
How PS1 security works


With all the exploit-related news and the upcoming ecfw by frostegater, we barely see articles that have nothing to do with the Vita, so let's step away from the PSP scene for a brief moment and learn how the copy protection and the different security measures on the PS1 worked.

In this article I will explain how PS1 security works, so you can understand the methods that were used back then to bypass it and why some of those methods no longer work on later models.


Original security measure: disc region

First, the PS1 had region locks: a legitimately bought game from the US won't work on an EU console. The next thing you should know is that, on the older models, the region lock and the anti-piracy check are one and the same (we'll get to the newer models later).

Legit PS1 discs carry a mark in the lead-in area at the very beginning of the disc that contains the region information. The mark is the string SCEx, where x identifies the region of the disc:

- A for America (SCEA)

- E for Europe (SCEE)

- I for Japan (SCEI)

- W for Net Yaroze (SCEW)


Imagine you have a European console. This console has the mark SCEE stored in its BIOS. When you insert an American disc the console reads SCEA from the disc, SCEE != SCEA, so the system refuses to boot it.

Similarly, a burned disc carries no mark at all: the SCEx string is encoded in the physical wobble of the disc's pregroove in the lead-in, which a conventional CD burner cannot write. So the system refuses to boot that too.

In other words, for a European console there is no difference between a legit American disc and a burned disc. Neither matches what the system wants, so the system won't boot either of them.

Modchips get around this by injecting the string the system is looking for into the data stream coming from the drive, so the system believes the disc carries the mark and accepts to boot it.

This is for the older models, of course. The newer model (the PSone) has a second check, so a modchip that worked on the fat model only partially works on the newer system.

New security measure: boot text

The modchip, like I said, injects the string into the system, letting it think the disc is legit. The PSone then performs a second check, this time against the executable data on the disc itself.

You may be familiar with this screen:


Believe it or not, the "Licensed by Sony Computer Entertainment America SCEA TM" text is not stored in the console but on the disc. The system reads this text from the disc and puts it on the boot logo, which led people to create custom boot screens by editing that text.

The older fat PS1s never checked this text, but Sony added the expected text to the newer PSone BIOS, so the PSone compares the disc's text against its own copy. Now, even when the modchip makes the system think the disc is a legit game, the mere fact that the boot text differs makes the system reject the disc. This affects imports (the text names the region) and games with custom text.

There were two methods to bypass this. The first used a disc called the Import Player. This disc used an "exploit" that is nothing more than taking advantage of the system's ability to play multi-disc games. When you play a game such as Metal Gear Solid or Final Fantasy VII, at some point it prompts you to change discs, and when you do, the system does not go back through the boot screen, so the boot text check is never performed. The Import Player took advantage of this by simply prompting you to change discs as those games do: the modchip takes care of the SCEx check, and since the system doesn't enter the boot screen, it doesn't check the boot text.

The second method is a lot more permanent. It is the same technique used for injecting a custom boot screen, only this time you write the correct boot text for your region into the disc image, allowing you to boot the disc directly.

Another new Security Measure: modchip detection

Another measure that was implemented was the detection of modchips. This measure required new hardware, so it was only available on PSone models, and on top of that it wasn't performed by the system but by the game, so the code had to be built into the game itself, meaning older games could not use the new feature.

The way a modchip is detected is quite simple: the game keeps asking the drive for the disc's code (the SCEx string we saw above) while it is running. A genuine disc only yields that string while the lead-in is read at start-up, so on an unmodified console the later requests come back empty and the game continues. A plain modchip, however, keeps injecting the string continuously, so the game sees the code where it should not be and knows a chip is present. Stealth chips avoid this by only injecting during the boot window and then going quiet.

Bypassing this protection could be done using the Import Player (which includes an anti-modchip-detection patch) or by patching the game's ISO before burning. Both do essentially the same thing.
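To make the three checks concrete, here is a small model of the boot sequence, as an added example that is not part of the original article and not Sony's or any modchip's actual code. It simulates the SCEx region check, the PSone boot text check, the multi-disc swap path that the Import Player relies on, and the in-game anti-modchip polling, for a plain always-injecting chip versus a stealth chip. The license strings for SCEE and SCEI, the size of the chip's boot window, and the number of loading reads are assumed values chosen for the simulation, not measured hardware behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# License text the PSone BIOS compares against, per region. The exact wording is
# assumed here; the article only quotes the SCEA variant.
LICENSE_TEXT = {
    "SCEA": "Licensed by Sony Computer Entertainment America",
    "SCEE": "Licensed by Sony Computer Entertainment Europe",
    "SCEI": "Licensed by Sony Computer Entertainment Inc.",
}

# Ordinary data reads the BIOS performs while loading the executable, before the
# game itself gets control (modelled value, not a hardware constant).
LOAD_READS = 5


@dataclass
class Disc:
    scex: Optional[str]          # region mark in the lead-in; None for a burned copy
    boot_text: str               # license text stored on the disc
    anti_modchip: bool = False   # game keeps polling for the mark after it starts


@dataclass
class Modchip:
    inject: str                  # string the chip feeds into the drive's data stream
    stealth: bool = False        # stealth chips stop injecting once the boot window closes
    boot_window: int = 3         # drive accesses the chip keeps injecting for (modelled value)


class Console:
    def __init__(self, region: str, psone: bool = False, chip: Optional[Modchip] = None):
        self.region = region     # mark stored in the BIOS: SCEA, SCEE or SCEI
        self.psone = psone       # the PSone additionally checks the boot text
        self.chip = chip
        self.t = 0               # drive accesses since the last spin-up

    def _drive_access(self, disc: Disc) -> Optional[str]:
        """One access to the drive; returns the region mark the controller sees, if any."""
        self.t += 1
        if self.chip and (not self.chip.stealth or self.t <= self.chip.boot_window):
            return self.chip.inject
        # A genuine disc only yields its mark while the lead-in is read at spin-up;
        # later accesses during normal playback carry no mark at all.
        return disc.scex if self.t == 1 else None

    def _run_game(self, disc: Disc) -> str:
        for _ in range(LOAD_READS):          # the executable is loaded from the disc
            self._drive_access(disc)
        if disc.anti_modchip:
            # Game-side check: a clean drive never reports the mark again, so any
            # answer at this point can only come from a chip that is still injecting.
            if any(self._drive_access(disc) is not None for _ in range(10)):
                return "rejected: modchip detected"
        return "booted"

    def boot(self, disc: Disc) -> str:
        """Cold boot: region mark (all models), boot text (PSone), then the game's own check."""
        self.t = 0
        if self._drive_access(disc) != self.region:
            return "rejected: region mark"
        if self.psone and disc.boot_text != LICENSE_TEXT.get(self.region):
            return "rejected: boot text"
        return self._run_game(disc)

    def swap_disc(self, disc: Disc) -> str:
        """Disc change requested by a running game: the lead-in is re-read (so the mark is
        checked again) but the console never returns to the boot screen, so the boot text
        check is skipped. This is the path the Import Player uses."""
        self.t = 0
        if self._drive_access(disc) != self.region:
            return "rejected: region mark"
        return self._run_game(disc)


# Constructed sample discs and chips for the scenarios from the article.
EU_GAME = Disc("SCEE", LICENSE_TEXT["SCEE"])
US_IMPORT = Disc("SCEA", LICENSE_TEXT["SCEA"])
BURNED_COPY = Disc(None, LICENSE_TEXT["SCEE"])
PATCHED_IMPORT = Disc("SCEA", LICENSE_TEXT["SCEE"])           # boot text rewritten to the EU string
PROTECTED_GAME = Disc("SCEE", LICENSE_TEXT["SCEE"], anti_modchip=True)
PLAIN_CHIP = Modchip("SCEE")                                  # always injecting
STEALTH_CHIP = Modchip("SCEE", stealth=True)                  # quiet after the boot window

if __name__ == "__main__":
    print(Console("SCEE").boot(US_IMPORT))                                   # rejected: region mark
    print(Console("SCEE", chip=PLAIN_CHIP).boot(BURNED_COPY))                # booted (fat model)
    print(Console("SCEE", psone=True, chip=PLAIN_CHIP).boot(US_IMPORT))      # rejected: boot text
    print(Console("SCEE", psone=True, chip=PLAIN_CHIP).swap_disc(US_IMPORT)) # booted
    print(Console("SCEE", psone=True, chip=PLAIN_CHIP).boot(PROTECTED_GAME)) # rejected: modchip detected
    print(Console("SCEE", psone=True, chip=STEALTH_CHIP).boot(PROTECTED_GAME)) # booted
```

The interesting cases are the last two: the same disc is rejected with a chip that never stops injecting and accepted with one that goes quiet after the boot window, which is exactly the difference between a non-stealth chip and a stealth one. The swap path shows why the Import Player works on a PSone without touching the boot text at all.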

PS1/one Hacking Methods

There were various ways to hack the PS1, but each method got patched along the way, except one method that was never patched (swapping) and another that was patched but kept getting new releases (modchips).

AR Method:
This method consisted of inserting an Action Replay "cartridge" into the system's parallel I/O port. This "cartridge" (if we can call it that) bypassed the SCEx check used by the system. Sony patched it simply by removing the parallel I/O port from later models. Some games have anti-AR security measures, which can be defeated using the Import Player in the same way as the anti-modchip check mentioned above.

Swap Trick:
This method takes advantage of the system's tolerance for disc read errors: when the PS1 can't read a disc it keeps retrying for a fair amount of time. This is why it takes a while for the PS1 to "detect" a burned game, or why scratched games can take longer to load. The trick consists of fooling the lid sensor so the system thinks the disc cover is always closed, even when it isn't, allowing you to swap an original disc for a burned one while the drive is still retrying. The trick is performed differently on the slim and fat models because of the new boot text check, but it is doable on any PS1 console. The only real drawback I can think of is that it wears out the drive motor.

Modchips:
Modchips are usually the best method to hack a PS1. They are permanent, games can be booted directly, and if installed correctly they don't damage the system. I already explained how modchips work: they simply inject what the system wants into the data stream, making the system think the disc inserted is a legit game. Different models came out. If you are looking for one that is compatible with all PS1 consoles (fat and slim), the MultiMode 3 is your best bet, although it doesn't bypass the PSone boot text check and it isn't a stealth chip (it can be detected by games that have the anti-modchip protection). If you are looking for a good PSone chip, the ONEChip is the one you need: it bypasses all PSone protections, including the anti-modchip one.

Let’s do a recap of the different copy-protections that the ps1 and psone have.

PS1:
- The standard region protection (the SCEx check).
- The anti-AR protection.

PSone:
- The standard region protection (the SCEx check).
- The boot text check (anti custom boot text).
- The anti-modchip protection.

Well, now that you know how PS1 copy protection worked, you can go back to the PSP scene to wait for frostegater's ecfw.


Source: Wololo's blog
