github.com/kalymos.PsNee
1
0
Fork 0
mirror of https://github.com/kalymos/PsNee.git synced 2026-03-06 11:23:28 +00:00
Code Issues Releases Wiki Activity

PsNee latest updates / fixes (#14)

Browse Source 
* add a loop delay so it doesn't catch old SUBQs, fixed missing flags in Q control field check - used by a few old titles
This commit is contained in:
Robert Neumann
2018-03-27 22:01:38 +02:00
committed by GitHub
parent 119a9bb5d9
commit d24b118d27
3 changed files with 295 additions and 290 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
PsNee.ino
View File

@@ -215,9 +215,9 @@ void setup()
#if defined(PSNEEDEBUG) && defined(USINGSOFTWARESERIAL)
pinMode(debugtx, OUTPUT); // software serial tx pin
mySerial.begin(115200); // 13,82 bytes in 12ms, max for softwareserial. (expected data: ~13 bytes / 12ms)
mySerial.begin(115200); // 13,82 bytes in 12ms, max for softwareserial. (expected data: ~13 bytes / 12ms) // update: this is actually quicker
#elif defined(PSNEEDEBUG) && !defined(USINGSOFTWARESERIAL)
Serial.begin(500000); // 60 bytes in 12ms (expected data: ~26 bytes / 12ms)
Serial.begin(500000); // 60 bytes in 12ms (expected data: ~26 bytes / 12ms) // update: this is actually quicker
DEBUG_PRINT("MCU frequency: "); DEBUG_PRINT(F_CPU); DEBUG_PRINTLN(" Hz");
DEBUG_PRINTLN("Waiting for SQCK..");
#endif
@@ -240,7 +240,7 @@ void setup()
//
// WFCK: __-_-_-_-_-_-_-_-_-_-_-_- // this is a PU-22 or newer board!
unsigned int highs, lows = 0;
unsigned int highs = 0, lows = 0;
unsigned long now = millis();
do {
if (digitalRead(gate_wfck) == 1) highs++;
@@ -288,6 +288,10 @@ void loop()
static byte bitpos = 0;
byte scpos = 0; // scbuf position
// start with a small delay, which can be necessary in cases where the MCU loops too quickly
// and picks up the laster SUBQ trailing end
delay(1);
noInterrupts(); // start critical section
start:
// Capture 8 bits for 12 runs > complete SUBQ transmission
@@ -356,16 +360,17 @@ start:
// Hysteresis is used because older drives exhibit more variation in read head positioning.
// While the laser lens moves to correct for the error, they can pick up a few TOC sectors.
static byte hysteresis = 0;
boolean isDataSector = (((scbuf[0] & 0x40) == 0x40) && (((scbuf[0] & 0x10) == 0) && ((scbuf[0] & 0x80) == 0)));
if (
(scbuf[0] == 0x41 && scbuf[1] == 0x00 && scbuf[6] == 0x00) && // [0] = 41 means psx game disk. the other 2 checks are garbage protection
(isDataSector && scbuf[1] == 0x00 && scbuf[6] == 0x00) && // [0] = 41 means psx game disk. the other 2 checks are garbage protection
(scbuf[2] == 0xA0 || scbuf[2] == 0xA1 || scbuf[2] == 0xA2 || // if [2] = A0, A1, A2 ..
