Tracking coil modulation & wobble deletion

I want to start this new thread for experts only. We’ve come a long way, “working” out the very details of some special protection, which still seems to us impossible to break.

This thread in its very beginning should have nothing to do with PSX or PS2, all related things about that stuff have already been discussed without end, and they are not wanted for now.

For the moment this topic is a very first try to get in contact with high-graded & complicated hardware issues. In the far future this, here collected information is intended to be the foundation stone for very sophisticated burning techniques.

OK, let’s start with a very good idea:

We have already collected a lot of proofs and samples that a usual CD-R(W) (and also DVD-+R(W)) always creates a wobble signal at the tracking coils. Burning such recordable disx without wobble would be a big step in the right direction.
Well, so far the track (pits and lands) was always burned into the middle/centre of the ATIP groove.

Even if the track was burned very straight forward (as usual), the tracking coils receive the ATIP background noise.

Seems this problem is impossible to solve, because we can’t eliminate that ATIP, but wait:

If we can manipulate - modulate the tracking-coils, we can burn the whole track “off center”! It should be possible to shift the burned pits slightly left or right “off track”, or better, “off wobble”.

Until now we have no experience of how “thick” that ATIP background noise is, but it should be possible to find this out. There must be some “wobble free” region in between the pregrooves. If we can adjust the tracking coils in a fashion that the burning laser beam will get deflected out of center, out of the wobble area, the final created track will not cause any 22 kHz signals!

btw, if we adjust that track “right beneath wobble”, we can easily turn on-off wobble just by some very little deflection correction pulses (which would move the burning laser for a very short time into the wobble area).

So far the theory! Until anybody in this world can access those “features”, we would need really a lot of information, experiments and insider hardware knowledge.
We can start to find out how exactly tracking coils work, in what way the burner’s hardware interacts with them and steers those coils.

Are they really coils at all? If yes, are they affected by some very small electromagnetic field?
What circuits regulate and control the power for those coils? What kind of ultra-short timing would we need for getting track-burning fluctuations at, perhaps, 8x speed?! How can we power one coil stronger than the other?!

If there’s a way of clearing up those questions and finding out how some firmwares have been coded, or better how we can find some specialists who could integrate our discoveries into their burners (firmwares), I’m sure in at least 5 years the wobble (and a lot of selfboot retrogamers’ ;-) problems are solved forever.

I wrote this just for inspiration, 4 the moment all I can do is search the net for “insider-infos” about very technical CD-writing (hardware) stuff, perhaps I could sacrifice one of my CD-DVD writers making some experiments (perhaps doing some trial’n error firmware modifications :wink:)

I know this topic here is one of the most “impossible thoughts ever” on this forum, but these are the final results of some very long time of checking out how some special protection works. It’s the final small and slippery bridge, which could lead us OVER the big sea, where all those modchips are diving through. ggg

CU, Sam

Long time since I popped in.

You can’t write “between the tracks”. The spacing is very tight. At the middle point you would just get wobble from both tracks!

There is more hope for staying in the track, and compensating with a counter-wobble. The CD writer’s hardware is specifically designed not to do that, but there is always the possibility of hardware/software modification. I have mentioned before the possibility of using a drive at slower speed than designed, or at least expected. Perhaps then some specific model will correct wobble.

Your true interest has always been PSX wobble. The assumption has always been that it is a side to side wobble like ATIP, but was it ever checked? The wobble could just as easily be a volume or up/down wobble. A volume wobble would be much easier to create.

Is there any chance of writing a CD image on a DVD disk? That would eliminate the wobble!

Interesting comments.

@Sam,
I can confirm the coils in the CD lens module are normal magnetic coils - I’ve checked them out on my old 2x burner. There are 4 connection points and applying a small 1.5v (I think a bit of an overkill) battery made them move upwards or downwards!

If it helps anyone I have close up pictures of the lens if anyone wants - I could post them on my webspace.

@Blame,

“Is there any chance of writing a CD image on a DVD disk? That would eliminate the wobble!”

The PSX doesn’t read DVDs unfortunately.

