How PS1 security works.

With all the exploit-related news and the upcoming ecfw by frostegater, we barely see articles that have nothing to do with the Vita, so let’s step away from the PSP scene for a brief moment and learn how the copy protection and the different security measures on the PS1 worked.

In this article I will explain how the PS1 security works, so you can understand the methods used back then to bypass its security and why those methods don’t work today.

Original security measure: disc region

First, we must know that the PS1 had region locks, which means a legitimately bought game from the US won’t work on an EU console. The next thing you should know is that the region lock and the antipiracy check are one and the same, at least on older models (we’ll get to that later).

Legit PS1 games had a marked zone at the beginning of the disc that contained the region information. This information consisted of the letters SCEx, where x was the region of the disc:

- A for America (SCEA)
- E for Europe (SCEE)
- I for Japan (SCEI)
- W for Net Yaroze (SCEW)

Imagine you have a European console. This console will have the mark SCEE in its BIOS. When you insert an American disc, the console will read SCEA on the disc; SCEE != SCEA, so the system refuses to boot.

Similarly, a burned disc does not have any mark on it because conventional CD drives can’t read that portion of the disc, so the system will also refuse to boot it.

So for a European console, there is no difference between a legit American disc and a burned disc. Neither matches what the system wants, so the system won’t boot it.

Modchips got around this by injecting the string the system is looking for into the stream, letting the system think the disc does have the string in it, so that it agrees to boot it.

This is for older models, of course. Newer models (the PSone) have a second check for the region, so a modchip that worked on the fat model will only partially work on the newer system.

New security measure: boot text

The modchip, like I said, will inject that string into the system, letting the system think the disc is legit, but then the system will perform a second check. This check is done on the executable file itself.

You may be familiar with this screen:

Believe it or not, the “Licensed by Sony Computer Entertainment America SCEA TM” text is not found on the system itself, but rather on the disc. That’s right, the system reads this text from the disc and puts it on the boot logo, which led people to create custom boot screens.

This text was not checked by older fat PS1s, but then Sony added the text to the newer PSone BIOS, so that model does check for it. This time, even when the modchip makes the system think it’s a legit game, the simple fact that the boot text is different makes the system reject the disc. This applies, of course, to imports and to games with custom text.

There were two methods to bypass this. The first was using a disc called import player. This disc used an “exploit”, which is nothing more than taking advantage of the system’s ability to play multi-disc games. When you play a game such as Metal Gear Solid or Final Fantasy VII, at some point it will prompt you to change discs. When you change the discs, the system does not enter the boot screen, so the boot text check is not done. The import player took advantage of this by simply prompting you to change the discs as any of these games do; then the modchip does the first check bypass and, since the system doesn’t enter the boot screen, it doesn’t check the boot text.

The second method is a lot more permanent. It’s the same method as injecting a custom boot, only this time you inject the correct boot text into the CD, allowing you to boot the disc directly.

Another new Security Measure: modchip detection

Another measure that was implemented was the detection of modchips. This measure required new hardware, so it is only available in PSone models, and on top of that it wasn’t performed by the system but by the game, so the code had to be implemented in the game itself, meaning older games would not be able to use the new feature.

The way a modchip was detected is quite simple: the game would keep asking for the CD’s code (SCEx, as we saw above). If there is a modchip in the system, it will continually inject that string, which gives it away; if there is no modchip, no string is injected and the game continues.

Bypassing this protection could be done using the import player (which has an anti-modchip detection patch) or by patching the game’s ISO before burning. Both basically do the same thing.

PS1/one Hacking Methods

There are various ways to hack the PS1, but each method got patched along the way, except one method that was never patched (swapping) and another method that was patched but got continuous new releases (modchips).

AR Method:
This method consisted of inserting an Action Replay “cartridge” in the system’s Parallel Port. This “cartridge” (if we can call it that) bypassed the method used by the system (the SCEx method). Sony patched this by simply removing the Parallel I/O Port. Some games have anti-AR security measures, which can be defeated using Import Player in the same way as the already mentioned anti-modchip security.

Swap Trick:
This method took advantage of the system’s disc read error tolerance policy: when the PS1 can’t read a disc, it keeps retrying for a decent amount of time. This is why it takes time for the PS1 to “detect” a burned game and why scratched games can take longer to load. The method consisted of tricking the system into thinking the disc cover is always closed, even when it isn’t, allowing you to swap an original disc with a burned one. This trick is performed differently on the slim and fat models due to the new boot text security, but it’s doable on any PS1 console overall. The only problem I can think of with this method is that it wears out the motor.

Modchips
Modchips are usually the best method to hack a PS1. They are permanent, games can be booted directly and, if installed correctly, they don’t have to break the system. I already explained how modchips work: they simply inject what the system wants into the stream, making the system think the disc inserted is a legit game. Different models came out, but if you are looking for one that is compatible with all PS1 consoles (fat and slim) then the MultiMode 3 is your bet, although it doesn’t break the PSone boot text security and it’s not a stealth chip (it can be detected by games that have the anti-modchip protection). If you are looking for a good PSone chip then the ONEChip is the one you need; it bypasses all PSone protections, including the anti-modchip one.

Let’s do a recap of the different copy protections that the PS1 and PSone have.

PS1:
- The standard region protection (the SCEx thing).
- The Anti-AR protection.
PSone:
- The standard region protection (the SCEx thing).
- The anti custom boot text protection.
- The anti-modchip protection
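
The checks recapped above, modelled as one small decision function. This is an added illustration, not code from the article or from any console firmware; the class names, field names and result strings are hypothetical, and the model encodes only the behaviour the article describes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Disc:
    region_mark: Optional[str]        # SCEx string in the marked zone; None on a burned disc
    boot_text: str                    # SCEx named by the "Licensed by ..." text on the disc
    checks_for_modchip: bool = False  # game ships the in-game detection code

@dataclass
class Console:
    region: str                       # SCEx value stored in the BIOS
    psone: bool = False               # newer model with the extra checks
    modchip: bool = False             # chip injecting the expected string

def region_stream(console: Console, disc: Disc, in_game: bool) -> Optional[str]:
    """String the system sees when it asks for the disc's region code."""
    if console.modchip:
        return console.region         # injected continuously, whatever the disc holds
    return None if in_game else disc.region_mark

def boot(console: Console, disc: Disc, via_disc_change: bool = False) -> str:
    # Check 1, all models: the mark seen at boot must equal the BIOS region.
    if region_stream(console, disc, in_game=False) != console.region:
        return "rejected: region mark"
    # Check 2, PSone only: the boot text must match. It runs on the boot
    # screen, which a multi-disc style disc change never enters.
    if console.psone and not via_disc_change and disc.boot_text != console.region:
        return "rejected: boot text"
    # Check 3, PSone hardware plus game code: a string that still shows up
    # while the game is running can only come from a modchip.
    if console.psone and disc.checks_for_modchip:
        if region_stream(console, disc, in_game=True) is not None:
            return "rejected: modchip detected"
    return "boots"

def article_cases() -> dict:
    """Constructed scenarios matching the situations the article walks through."""
    eu_fat = Console("SCEE")
    eu_fat_chip = Console("SCEE", modchip=True)
    eu_psone = Console("SCEE", psone=True)
    eu_psone_chip = Console("SCEE", psone=True, modchip=True)
    us_original = Disc("SCEA", "SCEA")
    burned_eu = Disc(None, "SCEE")
    burned_us = Disc(None, "SCEA")
    protected = Disc("SCEE", "SCEE", checks_for_modchip=True)
    return {
        "import, no chip": boot(eu_fat, us_original),
        "burned, no chip": boot(eu_fat, burned_eu),
        "burned import, fat + chip": boot(eu_fat_chip, burned_us),
        "burned same region, PSone + chip": boot(eu_psone_chip, burned_eu),
        "import, PSone + chip": boot(eu_psone_chip, us_original),
        "import via disc change, PSone + chip": boot(eu_psone_chip, us_original, True),
        "detection game, PSone + chip": boot(eu_psone_chip, protected),
        "detection game, PSone, no chip": boot(eu_psone, protected),
    }

if __name__ == "__main__":
    for label, result in article_cases().items():
        print(f"{label:40s} {result}")
```

The first check accepts whatever string arrives in the stream, which is why the later measures had to look at something else: data stored on the disc itself, and the presence of the string at a time when it should not be there.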

Well, now that you know how the PS1 copy protection worked, you can go back to the PSP scene to wait for frostegater’s ecfw.

  1. hgoel0974’s avatar

    cool article
    nice to have something off topic once in a while
    oh and continuing the tradition, first ;)

    Reply

  2. BakaOsaka’s avatar

    Ah, good times. Care to document some game antipiracy, such as Spyro, soon?

    Reply

  3. samstrand’s avatar

    Great story Acid_Snake. Remember like it was yesterday doing the swap trick at such a young age.
    Crash Bandicoot 2 is the game that comes to mind thinking back to the PS1 days.

    Reply

  4. Kiz’s avatar

    haha I remember doing the swap trick too.. Used the old gameshark method with a spring to hold the button down that fooled the ps1 into thinking the lid was closed. For the ps2 I used the cog-swap method.. once again another gameshark, and a nail filer taped to a broken plastic spoon to pull to the left/right to eject the ps2 tray. Good times

    Reply

  5. StormPooper’s avatar

    Good article, but I have one question – how come these kinds of methods don’t work today? I have a general idea, but was hoping for the “and why those methods don’t work today” part of the article to fill the gaps in my knowledge.

    Reply

    1. hgoel0974’s avatar

      mainly because there are other more secure methods implemented.

      Those days, you didn’t have much processing power for complex security, nowadays it is different, there are all of these encrypted signatures which would take AGES to crack, think of it as trying to calculate every single move possible in chess, the only reason there isn’t a move using which you will always win in chess is because there are too many combinations, that is only 64 boxes with 32 pieces, now compare it to the 255 characters there are in modern signatures and that we don’t know how many of them are checked!

      Reply

    2. me’s avatar

      Physical security still exists on all the disk based consoles. The wobble used on the PS1 was also used on the PS2, at least for CD based games (DVDs can’t use that copy protection method). The XBOX and XBOX360 use an encrypted second volume on the DVD for security. Gamecube and Wii disks are fully encrypted and can’t be read in regular DVD-rom drives at all. I’m not sure how the PS2 DVD or PS3 Blu-ray physical security works.

      Reply

    3. Acid_Snake’s avatar

      as others have told you, better methods have been found, for example, on the ps2 you can’t just inject data into the live stream as you do with ps1, you have to modify functions of the bios, etc
      for consoles like the gamecube the disc is basically physically damaged so the TOC is unreadable (remember how the dreamcast had two TOCs? well the gamecube is similar, only the PC readable TOC is damaged intentionally so for a PC there is no disc inserted)

      Reply

  6. me’s avatar

    Similarly a burned disc does not have any mark on it because conventional CD drives can’t read that portion of the disc, so the system will also refuse to boot that.

    Huh? The problem was in cdrom lead-in wobble which calibrates the cdrom tracking and speed. On cd-r’s the wobble is pre-cut and not modifiable. On PS1 disks (and PS2 disks also), which are pressed, the wobble is modulated in such a way to encode the protection code. Therefore, CD writers can’t add the protection code to burned disks.

    Reply

    1. Acid_Snake’s avatar

      yes I know there is a more technical side to this but I try to keep it as simple as possible

      Reply

  7. Leires’s avatar

    Always interesting to read, thank you very much.~

    Reply

  8. jrazorman’s avatar

    cool.. I learned a lot! thanks

    Reply

  9. rafael707’s avatar

    keep it up snake, your blogs keep me entertained xD

    Reply

  10. robert’s avatar

    I don’t understand this.
    The way I have understood it, CDs and DVDs consist of lots of “blocks” that are either burned or not. These blocks then represent 1 (a burned block) or 0 (an untouched block).
    Why is it not possible to just simply copy the physical “combination of burned blocks” onto another disk and have an exact copy?

    Reply

    1. Acid_Snake’s avatar

      as I said, PS1 CDs have a block unreadable by normal PC readers, this block contains the region information and since normal CD players can’t read this part then they can’t reproduce it

      Reply

  11. CHINESEchocolateSauce’s avatar

    Great times

    Reply

  12. dimy93’s avatar

    I love those articles – I’ll take a look at it tomorrow

    Reply

  13. muhd’s avatar

    can we just copy to the vita?? no need to exploit a game or what… make a converter…

    Reply

    1. nero’s avatar

      are you being serious? that will never happen.

      Reply

  14. c-zero’s avatar

    Interesting article, of course, this was YEARS too late for me lol.

    Actually, there is more to the original PS1 than meets the eye. If you’re lucky enough to own an original SCPH1001 PS1 (I got mine from a friend, since he already had one), then in addition to the AV Multi port, you also had component-out (RCA). This is unique only to the original models, and here’s the kicker:

    Apparently, the sound quality from those component-out connectors were so good, they were better than a $6000 dollar sound system, when you hook them up to some good old fashioned Hi-Fi speakers. Imagine, having something that rivals a Bose sound system, but built from second-hand electronics for a fraction of the price (or even free)!

    I love collecting old stuff and finding new uses for them, don’t you?

    Reply

  15. notder’s avatar

    knowledge article. Thanks

    Reply

  16. BLACKkidWithBoogerRunningNOSE’s avatar

    I werember when my uncle had 1 it was kool cuz I played smakdown wit him on it all da time now I play ps2 more den I playz ps3 bcuz is more fun and I like how it look.

    Reply

  17. ???’s avatar

    good read!!!
    please do PS2 next

    Reply

  18. Hex_cz’s avatar

    haha, we’re needing some articles like that to refresh our head for a while xD
    nice article man

    Reply

  19. 7thpandaren’s avatar

    I love these articles, thanks for taking the time to write it. Read the dreamcast one and also the wii? one. Keep up the great work.

    Reply

  20. gunblade’s avatar

    psx mean i guess the music upgrade in the psone slim was thanks to the psx getting jacked. i also remember the loop read in the psx we used to jump start the game with the disk cover open… or take time to wipe disk while it was still trying to play the game. miss umd, don’t know what sony doing with this nintendo game cards… but a 120gb memory card for the vita would be cool.. if anything. oooh just think psp n vita umd stream to the vita by usb? bluetooth? wifi? just thinking…

    Reply

  21. gunblade’s avatar

    or is the accessories port with the psp usb possible?

    Reply

  22. gunblade’s avatar

    (what i thought i do was i threw a psp into a jet engine..)..

    Reply

  23. vhblfans’s avatar

    cool,i like ps1 games.

    Reply

  24. gunblade’s avatar

    so why doesn’t sony let the ps3 have backwards capability with psone n ps2 game unless they just want to make money on download copy since used game probably don’t get them that much dough, game stop shelves be pack with old school games…

    Reply

    1. Acid_Snake’s avatar

      any ps3 is backwards compatible with ps1 games, both cd and psn format

      Reply

    2. Viper2343’s avatar

      Gunblade The PS3 Has the capability with PS1 titles but not NTSC-J (Japan)but for the PS2 games you need a 80GB or 60GB PS3 to run them i have a first gen uncharted drake’s fortune Limited Edition 160GB PS3 and i can run PS1 titles but not Japan PS1 titles nor PS2 NTSC PS2 titles or NTSC-J Japan titles

      Reply

  25. gunblade’s avatar

    thought the choice was ps3 os or backwards play… man sony wont to do more with the ps3 then just download n play ps3 games… (more apps) free realm..

    Reply

  26. Dev’s avatar

    Interesting article
    Keep them coming!
    Kudos

    Reply

  27. RUSSIANorthKOREAwillruleUSA’s avatar

    Ps1 is beautiful we play it here more than ps3 and xbox better than vital too!

    Reply

  28. Stranno’s avatar

    I have my Breaker Pro disc but i usually play on PS2 so there is no need to have extra disc, just one original (with high TOC) and the program itself, pretty simple.

    Reply

  29. quetz’s avatar

    ahhh psx :) best console ever

    Reply

  30. Johnny’s avatar

    There is also FreeMCBoot, which is installed on the Memory Card, and it’s free as the name suggests. Google it.

    Reply

  31. Johnny’s avatar

    Scratch that, FreeMCBoot is PS2 only eheh. My bad.

    Reply

  32. Byron’s avatar

    I know this doesn’t belong here and that it’s already very late for what I’m going to ask, but could you make software that the PS1 could recognize to run copied games, the way it was done with the PS2? I have a PS1 and several of its games downloaded, and I would like to play them on the console itself.

    I await wololo’s reply

    regards…

    Reply

  33. darkcrows’s avatar

    i remember back in 1997 i got my first ps1.. i bought a game shark to play pirate ps1 games.. if original disk got a black disk

    Reply

  34. bogusflow’s avatar

    Back when I had a psx, I knew nothing of being able to modify a console, nor did I know anything about burned games. I remember when sony took that port for the gameshark out of the newer models. And to think, I always thought it was because they didn’t want people to cheat on their console. lol how small minded I was back then.

    Nice read by the way. Very interesting.

    Reply

  35. wululu is muslim’s avatar

    Hundroques espolicas biblicus oportior

    Reply

  36. Vicsidious’s avatar

    Excellent text! I loved it, thanks.

    Reply

  37. asmith906’s avatar

    Could you make a video/article showing how to install a modchip? That’d be pretty awesome.

    Reply

    1. Acid_Snake’s avatar

      yeah I was thinking about that but sadly, I already installed the only modchip I have and I don’t really like de-soldering modchips and re-soldering them since they can end up breaking.
      I have however posted the diagrams here: http://www.consoleheaven.de/viewtopic.php?f=11&t=70

      If I ever get to mod another ps1 then I’ll make a video

      Reply

  38. The Z’s avatar

    I have the old little white PSOne with a modchip, as a kid it was the coolest to be able to play every game, even if it was from a different region.

    It was a nice and funny childhood :D

    Reply

  39. Chita’s avatar

    I can’t believe it, i just got 3 working PSN Codes: youtu.be/W-Y3xHDTTe8

    Reply

  40. IgnusArmagadan’s avatar

    I used to do the swap trick all the time until I got my PS1, then I just backed up a lot of my PS1 collection to my PSP :) I still use Free McBoot though and even got component cables because I got a neat little app that runs pretty much every one of my PS2 games in HD. Of course not nearly as sharp as the HD remasters, but playing Kingdom Hearts II Final Mix +, Dragon Quest VIII, and Final Fantasy XII in HD from my PS2 is pretty awesome! :D

    Reply

    1. IgnusArmagadan’s avatar

      I meant until I got my PSP, lol. Oops ^_^

      Reply

    2. IgnusArmagadan’s avatar

      Oh, and not to mention having the ability to play games straight from my 32GB Flash Drive or from a Hard Drive, though I use my flash drive more, lol :p

      Reply

  41. Hex_cz’s avatar

    Well, i’ve successfully transferred my psp and ps1 saves from my psp ms to my vita. I think i can do the same thing with the games. Well, i’m thinking to upload my resident evil 3 backup folder to anyone with a backup folder in your pc to paste in it and transfer to your vita just to see if it works. Do you agree???

    Reply

  42. miguel angel’s avatar

    Now then, Master, I have enlightened my memory, since I always used these methods but did not know about the security or the way to hack it. Good topic.

    Reply

  43. SNEAKYChinaman’s avatar

    PS1 kicks ass I used to make backups like crazy in 96 in HK selling it to tourists those were the days :) economy was better than now this time corporations want to see us killed in jail for giving to people what they deserve in wholesale instead of rip off price of 70.00 110.00 Usa dollars a game at the time.

    Reply

  44. Patrick Vogt’s avatar

    Hi there,

    back in the days there were modchips which claimed that they would only allow imports to be booted (so burned discs/gold discs still failed to boot with these multinorm chips).

    How did they work?

    My guess is that they took the SCEx string on the disc (so they actually checked that string or they did not bypass this check) and converted it into the string of the corresponding bios of the PS1?

    Does anybody know how exactly those multinorm chips work?

    PS: Which discs got the SCEW string? These discs would only boot on Net Yaroze consoles (and on chipped PS1s). The only disc I could think of is the Net Yaroze boot disc in the Net Yaroze dev kit? Are there any other Net Yaroze exclusive discs?

    Reply

  45. D4RKD3V1L’s avatar

    The good old days of the ps1…..

    http://tinypic.com/r/2a9xqwk/6

    Reply

  46. fatcaall’s avatar

    Great article, just want to say you are an awesome writer, would love to read more like this.

    Reply

  47. PSLover14’s avatar

    My Cousin had a PS1 with some blue thing in the back of it, and every time you booted it up, a screen would come up saying START and you had to press X on it.

    Reply