(scbuf[2] == 0x01 && (scbuf[3] >= 0x98 || scbuf[3] <= 0x02) ) ) // .. or = 01 but then [3] is either > 98 or < 02
) {
hysteresis++;
}
else if ( hysteresis > 0 &&
((scbuf[0] == 0x01 || scbuf[0] == 0x41) && (scbuf[1] == 0x00 /*|| scbuf[1] == 0x01*/) && scbuf[6] == 0x00)
((scbuf[0] == 0x01 || isDataSector) && (scbuf[1] == 0x00 /*|| scbuf[1] == 0x01*/) && scbuf[6] == 0x00)
) { // This CD has the wobble into CD-DA space. (started at 0x41, then went into 0x01)
hysteresis++;
}
@@ -415,4 +420,4 @@ start:
#endif
}
// keep catching SUBQ packets forever
}
}

264
README.md
View File

@@ -1,132 +1,132 @@
# PsNee
PsNee, an open source stealth modchip for the Sony Playstation 1
PPPPPPPPPPPPPPPP P P
P P PP P
P P P P P
P P P P P
P P P P P
P P P P P
P P P P P
PPPPPPPPPPPPPPPP PPPPPPPPPPP P P P PPPPPPPPPPP PPPPPPPPPPP
P P P P P P P
P P P P P P P
P P P P P P P
P P P P P P P
P PPPPPPPPPPPPPP P PP PPPPPPP PPPPPPP
P P P P P P
P P P P P P
P P P P P P
P P P P P P
P P P P P P
P P P P P P
P PPPPPPPPPPPP P P PPPPPPPPPPP PPPPPPPPPPP
---------------------------------------
This version is from
http://www.psxdev.net/forum/viewtopic.php?f=47&t=1262&start=40
Is developed by the psxdev team
-------------------------------------------------
This PsNee version is meant for Arduino boards.
- Arduino Pro Mini @8Mhz and @16Mhz (supported, tested)
- Arduino Uno @8Mhz and @16Mhz (supported, tested)
- Arduino Pro Micro has a different pin assignment and needs some easy porting. (ToDo)
- ATtiny85: Should work the same as ATtiny45 (supported, untested)
- ATtiny45: LFUSE 0xE2 HFUSE 0xDF > internal oscillator, full 8Mhz speed (supported, tested)
- ATtiny25: Should work the same as ATtiny45 but doesn't have enough Flash nor RAM for PSNEEDEBUG (supported, untested)
---------------------------------------------------------------------------
Beware to use the PSX 3.5V / 3.3V power, *NOT* 5V! The installation pictures include an example.
-----------------------------------------------------------------------------
Some extra libraries might be required, depending on the board / chip used.
This code defaults to multi-region, meaning it will unlock PAL, NTSC-U and NTSC-J machines.
You can optimize boot times for your console further. See "// inject symbols now" in the main loop.
----------------------------------------------------------------------
BIOS patch for PM-41
For now it only supports Arduino boards (ATmega chips).
Also, the Arduino must either be powered on first or have no bootloader present (flashed using SPI) since I expect a signal ~1 second after power on.
8Mhz boards are also supported.
-------------------------------------------------------------------
Choose your hardware!
You must uncomment the line that corresponds to your cips.
2 main branches are available:
- ATmega based: easy to use, fast and nice features for development
- ATtiny based: fewer features, internal clock has 10% variation
This code is multi-region, meaning it will unlock PAL, NTSC-U and NTSC-J machines.
-----------------------------------------------------
Pin assignments
PSNee psxdev PlayStation
Arduino Atinny name ps pin Name
pin-vin = VCC = 3.5v 3.5v = supply
3 = debugtx
pin-9 = 4 = gate_wfck IC732.Pin-5 = WFCK
pin-8 = 2 = data IC732.Pin-42 = CEO
pin-7 = 1 = subq IC304.Pin-24 = SUBQ
pin-6 = 0 = sqck IC304.Pin-26 = SQCK
pin 5 = BIOS D2 IC102.Pin-15 = D2
pin 4 = BIOS A18 Ic102.Pin-31 = A18
Pin-Gnd = GND = gnd GND = gnd
## General Info
### PLAYSTATION 1 SECURITY - HOW IT DOES ITS THING:
Sony didn't really go through great lenghts to protect its precious Playstation
from running unauthorised software: the main security is based on a simple ASCII
string of text that is read from a part of an original Playstation disc that cannot
be reproduced by an ordinary PC CD burner.
As most of you will know, a CD is basically a very long rolled up (carrier) string in which very
little pits and ehm... little not-pits are embedded that represent the data stored on the disc.
The nifty Sony engineers did not use the pits and stuff to store the security checks for
Playstation discs, but went crazy with the rolled up carrier string. In an ordinary CD, the
string is rolled up so that the spacing between the tracks is as equal as possible. If that
is not the case, the laser itself needs to move a bit to keep track of the track and
reliably read the data off the disc.
