PSX/PS2 Selfboot Breakthrough !?!

I think (or hope :wink:) I’m now very near these tricky little bits.

Here are some nice results:

I’ve done a very cool reconnaissance: Now I know exactly where the PSX laser searches for the country-code bootsector. The place is exactly 16-17 mm from the beginning of the inner CD circle. I simply glued a small paper near the laser lens and watched from the underside at which location the lens moves when the BIOS looks for the “bootsector”. And because I have a switchable modchip, I now know exactly the location and the period of the 2 times when this happens.

The location must be on the very edge of the LEAD-IN. And I’ve found information that it’s possible to read out the bootsector, and the next info was in Italian, but I understood it so far: the first! country-code protection is in the PREGAP!!

Another info told us the country code bytes are streamed from the subchannels, so it’s logical that this country code is located in the pregap’s subcode (this is a 2 seconds or 150 sectors big “unused” space directly before the usual ISO or BIN sector start, but on PSX CDs these sectors start with the 00 00 20 00 00 00 20 00 subheader, which is Mode 2 data!).

O.K., what we need: a software which is able to read out and burn the RAW uncorrected pregap with subchannels. I already have a burning soft called “Gamejack” which is able to read out the pregap, but doesn’t write the 2448-byte sectors 1:1 onto the CD.

I hope in the future CloneCD could implement this feature!! Write and read RAW the very first pregap.

(Yes, and eventually in the future we need a new ISO file standard: 2352 bytes main channel + 96 bytes subchannel = one sector.)

Then I have the problem that I don’t know if my subchannel data is correct.

My old 16x Lite-On reader spits out subchannel data with only: 55 55 55 55 AA AA AA AA 55 55 55 55 AA AA repeated

The new Lite-On CD-ReWriter 32x12x40:
80 C0 80 C0 80 80 80 C0 80 80 and this all in all 96 bytes long in the pregap, and 00 40 00 00 00 00 00 40 00 00 40 40 00 00 patterns (@’s) in the “usual” data area.

Please, if you want to help me in this case, read out an original PSX CD with a software and drive which is able to read this pregap subchannel and tell me how they look!

Anyway, I think this pregap is our last chance at all to burn selfbootable backups. If the boot protection is encoded in the data-track wobble or something, we can forget it, in my opinion. By the way, I checked the PS-X-Change and they used a replication mastering software which was able to write the pregap - they used Prassi.

If someone knows tricks or possibilities how to easily burn pregaps, please let me know.

One day and 8 h of testing later:

Strike! Bingo!

The boot code is directly on this pregap place!

Proof: You can cover the whole 16 mm (0.63 inch) from the inner circle, or in total a circle with 2.4 cm (0.95 inch) radius, of an orig. PSX CD and it will still boot! But if you cover only a little and very small stripe beyond that, finito! You can still read out the whole data, but the boot process halts on the originals.

What is the importance of these discoveries:

  1. The bootsector is far away from the inner circle, and so it’s never near the ATIP or the barcode!

  2. The bootsector is NOT inside the LEAD-IN, it’s directly at the end, near where the data starts!

  3. I’m as good as sure it’s encoded in the pregap’s subchannel, and it’s possible to READ out and burn this pregap with RAW subchannels.

  4. If it should not be possible to burn the pregap with subchannels RAW and uncorrected, there may still be a way to move or manipulate this subcode data until it works!

I know here on this forum are the best and most talented CD-Craxx, so please help to beat this 8-year-old protection once and forever. THX U!

CU, Sam

By the way, here’s how our 2-month-long and crazy hunt for the PSX boot started:

http://www.moogman.com/forum/mainboard.php
:smiley:

Maybe the country info is in fact located in the pregap.
The BlindWrite team also claimed that maybe their software will copy this protection one day.
As far as I know, the pregap of the first track is somehow special, because in contrast to all the other pregaps, it isn’t contained in the image, and it is also present even if you don’t specify a pregap in your cuesheet.
In fact every additional specified pregap will be added to the standard 2-second pregap.
For example:

FILE test.bin BINARY
TRACK 01 AUDIO
PREGAP 00:01:00
INDEX 01 00:00:00

will give you a final pregap of 3 seconds on your CD, violating the CD standard.

It would be very nice if Philips brought out the burner that can copy anything :bow: :bow: :bow:

Originally posted by slayerking
It would be very nice if Philips brought out the burner that can copy anything :bow: :bow: :bow:

If the multinationals deviate more from the standards, they will.

Thx everyone for your interest and the help with the “illegal” pregap tricks. I hope we can find some more guys, maybe from Hong Kong ;-), who can help us to hack this protection.

Here are now the whole pregap analyses of the last 6 hours:

A bit frustrating for me in my comparisons is the fact that completely every! disc I have tested has no subchannels in the 1st second of the pregap and always! a C0 80 mixed subchannel pattern in the 2nd second! This could mean that these 2nd-second subcodes in no way contain any country code, because they consist of the totally identical bytes or byte patterns like all! other discs.

The only really unique thing is the Mode 2 subheader on all of the 75 sectors of the 1st second in all of the 1st PSX CD pregaps. But maybe this is only an old CD-XA standard?! Because in this 1st-second pregap there is no data in the main nor in the subchannel.

This quest for the bootsector meanwhile for me is a true odyssey. This is really unbelievably crazy. But I ask myself how the China guys have done it. Sure, they use professional CD printing or pressing systems to create their X-Change2s and selfbootable Hong Kong silvers, but where did they get the “master record”?? Did they “organize” themselves a RAW bootsector binary directly from Sony or from any of their factories, or what did they use for reading out the RAW lead-in and all this “uncopyable” junk?! And what the h*ll if in the near future all these “cracked” CD protection companies ask Sony for help… will we need a modchip for our PC? :wink:

Oh man, I would never have expected that this nearly 10-year-old CD protection is still such a hard nut for our newest CD writers, and after all, because of the modchips, REALLY not worth hanging in there. So I have to repeat my statement: If I don’t find really very new and good insider info about this “mastermind” protection I can’t and won’t continue with this “selfboot project”. Sorry.

But in the end I’m satisfied: I and we X-rayed this whole topic now perfectly and completely. We cleared up that NO SINGLE bootdisc ISO out there works without a modchip; we now know exactly where the protection is and where not.

But unfortunately a lot of things in the digital world are hardware dependent. And so is this one. Without the right equipment, still today no one would be able to read out 20-year-old Atari 2600 cartridges. Compared with such “problems”, our PSX or PS2 “non-selfboot problems” are really very small. :wink:

But on the other hand I think it’s a certificate of poverty for our modern “hi-tech” times. And I really wonder how long we have to wait until such “child problems” are solved. :wink:

Maybe we should beg Sony personally:

“Come on guys, you’ve had a lot of success and earned really good money with your PSX, but now it’s an ‘antique’ :wink: system, so please do us a favour and tell us how to back it up selfbootable; we only want to play these old titles on our unchipped PS2, and we will buy as a service in return your new uncopyable PS2 DVD games. Hey, is this a deal!?”

:wink: :wink: :wink:

CU, Sam

O.K., enough of the nice words, here now the new results:


Subh. = Subheader, SubC. = SubChannel = Subcode
EDC = Error Detection Code, M2 = Mode2
Mode2 Subheader: 00 00 20 00 00 00 20 00

PSX orig. CDs | 1st 75 sectors Pregap | 2nd 75 sectors Pregap
Demo 99 (with Audio Tracks) | Mode2 Subh., no SubC., no EDC Checksum | no Subh., C0-80 SubC., no EDC Checksum
Al. in t. Dark (with Audio Track) | Mode2 Subh., no SubC., no EDC Checksum | no Subh., C0-80 SubC., no EDC Checksum
Evil Dead (no Audio Tracks) | Mode2 Subh., no SubC., no EDC Checksum | no Subh., C0-80 SubC., no EDC Checksum
Riven (no Audio Tracks) | Mode2 Subh., no SubC., no EDC Checksum | M2 Subh., C0-80 SubC., no EDC Checksum
PS-Xchange2 (no Audio Tracks) | Mode2 Subh., no SubC., 3F 13 B0 BE Checksum | M2 Subh., C0-80 SubC., 3F 13 B0 BE Checksum

other CDs | 1st 75 sectors Pregap | 2nd 75 sectors Pregap
burned PSX CD (burned with CD Master Pro) | Mode2 Subh., no SubC., no EDC Checksum | M2 Subh., C0-80 SubC., EDC!, special data 54 44 49 01 50 01 01 01 01 80 FF FF FF 00 at the beginning of every 2nd-second pregap sector
burned Data CD | no Subheader, no SubC., CDROM Mode1 EDC & ECC | no Subh., C0-80 SubC., CDROM Mode1 EDC & ECC
orig. Data CD | no Subheader, no SubC., CDROM Mode1 EDC & ECC | no Subh., C0-80 SubC., CDROM Mode1 EDC & ECC
orig. Audio CD | no Subheader, no SubC., no EDC Checksum | no Subh., C0-80 SubC., no EDC Checksum
orig. DreamCast CD (with Audio) | no Subheader, no SubC., CDROM Mode1 EDC & ECC | no Subh., C0-80 SubC., CDROM Mode1 EDC & ECC

:confused:

@Sam123456789
I wonder how some manufacturers managed to create boot discs for the PSX (so it doesn’t need to be modified) …
BTW: How did you read out the data from the pregap?
Some websites claim that PSX discs use “bad blocks” or “bad sectors” for copy protection. But I never encountered a PSX CD with bad sectors (EDC/ECC). Any idea?

Originally posted by little-endian
Some websites claim that PSX discs use “bad blocks” or “bad sectors” for copy protection. But I never encountered a PSX CD with bad sectors (EDC/ECC). Any idea?

There are two ways you’ll encounter PSX discs with bad sectors. The first is if you borrow one from your local video store which has been scratched by previous borrowers. The second is if you get a badly manufactured Asian pirate copy, which usually are full of bad sectors and other errors. However, you’ll never encounter them on an undamaged licensed original.

Originally posted by little-endian
Some websites claim that PSX discs use “bad blocks” or “bad sectors” for copy protection. But I never encountered a PSX CD with bad sectors (EDC/ECC).

I was always under the impression that early PSX CDs had a small area (within the first 20 sectors) of invalid EDC (all zeros).

Apparently that’s why early versions of Bleem! wouldn’t play back-up games, because the Bleem! developers thought that they had correctly identified a characteristic of the PSX protection and they implemented that check in their software to keep Sony off their backs. But apparently this EDC error was caused by a strange anomaly with the model of CD Burner Sony used for mastering discs. When they changed the burners used in their mastering procedure, the games were produced with correct EDC and Bleem! needed a quick fix to rectify the situation.

Is this a myth or is it the truth behind the erroneous claims of bad sectors being part of PSX protection?

BTW, please excuse me if these are worthless rumours. Whilst I do take an interest in CD protections and suchlike, I must admit that the subject is certainly not my speciality by any means. I don’t own a PSX and I don’t intend to, but I would like to understand how Sony created a protection which has remained so effective.

Searching around the Internet for a bit, I found this link. I dunno if the information in it is accurate, though . . .

Trying to defeat the PSX is almost impossible without a modchip. You fellas are talking about burning pregaps and whatever; it won’t work. Try putting something over the barcode of a PS1 or PS2 game: I stuck a very small piece of tape over the very inner bit of the game and it said “please insert PSX or PS2 format CD”. So you need the entire barcode, and simply, if you wanted to copy a game without the need of a modchip you would need a pressing machine with a completely blank CD. The blank can’t have an ATIP and must go almost all the way to the centre to get an exact copy of the barcode.

good luck anyway :wink:

Originally posted by Craftse
Searching around the Internet for a bit, I found this link. I dunno if the information in it is accurate, though . . .

Exactly this site I meant, for example, when I talked about those “bad sectors”.
But even Discworld (PAL/German), which is meanwhile really old, doesn’t seem to contain any of them.

Originally posted by little-endian
@Sam123456789
I wonder, how some manufacturers managed it to create boot discs for the PSX (so it doesn’t need to be modified) …

From what I understand, they HAVE to be pressed, so they could be pressed with the same code as an original PS game. How they managed to do anything after that, though, still puzzles me.

First: Thx Olli for fixing the problems of reading subchannel data in the pre-gap with Lite-On drives!!!

This is our final chance to burn selfbootable PSX backups, so please help together to find such a burning software.

We need a burning soft which is capable of reading AND writing the first! pregap RAW DAO96 uncorrected!

I’ve written the PS-XChange2 totally RAW uncorrected with CloneCD, and after that I saved both CDs as RAW ISOs with DiscJuggler, because this software is able to read and save the whole data, including the pregap with subchannels RAW.

Then I compared both ISOs with File Compare32, and the only difference was the subchannels of the very first pregap, and only the 2nd second.

O.K., in the next years I doubt we have a chance to read AND above all write the lead-in RAW DiscAtOnce, but there must be a way to write the first pregap intentionally.

Maybe CloneCD can implement this feature in the future, let’s hope. Maybe there is a trick with an edited cue sheet.

If you want to experiment with the software which was used for mastering the PSXChange2, you’ll find it here:

Pra**i CD Rep Prof.:

http://ftp.boe.tcc.edu.tw/cpatch/cdr/cdrep/source/

And if you click there on “parent directory” you eventually find a useful patch… :wink:

(It’s from 1998 and no longer available on their website, so who cares!)

CU, Sam

:smiley:

x.x:
Sorry to all, I will reply later to your posts. Thx for the interest.

The complete PSX boot description!:
http://www.moogman.com/forum/viewthread.php?record=877

@little-endian:
>> I wonder, how some manufacturers managed it to create boot discs…

Yes, me too. I’m sure Sony didn’t give them an original boot master disk for pressing their own bootdisks or already selfbooting Hong Kong silvers. So with the right equipment there must be a way to read out and write or press all the data which is needed to make disks autobootable.

Meanwhile I strongly doubt that there is any EDC/ECC bad block protection at all. Because a lot of new orig. PSX discs don’t have these “zeroed” 12-15 sectors any more; even the PSXchange2 doesn’t have them. And I’ve found some information that a zeroed EDC doesn’t render a sector bad. No, if the sector’s EDC is zeroed this only signals that the EDC for this sector is “switched off”. So I think we can forget this EDC/ECC “rumor”, and besides, it would be no problem to burn them with RAW DAO96 uncorrected. But I’m as good as sure this is not the boot protection!

@philamber & Bilto:
Thx for your information, and Bilto, I think your information is not just a rumor. But the only thing I don’t get is why all these “PSX backup cracks” and tutorials or FAQs want to tell us this would be the protection, and that with hardware which is able to burn uncorrected we would get selfbooting backups! I wonder if they’ve ever burned any booting backup themselves! Some were written in 1996, a long time before RAW DAO96 and the new CloneCD, so why should they know all this so exactly?

@god of burning:
Hey, what are you talking about? What you’ve written is not true!! You can for sure overwrite the ATIP, the barcode and a big part of the LEAD-IN region, and an original disc will still boot. Just use a water-soluble CD marker and paint a ring as far as possible starting from the inside. So please don’t tell us stories; there are too many lies about bootdiscs etc. on the internet, and most of them I’ve already defeated with my own tests!!!
In the meantime I’m really allergic to all these lies!

@ckin2001:
The question is: Why do they have to be pressed? I suspect there is unreproducible information in the LEAD-IN, and as long as no burning software is able to read and write RAW the whole LEAD-IN with subchannels, maybe we have no chance - only if the boot information is located in the pregap’s subchannel. At the moment I’m focusing my research on this area.

CU, Sam

I still can’t believe that lots of people still trust (even backing them up with their own false claims) ancient articles - I stopped believing those PSX articles ages ago.

I proved that bad sectors as protection were false claims in a forum way back with a Ricoh 6200 (2x - very old model recorder). It could copy those zeroised EDC/ECC and some bad sectors with Goldenhawk’s CDRWIN back then. And still people wouldn’t listen.

@Sam123456789, in the past 3 years I’ve tried a couple of theories myself. The closest I’ve got is looking at the code of the first-generation mod chips. In one of the mod chip sources you can easily see what the bytes of the country code protection consist of - I’ll repeat them here (one of these will exist on the original PSX disc depending on the country):

SCEE
SCEI
SCEA

The above are the ASCII representation, but will of course be in binary bits on the CD.

They will be present some where on the CD that our readers cannot read from. The solution is to find out where these are written to. And if possible, make a program that will generate these and write to the CDR - so that you wouldn’t need to read them from the PSX CD (you can’t read them anyway).

Oh damn, this selfboot problem drives me crazy:

Here, read this new posting from

Is it just an evil lie to keep the selfboot myth alive, or is it true??!!

http://www.moogman.com/forum/viewthread.php?record=449

Reaper Grim
neoangel1222@aol.com
Posted: 2002-06-30

About the whole burned disk not working… that’s not entirely true. I once received a PSX game that had been burned, and it worked totally fine in my non-modified PSX. I never had to use a boot disk or anything. But he did mention that it was burned in a certain manner, though he never did say exactly why. That and the game did have a short lifespan. The disk became unreadable and it had places where it would freeze up and not load after maybe 80 hours of playing it. There is a way to burn it, but I don’t think downloading it would work. Unless you were downloading an image file of the disk, then that might work, ’cause you’d be getting an exact copy. I dunno, just thought it might help some of you out.

On a side note, I had a question. Has anyone ever heard of a PS2 boot disk (preferably one you can buy) that can play import PSX games? I’d rather not spend the extra however much and buy a PSOne or PSX when I already have a PS2. Thanks all

CU, Sam

Hallali! The hunting season for the boot protection has begun! :wink:

Hi Truman and thx for your reliable information.
Your “theory” is a proven fact! :slight_smile: This information is also given by different modchip sites, e.g.:

Playstation Mod Chip FAQ
http://modchip.aeug.org/faq.html

Question 2. How does a mod chip work?

Answer 2. The mod chip will generally have a minimum of two I/O connections to the PlayStation mainboard. These go to opposite sides of an inverter gate which transmits subcode data information from the CD controller to the main CPU. This data stream indicates the region of the CD in use. By driving the input of this gate logically low, the output is floated. Then on the other side a new data stream can be injected by the mod chip.

The data that the CPU is looking for is a serial data stream at 250 bps consisting of the characters SCEI, SCEE or SCEA depending on whether the console is Asian, PAL or North American. By sending all three data streams in a rotating sequence, the chip can satisfy the console that it is reading a CD of the appropriate region.

The subcode (= subchannel) data must contain these byte strings in some kind of hex values; they should contain 53 43 45 (SCE = S ony C omputer E ntertainment). Maybe in encrypted form, and I think this string is repeated to prevent read errors. But where, where??? In the lead-in subchannel??!!

I have one idea: to patch some game data subchannels (eventually the bootsectors) with some of the extracted pregap 2nd-second subchannel bytes, because AFAIK at the moment there is no program which is capable of writing the very first data pregap RAW DAO96 uncorrected. GameJack and DiscJuggler only save these 150 pregap sectors uncorrected at the beginning of their ISOs, but it seems they don’t write them uncorrected (not with my Lite-On 32x12x40). And of course CloneCD makes much better “clones” of the whole rest of the CD!

Another method would be to intercept the data or “electric” stream the laser unit of the PSX sends at bootup to the CPU, but this is very complicated and requires really a lot of expenditure. And AFAIK the boot check is done in some kind of encrypted method.

Truman, your idea to write these (encoded?) byte strings is it. But a second question is: Is the PSX searching for the country codes all over the disc’s subchannel or only in some special locations like lead-in or pregap?? But of course first we need these bytes or byte patterns. The subchannel in the PSX 2nd-second pregap only consists of 80 and C0 hex values. As an example, this is the RAW subchannel of sector 1 of the pregap’s 2nd second:

80 C0 80 80 80 80 80 C0 80 80 80 80 80 80 80 C0 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 C0 C0 C0 80 80 C0 C0 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 C0 80 80 80 80 80 80 80 C0 C0 C0 80 C0 C0 80 80 C0 C0 C0 80 80 80 C0 C0 C0

Does someone have any idea how to decode these subchannel bytes, or what kind of information they contain?

CU, Sam

P.S. And of course Olli, “creator of the famous SheepDollyCD ;-)” (maybe you read this), you’ll be the first we will provide with the information to beat this ‘ancient’ protection!
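Added example (editor’s code, not from Sam or any other poster in this thread): a small Python decoder for the 96-byte block Sam posted above. It assumes the drive returned the block in the raw interleaved layout of a “read with subchannel” command, i.e. bit 7 of every byte is the P channel, bit 6 is Q, and bits 5..0 are R..W for 96 consecutive subcode frames. It splits the block into its eight channels, parses the Q channel the way a drive does (BCD fields plus the inverted CRC-16-CCITT over the first ten bytes), and also decodes the XA subheader from the table earlier in the thread. Run on the posted dump it shows that the 80/C0 pattern carries nothing exotic: P is all ones (the Red Book pause flag that is set throughout a pregap), R..W are empty, and Q is an ordinary mode-1 position entry with a valid CRC for track 01, index 00, relative time 00:00:73 (counting down through the pregap) and absolute time 00:01:01, exactly sector 1 of the second second.

```python
"""Decode a raw interleaved 96-byte CD subchannel block and parse its Q channel.

Editor's added example; not code from the thread.  Assumption: the input is a
raw (not de-interleaved) subchannel read, one subcode frame per byte with
bit 7 = P, bit 6 = Q, bits 5..0 = R..W.
"""

# Constructed from Sam's posted dump (sector 1 of the pregap's 2nd second),
# re-split here at eight frames (= one Q-channel byte) per line.
SAMPLE_HEX = (
    "80 C0 80 80 80 80 80 C0 "  # Q byte 0: CONTROL (high nibble) / ADR (low nibble)
    "80 80 80 80 80 80 80 C0 "  # Q byte 1: TNO (track number, BCD)
    "80 80 80 80 80 80 80 80 "  # Q byte 2: INDEX (00 = pregap)
    "80 80 80 80 80 80 80 80 "  # Q byte 3: MIN    (relative time, counts down in pregap)
    "80 80 80 80 80 80 80 80 "  # Q byte 4: SEC
    "80 C0 C0 C0 80 80 C0 C0 "  # Q byte 5: FRAME
    "80 80 80 80 80 80 80 80 "  # Q byte 6: ZERO
    "80 80 80 80 80 80 80 80 "  # Q byte 7: AMIN   (absolute time)
    "80 80 80 80 80 80 80 C0 "  # Q byte 8: ASEC
    "80 80 80 80 80 80 80 C0 "  # Q byte 9: AFRAME
    "C0 C0 80 C0 C0 80 80 C0 "  # Q byte 10: CRC high byte (stored inverted)
    "C0 C0 80 80 80 C0 C0 C0"   # Q byte 11: CRC low byte
)

CHANNELS = "PQRSTUVW"


def deinterleave(raw: bytes) -> dict:
    """Split 96 interleaved frame bytes into eight 12-byte channels P..W."""
    if len(raw) != 96:
        raise ValueError("a raw subchannel block is exactly 96 bytes")
    out = {name: bytearray(12) for name in CHANNELS}
    for i, frame in enumerate(raw):
        for bit, name in enumerate(CHANNELS):
            if (frame >> (7 - bit)) & 1:          # bit 7 -> P ... bit 0 -> W
                out[name][i // 8] |= 0x80 >> (i % 8)  # first frame is the MSB
    return {name: bytes(buf) for name, buf in out.items()}


def crc16_q(data: bytes) -> int:
    """CRC-16-CCITT (poly 0x1021, init 0, no reflection) as used by the Q channel.
    The disc stores the one's complement of this value in Q bytes 10..11."""
    crc = 0
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def bcd(b: int) -> int:
    return (b >> 4) * 10 + (b & 0x0F)


def decode_q(q: bytes) -> dict:
    """Parse a 12-byte Q channel; position fields are only valid for ADR 1."""
    control, adr = q[0] >> 4, q[0] & 0x0F
    stored = int.from_bytes(q[10:12], "big")
    info = {
        "control": control,
        "adr": adr,
        "data_track": bool(control & 0x4),
        "crc_ok": (crc16_q(q[:10]) ^ 0xFFFF) == stored,
    }
    if adr == 1:
        info.update(
            track=bcd(q[1]), index=bcd(q[2]),
            rel_msf=(bcd(q[3]), bcd(q[4]), bcd(q[5])),
            abs_msf=(bcd(q[7]), bcd(q[8]), bcd(q[9])),
        )
    return info


def analyze_block(raw: bytes) -> dict:
    """Full summary of one raw block: Q fields plus what P and R..W carry."""
    ch = deinterleave(raw)
    info = decode_q(ch["Q"])
    info["p_all_ones"] = ch["P"] == b"\xff" * 12      # P = 1 throughout a pause/pregap
    info["rw_all_zero"] = all(ch[c] == bytes(12) for c in "RSTUVW")
    return info


# CD-ROM XA subheader submode bits (byte 2 of the 4-byte subheader).
XA_SUBMODE_FLAGS = {0x01: "EOR", 0x02: "Video", 0x04: "Audio", 0x08: "Data",
                    0x10: "Trigger", 0x20: "Form2", 0x40: "RealTime", 0x80: "EOF"}


def parse_xa_subheader(sh: bytes) -> dict:
    """Parse the 8-byte XA subheader (4 bytes, repeated) of a Mode 2 sector."""
    if len(sh) != 8 or sh[:4] != sh[4:]:
        raise ValueError("XA subheader is 8 bytes and both copies must match")
    file_no, channel, submode, coding = sh[:4]
    return {"file": file_no, "channel": channel, "submode": submode, "coding": coding,
            "flags": [n for bit, n in XA_SUBMODE_FLAGS.items() if submode & bit]}


if __name__ == "__main__":
    print(analyze_block(bytes.fromhex(SAMPLE_HEX)))
    print(parse_xa_subheader(bytes.fromhex("00 00 20 00 00 00 20 00")))
```

The CRC check is the useful part: a block whose Q field verifies is plain Red Book timing that any reader reproduces, so a dump like this one cannot by itself be the bit of data that distinguishes an original. The same decoder applied to the other 149 pregap sectors should show the relative frame counting down and the absolute time counting up, and the 00 00 20 00 subheader decodes to an empty XA Form 2 sector (file 0, channel 0, submode Form2), which is ordinary CD-XA usage rather than anything PSX-specific.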

Beating the PSX with your home burner is useless, [EDIT]:cop:[/EDIT]. Get a mod chip and save yourself the time. One last thing: the protection in the PSX is the hardest to bypass out of any protection I’ve ever seen; it’s tougher than SafeDisc 2, Tages, etc. Yet it is so simple to beat with a mod chip; without one, though, you then see the absolute superiority.

@god of burning
You forget that most of these forum users (me included), who mess around with e.g. copy protections, are in some way “freaks”. We all could save much time if we used cracks, but we want 1:1 copies. I still hope the PSX protection can be beaten once and for all.

So, Sam123456789, keep up all the good work!

I just want to say that the ECC errors are a form of protection and are present on a copy of the HK bootdisc that I have. The really strange thing about this disc is that it boots on my US PS1 and also gets a strange reaction on my JP PS2 (boots with a distorted Sony logo and freezes). The country code is not like that of regular discs on there…

Maybe someone can figure it out?