This is a summary of all the investigations performed by members of this board
regarding the PSX boot process. The original (28 pages long) thread is there.
PSX Bootprotection Summary
.* * * * * * * * * * * * * * * *.
All newbies to the PSX protection and everyone who
thought the usual claims are true, read THIS first
before you post to the following new "LIMITED" thread.
We are happy to have you here and look forward to your
contribution, motivation and help, but PLS either first
read the complete PSX/PS2 Protection Breakthrough thread
or at least this very short overview, including the
topic about what we don't wanna discuss here again,
which is in fact just the whole set of proven wrong claims.
It was much work to find proofs of what the protection
consists of, and which claims are lies, proven wrong
rumours or stories of people who seem to have
a bit too much fantasy, eg !!
P A R T . 1 :
- Proven wrong claims about the protection!
(we won't discuss that stuff anymore)
1. EDC (Error Detection Code) zeroed checksum
That was just a "fingerprint" of some old S*ny
mastering equipment which has been transferred to the
CD press, nothing else! Some PSX emulators for PC took
"advantage" of that difference in sectors #12 to #15,
but they had to correct that in later versions, because
of newer mastering hardware. Proven as wrong by many
different people, and since everyone can burn RAW DAO 96,
ca. since 1999 (some earlier), every unbelieving
infidel can prove this on their own. btw:
That kind of EDC is just used by Mode2 Form2 sectors,
normally just used for video (for example VCD or str).
2. The first 16 sectors contain the boot protection
That is a misunderstanding. The first 5 sectors contain
the territorial info, which is only important for
really self-bootable disx. In Japan those sectors have
a nice pattern, which the PSX seems to be able to
recognise; for US and PAL, those sectors are
almost zeroed. Just sector #4 contains a short printable
character string meant for displaying on the screen.
Sectors #5 to #11 contain the graphical coloured PS
logo for displaying on valid PSX bootup, but that
picture can be exchanged with all kinds of other short
image files in the proper *.tmd format.
Sectors #12 to #15 are the proven-as-wrong zeroed
"EDC checksum sectors" (see above); they don't contain
any important info for the PSX.
Those 16 sectors (00 02 00 to 00 02 15) don't contain
the main boot-code information at all; they contain a
second check and their main purpose is to display some
bootscreen info (excluding the Japanese special
boot verification at sectors #0 to #4).
3. Burning data "AS" audio CD
(the modless.cdr variant)
In earlier times the only reason to do that was to burn
"fully self-editable 2352 sectors", in other words burning
zeroed EDC (proven as wrong, see above).
Other "comrades" thought that with that method the PSX thinks
it's an audio CD, so it passes through the "boot check"
and nevertheless will execute the data code.
I proved that as wrong: when the PSX boots the CD as an
audio CD, even if there is the correct data structure in
the CDDA track, the PSX handles such disx as audio only!
Such disx indeed are bootable with Import Player or
PS-Xchange2 "bootdisx", but that's not of interest here.
And, important: I have tested, the PSX first decides only
by the Lead-In structure if it's a data or audio CD,
and doesn't check if the data track is written as audio.
Only if the first Lead-In check "datatrack = true"
was successful does it pass through a second "is it a
Data or Audio check?", after the SCEx check, and decides
a second time (not with bootdisx, they really can boot
"wave-data tracks") what to do!
4. Black bottom CD-Rs
They exist from a lot of different vendors and companies and
they are not from S*ny and have no booting "SCEx lead-in"
on them. Some supercool guys said they boot on their
PSXs, but if you ask deeply, they have to confess that
either their PSX/1 was chipped without their knowledge
or they just told some stupid garbage to make themselves
important or whatever.
5. 'Bootsector' out of the laser's reach
Wrong, the boot signal is modulated through the Lead-In
track; it's just not recognisable by PC CD drives of
all kinds, because they don't have the option of putting
out tracking error signal codes.
6. Bad sectors - also inside the data area
The PSX definitely does not use any bad sectors as
boot protection! The additional, just sometimes used
Libcrypt protection uses "bad subcodes" as protection,
but that problem was solved a long time ago just by
RAW DAO 96 read and burn! And some games like
Tomb Raider use a "correct track start LBA check" protection.
7. PSX checks for Barcode or ATIP
The PSX laser definitely does not look for any barcode or other
markings at the very inner ring side of the CD.
The PSX doesn't check intentionally if there exist some
As a side effect of the constant 22kHz "ATIP" wobble
throughout the whole "empty" CD-R, it seems the SCEx
pulses, which consist of logical zeros and ones, tend
to always be ones, but after pits are written!
We know the PSX laser isn't that "very good looking",
so for 90% it seems the PSX laser can't read the PSX
ATIP wobble directly, just by the "influenced track".
That track then has very slightly the "fingerprint" of
the ATIP, even if the tracking coil corrected on burning.
Perhaps here sometimes we get the key to switch
on or off the "wobble".
8. ??? Insert further false claims here.
P A R T . 2 :
Here now starts the verified boot protection information
we wanna discuss in future, for developing further
anything possible and finding many more details about it:
I wanna explain it from the very start:
The track(s) of a pressed CD consist of an as good as
straight spiral, beginning in the inner circle and
continuing 'til the outside edge.
The factor "almost straight" is very important.
Because the laser unit has some tracking coils, whose
purpose is to keep the laser beam, or better the reflection
of the beam!, as good as centered even if the CD
spins at a very high speed, so the beam doesn't lose
the trail while reading the track.
The PSX's tracking coils took some advantage of this
technique, and they have a special output for
"tracking errors". Because at the pressing stage of the
PSX CDs, the Lead-In gets a very little, but still
recognisable modulation (near to what it was in earlier times
on vinyl records). That modulation consists of longer
or shorter tracks of 22kHz wobble pulses; the
shortest distance we found out is ca. the length of
1/3 to 1/4 CD sector. The signals consist of the SCEE,
SCEA, or SCEI characters in old RS232 transmission code,
which is already completely decoded and no big secret.
The modchip simply injects those SCEx characters into
the needed wire at the needed time and so the PSX
BIOS and CPU 'think' the CD controller sends over the
correct signal and starts the boot code sequence.
Recreation of that SCEx 22kHz wobble pattern with CD-R
This was and still is our big challenge !!
To win that challenge, we've found out a lot of interesting
test results; Truman developed a special CD burning
software which for the first time ever was and is able to burn
x-special edited lead-ins, at any position, and which is
able to skip single sectors or whole parts.
---insert link to his homepage if wanted-
And we found out the 22kHz patterns are creatable
simply by painting stripes or dots over the CD-R's
lead-in region, which causes almost identical 22kHz
"ON - OFF / logical 0 - logical 1" patterns like the
original pressed SCEx wobble "creates". To verify and
control those patterns at all, BlameTheEx and bootdisx Sam
(I have to write in 3rd person about me ggg)
invented a PSX - PC line-in connection system, attached
to different special pins of the modchip and the
laser-unit flat-ribbon lines. We made documentation
about how it works and what testing results we got;
they are hopefully still available at the page:
A lot of further links aren't connected directly, but they can
be found throughout the whole PSX/PS2 selfboot thread.
Really a lot of tiring SCEx 'pattern over lead-in tests' have
been made and analysed and they were honoured by
very much public interest here at the cdfreaks Forum.
But to paint 'around blind' on CD-Rs was very unreliable,
'cause the PSX laser reacts unpredictably, the pattern
cannot be duplicated and transferred that exactly (at least
for the moment) as it would be needed, and the negativest
One CD circle corresponds to just 0.125 second, but the
complete SCEx string needs the time of ca. 0.250 second.
This makes it impossible to "paint" the complete
boot string over the lead-in's circle, at least as long as
we don't find a method to compress that pattern or make
the PSX laser switch from one to a second "level".
That's very hard to do, restricted by the tight space
of the lead-in circle. Tests to burn 'thicker' lead-ins failed,
because the PSX laser hardware seems to be restricted
to finding the lead-in and data area at an already fixed
btw. it was proven the PSX doesn't need a lead-out track,
and the lead-in doesn't need to have the full size; either
it is just half the size, starting at the "REAL" beginning,
and the data track immediately starts directly, or there is
space between the lead-in and the data, which then starts at
the usual position (still with a half-sized lead-in!), or even
if the first 5500 lead-in sectors are missing (seen from
the "real" start writing position) and just the
"second half" is present and followed directly by the
data track, everything almost works (if the laser is
calibrated correctly and has no problems reading
CD-Rs at all).
We also did a lot of Skip! lead-in sector tests, but they
aren't usable for writing "22kHz wobble creation";
the skipped distances are simply too long for the needed
SCEx values, and it seems the skipping hasn't any effect
at all to create 22kHz breaks. Yes, the problem is:
creating 22kHz breaks of the right length, because it
seems, or is really so, the CD-R is full of continuing,
uninterrupted 22kHz waves "heard by the PSX laser".
Our last developments have been in these directions:
a) perhaps development of CD-writer modchips
b) burning structures into the lead-in which cause the
PSX laser either to change the spin speed from
1x to perhaps a higher value (the SCEx search is
done at 1x CD reading speed) or to find some
backdoors which enable us to skip the boot code
search sequence or imitate it!
c) leading the PSX laser from the usual lead-in track
to a second one, having the needed space for the
d) disturbing the tracking coils by heavy sound/noise
vibrations, which is really risky to destroy the
hardware (and "neighbourhood friendships" gg); till now
we didn't have any success with that
e) very few attempts at finding ppl who have the knowledge
for programming modchips for our purposes
f) analysing electronic circuit board prints of the
PSX's controller hardware and more
g) analysing the so-called "square waves" the PSX laser
creates on "disturbing"
h) finding out the location inside the lead-in where
the PSX laser searches the 'protection trail'
(for the moment it seems it's all over the lead-in)
i) finding reliable information about the mysterious
Lik Sang boot CD-R
j) short tries on how to create split CD-Rs with orig
boot sectors, also how to "mount" those if possible
k) injecting SCEx noise signals from the PC's soundcard
into some PSX pins to circumvent the modchip
l) searching for ppl who have coded PSX for PC emulators
and perhaps know some "boot secrets"
P A R T . 3 :
Last but not least I have to note that we've had the
help of the "dinosaurs" of the PSX boot protection,
Alex Lau, Old Crow, AndrewM (who came a bit late ggg),
Barubary and some "top secret" informers,
who brought us onto the right way,
after searching around in the PreGap subs
etc., and also a big appreciation goes out to the
CDfreaks Forum mods and owners who let us test around
for such a long time & so made it possible to go
so far! Now that PSX protection cracking goes into a
new and hopefully more successful era, we still
enjoy every helpful bit of information and (insider) tip for
finding out as much as possible about it, for example
much more detailed info on how that prot. was developed
and how it was recreated by diverse HK etc. companies,
with or without CD-Rs. Our goal still is to develop
the needed software, hardware modifications, techniques,
FAQs etc. for beating "sometimes" that protection.
Not to forget all the people who helped us over that
whole time, and also thx to Wig Wam and his group for
his superb, "toadstool use compatible" *E Egg*
artistic expression of the "Misalignment" theme!
Nice impression and influence, making things visible
which we dealt with for so long and are still looking 4 t answer.
Very few of us decided to hang in to that very hard
challenge, even though there's not much light in sight, but
it's in the tradition of "beating every system sometimes"
and I'm sure we will always be the winners, even if
it takes years! It's the mental strength which counts.
And we don't always need the newest system to prove
our skills; even the PS2 will sometimes be an old
system, if it isn't already.
If you are new to this topic but really interested,
I suggest first reading through the whole
PSX/PS2 Breakthrough thread; it really contains
indescribable info about our development and in-depth
info, also some funny stuff.
In that thread it is also described how a PSX - PC
connection can be built up, and I really hope, besides
only me, some other tec-freaks are encouraged enough to also
connect their PSX and then be able to
verify the SCEx or test signals! That's really important,
because the more people can test the created signals and
compare those with the orig. SCEx, the faster we could
find the clues to how it can be done finally.
I hope our whole work within that PSX protection topic
will remain forever on the Internet and will
animate and inspire following "generations"
for further development (of course just if we don't
beat that prot. in our lifetime! ggg
Sometimes I'll get my hands on a S*ny machine
which enables me to finally burn self-bootable stuff;
if we really never find a way to make it with usual
public PC CD-R equipment I guess I have to visit
that S*ny party sometimes personally!
Additional infos :
The actual bit patterns for SCEx:
SCEA: 1 00110101 00,1 00111101 00,1 01011101 00,1 01111101 00
SCEI: 1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01101101 00
SCEE: 1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01011101 00
One bit of SCEx data (4 milliseconds long) will be 4.8 millimetres long.
The SCEx is written on a track starting at about 24mm diameter (15cm circumference) and 2 (?) mm wide.
The SCEx signal is repeated throughout the track, once every 250 ms, or 30cm. The signal is 42 bits long, from first to last "1" bit (168ms, 20.16cm).
The SCEx is written as side to side wobble, at 22.05 kHz.
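As an added example (not code from the original thread), the following script decodes the three bit patterns quoted above back into their ASCII characters and recomputes the lengths stated for one bit, the 42-bit string and the 250 ms repeat. It assumes the framing read off the patterns (one start bit, eight data bits least-significant-bit first, two stop bits, all inverted relative to the usual UART polarity) and a nominal 1x linear speed of 1.2 m/s.

```python
# Added example (not code from the original thread): decode the SCEx bit
# patterns quoted above and check the physical lengths the post states.
# Assumption, read off the patterns: each character is one "old RS232"
# frame of 1 start bit, 8 data bits sent least-significant-bit first and
# 2 stop bits, with every bit inverted relative to the usual idle-high UART
# convention (so the start bit shows as 1 and the stop bits as 00).

SCEX_PATTERNS = {  # copied verbatim from the post
    "SCEA": "1 00110101 00,1 00111101 00,1 01011101 00,1 01111101 00",
    "SCEI": "1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01101101 00",
    "SCEE": "1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01011101 00",
}

BIT_MS = 4.0                # one SCEx bit lasts 4 ms (from the post)
REPEAT_MS = 250.0           # the string repeats every 250 ms (from the post)
LINEAR_SPEED_MM_S = 1200.0  # 1x CD linear velocity, about 1.2 m/s (assumed nominal CLV)


def decode_frame(frame: str) -> str:
    """Turn one 'start data stop' group into the ASCII character it carries."""
    start, data, stop = frame.split()
    if start != "1" or stop != "00" or len(data) != 8:
        raise ValueError(f"malformed frame: {frame!r}")
    inverted = "".join("1" if b == "0" else "0" for b in data)
    return chr(int(inverted[::-1], 2))  # LSB was sent first, so reverse


def decode_scex(pattern: str) -> str:
    """Decode a comma-separated list of frames, e.g. the SCEA pattern."""
    return "".join(decode_frame(f.strip()) for f in pattern.split(","))


def active_span_bits(pattern: str) -> int:
    """Bits from the first to the last '1' of the whole string (the post's 42)."""
    bits = pattern.replace(",", "").replace(" ", "")
    return bits.rindex("1") - bits.index("1") + 1


def length_mm(duration_ms: float) -> float:
    """Track length covered in the given time at 1x linear speed."""
    return duration_ms * LINEAR_SPEED_MM_S / 1000.0


if __name__ == "__main__":
    for name, pattern in SCEX_PATTERNS.items():
        print(name, "->", decode_scex(pattern))
    span = active_span_bits(SCEX_PATTERNS["SCEA"])
    print(f"one bit: {length_mm(BIT_MS):.2f} mm")
    print(f"{span} bits: {span * BIT_MS:.0f} ms, {length_mm(span * BIT_MS) / 10:.2f} cm")
    print(f"repeat: {length_mm(REPEAT_MS) / 10:.0f} cm")
```

The 42-bit span comes out because each string is four 11-bit frames (44 bits) and the last two bits are the stop bits; the decoded characters confirm the "old RS232" reading of the patterns.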
The 22.05 kHz wobble of the underlying track (not the recorded "pits", which are not supposed to wobble) used to store ATIP information on writable disks is 5.44 um peak to peak, with an amplitude of +-0.03um. The wobble for SCEx is probably similar; however normal factory made read only disks do not have an underlying track. Either the official playstation disks are different, or they have wobbled pits.
The track width is only 1.6 um, about 2 wavelengths of the 0.78 um laser light used, so ANY markings on the track, that are not centred, will be detected as side to side information, whether it is "pits", or the underlying track.
Data on a CD-R are organised on a single 5.3 kilometre long spiral called 'groove' or 'pre-groove'. The groove is actually not a flat spiral, but a soft sine wave called 'wobble'. This sine wave is very slow (22.05 kHz), with a small amplitude (30 nm) and a constant width (600 nm); all the data, coded as pits and lands, are located in this spiral. The wobble is mandatory to write on a disc, so the complete track is wobbled, which includes the PCA, PMA, lead-in, program area and lead-out.
This wobble has 3 uses. First, it allows the drive to regulate the rotation speed of the disc. Indeed, the drive continuously measures the frequency of the sine wave it reads and it can for instance adjust the motor speed so that it always matches the theoretical 22.05 kHz value: when this happens, the disc spins at 1x CLV. Second, the wobble is used as tracking information, i.e. it ensures that the pits are correctly written along a track. Finally, the wobble carries ATIP information through frequency modulation of the wobble sine wave (22.05 kHz +/- 1 kHz).
How does the wobble suffer from CD-R burning? Pretty well it seems, since ATIP information can still be read from a burned disc. In fact, the wobble is actually partially damaged during burning, because the pit width is close to the wobble width (600 nm), so that the edges of the wobble can be damaged where pits are burned. Moreover, the pits are not exactly written following the wobble. Indeed, before being used as tracking information (push-pull), the wobble signal is processed by a 5 kHz low-pass filter, and therefore the head does not follow the wobble: this means that the pits are actually written on a flat spiral trajectory, which increases the probability of damaging the edges of the wobble on particular locations.
added by me:
To summarise for our purposes:
1) The wobble exists throughout the disk, and is not significantly removed by writing.
2) The writer uses the same detectors for both wobble and side to side error correction. However, before using the signal for error correction, the wobble is filtered out by a 5 kHz low-pass filter. This is the official design.
3) The wobble can't be removed, or meaningfully altered, by writing, because the laser head doesn't follow the wobble.
In addition we have no way of writing pits with any sort of variation near 22 kHz.
We can skip sectors, but they are at 75 to the second, which is far too slow.
We can write bit patterns that have a lot, or very little, pit, but the writer will swap pits for lands, if necessary, for the next byte. The algorithm used is designed to force an evening out of pits and lands, and we have no control over it. It is effective. The result is a maximum pit density wobble that drops steadily downwards below 127 kHz.
Regardless, a pit density wobble will not be interpreted as a side to side wobble by the playstation, as long as the pits are laid in the centre of the track.
Presumably some writers use a filter that varies according to the write speed, but always lower than the wobble frequency. Perhaps some of the fastest are mechanically capable of correcting wobble at 1X speed, although any mechanical system that could correct a 22 kHz wobble would be impressive.
It's feasible that some poorly designed high speed writer might correct wobble at 1X speed without modification. If so, an additional filter, switched on and off by a mod chip, would work.
It's plausible, but not exactly likely, that an expert BIOS programmer could modify a writer BIOS to hack out the wobble in patches, to create a SCEx signal.
It is slightly more likely that an expert on writer design could use a mod chip, and additional components, to bypass the filter in pulses, so as to write the SCEx signal.
I am not entirely sure what the result of wobble correction would be. I doubt the result would be a complete removal, as far as the playstation's reading is concerned. However I am convinced that it will either significantly reduce or increase the perceived wobble, and that may be enough.
It is highly unlikely that by the time any such design was published, the writer used would still be in production, nor can there be any reasonable hope that such a method will work for playstation 2 disks.
It would be entirely possible for a CD-R manufacturer to produce disks with the SCEx built in, although I suspect they might need modified software to write. However, I would be amazed if it could do so without copyright infringement. Sony would certainly mount an expensive legal battle, whether they would win or lose. I doubt any manufacturer would dare.