How PS1 security works.
With all the exploit-related news and the upcoming ecfw by frostegater, we barely see articles that have nothing to do with the Vita, so let's take a step away from the PSP scene for a brief moment and learn how the copy protection and the different security measures on the PS1 worked.
In this article I will explain how the ps1 security works, so you can understand the methods used back then to bypass its security and why those methods don’t work today.
Original security measure: disc region
First, we must know that the PS1 had region locks, which means a legitimately bought game from the US won't work on an EU console. The next thing you should know is that the region lock and the antipiracy check are one and the same, at least for the older models (but we'll get to that later).
Legit PS1 games had a marked zone at the beginning of the disc that contained the region information. This information consisted of the letters SCEx, where x was the region of the disc:
– A for America (SCEA)
– E for Europe (SCEE)
– I for Japan (SCEI)
– W for Net Yaroze (SCEW)
Imagine you have a European console: this console will have the mark SCEE in its BIOS. When you insert an American disc the console will read SCEA on the disc; SCEE != SCEA, so the system refuses to boot it.
Similarly, a burned disc does not have any mark on it, because conventional CD drives can't read that portion of the disc, so the system will also refuse to boot it.
So for a european console, there is no difference between a legit american disc and a burned disc. None of them match what the system wants so the system won’t boot it.
Modchips got around this by injecting the string the system is looking for into the stream, letting the system think the disc does have the string in it and then accepting to boot it.
This is for the older models, of course. Newer models (the PSone) have a second check after the region one, so a modchip that worked on the fat model will only partially work on the newer system.
New security measure: boot text
The modchip, like I said, will inject that string into the stream, letting the system think the disc is legit, but then the system performs a second check, this time on the executable file itself.
You may be familiar with this screen:
Believe it or not, the "Licensed by Sony Computer Entertainment America SCEA TM" text is not stored on the system itself, but rather on the disc. That's right: the system reads this text from the disc and puts it on the boot logo, which led people to create custom boot screens.
This text was not checked by the older fat PS1s, but Sony later added the text into the newer PSone BIOS, so that model does check for it. This time, even when the modchip makes the system think it's a legit game, the simple fact that the boot text is different makes the system reject the disc. This of course only affects imports or games with custom text.
There were two methods to bypass this. The first was using a disc called Import Player. This disc used an "exploit", which is nothing more than taking advantage of the system's ability to play multi-disc games. When you play a game such as Metal Gear Solid or Final Fantasy VII, at some point it will prompt you to change discs. When you change discs, the system does not enter the boot screen, so the boot text check is not done. The Import Player took advantage of this by simply prompting you to change discs as any of these games do; the modchip then handles the first check, and since the system doesn't enter the boot screen, it doesn't check the boot text.
The second method is a lot more permanent. It's the same method as injecting a custom boot screen, only this time you inject the correct boot text into the CD image, allowing you to boot the disc directly.
Another new Security Measure: modchip detection
Another measure that was implemented was the detection of modchips. This measure required new hardware, so it was only available on PSone models; on top of that it wasn't performed by the system but by the game, so the code had to be implemented in the game itself, meaning older games could not use the new feature.
The way a modchip was detected is quite simple: the game would keep asking for the CD's code (the SCEx mark we saw above). If there is a modchip in the system it will continually inject that string, whereas if there is no modchip then no string is injected, and the game continues.
Bypassing this protection could be done using the Import Player (which has an anti-modchip-detection patch) or by patching the game's ISO before burning. Both do basically the same thing.
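To make the three checks above concrete, here is an added simulation (not code from the article, and nothing to do with Sony's firmware) of the region mark check, the PSone boot text check, and the in-game modchip detection. The sector numbers, the LEAD_IN range, the Europe licence text and the poll count are constructed assumptions.

```python
# Added example: a model of the PS1/PSone boot checks and the anti-modchip
# check. Sector layout, LEAD_IN, SCEE_TEXT and the poll count are constructed
# assumptions, not values from the console.
LEAD_IN = range(0, 4)   # constructed: sectors carrying the wobble-encoded SCEx mark
SCEA_TEXT = "Licensed by Sony Computer Entertainment America SCEA TM"
SCEE_TEXT = "Licensed by Sony Computer Entertainment Europe SCEE TM"  # constructed

class Disc:
    """mark: SCEx string pressed into the lead-in, or None for a burned copy
    (CD writers cannot reproduce that zone). boot_text: text in the image."""
    def __init__(self, mark, boot_text):
        self.mark, self.boot_text = mark, boot_text

class Drive:
    """modchip: the SCEx string a modchip injects into the stream, or None."""
    def __init__(self, disc, modchip=None):
        self.disc, self.modchip = disc, modchip

    def read_mark(self, sector):
        if self.modchip is not None:
            return self.modchip      # injected on every read, wherever the head is
        return self.disc.mark if sector in LEAD_IN else None   # only in the lead-in

def boot_check(drive, console_region, model, bios_text):
    """Fat model: region mark only. PSone: region mark, then the boot text."""
    if drive.read_mark(0) != console_region:
        return "rejected: region mark"
    if model == "psone" and drive.disc.boot_text != bios_text:
        return "rejected: boot text"
    return "boot"

def game_detects_modchip(drive, polls=8, first_sector=1000):
    """Anti-modchip check run by the game: keep asking for the mark while
    reading ordinary data sectors. A pressed disc returns nothing there; a
    modchip keeps answering, so any mark seen outside the lead-in is a hit."""
    return any(drive.read_mark(first_sector + i) is not None for i in range(polls))

if __name__ == "__main__":
    legit = Drive(Disc("SCEE", SCEE_TEXT))
    chipped = Drive(Disc(None, SCEA_TEXT), modchip="SCEE")   # burned US image
    print(boot_check(legit, "SCEE", "psone", SCEE_TEXT))      # boot
    print(boot_check(chipped, "SCEE", "fat", SCEE_TEXT))      # boot
    print(boot_check(chipped, "SCEE", "psone", SCEE_TEXT))    # rejected: boot text
    print(game_detects_modchip(chipped), game_detects_modchip(legit))  # True False
```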
PS1/one Hacking Methods
There were various ways to hack the PS1, but each method got patched along the way, except one method that was never patched (swapping) and another that was patched but kept getting new releases (modchips).
AR Method:
This method consisted of inserting an Action Replay "cartridge" into the system's Parallel I/O Port. This "cartridge" (if we can call it that) bypassed the check used by the system (the SCEx method). Sony patched this simply by removing the Parallel I/O Port. Some games have anti-AR security measures, which can be defeated using the Import Player in the same way as the anti-modchip security mentioned above.
Swap Trick:
This method took advantage of the system's tolerance for disc read errors: when the PS1 can't read a disc it keeps retrying for a decent amount of time. This is why it takes the PS1 a while to "detect" a burned game, and why scratched games can take longer to load. The method consisted of tricking the system into thinking the disc lid is always closed, even when it isn't, allowing you to swap an original disc for a burned one. This trick is performed differently on the slim and fat models due to the new boot text security, but it's doable on any PS1 console; the only problem I can think of with this method is that it wears out the motor.
Modchips
Modchips are usually the best method to hack a PS1. They are permanent, games can be booted directly, and if installed correctly they don't have to damage the system. I already explained how modchips work: they simply inject what the system wants into the stream, making the system think the inserted disc is a legit game. Different models came out, but if you are looking for one that is compatible with all PS1 consoles (fat and slim) then the MultiMode 3 is your best bet, although it doesn't bypass the PSone boot text security and it's not a stealth chip (it can be detected by games that have the anti-modchip protection). If you are looking for a good PSone chip then the ONEChip is the one you need; it bypasses all PSone protections, including the anti-modchip one.
Let’s do a recap of the different copy-protections that the ps1 and psone have.
PS1:
– The standard region protection (the SCEx thing).
– The Anti-AR protection.
PSone:
– The standard region protection (the SCEx thing).
– The anti custom boot text protection.
– The anti-modchip protection.
Well, now that you know how the Ps1 copy-protection worked, you can go back to the psp scene to wait for frostegater’s ecfw.




cool article
nice to have something off topic once in a while
oh and continuing the tradition, first 😉
Ah, good times. Care to document some game antipiracy, such as Spyro, soon?
Great story Acid_Snake. Remember like it was yesterday doing the swap trick at such a young age.
Crash Bandicoot 2 is the game that comes to mind thinking back to the PS1 days.
haha I remember doing the swap trick too.. Used the old GameShark method with a spring to hold the button down that fooled the PS1 into thinking the lid was closed. For the PS2 I used the cog-swap method.. once again another GameShark, and a nail file taped to a broken plastic spoon to pull to the left/right to eject the PS2 tray. Good times
Good article, but I have one question – how come these kind of methods don’t work today? I have a general idea, but was hoping for the “and why those methods don’t work today” part of the article to fill the gaps in my knowledge.
mainly because there are other more secure methods implemented.
Those days, you didn't have much processing power for complex security. Nowadays it is different: there are all of these encrypted signatures which would take AGES to crack. Think of it as trying to calculate every single move possible in chess; the only reason there isn't a move using which you will always win in chess is because there are too many combinations, and that is only 64 boxes with 32 pieces. Now compare it to the 255 characters there are in modern signatures, and we don't know how many of them are checked!
Physical security still exists on all the disc-based consoles. The wobble used on the PS1 was also used on the PS2, at least for CD-based games (DVDs can't use that copy protection method). The XBOX and XBOX360 use an encrypted second volume on the DVD for security. Gamecube and Wii discs are fully encrypted and can't be read in regular DVD-ROM drives at all. I'm not sure how the PS2 DVD or PS3 Blu-ray physical security works.
as others have told you, better methods have been found, for example, on the ps2 you can’t just inject data into the live stream as you do with ps1, you have to modify functions of the bios, etc
for consoles like the gamecube the disc is basically physically damaged so the TOC is unreadable (remember how the dreamcast had two TOCs? well the gamecube is similar, only the PC readable TOC is damaged intentionally so for a PC there is no disc inserted)
Huh? The problem was in the CD-ROM lead-in wobble, which calibrates the CD-ROM tracking and speed. On CD-Rs the wobble is pre-cut and not modifiable. On PS1 discs (and PS2 discs also), which are pressed, the wobble is modulated in such a way as to encode the protection code. Therefore, CD writers can't add the protection code to burned discs.
yes I know there is a more technical side to this but I try to keep it as simple as possible
Always interesting to read, thank you very much.~
cool.. I learned a lot! thanks
keep it up snake, your blogs keep me entertained xD
I don’t understand this.
The way I have understood it, CDs and DVDs consist of lots of "blocks" that are either burned or not. These blocks then represent 1 (a burned block) or 0 (an untouched block).
Why is it not possible to just simply copy the physical “combination of burned blocks” onto another disk and have an exact copy?
as I said, PS1 CDs have a block unreadable by normal PC readers, this block contains the region information and since normal CD players can’t read this part then they can’t reproduce it
Great times
I love those articles – I’ll take it a look tomorrow
can we just copy to the vita?? no need to exploit a game or what.... make a converter....
are you being serious? that will never happen.
Interesting article, of course, this was YEARS too late for me lol.
Actually, there is more to the original PS1 than meets the eye. If you’re lucky enough to own an original SCPH1001 PS1 (I got mine from a friend, since he already had one), then in addition to the AV Multi port, you also had component-out (RCA). This is unique only to the original models, and here’s the kicker:
Apparently, the sound quality from those component-out connectors were so good, they were better than a $6000 dollar sound system, when you hook them up to some good old fashioned Hi-Fi speakers. Imagine, having something that rivals a Bose sound system, but built from second-hand electronics for a fraction of the price (or even free)!
I love collecting old stuff and finding new uses for them, don’t you?
knowledge article. Thanks
I remember when my uncle had 1 it was kool cuz I played SmackDown wit him on it all da time now I play ps2 more den I playz ps3 bcuz is more fun and I like how it look.
good read!!!
please do PS2 next
haha, we’re needing some articles like that to refresh our head for a while xD
nice article man
I love these articles, thanks for taking the time to write it. Read the dreamcast one and also the wii? one. Keep up the great work.
psx mean i guess the music upgrade in the psone slim was thks to the psx getting jacked. i also remember the loop read in the psx, we used to jump start the game with the disk cover open ....or take time to wipe the disk while it was still trying to play the game. miss umd, don't know what sony doing with dis nintendo game cards...but a 120gb memory card for the vita would be cool..if anything. oooh jus think psp n vita umd stream to the vita by usb? bluetooth? wifi? jus thinking...
or is the accessories port with the psp usb possible?
(what i thought i'd do was i threw a psp into a jet engine..)..
cool,i like ps1 games.
so why doesn't sony let the ps3 have backwards compatibility with psone n ps2 games unless they jus want to make money on download copies since used games probably don't get them that much dough, game stop shelves be packed with old school games...
any ps3 is backwards compatible with ps1 games, both cd and psn format
Gunblade, the PS3 has the capability with PS1 titles but not NTSC-J (Japan), but for the PS2 games you need an 80GB or 60GB PS3 to run them. I have a first gen Uncharted: Drake's Fortune Limited Edition 160GB PS3 and I can run PS1 titles but not Japan PS1 titles, nor NTSC PS2 titles or NTSC-J Japan titles.
thought the choice was ps3 os or backwards play ...man sony wants to do more with the ps3 than just download n play ps3 games...(more apps) free realm..
Interesting article
Keep them coming!
Kudos
Ps1 is beautiful we play it here more than ps3 and xbox better than vital too!
I have my Breaker Pro disc but i usually play on PS2 so there is no need to have extra disc, just one original (with high TOC) and the program itself, pretty simple.
ahhh psx 🙂 best console ever
There is also FreeMCBoot, which is installed on the Memory Card, and it’s free as the name suggests. Google it.
Scratch that, FreeMCBoot is PS2 only eheh. My bad.
I know this doesn't belong here and that it's already very late for what I'm going to ask, but could you make software that would let the PS1 recognise copied games, just like you did with the PS2? I have a PS1 and several downloaded games for it and I would like to play them on the same console.
Awaiting a reply from wololo
regards...
i remember back in 1997 i got my first ps1..i bought a GameShark to play pirate ps1 games..if original disk got a black disk
Back when I had a psx, I knew nothing of being able to modify a console, nor did I know anything about burned games. I remember when sony took that port for the gameshark out of the newer models. And to think, I always thought it was because they didn’t want people to cheat on their console. lol how small minded I was back then.
Nice read by the way. Very interesting.
Excellent text! I loved it, thanks.
Could you make a video/article showing how to install a modchip? That’d be pretty awesome.
yeah I was thinking about that but sadly, I already installed the only modchip I have and I don’t really like de-soldering modchips and re-soldering them since they can end up breaking.
I have however posted the diagrams here: http://www.consoleheaven.de/viewtopic.php?f=11&t=70
If I ever get to mod another ps1 then I’ll make a video
I have the old little white PSOne with a modchip, as a kid it was the coolest to be able to play every game, even if it was from a different region.
It was a nice and funny childhood 😀
I used to do the swap trick all the time until I got my PS1, then I just backed up a lot of my PS1 collection to my PSP 🙂 I still use Free McBoot though and even got component cables because I got a neat little app that runs pretty much every one of my PS2 games in HD. Of course not nearly as sharp as the HD remasters, but playing Kingdom Hearts II Final Mix +, Dragon Quest VIII, and Final Fantasy XII in HD from my PS2 is pretty awesome! 😀
I meant until I got my PSP, lol. Oops ^_^
Oh, and not to mention having the ability to play games straight from my 32GB flash drive or from a hard drive, though I use my flash drive more, lol :p