
                                                                Sun 26/11/1995
   pp pppp  lll
    pp   pp  ll
    pp   pp  ll                        tt           tt
    pp   pp  ll                        tt           tt    ii
    pppppp   ll   aaaa   yu  y  sssss tttt   aaaa  tttt        ooo  n nn
    pp       ll       a  yu  y ss      tt        a  tt   iii  oo  o nn  n
    pp       ll   aaaaa  yu  y  ssss   tt    aaaaa  tt    ii  oo  o nn  n
    pp       ll  aa  aa  yu  y    sss  tt t aa  aa  tt t  ii  oo  o nn  n
   pppp     llll  aaaa a  yyyy sssss    tt   aaaa a  tt  iiii  ooo  nn  n
                             y
                         yyyy


                      > > >  E x p o s e'  -  # 1  < < <


What's all this:
----------------

I've been in possession of this knowledge for quite some time, but have been
reluctant to pass it out for varying reasons.  I have finally decided to let
this out as I am getting less and less time to myself to be able to continue
to hack, crack and code.

I've seen a lot of shit in my time, but the total amount of crap that is being
bandied about by both Sega and Sony (not to mention their patriots across the
global networks) has to be seen to be believed.  Only problem is some people
actually DO believe any shit they hear or read and take it as gospel.

Hopefully after reading this most of you (who have the knowledge and whom I
have targeted this file for) will be able to better understand how the various
protection systems work.

I've decided to release the Saturn-specific expose' as a separate text file, as
the amount of dissension amongst the (ab)users is so great that it brings
back the old Amiga vs Atari and C64 vs Spectrum days and makes them pale in
comparison.

Below I've documented the various protection methods used and how to bypass
them.  I've also disposed of a couple of myths that are doing the rounds as
well.  The last thing I'll say is that this information is correct and should
be taken at face value.  There is no easy way out here, just the plain facts
to assist the scene.

One thing I'd like to say before we start (and one of the main reasons I never
released this information previously) is that I can't stand 'professional'
pirates.  I'm talking about those guys who copy the stuff and then sell it in
the papers (to lamers), and especially those outfits in Taiwan and China who
make mass duplications of games and deprive developers of their rightful dues.

These people are scum.  I made this to help the hackers and crackers out there
be able to import and play those (usually superior) games on their home
units.  Hopefully we'll be seeing trainers and the like (possibly even demos)
now that Datel have released their Action Replays on both machines.

Enjoy!

Icepic!/TRSi

                        TRSi - Legends never die!



Anti-Copy Protection:
---------------------

The PSX compact disc copy protection is based upon the premise that most (if
not all) CD-R units and the pre-mastering process at pressing plants will
automatically regenerate a 'corrupt' sector's EDC/ECC code.

Sectors 12 through 15 carry a zeroed EDC/ECC field (something a correctly
mastered sector cannot have), so if the PSX reads them and does NOT see an
invalid EDC/ECC, it knows the disc in the drive is a copy.  (The EDC is a
32-bit CRC over the sector, used as a checksum to determine whether the sector
was read correctly.  The ECC is the Reed-Solomon parity used to reconstruct
the sector's data when it was not.)

The entire range of sectors is written in RAW format (2352 bytes per sector)
and completely zeroed; even the XA sub-header and the EDC/ECC are zero.  When
the disc is copied to a CD-R these sectors come out identical, except for the
EDC/ECC, which the writer (correctly) regenerates as 0x3F13B0BC.
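
The EDC check the paragraphs above describe, as an added example (not code from
the original text, nor anything from Sony): a Python implementation of the
CD-ROM EDC, which is a CRC-32 with the polynomial 0x8001801B computed over the
sector bytes LSB first, plus a checker for raw 2352-byte sectors in both the
Mode 1 and the Mode 2 (XA) layouts.  The sample sectors are constructed inline
and the P/Q Reed-Solomon parity is left zero, since the point here is the EDC.

```python
# Added example, not from the original text: the CD-ROM EDC (CRC-32 with the
# CD-ROM polynomial) and a check that tells a correctly mastered raw sector
# from one whose EDC field was zeroed, for the Mode 1 and Mode 2 (XA) layouts.
# Sample sectors are constructed inline; ECC parity bytes are left zero.
import struct

SECTOR_SIZE = 2352
SYNC = b"\x00" + b"\xff" * 10 + b"\x00"

# EDC polynomial P(x) = (x^16 + x^15 + x^2 + 1)(x^16 + x^2 + x + 1) = 0x8001801B,
# used bit-reflected (0xD8018001) so the table works byte-at-a-time, LSB first.
_EDC_TABLE = []
for _i in range(256):
    _v = _i
    for _ in range(8):
        _v = (_v >> 1) ^ (0xD8018001 if _v & 1 else 0)
    _EDC_TABLE.append(_v)


def edc_compute(data: bytes) -> int:
    """CRC-32 over data with zero initial value and no final XOR."""
    edc = 0
    for b in data:
        edc = (edc >> 8) ^ _EDC_TABLE[(edc ^ b) & 0xFF]
    return edc


def msf_bcd(lba: int) -> bytes:
    """Header address (bytes 12..14): minute/second/frame in BCD, offset by the
    150-sector lead-in, as every raw sector carries it."""
    a = lba + 150
    m, s, f = a // 4500, (a // 75) % 60, a % 75
    return bytes(((x // 10) << 4) | (x % 10) for x in (m, s, f))


def build_sector(lba: int, payload: bytes, mode: int,
                 subheader: bytes = bytes(8)) -> bytes:
    """Assemble a raw 2352-byte sector with a correct EDC.
    Mode 1: sync(12) header(4) data(2048) EDC(4) zero(8) ECC(276); EDC covers
    bytes 0..2063.  Mode 2 Form 1: sync(12) header(4) subheader(8) data(2048)
    EDC(4) ECC(276); EDC covers bytes 16..2071, i.e. the header is excluded."""
    if len(payload) != 2048 or mode not in (1, 2):
        raise ValueError("payload must be 2048 bytes and mode 1 or 2")
    header = msf_bcd(lba) + bytes([mode])
    if mode == 1:
        body = SYNC + header + payload
        return body + struct.pack("<I", edc_compute(body)) + bytes(8) + bytes(276)
    covered = subheader + payload
    return SYNC + header + covered + struct.pack("<I", edc_compute(covered)) + bytes(276)


def check_sector(raw: bytes) -> dict:
    """Recompute the EDC of a raw sector and compare it with the stored one."""
    if len(raw) != SECTOR_SIZE or raw[:12] != SYNC:
        return {"mode": None, "edc_ok": False, "reason": "bad length or sync"}
    mode = raw[15]
    if mode == 1:
        off, calc = 2064, edc_compute(raw[:2064])
    elif mode == 2 and not raw[18] & 0x20:      # submode bit 5 clear: Form 1
        off, calc = 2072, edc_compute(raw[16:2072])
    elif mode == 2:                             # Form 2: EDC is optional (may be 0)
        off, calc = 2348, edc_compute(raw[16:2348])
    else:
        return {"mode": mode, "edc_ok": False, "reason": "unknown mode"}
    stored = struct.unpack_from("<I", raw, off)[0]
    ok = stored == calc or (off == 2348 and stored == 0)
    return {"mode": mode, "edc_ok": ok, "stored": stored, "calc": calc, "offset": off}


def zero_edc_field(raw: bytes) -> bytes:
    """Make the 'impossible' sector the text describes: keep sync, header and
    data, but zero the EDC field."""
    info = check_sector(raw)
    if info["mode"] is None:
        raise ValueError(info["reason"])
    off = info["offset"]
    return raw[:off] + bytes(4) + raw[off + 4:]


def regenerate_edc(raw: bytes) -> bytes:
    """What a 'helpful' CD-R writer does on the way to the disc: overwrite the
    EDC field with a freshly computed value, destroying a deliberately bad one."""
    info = check_sector(raw)
    if info["mode"] is None:
        raise ValueError(info["reason"])
    off = info["offset"]
    return raw[:off] + struct.pack("<I", info["calc"]) + raw[off + 4:]


if __name__ == "__main__":
    pressed = zero_edc_field(build_sector(12, bytes(2048), 1))
    print("pressed disc, sector 12:", check_sector(pressed))
    print("after CD-R writer      :", check_sector(regenerate_edc(pressed)))
```

The CRC arithmetic makes one detail explicit: a CRC with zero initial value
over an all-zero input is itself zero, so a Mode 2 Form 1 sector whose
sub-header and data are entirely zero legitimately carries a zero EDC.  A zero
EDC is only 'impossible' where the covered bytes are non-zero, as in the Mode 1
layout, where the sync and the sector's own address are part of the checksum.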

Note:  The PSX compact discs have a black polymer coating.  This is not really
an anti-copy mechanism.  The black (actually very dark blue) colour that is
added to the polymer covering the underside of the disc does very little to
change the refraction of the light from the reading mechanism.  It is really
more of a visual aid for easily determining whether a compact disc is pirated.


How to copy the disc with protection intact:
--------------------------------------------

The only way to successfully duplicate this protection system is to obtain
modified firmware for your CD-R unit that will either:

A)  Allow you to write in disc-at-once or track-at-once mode without
automatically 'correcting' what it takes to be corrupt sectors with invalid
EDC/ECC codes; or

B)  Allow you to write the first track in RAW mode (2352-byte sectors, as
CD-DA) and then force the TOC to report the track as a CD-XA track.

I have a modified unit that does this (the first method), so it is possible if
you have the technical knowledge and a suitable CD-R unit.


Country Lock-Out Protection:
----------------------------

Let's get some things straight here.  There is a lot of misinformation around
(read: bullshit) from people who don't know what the fuck they're on about
(i.e. most internet newsgroup junkies).

The Japanese units are SCPH-1000.  There are a number of different builds of
these units, all carrying the SCPH-1000 model number, but depending on the date
of manufacture they may have different ROM BIOS versions.  The basic difference
is that the earlier BIOS did not have the country code check (it had not been
finalised), so those units will allow you to use the 'swap method' to boot
non-Japanese games, whilst the newer units will not (the same goes for the
Euro/US machines).

The development units are SCPH-2000 and are identical to the base build (i.e.
the first revision) SCPH-1000, except that their ROM BIOS has both the country
and CD-based protection disabled and they are a deep blue colour instead of
the usual grey.

The US PlayStations are designated SCPH-3000.  These are basically a cheaper
build of the SCPH-1000, using 70ns RAM (instead of 60ns), and do not have the
built-in S-Video port.  They also have the country code check in their ROM
BIOS (as with the later-revision Japanese SCPH-1000s).

The Australian PlayStations are designated SCPH-1002.  These are identical to
the US versions, except that they are PAL by default and look for the standard
European (PAL) country code.

I have not seen a European PlayStation, but my guess is that they are identical
to the Australian unit, with possibly only the model number being different.

The PSX country code lockout is based upon the first 5 sectors of the CD.

Sectors 0-4 (5 in total) contain the 'Licensed from' line and buffer padding,
which tells the unit whether or not the compact disc is licensed for its
region.

This check is performed by the ROM bootstrap at boot time, so on the newer
generation of PSXs it will fail even with the disc swap method.  On those
machines the disc swap method only bypasses the copy protection, not the
country code check.


How to bypass the country protection:
-------------------------------------

Included in this archive are three (3) image files.  They are the System Area
(sectors 0 through 15) from a Japanese, a European and a US licensed CD.  All
that is required to bypass the protection is to read the first track of the
game you wish to convert, skip or strip its first 16 sectors (0 through 15)
and substitute the correct image file in their place.

The image files are called:  PSX_JAP.RAW, PSX_EUR.RAW and PSX_USA.RAW.

If you don't know how to do this then you shouldn't even be reading this file.
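
The substitution described above, as an added example that is not part of the
original archive: a Python script that splices a 16-sector System Area image
over the head of a raw track image (2352 bytes per sector), after checking that
both inputs look like what the text describes.  The file names PSX_JAP.RAW,
PSX_EUR.RAW and PSX_USA.RAW are the ones the text uses; the sample track and
System Area built in the block are constructed, not taken from any disc.  The
header check relies on a property of the raw sector format itself: sectors 0
through 15 carry the same sync pattern and the same MSF addresses on every
disc, so a System Area lifted from one title lines up with any other title's
track.

```python
# Added example, not part of the original archive: replace sectors 0..15 of a
# raw 2352-byte/sector track image with a 16-sector System Area image, with the
# sanity checks one wants before burning.  Sample images are constructed here.
import sys

SECTOR_SIZE = 2352
SYSTEM_AREA_SECTORS = 16
SYNC = b"\x00" + b"\xff" * 10 + b"\x00"


def msf_bcd(lba: int) -> bytes:
    """Header address of a sector: minute/second/frame in BCD, 150-sector offset."""
    a = lba + 150
    m, s, f = a // 4500, (a // 75) % 60, a % 75
    return bytes(((x // 10) << 4) | (x % 10) for x in (m, s, f))


def validate_sectors(img: bytes, count: int, what: str) -> None:
    """Check the first `count` sectors of a raw image: sync pattern present,
    header address equal to the sector's own index, mode byte 2 (XA data)."""
    if len(img) % SECTOR_SIZE:
        raise ValueError(f"{what}: length {len(img)} is not a multiple of {SECTOR_SIZE}")
    if len(img) < count * SECTOR_SIZE:
        raise ValueError(f"{what}: fewer than {count} sectors")
    for i in range(count):
        sec = img[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
        if sec[:12] != SYNC:
            raise ValueError(f"{what}: sector {i} has no sync pattern (not a raw image?)")
        if sec[12:15] != msf_bcd(i):
            raise ValueError(f"{what}: sector {i} header address {sec[12:15].hex()} "
                             f"is not {msf_bcd(i).hex()}")
        if sec[15] != 2:
            raise ValueError(f"{what}: sector {i} is mode {sec[15]}, expected Mode 2 (XA)")


def replace_system_area(track: bytes, system_area: bytes) -> bytes:
    """Return the track with sectors 0..15 replaced by the given System Area."""
    if len(system_area) != SYSTEM_AREA_SECTORS * SECTOR_SIZE:
        raise ValueError(f"system area must be exactly {SYSTEM_AREA_SECTORS} raw sectors")
    validate_sectors(system_area, SYSTEM_AREA_SECTORS, "system area")
    validate_sectors(track, SYSTEM_AREA_SECTORS, "track")
    return system_area + track[SYSTEM_AREA_SECTORS * SECTOR_SIZE:]


def raw_sector(lba: int, fill: int) -> bytes:
    """Constructed Mode 2 sector: sync, header, then filler (no real EDC/ECC)."""
    return SYNC + msf_bcd(lba) + b"\x02" + bytes([fill]) * (SECTOR_SIZE - 16)


def sample_track(sectors: int, fill: int) -> bytes:
    """Constructed raw track image of `sectors` sectors, all filled with `fill`."""
    return b"".join(raw_sector(i, fill) for i in range(sectors))


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # e.g.  python splice.py GAME_TRACK1.RAW PSX_USA.RAW GAME_TRACK1_USA.RAW
        with open(sys.argv[1], "rb") as f:
            track = f.read()
        with open(sys.argv[2], "rb") as f:
            area = f.read()
        with open(sys.argv[3], "wb") as f:
            f.write(replace_system_area(track, area))
    else:
        out = replace_system_area(sample_track(20, 0xAA), sample_track(16, 0x55))
        print(f"spliced {len(out) // SECTOR_SIZE} sectors; sector 0 filler byte is "
              f"{out[16]:#04x}, sector 16 filler byte is {out[16 * SECTOR_SIZE + 16]:#04x}")
```

Run it with three file names to splice real images, or with no arguments to
exercise the constructed sample.  The checks are deliberately strict: a
cooked (2048-byte/sector) image, an image with an audio-style track in front,
or a System Area file of the wrong length all fail before anything is written.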


Why some games don't work with the swap method:
-----------------------------------------------

I included this because of all the total bullshit I have seen in the associated
newsgroups about the PSX protection.  I'll take the 'Mortal Kombat 3' fiasco as
an example.

Mortal Kombat 3 does NOT have protection.  There are a couple of reasons why
this game locks up.

Firstly, the 'swap method' is not perfect.  The way it works is that the PSX
takes a legitimate licensed disc and reads its TOC (Table Of Contents) into
RAM.  Then the (ab)user swaps the CD without the PSX noticing (by either
holding down or shorting the lid (drive) sense switch) and exits the CD-DA
player screen, which in turn initiates the bootstrap sequence.

The problem lies in the fact that the original CD's TOC is held in RAM, whilst
the copy's TOC will almost certainly be different.  This is most noticeable
when your original has few (or no) CD-DA tracks and you try to play a game
that DOES have them: you will get 'choppy' sound (or none), as the PSX will
use the track starts and limits from the original disc's TOC.

This also applies to the length of the CD-XA (data/ROM) track!  So if you boot
with a small game (Ridge Racer is circa 3 megabytes) and then swap it for a
game like MK3, when MK3 attempts to use the ROM kernel's 'Read_Long_Data' call
it will fail, as the TOC will report that there is no data at that point, even
if there is.

The problem with MK3 is in the audio tracks.  MK3 uses 64 CD-DA tracks, and if
it cannot access some of these tracks (especially those between 8 and 15) it
will lock up, as it thinks it has a read failure.  The main problem is that MK3
is the FIRST game to use 64 tracks (the previous 'record holders' were Ace
Combat (Air Combat in the US) and some bowling game, both with 48 tracks of
CD-DA).

The second problem with MK3 is shoddy code.  It is full of dodgy code that does
weird shit with internal timers.  My guess is that it is supposed to do strange
things whilst in-game (pop up funny faces?), but this leads to problems, as it
doesn't disable these timers when in the 'Insert Coin' mode.  This is probably
the worst case of a rushed game I have seen to date.


Facts and fallacies:
--------------------

That licensed PSX compact discs are thinner than conventional CD-Rs and music
CDs is true.  The laser in the mechanism does in fact 'ride' at different
heights during the reading of the CD.  When a licensed (read: black undercoat)
CD is inserted into the unit, the laser does indeed ride slightly higher, but
not high enough to actually touch the surface of the disc.  When a conventional
CD is inserted, it will ride at whatever height gives it the best read rate.
The head tracking and height are adjusted by the mechanism controller, which
uses the optimum reading level for each particular disc.  This is calibrated
when the disc is first inserted and when the TOC and protection are checked.
You may have noticed that sometimes when you swap discs the PSX will not load
the CD (it'll sit there spinning and seeking, making weird noises), and this is
the reason why.  It will not recalibrate until you reset the mechanism, which
is done when you open and close the door.

There has been some talk in various circles about the 'pot trick'.  This is
where people open the PSX and meddle with the pots (variable resistors) that
control the gain and such for the CD mechanism.  These are located to the lower
left just below the CD mechanism.  Adjusting these will NOT allow you to bypass
the protection (as claimed by some).  All it will allow you to do is either
improve the reading ability of the drive in some cases, or fuck the ability
to read any disc (in most other cases).  I suggest you don't touch the pots
unless you know exactly what you're doing and have the ability to reset them if
you screw up.


The End:
--------

I can't think of anything more that is important.  With this information you
should be able to copy (and, if not with protection intact, still play)
non-conforming games on your home unit.

One last note:  When playing an NTSC game on a PAL unit (and vice versa), keep
in mind that even if the 50/60Hz refresh is switched, the colour burst will
remain at the original NTSC or PAL subcarrier frequency.  The only way to
properly play these games (as far as I've been able to ascertain) is to use an
RGB cable on a SCART/Euroconnector.

Hopefully, now that Datel will soon release their Action Replay cart (not the
SAVE carts, but a real hacking cartridge) for the PlayStation, someone will be
able to use it to disable the internal ROM kernel's protection routines, which
would allow a CD-R disc to be booted without swapping, etc.

If you want to contact me, you can try.  If you can find TombStone, then you'll
be able to get a message to me.  I won't be in Australia for much longer though
as I'm going to Europe and the UK early next year.

I want nothing more than to see a decent scene evolve around the new generation
of consoles with trainers, cracks and demos.

Let the games begin...


Greets:
-------

I'll probably forget a whole host of people here, but I'll try anyway:

All the TRSi boys worldwide, in whatever scene you're in.

All the users on TombStone here in Sydney, Australia.

Everyone who used to call Vanguardium.

The men at Datel in the UK, for providing the scene with their Action Replays
and doing some pretty nifty reverse-engineering.

The staff at Future Publishing's 'Edge'.  One of the best industry magazines to
see the light of day.

vFast/TRSi:  Our 'humble' leader...  ;)  See you when I'm over there!

MDS and Sonic/UCF:  Let's see if you can 100% crack Steinberg's CuBase v2.62 ;)

Avenger/Smilesoft:  For one of the best cracking tools ever!  (TRON rules)

FireStarter:  Tombstone is cool, but I think Vanguardium was still nice... ;)

Wolverine/TDU-Jam:  Did you ever finish that Dongle autocracker?

R2D2/Outlaws:  How about you, you wanna try to break CuBase 100% ???

Hoson/Hybrid:  Call me, dude.

DC-Bite:  'Who the duck do you think you are'  Quack.  Quack.


