think we just need the accuracy. I have looked at some art and craft tools - products from Switzerland/Holland/Germany. Yes I ordered a catalogue from Germany - company called Optec: www.optec.com (translated English version - but still some of it is in german). It came today. They have amazing quality rubber stamps, stamp cutters and stencils. The stencils are amazing, they even have curves and finely cut lines in them - I think they were cut with laser. So, it should be possible that some company could later (with a working pattern) cut a PSX stencil with laser accuracy.

Anyway, maybe we or someone could make a normal finely cut stencil with the correct dots for the SCEx pattern say on paper or thin card and then even numpties could go over with felt tip on to a CD to test.

Now all we need are practical ideas how we can go about making such testing stencils (and no I’m not leading the topic - we’re not going into arts and craft business :slight_smile: ). Any ideas anyone?


#17

Truman.

Well, I was thinking about providing the SCEx pattern as a picture for downloading. Print onto a cd label. Stick the label onto a blank CD, and drill out the pattern with a modelling mini drill. The result could ba a good stencil, if done with patience and skill. No doubt a modelling enthusiast could set up a cottage industry that way.

Still it still doesn’t solve the problem of finding the correct felt tip, spray paint, rubber stamp ink, or what have you.

As far as I can determine, felt tipping usually (but not always) results in misstracking. This wouldn’t be much of a problem, as the track isn’t read and the felt tip covers a lot of tracks, if it wasn’t for the resulting square waves. I think these square waves originate in the tracking coils, and are caused by the PSX seeking the track.

Unfortunately the PSX is not very discriminating in its acceptance of a “SCEx line on” signal. It’s supposed to be switched on by a 22khz wobble, but the square waves also work. The net result is that the “SCEx line off” we have attempted to create is drastically shortened. Too short to be useful.

Sam’s felt tip results were mixed. Occasionally the “SCEx line off” occurred as we wanted it. My theory is that this was when the laser was at the edge of the felt tip, and some of the light was getting through. If so, a semi-transparent ink, which coats reasonably evenly should work. Brush lines may well be a problem.

Truman.

Have you any idea how the PSX finds the SCEx track after reading the leadout? Is there any hope of fooling it into reading a different SCEx track at a larger diameter, or even better, reading a track immediately after the leadout?


#18

Semi Transparent Test #1

Here

http://the8ball.50megs.com/transp1.htm

you can find my newest test, looks absolutly promising (check out 2-mod-off-zoom-in.gif) !! I used a little remaining colour of an almost dry red Edding 500 marker (no, not all my pencils are almost dry ggg).

As you can see, the signal breaks are very long this time! Thats really amazing. btw you have to rename the .psx extension to .mp3, 'cause wav files are too big and I dont wanna split always the files.

Unfortunatly I used a bit fast burned test psx backup CD without any physical gap inbetween lead-in <–> data track. Therefore for the moment I couldnt get that backup to boot with modchip and/or Xchange2 after the transparent test any longer. But before it booted. Next time I’ll use a different and “better” test CD.


@Blame, your idea of publishing a description is good, but I still brood how it should be made best. If you want an electronical layoutplan I’m the wrong person to draw it, but I could provide an easy and short step by step manual with some nice pix. Id like to keep that manual very simple, so alot ppl can use it - therefore I suggest we just describe the CD-Unit flat-ribbon cable pin5 connection. And as ground they should use some of the plain metal body parts of the PSX instead of my modchip ground pin.

The rest is easy, a little audiojack in connection with the microphone-in of a PCs (onboard-) soundcard. And finally the recording of the sound (I think 44khz is enough sampling rate) with any working software (I use NERO wav editor) and last but not least the 15-24khz highpass filtering with Goldwave. The crucial and critical part of the whole connection is the connection to CDunit pin5! But its still easier instead of taking apart the whole PSX until someone reaches the usual modchip pins!

The easiest way would be just simply putting a very small needle into the flatribbon cable pin5 connection without destroying the very thin wire. And the second plus of that method: All psx models have the same CDunit cable. Personally I cant imagine alot guys will “scex-connect” their stations. At the moment the most of them (if anybody at all) will wait with their own experiments how our tests here develope. Im very confident, but every little support is welcome.

@Truman: Did see your post just a second ago. Thank you so much for adding those new feature, its fantastic! 4 the moment I’m running outa time but will answer soon. Thx alot!

CU, Sam


#19

Sam

Great work.

I am too tired to check the wave files tonight, but will give them a good look monday.

It looks like game on.


#20

I came across this site before and this seems to be new on their site
could be some special discs for the ps2. Just thought I would post it for anyone interested.
http://www.hoei.co.jp/japan/dpm/news.html

This is another link and this company seems to I think make duplicators for producing PS2 discs, they also have the media at the link above. Their specs show they use a PX-40TS drive besides a few others maybe someone on here can make out what exactly what their business is, its not in english so you have to make out what you can and post it on here so we know if its of any help.

http://www.hoei.co.jp/japan/dpm/products/index.html

Also here is their link to their firmare updates for the drives.
http://www.hoei.co.jp/worldwide/download/index.html

Also if you read the “Writing Tool Readme” from the link above it
shows these drives are suported with their product:

1-2. The supported CD-R/RW recorders for Writing Tool are as follows:
@@ Yamaha: CDR100, CDR400, CRW4260, CRW4416, CRW2100E
Matsushita: CW7502, CW7585, UJDA310
Plextor: PX-R412C, PX-R820T, PX-W1210TA, PX-W1610TA, PX-W2410TA
Teac: CD-W24E, CD-W28E, CD-W512EB, CD-W516EB, CD-W524E, CD-W540E
Generic: CRD-BP1400P, CRD-BP1500P
Lite-on: LTR-52246S

This maybe of no use at all but just wanted to make sure you all knew it was there.