If you wonder how the laser knows when it follows the track optimally: four photodiodes, light
intensity measurement, difference measurements, servo. There.
To the point: the Sony engineers decidedly "fumbled up" the track of sector 4 on a Playstation
disc (the track was modulated, in nerd-speak) so that the error correction circuit outputs a
recognisable signal, as the laser needs to be corrected to follow the track optimally.
This output signal actually is a 250bps serial bitstream (with 1 start bit and 2 stop bits) which
in plain ASCII says *SCEA* (Sony Computer Entertainment of America), *SCEE* (Sony Computer Entertainment
of Europe) or *SCEI* (Sony Computer Entertainment of Japan), depending on the region of the disc inserted.
The security thus functions not only as copy protection, but also as region protection.
The text string from the disc is compared with the text string that is embedded in the Playstation
hardware. When these text strings are the same, the disc is interpreted to be authentic and from
the correct region. Bingo!
### The master branch is completely redesigned!
The original code doesn't have a mechanism to turn the injections off. It bases everything on a timer.
After power on, it will start sending injections for some time, then turns off.
It also doesn't know when it's required to turn on again (except for after a reset), so it gets detected by anti-mod games.
### The mechanism to know when to inject and when to turn it off.
This is the 2 wires for SUBQ / SQCK. The PSX transmits the current subchannel Q data on this bus. It tells the console where on the disk the read head is. We know that the protection symbols only exist on the earliest sectors, and that anti-mod games exploit this by looking for the symbols elsewhere on the disk. If they get those symbols, a modchip must be generating them!
So with that information, my code knows when the PSX wants to see the unlock symbols, and when it's "fake" / anti-mod. The chip is continously looking at that subcode bus, so you don't need the reset wire or any other timing hints that other modchips use. That makes it compatible and fully functional with all revisions of the PSX, not just the later ones. Also with this method, the chip knows more about the current CD. This allows it to not send unlock symbols for a music CD, which means the BIOS starts right into the CD player, instead of after a long delay with other modchips.
This has some drawbacks, though:
* It's more logic / code. More things to go wrong. The testing done so far suggests it's working fine though.
* It's not a good example anymore to demonstrate PSX security, and how modchips work in general.
# PsNee
PsNee, an open source stealth modchip for the Sony Playstation 1
PPPPPPPPPPPPPPPP P P
P P PP P
P P P P P
P P P P P
P P P P P
P P P P P
P P P P P
PPPPPPPPPPPPPPPP PPPPPPPPPPP P P P PPPPPPPPPPP PPPPPPPPPPP
P P P P P P P
P P P P P P P
P P P P P P P
P P P P P P P
P PPPPPPPPPPPPPP P PP PPPPPPP PPPPPPP
P P P P P P
P P P P P P
P P P P P P
P P P P P P
P P P P P P
P P P P P P
P PPPPPPPPPPPP P P PPPPPPPPPPP PPPPPPPPPPP
---------------------------------------
This version is from
http://www.psxdev.net/forum/viewtopic.php?f=47&t=1262&start=40
Is developed by the psxdev team
-------------------------------------------------
This PsNee version is meant for Arduino boards.
- Arduino Pro Mini @8Mhz and @16Mhz (supported, tested)
- Arduino Uno @8Mhz and @16Mhz (supported, tested)
- Arduino Pro Micro has a different pin assignment and needs some easy porting. (ToDo)
- ATtiny85: Should work the same as ATtiny45 (supported, untested)
- ATtiny45: LFUSE 0xE2 HFUSE 0xDF > internal oscillator, full 8Mhz speed (supported, tested)
- ATtiny25: Should work the same as ATtiny45 but doesn't have enough Flash nor RAM for PSNEEDEBUG (supported, untested)
---------------------------------------------------------------------------
Beware to use the PSX 3.5V / 3.3V power, *NOT* 5V! The installation pictures include an example.
-----------------------------------------------------------------------------
Some extra libraries might be required, depending on the board / chip used.
This code defaults to multi-region, meaning it will unlock PAL, NTSC-U and NTSC-J machines.
