How PS1 security works.

December 9, 2012

With all the exploit related news and the upcoming ecfw by frostegater, we barely see articles that have nothing to do with the vita, so lets take a step away for brief moment from the psp scene and learn how the copy protection and different security measures on the ps1 worked.

In this article I will explain how the ps1 security works, so you can understand the methods used back then to bypass it’s security and why those methods don’t work today.

Original security measure: disc region

First, we must know that the ps1 had region locks, which means a legit bought game from the US won’t work on a EU console. The next thing you should know is that the region lock and the antipiracy check is one and the same, for older models that is (but we’ll get to that later).

Legit Ps1 games had a marked zone at the beginning of the disc that contained the region information, this information had the letters SCEx, where x was the region of the disc:

- A for america (SCEA)

- E for europe (SCEE)

- I for japan (SCEI)

- W for Net Yarozee (SCEW)

Imagine you have a european console, this console will have the mark SCEE in it’s BIOS, when you insert an american disk the console will read SCEA on the disc, SCEE != SCEA so the system would refuse to boot.

Similarly a burned disc does not have any mark on it because conventional CD drives can’t read that portion of the disc, so the system will also refuse to boot that.

So for a european console, there is no difference between a legit american disc and a burned disc. None of them match what the system wants so the system won’t boot it.

Modchips got around this by injecting the string the system is looking for into the stream, letting the system think the disc does have the string in it and then accepting to boot it.

This is for older models of course, newer models (the PSone) have a second check for the region, so a modchip that worked on the fat model will partially work on the newer system.

New security measure: boot text

The modchip, like I said, will inject that string into the system, letting the system think it’s legit, but then the system will perform a second check, this check is done to the executable file itself.

You may be familiar with this screen:

Believe it or not the “Licensed by Sony Computer Entertainment America SCEA TM” text is not found on the system itself, but rather on the disc. That’s right, the system reads this text from the disc and put it on the boot logo, which lead people to create custom boot screens.

This text was not checked by older fat ps1s but then sony added the text into the newer psone bios, so this time it does check for it. This time, even when the modchip makes the system think it’s a legit game, the simple fact that the boot text is different makes the system reject the disc. This is of course for imports or games with custom text.

There were two methods to bypass this, the first was using a disc called import player. This disc used an “exploit”, which is nothing more than taking advantage of the system’s ability to play multi-disc games. When you play a game such as Metal Gear Solid or Final Fantasy VII, at some point they will prompt you to change discs. When you change the discs, the system does not enter the boot screen, so the boot text check is not done. The import player took advantage of this, by simply prompting you to change the discs as any of these games do, then the modchip does the first check bypass and since the system doesn’t enter the boot scree, it doesn’t check the boot text.

The second method is a lot more permanent, it’s the same method as injecting a custom boot, only this time you inject the correct boot text into the cd, allowing you to directly boot the disc.

Another new Security Measure: modchip detection

Another measure that was implemented was the detection of modchips. This measure required new hardware so it only available in psone models and on top of that it wasn’t performed by the system but the game, so the code had to be implemented into the game itself, meaning older games would not be able to use the new feature.

The way a modchip was detected is quite simple, the game would keep asking for the CD’s code (SCEx as we saw above), if there is a modchip in the system it will continually inject such string, while if there is no modchip then no string is injected and thus the game would continue.

Bypassing this protection could be done using the import player (which has an anti-modcip detection patch) or by patching the game’s iso before burning. Both do the same basically.

PS1/one Hacking Methods

These various ways to hack the PS1, but each method got patched along the way, except one method that was never patched (swapping) and another method that was patched but got continuous new releases (modchips).

AR Method:
This method consisted in inserting an Action Replay “cartridge” in the system’s Parallel Port. This “cartridge” (if we can call it that) bypassed the method used by the system (the SCEx method). This was patched by Sony simply removing the Parallel I/O Port. Some games have anti-AR security measures which can be defeated using Import Player in the same way as defeating the already mentioned Anti-Modchip security.

Swap Trick:
This method took advantage of the system’s disc read error tolerance policy, this means that when the ps1 can’t read a disc it keeps retrying until a decent amount of time. This is why it takes time for the ps1 to “detect” a burned game or why scratched games can take longer to load. The method consisted of tricking the system into thinking the disc cover is always closed, even when it isn’t, allowing you to swap an original disc with a burned one. This trick is performed differently in the slim and fat models due to the new boot text security, but it’s overall doable in any ps1 console, the only problem I can think of with this method is that it wears out the motor.

Modchips
Modchips are usually the best method to hack a ps1. They are permanent, games can be booted directly and if installed correctly they don’t have to break the system. I already explained how modchips work, they simply inject what the system wants into the stream, making the system think the disc inserted is a legit game. Different models came out but if you are looking for one that is compatible with all ps1 consoles (fat and slim) then the MultiMode 3 is your bet, although it doesn’t break the PSone boot text security and it’s not a stealth chip (it can be detected by game that have the anti-modchip protection). If you are looking for a good PSone chip then the ONEChip is the one you need, it bypasses all PSone protections, including the anti-modchip one.

Let’s do a recap of the different copy-protections that the ps1 and psone have.

PS1:
– The standard region protection (the SCEx thing).
– The Anti-AR protection.
PSone:
– The standard region protection (the SCEx thing).
– The anti custom boot text protection.
– The anti-modchip protection

Well, now that you know how the Ps1 copy-protection worked, you can go back to the psp scene to wait for frostegater’s ecfw.

Tweet this!Tweet this!

Previous post:

Next post: