10 Days of Hacking, Day 2: The PS1

The PS1 was not only a very successful console, it was also the first mainstream console to be hacked in a way that led to homebrew and to downloadable pirated games. But how did its security work, and which methods were used to hack it?
Like the NES and SNES before it, the PS1 used one single security measure both to keep unauthorized games and to keep imported games from playing.
The PS1 implemented that measure very differently, however, and although I have already reviewed its security some time ago, I will briefly go over it again.
HOW SECURITY WORKS
Many thought the PS1 security was based on the discs being black rather than the white/yellowish color of most recordable CDs, but we all know that's nonsense. What these games had that conventional CDs did not was a special watermark, pressed into the disc as a deliberate wobble of the track in the lead-in area, that a CD burner cannot reproduce and that encodes the disc's region code. The same region code is hard-coded into the console. When the PS1 reads this watermark from the disc it compares it against its own: if the two match, the console boots the game; otherwise it refuses to boot anything from that disc. This kept games from other regions from playing, but it also blocked unlicensed copies, which carry no watermark at all, so in the eyes of the PS1 an imported game is no different from a pirated one.
CIRCUMVENTING THE SECURITY
Although there are a few other ways to circumvent this check, such as devices plugged into the expansion port on early PS1 models (a port that was later removed), there are two mainstream methods I will review here.
The first and most popular was the modchip. We all know today what modchips are, but it was not until the PS1 that they became widely popular, mainly because they were easy to install and posed little risk to the console: you barely needed any soldering skills, and even if you had none, having a professional install one was dirt cheap.
A modchip works by injecting the console's own region code onto the line the drive uses to report the watermark. The console never sees what the drive actually read from the disc; the expected region code always arrives, so the console gives the green light and boots whatever is in the drive.
Although modchips were really clever, there was an even cleverer hack that exploited one of the console's CD "features".
When it hits a disc read error the PS1 does not give up right away: it keeps retrying the read for a few seconds before failing. That let many lightly scratched games remain playable and avoided timing problems, and it is exactly the window the second hack abuses.
To understand why this was exploitable, we first need to understand how the PS1 reads a disc.
First the PS1 performs the region check on the disc. Once that check has passed it reads the TOC (Table Of Contents) from the disc, then performs a second region check, and only once that one passes does it read and run the game executable. The boot process therefore boils down to this:
– check
– TOC read
– check
– execute disc
If you remember the NES, there were hacked cartridges that took a licensed game and replaced everything but the parts involved in the checks with an unlicensed game. The goal here is the same, so we go from this:
– check on original disc
– read TOC of original disc
– check on original disc
– execute original disc
to this:
– check on original disc
– read TOC of unlicensed disc
– check on original disc
– execute unlicensed disc
We obviously cannot replace the game data on the original disc, but since the PS1 retries a failing read for a few seconds before giving up, we have more than enough margin to swap the original disc for an unlicensed one between the steps. The only other thing we have to do is trick the PS1 into thinking the lid is closed even while we open it. The console detects the lid with a small switch on the motherboard that the closed lid presses down, so we just have to keep that switch pressed permanently; duct tape will do.
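The following is an added example, not Sony's code and not code from the original post: a small Python model of the boot sequence just described (check, TOC read, check, execute) with the read-retry window, and of the two bypasses, a modchip that keeps injecting the console's own region code and the disc swap performed while the lid switch is held down. The four-phase order follows the article; the retry budget, the number of reads a swapped disc needs to spin up, and the SCEx region labels are assumptions made to keep the model concrete. It also shows why a plain modchip that injects all the time is detectable by a game that re-asks for the region code after booting.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed constants (this is a model, not measured PS1 behaviour).
BOOT_PHASES = ("check", "toc", "check", "execute")  # order described in the article
RETRY_BUDGET = 3        # retries the console allows before it gives up on a read
DEFAULT_SPIN_UP = 2     # reads that fail while a freshly swapped disc spins up


@dataclass
class Disc:
    label: str
    watermark: Optional[str]  # region code pressed into the lead-in; None for a burned copy
    executable: str


@dataclass
class Console:
    region: str                      # region code hard-coded in the console
    modchip: bool = False            # modchip that keeps injecting the console's own region code
    lid_switch_jammed: bool = False  # lid switch held down (tape/spring), so the lid can be opened
    spin_up_reads: int = DEFAULT_SPIN_UP
    drive: Optional[Disc] = None
    reads_until_ready: int = 0
    log: List[str] = field(default_factory=list)

    def region_reported(self, during_boot: bool) -> Optional[str]:
        """Region string seen on the drive's line. A pressed disc's watermark
        is only read during the boot-time checks; a plain modchip feeds the
        string all the time, which is what anti-modchip games look for."""
        if self.modchip:
            return self.region
        if during_boot and self.drive is not None:
            return self.drive.watermark
        return None

    def swap(self, disc: Disc) -> bool:
        """Open the lid and put another disc in; only works if the lid switch is jammed."""
        if not self.lid_switch_jammed:
            return False
        self.drive = disc
        self.reads_until_ready = self.spin_up_reads
        return True

    def read(self) -> bool:
        """One read attempt; False models a read error (no disc, or disc still spinning up)."""
        if self.drive is None:
            return False
        if self.reads_until_ready > 0:
            self.reads_until_ready -= 1
            return False
        return True

    def boot(self, swaps: Dict[int, Disc]) -> str:
        """Run the boot sequence. `swaps` maps a phase index to the disc to
        insert just before that phase (the disc-swap trick)."""
        for i, phase in enumerate(BOOT_PHASES):
            if i in swaps and not self.swap(swaps[i]):
                return "aborted: lid opened"
            for _ in range(RETRY_BUDGET + 1):   # first attempt plus the retries
                if self.read():
                    break
                self.log.append(f"{phase}: read error, retrying")
            else:
                return f"aborted: gave up reading during {phase}"
            if phase == "check" and self.region_reported(during_boot=True) != self.region:
                return "refused: region check failed"
            if phase == "execute":
                return f"booted {self.drive.executable}"
            # "toc": the TOC of whatever disc is present is read; nothing is verified
        return "unreachable"

    def in_game_anti_modchip_check(self) -> str:
        """What some later games did: ask for the region string again after
        boot. Stock hardware reports nothing by then and the game carries on;
        a modchip still injecting the string makes the game hang."""
        return "hang" if self.region_reported(during_boot=False) else "ok"


# Constructed sample discs; the SCEx strings are just region labels here.
US_GAME = Disc("pressed US game", "SCEA", "us_game.exe")
JP_GAME = Disc("pressed JP game", "SCEI", "jp_game.exe")
BURNED = Disc("burned copy", None, "burned_copy.exe")


def demo() -> Dict[str, str]:
    """Boot outcomes for a US console under each scenario from the article."""
    return {
        "original": Console("SCEA", drive=US_GAME).boot({}),
        "import": Console("SCEA", drive=JP_GAME).boot({}),
        "burned": Console("SCEA", drive=BURNED).boot({}),
        "modchip": Console("SCEA", modchip=True, drive=BURNED).boot({}),
        "swap_lid_not_jammed": Console("SCEA", drive=US_GAME).boot({1: BURNED}),
        # the article's sequence: original disc in for both checks, copy in for TOC and execute
        "swap": Console("SCEA", lid_switch_jammed=True, drive=US_GAME)
        .boot({1: BURNED, 2: US_GAME, 3: BURNED}),
        # a drive that needs more reads than the retry budget defeats the trick
        "swap_too_slow": Console("SCEA", lid_switch_jammed=True, drive=US_GAME,
                                 spin_up_reads=RETRY_BUDGET + 1).boot({1: BURNED}),
        "in_game_check_stock": Console("SCEA", drive=US_GAME).in_game_anti_modchip_check(),
        "in_game_check_modchip": Console("SCEA", modchip=True, drive=US_GAME)
        .in_game_anti_modchip_check(),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {outcome}")
```

The `swap_too_slow` case is the point of the retry window: the trick only works because the console tolerates more failed reads than a swapped disc needs to spin up. The two in-game results show the flip side of a modchip that injects unconditionally: the region string is present at a moment when a stock console would never report it.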

CONCLUSION
With the birth and rise of the Sony PlayStation we saw not only the birth and rise of modern hacks like modchips, we also saw some pretty clever hacks born from simple mistakes on Sony's part. But this was their first console, so they were bound to make such mistakes. I doubt we will see another Sony device fall victim to disc swappers, but that won't stop them from making more mistakes. Stay tuned for more!
Liked this article? Check Day 3: The PS2, and Day 1: The NES.
The good old days, I miss the classic consoles.
Yeah, the PS2 was my first true console and I had it modded when I bought it, way back in 2000.
Still have it and it still works; never spent a dime on the console till date and it still runs like a boon.
This was fun back in the day. Anyone remember the spring that came with it instead of the duct tape? That *** was priceless.
The swap trick still works on the PS2 and PS3 for PS1 games, and for both PS1/PS2 games on the PS3 BC models,
though it's far easier on the PS2 slim models than the launch ones.
Not sure if the PS4 will have such mistakes though, since they dropped all disc-based compatibility other than select PS3 games with digital upgrade packs.
I'm sure in the end the PS Vita will be hacked soon.
I used 2 methods for booting backups on the PS1.
The first was this Gameshark that plugged into the expansion port. That thing was a thing of beauty. You could edit data on the fly and create your own codes. Not to mention of course booting “imports”.
The 2nd was a disc-based GameShark; that and a spring from a pen (to keep the lid button pressed) allowed for many hours of bootleg Diablo (and its awesome loading bar that would eventually go off the screen).
Ah the good ol days.
I remember when some of the later PSX games had to be patched as the game had extra anti-piracy checks. Some would halt the game right away but some more clever ones let you think you were successful and then at a critical part of the game the game would halt.
I also remember the newer GameShark 4.0 that you could use as a boot disc. I never used a ModChip in my PSX. I only ever used Boot Discs.
I forgot to mention that some games had anti-modchip measures. To clarify how it was done, since I left it out of the post: the game keeps asking for the region code. Since the disc has already booted and the CD drive is no longer reading the region, under normal circumstances the game cannot retrieve this information, so it passes the check and continues normally. But since a modchip keeps feeding the system that info, the game enters an infinite loop. In pseudocode it would look like this:
while (region_code_present()) {   /* still seeing the region code after boot? only a modchip does that */
    do_nothing();                 /* stock console: loop never entered; modchipped console: spins forever */
}
These are great, very interesting reads.
Wow, never heard of any modchip method for the PS1 before. I want to try it but I guess it's too late for now.
Not that much, I grabbed myself a PS1 modchip about a year ago.
There's actually a really funny exploit that was patched early on in the PS1's life, called the audio menu exploit.
It still required the lid sensor to be "blocked", but it was a less destructive method than the double swaps and such. Basically you would boot the PS1 without a disc and enter the audio menu, put a legit PS1 disc in and press play (it'll spin the disc, check it and stop the disc), swap the legit disc for an import or backup and exit the audio menu: it'll boot the backup/import.
Like I said though, Sony patched the exploit quite early on, so you either need an early model JAP PS1 or an early US PS1 (1001 with an extremely early SN).
This trick worked on UK consoles also, probably for about the first year of the PS1's life. I worked in a video games shop at the time and you got to know the serial numbers of the ones that would work; they always got sold for a little more :p
As a side note, multi-disc games that didn't let you save before asking you to switch discs (Chrono Cross, I'm looking at YOU!!) were pretty pointless.
Killzone Mercenary ps vita $17.99 ps store
What? All I needed was a blank CD and I just downloaded the game and burned it. It worked fine.
BTW This is pretty interesting: http://en.wikipedia.org/wiki/List_of_best-selling_game_consoles
As always, excellent read! Although there's something I don't get: according to this, you'd have to swap the discs three times, right? So it'd have to go like this:
– insert original disc=> check on original disc
– swap with unlicensed disc=>read TOC of unlicensed disc
– swap with original disc=> check on original disc
– swap with unlicensed disc=> execute unlicensed disc
But in my experience, I've only ever had to swap just once. The simple method went like this:
– go to the CD player, insert the licensed disc and fake-close the lid
– wait a few sec for the check (1 track appears in the player, don't press play)
– swap with the unlicensed disc
– exit the CD player
That’s how I played Ergheiz 😉
There was an alternative method, a bit trickier but much more effective on some more recent PS models (never had to use it myself as I have an EU launch model):
– fake-close the lid and run the licensed disc
– wait for the check
– when the disc slows down, swap with the unlicensed disc and that's it
The only time I had to use 2 swaps was with Parasite Eve, when you had to change disc and there was no save point... right after a boss battle... I'd just beaten it, my cousin and I were still tense from the battle, then the game asked me to change disc... that's when I realised I'd have to use a method I'd never attempted before: the double swap while the disc was still spinning. It went like this:
– lid was fake-closed, US licensed disc 1 had just stopped spinning
– I opened the lid, placed the EU licensed disc and fake-closed the lid
– the EU licensed disc started spinning
– when it slowed down I swapped with US licensed disc 2
– the disc started to spin faster... and the game continued
We were SO relieved... got it on my first try and didn't have to replay the boss battle 😀 I realise now that's not even a "proper" double swap as the disc wasn't even spinning during the first swap (if I remember well; it could have been, that was back in 1999 and my memory is failing me. A bit.)
Anyway, I don't understand why more than 1 swap would be needed? The only time I had to use more than 1 was with Parasite Eve, and that can't even count as the game required me to change disc anyway.
Double post, sorry:
I started to write my post HOURS ago and only just finished; now I see someone is already talking about the CD player trick :p
Thanks again for this post. It's always interesting how many ideas they have to cheat the manufacturers. I'm sure the battle between manufacturer and hacker will never end. It's only a matter of time.
I miss those days. Good memories. I owned all my friends lol. Games nowadays are not the same feeling as those good old days!!
Such a great article... it shows how good these times are 🙂
Later models of the PS1 actually had different check methods; one model even required you to start with the 'imported' disc in the drive. Mine goes:
1 – Official Disc
Speed Change
2 – Imported Disc
Speed Change
3 – Official
Speed Change (x2)
4 – Import
Speed Change (2x)
5 – Official
Speed Change
6 – Import – Play time!
(For those unfamiliar with disc swapping: the PS1 featured a 2x speed disc drive, and the swaps were timed at the moment when the disc changed between high and low speeds.)
I used to swap discs all the time. You just had to listen for the sound when the disc speed changed. Did it all the time to play DDR and Chrono Cross =]
Before this there were disc swap methods on the Sega Saturn happening as well. There was only a single check at the beginning of trying to load the disc but not another one after, which is where I believe Sony may have learned that they should use two checks.
Regardless, I guess you may only be covering Nintendo and Sony on this 10 days of hacking :P.
I think you should extend it into circumventing the Sega CD, Saturn, And Dreamcast as well…
I feel the Dreamcast was kind of important to the history of things as well.
I remember that time when my old PlayStation (the one that has the expansion port at the back) was able to run games from other regions. I was experimenting at the time on my console, trying to play games from other regions that are usually not playable on my PlayStation's region. When I inserted this "GameShark"-like external hardware into the extension port and then put in the unplayable game, I was shocked that it ran the game. I had no idea what was going on at the time until I read this thread and realized that it was a bug/mistake made by Sony.
It feels like i was transported into my childhood days. POAHF =)
The Sega Dreamcast was pretty great. Just burn a disc and boot. The DreamSNES emulation disc was great!
Any chance you guys will dive into the "backup copiers" soon, like the SNES's Game Doctor SF3, 4 & 6 plus also the Sega Genesis's Super Magic Drive units? If some of ya's have grown up with them before in the past 😉
coool