You can optimize boot times for your console further. See "// inject symbols now" in the main loop.
----------------------------------------------------------------------
BIOS patch for PM-41
For now it only supports Arduino boards (ATmega chips).
Also, the Arduino must either be powered on first or have no bootloader present (flashed using SPI) since I expect a signal ~1 second after power on.
8Mhz boards are also supported.
-------------------------------------------------------------------
Choose your hardware!
You must uncomment the line that corresponds to your cips.
2 main branches are available:
- ATmega based: easy to use, fast and nice features for development
- ATtiny based: fewer features, internal clock has 10% variation
This code is multi-region, meaning it will unlock PAL, NTSC-U and NTSC-J machines.
-----------------------------------------------------
Pin assignments
PSNee psxdev PlayStation
Arduino Atinny name ps pin Name
pin-vin = VCC = 3.5v 3.5v = supply
3 = debugtx
pin-9 = 4 = gate_wfck IC732.Pin-5 = WFCK
pin-8 = 2 = data IC732.Pin-42 = CEO
pin-7 = 1 = subq IC304.Pin-24 = SUBQ
pin-6 = 0 = sqck IC304.Pin-26 = SQCK
pin 5 = BIOS D2 IC102.Pin-15 = D2
pin 4 = BIOS A18 Ic102.Pin-31 = A18
Pin-Gnd = GND = gnd GND = gnd
## General Info
### PLAYSTATION 1 SECURITY - HOW IT DOES ITS THING:
Sony didn't really go through great lenghts to protect its precious Playstation
from running unauthorised software: the main security is based on a simple ASCII
string of text that is read from a part of an original Playstation disc that cannot
be reproduced by an ordinary PC CD burner.
As most of you will know, a CD is basically a very long rolled up (carrier) string in which very
little pits and ehm... little not-pits are embedded that represent the data stored on the disc.
The nifty Sony engineers did not use the pits and stuff to store the security checks for
Playstation discs, but went crazy with the rolled up carrier string. In an ordinary CD, the
string is rolled up so that the spacing between the tracks is as equal as possible. If that
is not the case, the laser itself needs to move a bit to keep track of the track and
reliably read the data off the disc.
If you wonder how the laser knows when it follows the track optimally: four photodiodes, light
intensity measurement, difference measurements, servo. There.
To the point: the Sony engineers decidedly "fumbled up" the track of sector 4 on a Playstation
disc (the track was modulated, in nerd-speak) so that the error correction circuit outputs a
recognisable signal, as the laser needs to be corrected to follow the track optimally.
This output signal actually is a 250bps serial bitstream (with 1 start bit and 2 stop bits) which
in plain ASCII says *SCEA* (Sony Computer Entertainment of America), *SCEE* (Sony Computer Entertainment
of Europe) or *SCEI* (Sony Computer Entertainment of Japan), depending on the region of the disc inserted.
The security thus functions not only as copy protection, but also as region protection.
The text string from the disc is compared with the text string that is embedded in the Playstation
hardware. When these text strings are the same, the disc is interpreted to be authentic and from
the correct region. Bingo!
### The master branch is completely redesigned!
The original code doesn't have a mechanism to turn the injections off. It bases everything on a timer.
After power on, it will start sending injections for some time, then turns off.
It also doesn't know when it's required to turn on again (except for after a reset), so it gets detected by anti-mod games.
### The mechanism to know when to inject and when to turn it off.
This is the 2 wires for SUBQ / SQCK. The PSX transmits the current subchannel Q data on this bus. It tells the console where on the disk the read head is. We know that the protection symbols only exist on the earliest sectors, and that anti-mod games exploit this by looking for the symbols elsewhere on the disk. If they get those symbols, a modchip must be generating them!
So with that information, my code knows when the PSX wants to see the unlock symbols, and when it's "fake" / anti-mod. The chip is continously looking at that subcode bus, so you don't need the reset wire or any other timing hints that other modchips use. That makes it compatible and fully functional with all revisions of the PSX, not just the later ones. Also with this method, the chip knows more about the current CD. This allows it to not send unlock symbols for a music CD, which means the BIOS starts right into the CD player, instead of after a long delay with other modchips.
This has some drawbacks, though:
* It's more logic / code. More things to go wrong. The testing done so far suggests it's working fine though.
* It's not a good example anymore to demonstrate PSX security, and how modchips work in general.

302
changelog
View File

@@ -1,151 +1,151 @@
-------------------------------------------------
VERSION 2! :D
-------------------------------------------------
What has changed?
- Thanks to TriMesh, the gate-pin is now also used to determine in which model of
Playstation PsNee is installed. The modchip algorithm thus can be optimized for
optimal performance on specific Playstation revisions. This works by monitoring
whether a clock signal is present on this pin - when there is one, the modchip is
installed in a PU-22, PU-23 or PSOne Playstation, else it is installed in an older
model Playstation. In this version of PsNee, nothing is actually done with this information.
- Thanks to -again- TriMesh, NTSC support for PAL SCPH-102 Playstations is added! This uses
the same method the OneChip modchip used for achieving this:
1. Monitor the XLAT signal from the CD mechanism controller chip. This requires
another connection to the Playstation. When this signal is 0, the first CD copy
protection is passed! After this, there is another one.
2. After this, watch the Address18-pin (pin 31) on the BIOS-chip. When this signal
is high, this means the second CD copy protection is about to run.
3. Wait a short time.
4. Pull the Data2-pin (pin 15) on the BIOS-chip to 0. This effectively blocks the
execution of the region check of the inserted disc.
5. The Playstation plays the inserted disc and doesn't care whether it's PAL or NTSC!
6. Release the 0 of the Data2-pin.
To correctly output a PAL video color signal for a PAL TV on a PAL PSOne with an NTSC disc
inserted, Pin 3 of IC502 must be grounded with an external switch. The modchip also could do
this, although we would need a device with more pins available.
- The outputted data signal is now "sliced up" to improve (or less distort) the tracking
signal from the CD mechanism: later Playstations use the CD tracking signal for transmitting
the SCEx-string to the Playstation instead of using a seperate connection, so when the modchip
forces a 0 on the data-pin, the tracking signal also is gone temporarily. By slicing the data-
signal up in little pieces at least some of the tracking signal remains and the Playstation can
read discs more easily.
- The two big for-loops are combined into one with an OR-statement describing the two conditions
modchip should be active: when flagFirstCycle = 0 or when flagFirstCycle = 1 and the lid is opened
and closed again. This makes code maintenance easier.
- The pin-out of the modchip is changed slightly to be able to use an interrupt for the PAL=>NTSC
BIOS-patch for PAL SCPH-102. Please use the revised pin-out found below with this code.
~TheFrietMan, The Netherlands
--------------------------------------------------------------
New in this version! V6
--------------------------------------------------------------
A lot!
- The PAL SCPH-102 NTSC BIOS-patch works flawlessly! For speed reasons this is implemented in bare
AVR C. It is functionally identical to the OneChip modchip, this modchip firmware was disassembled,
documented (available on request, but written in Dutch...) and analyzed with a logic analyzer to
make sure PsNee works just as well.
- The code now is segmented in functions which make the program a lot more maintable and readable
- Timing is perfected, all discs (both backups and originals of PAL and NTSC games) now work in the
PAL SCPH-102 test machine
- It was found out that the gate signal doesn't havbe to be hooked up to a PAL SCPH-102 Playstation
to circumvent the copy protection. This is not tested on other Playstation models so the signal still
is available
- The /xlat signal is no longer required to time the PAL SCPH-102 NTSC BIOS-patch
- Only AVR PORTB is used for compatibility reasons (almost all the AVR chips available have PORTB)
-------------------------------------------------------------
A minor detail: The lid detection is missing its digitalRead() ;p
psxdev
-------------------------------------------------------------
Update 7th of May 2017
Branched and tweaked for use with the Position 0 switch on a PSX laser.
(Requires a bit of sticky tape at the point where the switch touches the laser assembly.)
This allows deterministic SCEX injections, without relying on timing. Also gets rid of connection wires for LID and RESET.