It’s great our old connection is still alive! :smiley:

Yeah Truman, would be great if you up the pix, and I’m still interested
in how to burn or modify CD-Rs until they will do the “complete job”,
but unfortunately I haven’t given a lot of thought to how to achieve this
lately. But my “PSX hacking equipment” :wink: is still alive ‘n
kickin’, and I’m still motivated to do tests and stuff, and with a little
bit of luck I/We will get new innovative ideas about which possibilities are
still left.

CU, Sam

Seems one of such (already former) ideas, or better, dreams
has already come true:
The Plextor PlexWriter Premium is capable of stretching or
compressing the pit-land structure at these values:

0.6, 0.7, 0.8, 1.2 and 1.4

afaik 0.6 means you get just 0.6 of the usual data onto the CD
(which means stretching for possibly better jitter and more
compatibility) and 1.4 would bring (if everything works fine)
1.4 times the usual data storage onto the disc.

It’s no big problem about the amount of data, because
PSX disx usually don’t have that much and are limited to
630MB, even the Multi-Session issue is no problem at all.

The big question is:
Does a burn at 0.6 or 1.4 eliminate the CD-R wobble?!
Let’s assume the PSX has to change the drive speed if the
pits are stretched or compressed (btw. compression could
make problems for the not really professional PSX laser unit),
so the wobble frequency has to change, too, right?!

Let’s assume we burn a CD at value 0.6 (stretched),
this would speed up the disc from 1x at bootcodesearch
to around 1.8x (don’t have the exact formula :wink:)
In that case the frequency would change from 22 kHz
to ca. 35 kHz, which should make it invisible for the PSX’s
detection system alias tracking coils.

If this works that way, we should still be able to burn the whole
content of even large 630 MB disx by using some 90min CD-R.

Great, CD-R wobble bye bye forever! :-)))

Just how to create the needed wobble impulses now!??

The felt-tip method perhaps will work now if the pits are compressed,
(because then there should be enough time for the whole SCEx code)
but first we have to test if the PSX can read compressed disx at all.

Who’s buying first such Plexwriter Premium??? ggg

CU, Sam

I made a new crazy discovery:

From now on it’s possible to burn a PSX backup
which is selfbooting, but for the DreamCast!

btw that very same CD also still boots in the PSX
by Chip, swap etc.!

How does this work - you’d like me to solve the riddle, OK:

For over a year the Bleem!Cast beta crack has been
leaked by some beta tester and is available
on the net.

This bleemcast has the advantage of booting every
PSX game, but unfortunately it was a very early beta,
the creators of that nevertheless fantastic work said
it’s just around 25% of what the final product would have been.

If you are interested you can find the discussion about
that beta here

Well, here’s how it works:
Burn the PSX backup as usual as a closed session, but
leave the CD open. Now the only thing you have to
do is write the 1BLEEM.BIN as second session as a
selfboot hack. It’s the same procedure as I
described in my PSX-DC 2in1 Tutorial here

Now the surprise (it was one even for me):
If you put that CD in the DC, it will boot totally
on its own! If you don’t know it’s a PSX disc, nobody
would know it’s no DreamCast game etc!

And for the PSX there’s no difference,
it would boot as before.

So far so fantastic, the only prob is that bleemcast
is at a very early state. There are some
compatibility lists floating around, showing which game works how
well. Around 20% of all PSX titles work,
but even those lack movie sequences, have missing
button mapping, sound problems etc.

However, this development now’s another curious
peak about the selfboot related issues we’ve been in for
such a long time, it’s really kinda ironic! :wink:

CU, Sam

This might not be the current topic of interest but I know
you have been working on it for a long time.

Here is a clear explanation of things you have been seeking
answers to.

http://www.baetzler.de/vidgames/psx_cd_faq.html

or check out the google cached version if the link above does not work:

http://www.google.ca/search?q=cache:L3B7G339KHYJ:www.baetzler.de/vidgames/psx_cd_faq.html+psx+protection&hl=en&ie=UTF-8

cheers.

@dark, actually, the doc has some misinformation. There was never a copy protection based on bad EDC/ECC. The cause of that was actually badly pressed or scratched Hong Kong discs (yes most of the discs were badly pressed), not forgetting bad CDR media at that time (early days for CDR media).

Also, there are actually 2 levels of country code protection (as mentioned before in our other thread):

  1. Encoded as wobble on the disc, somewhere in or near lead-in - this cannot be copied
  2. At sector level (as mentioned in the link you gave) - this can be copied

We are looking at the 1st protection - which can’t be copied with conventional PC software and drive. It’s only emulated by modchip.