WIP!
psxdev
--------------------------------------------------------------
Update 15th of May 2017
PSNee now watches the subchannel data and looks at the position information contained within.
This allows deterministic SCEX injections. It knows (almost) exactly when to inject the SCEX string.
Therefore it is now a stealth modchip :)
Required connections: GND, VCC, data, gate, SQCL, SUBQ
No more need to watch the PSX reset or lid open signals or any other typical modchip points (like "sync")
WIP! Only tested on PU-18 board. Should work fine on PU-7, PU-8, PU-18 and PU-20.
Will need adaption for PU-22 to PU-41 (SCPH-750x, 900x and PSOne).
Note: Once this is installed in a PSX, mind the Pin13 LED that many Arduino boards have. Do not upload new sketches while the PSX is on!
(If the PSX is on while uploading a sketch (making the LED blink), a voltage will be fed back into the SCLK pin on the HC-05 in the PSX.
This didn't break my PSX in testing but it does stun the chip and halt CD operation. I'm thinking of a better method to do this but for now I need Arduino pin13..)
Very much recommended to install a 3.3V chip!
psxdev
-------------------------------------------------------------
Update 27th of May 2017
This version is compatible with 8Mhz and 16Mhz ATmega328 / Arduino boards.
It uses polling to grab the SUBQ packets. This works better than relying on interrupts.
I even have a few cycles to spare on a 8Mhz chip!
psxdev
------------------------------------------------------------
Update 31st May 2017
- supports all motherboard versions except PU-41 (PAL) (will get to it!)
- WFCK modulated injection method for PU-22 and up, just like the last multimode 3 chips
- minimized CD controller interference: PsNee only ever speaks when it has to (also: full stealth)
- not relying on BIOS delays: perfect boot disregarding extension cards etc
- might not be bug free! I'm just one guy and testing on a dozen consoles takes time ;)
psxdev
------------------------------------------------------------
Update 4 June 2017
- unified SCEX injection function / easier to read code
- PU-22+ now work without the WFCK wire (but depends on tight timings, tested on 8 and 16Mhz mcu)
- interrupts disabled while sampling SUBQ > much better performance capturing all events correctly
- now blinks the built-in LED on injections for debugging
psxdev
-------------------------------------------------------------
Updat 29 June 2017
- final modchip function I / Os: SQCK, SCLK, data, gate_wfck
- hysteresis for injections, fixes anti-mod occasionally triggering when using worn drives
- optimized injection timing for multi-region, multi BIOS versions (Sony added more protection checks over time)
- first attempt to make it more portable to other Arduino variants
- auto console detection works reliably, with and without Arduino bootloader present
- pin assignments changed for practical / installation reasons (ICSP capability, wire routing)
- so many changes, it surely contains all new bugs ;)
Pin assignments are finalized. We can start producing final installation images / help!
As always, I appreciate code reviews and bug fixes. I'm sorry some of it got so messy ;p
psxdev
---------------------------------------------------------------
Update 9 July 2017
Sure. Consider it work in progress quality ;)
Main changes:
- figured out ATtiny pin assignments :p
- RAM use reduced by only storing the "SCE" part of the license string once. Using a somewhat farfetched method. Maybe someone can make it nicer, without the recursion and over engineering? :p
- tried getting debug prints but it doesn't look like it'll happen (on ATtiny45), too little RAM > the chip crashes
- SUBQ sampling timing reverted to sample while clock is low, instead of right after it goes high
--------------------------------------------------------------
Update: 10 July 2017
- finished porting to ATtinyX5 (25,45,85 although the 25 has too little resources. for now.)
- store the licensing symbols in flash again, frees a lot of RAM
- bit retrieval code lifted from AttyNee (Nice work guys!)
- extra RAM allows SoftwareSerial debugging prints on an ATtiny45!
- nicer intro readme ;p
--------------------------------------------------------------
Update: 16 July 2017
-The BIOS patch works!
For now it only supports Arduino boards (ATmega chips).
Also, the Arduino must either be powered on first or have no bootloader present (flashed using SPI) since I expect a signal ~1 second after power on.
8Mhz boards are also supported.