@Sam,

“Yeah Truman, would be great if you up the pix”

I’ve uploaded 2 close up pics of a CD lens from a broken 24x CD rewriter:

http://www.xcdtool.pwp.blueyonder.co.uk/cd_lens_4_coil_points.jpg
http://www.xcdtool.pwp.blueyonder.co.uk/cd_lens_magnetic_coils.jpg

For those interested they were taken with Sony’s snazzy DSC T1 at 5.1 megapixel, scaled down to 800x600 and resaved.

Notice that the 1st pic clearly shows the connection points to the magnetic coils and the 2nd pic shows a very close up of the coils themselves.

Thanx Truman, very interesting to see.
Perhaps we should attach some kind of small magnets on top of the PSX disx. ggg
But I got a serious idea:
Could it work if we can get the CD at the edge of 22 kHz On-Off?
Will it brute-force spin until some SCEx looking signal-mix occurs?

Sam, I also had an idea of using magnets on the disc, what are your opinions Truman/ anybody?

Using magnets is no different from using the marker pen, both are not accurate enough for us to control - think about it… you need to be able to control it at a rate of about 250kbps (that’s 250,000 bits per second!) - this is easy for a machine, but for a human hand and eyes, it’s a hit and miss. Also, how are you going to get magnets the size of pit/land widths?

Hi Guys,

I’ve been silently following your thread and I want to say you have some very logical theories regarding how the PS1 disc is designed and how the system boots.

I am a technical person but not in regards to such integral parts of CD structure, such as the wobble. I have learned a lot from you guys. Since there isn’t a 100% consensus on how the PS1 boots up, I want to add my two cents that I used to be a PS1 hobbyist and tried with a lot of effort to get backups to boot without a chip. There was only one way to boot a backup disk and I wanted to share this information with you in case you are not familiar with it. It’s called the “swap trick”.

The first revisions of the PS1 could boot backups if you had an original correct region. Later revisions could only boot import games: The earliest PS1s could do a simple swap from the CD Audio menu, while the latest “swap trick” was rather complicated and I believe gives a little more insight as to how the machine boots.

Interestingly enough, this swap method always had a degree of error because redbook audio was ALWAYS screwed up because the PS1 would always read and keep the TOC of the original PS1 disc in memory. For overviews of all known swap methods, click here: http://www.planetnintendo.com/superpope/contact/swapfaq.html

Below are details on the last swap method:

"Some definitions:
local CD - An American CD (one you don’t have to do the swap
trick to get to work).
foreign CD - The CD you want to play (I.E. Sailor Moon).
PSX - Sony Playstation

 "Step 1:  You need to get the little button that tells the PSX it
   is closed to stay down.

 "Step 2:  You may want to watch a local CD boot a few times,
   just to get familiar with how the Sony boots up.  This helps
   *tremendously*, trust me.  You watch this because the Sony will
   change speed several times (we'll call this 1x and 2x speed).
   You will want to swap the CDs at some of these speed changes,
   so just watch it a while to get a kind of feel for when it
   will happen.

 "Step 3: Put your local CD in the PSX and turn on the power.  I use
   the demo disc that came with my PSX, just in case. . .
   The white screen will come up and the PSX will do the bass-filled
   sound test.  Just as the screen is about to turn black, the CD
   will speed up to 2x speed.  *Just* as it speeds up, pop the
   local CD off and pop the foreign CD on.

 "Step 4: The screen should go black now and you should hear the
   chimes.  The CD will slow back down to 1x speed.  Let it, and
   just wait.  The CD will speed back up to 2x speed.  Again, let
   it.  Now, as soon as it slows down again, pop the foreign CD
   off and pop the local CD on.

 "Step 5: The CD will speed back up to 2x again.  As soon as this
   happens, pop the local CD off and pop the foreign CD on."

 "Step 6: At this point, the game should start playing.

 "Make no mistake, this is *not* easy to do.  It will take
 several tries to get the timing just right.  It took me quite
 a while to get it to work the first time, but since then, I've
 had no trouble at all."