------------------------------------------------------------
Update: 16 August 2017
-changed the timing for the PAL PM-41 patch to make it more reliable (I had it failing occasionally).
Also I added a warning for people not to use 5V.
-------------------------------------------------
VERSION 2! :D
-------------------------------------------------
What has changed?
- Thanks to TriMesh, the gate-pin is now also used to determine in which model of
Playstation PsNee is installed. The modchip algorithm thus can be optimized for
optimal performance on specific Playstation revisions. This works by monitoring
whether a clock signal is present on this pin - when there is one, the modchip is
installed in a PU-22, PU-23 or PSOne Playstation, else it is installed in an older
model Playstation. In this version of PsNee, nothing is actually done with this information.
- Thanks to -again- TriMesh, NTSC support for PAL SCPH-102 Playstations is added! This uses
the same method the OneChip modchip used for achieving this:
1. Monitor the XLAT signal from the CD mechanism controller chip. This requires
another connection to the Playstation. When this signal is 0, the first CD copy
protection is passed! After this, there is another one.
2. After this, watch the Address18-pin (pin 31) on the BIOS-chip. When this signal
is high, this means the second CD copy protection is about to run.
3. Wait a short time.
4. Pull the Data2-pin (pin 15) on the BIOS-chip to 0. This effectively blocks the
execution of the region check of the inserted disc.
5. The Playstation plays the inserted disc and doesn't care whether it's PAL or NTSC!
6. Release the 0 of the Data2-pin.
To correctly output a PAL video color signal for a PAL TV on a PAL PSOne with an NTSC disc
inserted, Pin 3 of IC502 must be grounded with an external switch. The modchip also could do
this, although we would need a device with more pins available.
- The outputted data signal is now "sliced up" to improve (or less distort) the tracking
signal from the CD mechanism: later Playstations use the CD tracking signal for transmitting
the SCEx-string to the Playstation instead of using a seperate connection, so when the modchip
forces a 0 on the data-pin, the tracking signal also is gone temporarily. By slicing the data-
signal up in little pieces at least some of the tracking signal remains and the Playstation can
read discs more easily.
- The two big for-loops are combined into one with an OR-statement describing the two conditions
modchip should be active: when flagFirstCycle = 0 or when flagFirstCycle = 1 and the lid is opened
and closed again. This makes code maintenance easier.
- The pin-out of the modchip is changed slightly to be able to use an interrupt for the PAL=>NTSC
BIOS-patch for PAL SCPH-102. Please use the revised pin-out found below with this code.
~TheFrietMan, The Netherlands
--------------------------------------------------------------
New in this version! V6
--------------------------------------------------------------
A lot!
- The PAL SCPH-102 NTSC BIOS-patch works flawlessly! For speed reasons this is implemented in bare
AVR C. It is functionally identical to the OneChip modchip, this modchip firmware was disassembled,
documented (available on request, but written in Dutch...) and analyzed with a logic analyzer to
make sure PsNee works just as well.
- The code now is segmented in functions which make the program a lot more maintable and readable
- Timing is perfected, all discs (both backups and originals of PAL and NTSC games) now work in the
PAL SCPH-102 test machine
- It was found out that the gate signal doesn't havbe to be hooked up to a PAL SCPH-102 Playstation
to circumvent the copy protection. This is not tested on other Playstation models so the signal still
is available
- The /xlat signal is no longer required to time the PAL SCPH-102 NTSC BIOS-patch
- Only AVR PORTB is used for compatibility reasons (almost all the AVR chips available have PORTB)
-------------------------------------------------------------
A minor detail: The lid detection is missing its digitalRead() ;p
psxdev
-------------------------------------------------------------
Update 7th of May 2017
Branched and tweaked for use with the Position 0 switch on a PSX laser.
(Requires a bit of sticky tape at the point where the switch touches the laser assembly.)
This allows deterministic SCEX injections, without relying on timing. Also gets rid of connection wires for LID and RESET.
WIP!
psxdev
--------------------------------------------------------------
Update 15th of May 2017
PSNee now watches the subchannel data and looks at the position information contained within.
This allows deterministic SCEX injections. It knows (almost) exactly when to inject the SCEX string.