Some of you may not think this information useful, but I have a feeling that all information should be provided when examining the issue. Think about the meaning of the swap method for a second. The PS1 will still boot even if it has severe problems reading during the boot procedure. The machine makes a lot of noise when performing the last swap trick.

-Hyperblue

Gentlemen,

Fascinating discussion. As a former copy-protection developer (but first a breaker :wink: ) for Apple ][ disks, this brings back some fond memories.

What about the old Yamaha drives that could put images on the discs? They called the technology tattooing or T@2. Could this method be used to accomplish this or was it not capable of putting the images through the ATIP area where they would need to be?

Just a thought,

- Phil

@pquesinb, the tattooing command only works after a disk has been written, i.e. when the drive detects that a leadout has been written. So someone will have to hack the firmware first. Besides the drives are no longer manufactured so not many hackers would be looking at it.

Lately I’ve been in Hamburg and checked out the price of such a GigaRec-capable
writer. Unluckily it was a whole 200 Euros (around 250 Dollars) at that store.

I would have bought this burner if I hadn’t already had two Liteon 811S CD/DVD burners.
Just for making yet more frustrating discoveries 200 bucks is a bit too much.

btw. it would frustrate me, if only such GigaRec-compatible
drives would be able to create those selfbooting backups.

So at least for the moment we have to find a better way. Imaginably, those
firmware “cross-compatibility” hackers in the near future will understand the
firmware code well enough that they can add such GigaRec speedtuning features
for us.

The next idea I had was to “brute-force” the “opening-code” pattern by keycard.
At the moment we only know that the SCEx works, but what if some simple,
short additional secret code also would do the trick?

As we have no insiders from S*ny here, the only way to find this out would
be to feed the keycard with “brute-force” patterns, or a little brute force
creating code (for example one which only creates 3-byte strings or something).

Damned, why the heck do I (we) always have to make the impossible possible?! :wink:

There is another way you can find out for sure. The protection is to do with the BIOS, so all we have to do is get a dump of it (which you can get some on the net) and you also need the PS1 C++ SDK (the disks you get with black development PS1). With those you can decode the BIOS and see what it does, i.e. you’ll know exactly what it does. Someone who has written a PS1 emulator can easily do this, unfortunately I know no one who has the time or ability to do this.

Truman,

I am not sure that emulator programmers really do understand how the boot sequence works. One of the points that Bleem used to try to avoid being put out of business by Sony was to state that it would only work with original PSX discs and not copies. Turned out that that was wrong because Bleem programmers relied on the false information that original PSX discs contained deliberate errors, so that if you put in a copy, the disc would not have errors, therefore, the emulation would not run it. Problems arose when even original discs would not play on Bleem because those dics (edit, sorry perhaps a Freudian slip, should be “discs”) did not contain the errors that some of the early PSX discs did.

BTW, I thought this was just about dead because the ATIP would always cause the PSX to read a “1” for the wobble and you could not get a “0” even when the burning was skipped (i.e. you have a burn area, no-burn area, burn area, etc to emulate the SCEx code). The only way to get a self booting CD-R was to somehow do away with the ATIP or burn in between (as Sam posted in this or another thread).

It really depends on the programmer. If the programmer is only working with other people’s libraries (open source or donation), then they would probably only know how to make changes in C++ (high level) calls, unless they also learn the assembly instructions. The original programmers who wrote those libraries would indeed know quite a bit about the boot protection sequence (providing that protection is to do with the BIOS). Don’t forget that an emulator is trying to run the same PSX instructions, i.e. it isn’t the game that is modified, you really do put in a real PSX CD and it runs!

ePSXe and many of the other emulators require the real PSX BIOS file before they even work. They actually use the file to boot from. Bleem did some strange things (anti hack stuff for softice, etc) to try and protect its code, and hence we saw some versions did as you mentioned. It may have been a bug on their part since later versions worked fine with original and copies.

I agree with your last points. What a shame, but at least we know more or less how the protection works in detail.

@SAM

Just thought I’d tell you that I’ve got more than enough money now to buy a Plextor writer, and I wouldn’t mind doing some tests for you. If you want me to do some tests for you just send me an e-mail to: domainstealer@hotmail.com with the instructions of what you want me to do. If I still have no luck, I could always send the Plextor back.

Thanks. PS: If you do send me anything, please tell me about it here.