Therefore it is now a stealth modchip :)
Required connections: GND, VCC, data, gate, SQCL, SUBQ
No more need to watch the PSX reset or lid open signals or any other typical modchip points (like "sync")
WIP! Only tested on PU-18 board. Should work fine on PU-7, PU-8, PU-18 and PU-20.
Will need adaption for PU-22 to PU-41 (SCPH-750x, 900x and PSOne).
Note: Once this is installed in a PSX, mind the Pin13 LED that many Arduino boards have. Do not upload new sketches while the PSX is on!
(If the PSX is on while uploading a sketch (making the LED blink), a voltage will be fed back into the SCLK pin on the HC-05 in the PSX.
This didn't break my PSX in testing but it does stun the chip and halt CD operation. I'm thinking of a better method to do this but for now I need Arduino pin13..)
Very much recommended to install a 3.3V chip!
psxdev
-------------------------------------------------------------
Update 27th of May 2017
This version is compatible with 8Mhz and 16Mhz ATmega328 / Arduino boards.
It uses polling to grab the SUBQ packets. This works better than relying on interrupts.
I even have a few cycles to spare on a 8Mhz chip!
psxdev
------------------------------------------------------------
Update 31st May 2017
- supports all motherboard versions except PU-41 (PAL) (will get to it!)
- WFCK modulated injection method for PU-22 and up, just like the last multimode 3 chips
- minimized CD controller interference: PsNee only ever speaks when it has to (also: full stealth)
- not relying on BIOS delays: perfect boot disregarding extension cards etc
- might not be bug free! I'm just one guy and testing on a dozen consoles takes time ;)
psxdev
------------------------------------------------------------
Update 4 June 2017
- unified SCEX injection function / easier to read code
- PU-22+ now work without the WFCK wire (but depends on tight timings, tested on 8 and 16Mhz mcu)
- interrupts disabled while sampling SUBQ > much better performance capturing all events correctly
- now blinks the built-in LED on injections for debugging
psxdev
-------------------------------------------------------------
Updat 29 June 2017
- final modchip function I / Os: SQCK, SCLK, data, gate_wfck
- hysteresis for injections, fixes anti-mod occasionally triggering when using worn drives
- optimized injection timing for multi-region, multi BIOS versions (Sony added more protection checks over time)
- first attempt to make it more portable to other Arduino variants
- auto console detection works reliably, with and without Arduino bootloader present
- pin assignments changed for practical / installation reasons (ICSP capability, wire routing)
- so many changes, it surely contains all new bugs ;)
Pin assignments are finalized. We can start producing final installation images / help!
As always, I appreciate code reviews and bug fixes. I'm sorry some of it got so messy ;p
psxdev
---------------------------------------------------------------
Update 9 July 2017
Sure. Consider it work in progress quality ;)
Main changes:
- figured out ATtiny pin assignments :p
- RAM use reduced by only storing the "SCE" part of the license string once. Using a somewhat farfetched method. Maybe someone can make it nicer, without the recursion and over engineering? :p
- tried getting debug prints but it doesn't look like it'll happen (on ATtiny45), too little RAM > the chip crashes
- SUBQ sampling timing reverted to sample while clock is low, instead of right after it goes high
--------------------------------------------------------------
Update: 10 July 2017
- finished porting to ATtinyX5 (25,45,85 although the 25 has too little resources. for now.)
- store the licensing symbols in flash again, frees a lot of RAM
- bit retrieval code lifted from AttyNee (Nice work guys!)
- extra RAM allows SoftwareSerial debugging prints on an ATtiny45!
- nicer intro readme ;p
--------------------------------------------------------------
Update: 16 July 2017
-The BIOS patch works!
For now it only supports Arduino boards (ATmega chips).
Also, the Arduino must either be powered on first or have no bootloader present (flashed using SPI) since I expect a signal ~1 second after power on.
8Mhz boards are also supported.
------------------------------------------------------------
Update: 16 August 2017
-changed the timing for the PAL PM-41 patch to make it more reliable (I had it failing occasionally).
Also I added a warning for people not to use 5V.