Reverse Engineering the PSX Copy Protection (Wobble Groove)

[Davide_G]

I can't wait to be able to use the black CDs I bought!
https://www.nierle.com/en/article/1001/ ... ieces.html

[Shadow]

Try a PU-7 or PU-8 board with the analog servos and adjust the laser power slightly since CD-R's require more gain

[kylemn]

Hello gentlemen. Following the discussion about disk security here. I want to help in some way, but I don't have all the methods, but I have an important one. I can manufacture it in my industry, on pressing machines. However, I only have the machines. I receive the stampers (master disc for pressing machine) from someone in the USA. I send the DDP (game or music image) ready for them to manufacture the stamper and send it to me to reproduce the discs in polycarbonate and bla bla bla. Should all ATIP or TE information be inserted into the stamper? Can they be inserted into an iso previously? How would this be done? any software? Does it have to be done when creating the Stamper? Do you know what the process of creating a Stamper is like? What software are you using? If you discover this, we can be partners in these experiences.
You can contact me whenever you want.

[david4599]

Hey, that's quite nice that you are in this industry!

The idea for replicating the copy protection was explained quickly in a youtube comment of a former Datel engineer that I mentioned earlier in this thread.
It's not something that we can insert into an iso file, it's basically made the same way as the ATIP but with a different modulation and data.

At the glass mastering step, we would "simply" need to replace the ATIP generating machine by a modchip that will send or not the 22kHz signal to the disc depending on the SCEx data.
This way, the pregroove will just be a 22kHz amplitude-modulated signal of the 250bit/s SCEx serial data instead of the ATIP.

I'm not totally sure but I think there are actually 2 ways to do it. Either by a modulated pregroove like the ATIP or directly the pits/lands that are shifted radially without any pregroove.
But how easy would it be to create a CD-ROM stamper with oscillating pregroove (usually for CD-R/RW process) or oscillating pits/lands?

However, from what I understand, you just receive the already-made stampers, so is it something that you would be able to do? Do you even have access to the ATIP and pits/lands generating machines?

[cunningfellow]

Hi David,

Fantastic work.

I think you might be referring to me when you said "was done 20 years ago on a private forum" I am guessing it was Mr Lau that told you those two decade old stories.

The method was to increase the disc rotational speed so that the 20Khz wobble became a 60Khz wobble.

If you are actually able to boot to a game and play then you have done better than me. I was able to inject the wobble to make the SCEE string and get the CD Controller into data mode. Other things happened in my life that made me not pursue it further. I'd done what I thought was the hardest part of the challenge so I was happy with myself even if I didn't end up with a 100% useful result.

I may still have the hardware sitting in some cardboard boxes somewhere. The burner was a HP4020i (rebrand of philips CDD2000 I think). I did not modify the firmware at all. I am not smart enough to do that kind of thing. It just had blue wires and lifted pins so I could change the rate at which the EFM data was being spat out.

If those forums got archived anywhere you should search for the string "Violently Colliding Peramelidae 2"

[david4599]

Hi, thanks!

That's great to get more information on the origins of the project!
I don't know Mr Lau but I will check with the guy that told me the story.

I guessed that increasing the disc speed was your solution too.
60kHz seems a bit extreme to me but at least the original wobble is not an issue anymore.

I'm a bit worried to go far beyond the supported speeds knowing that the disc may leave its support. Also the spindle hubs are old and some of them come to pieces with time. Reading game data in 2x mode would be scary at this speed.

[gwald]

This is probably the only way going forward to get a PSX booting CD.
I noticed the screenshot of the Detal guy mentions also modifying a CDR ATIP track.
Can a glass master be made direct from the CDR?

If I understand this correctly:
1) You would modify a CD burner to burn with the laser turning on and off at the frequency of 22kHz or speeding up (or slowing down) the disc motor speed.
2) Using #1 you would only would burn a single ATPI track, is this like opening a multisession CD? And the data is the TOC or just 1's?
3) In a normal burner, (burn TOC again?) finished the burn with the reset of CD data/audio tracks (and close multisession?)

I've never tried PSX multisession: viewtopic.php?t=1014

I would like to give this a go, I know I don't have the skills.
I can get a R. Pico, USB Logic Analyzer and a few old IDE CD burners.
And try to find where the laser is controlled and try it out.

If someone could confirm or correct me, I would appreciate it.
I'm following you on twitter, it's a good thread.

I can't find any good pictures that are showing how the normal CDR wobble should look like... now I am wondering if that's the same kind of wobbling at all (especially as the PSX wobble appears to generate that audible sound in the drive mechanics, I guess regular CDRs won't do such things).

On the ECMA-394, it is said the wobble has an amplitude of only 30nm and a spatial period of 54 to 64um.
So, even with excellent pictures, I guess it would be impossible to see it to the eye.

Yes, the PS1 discs have the same wobble, just the modulation is changing.
FYI, Datel did modify factory machines not to use the ATIP generating machine but a microcontroller to switch on and off the 22kHz. As simple as that.
https://www.youtube.com/watch?v=XUwSOfQ ... omF4AaABAg
Comment on how Datel produced PS1 discs.png

I've dug into the cdrdao source code quite a bit, and I do wonder something. The lead in data is written as zero data (per spec), but it doesn't actually have to be zero data. It could be hacked on to write anything during the burn. Since 80 minute CD-Rs have tighter spiral windings, and there is the possibility of servo drift, I really wonder.

Don't waste discs and time on that.
Changing the sectors data in the lead-in by choosing the EFM symbols will not disturb the tracking signal of the PS1 pickup enough if at all. EFM is used to avoid synchronization errors and it is impossible to write tens or hundreds of 1 at once using this encoding. Also, the EFM conversion is done in the burner, possibly hard-coded in the DSP itself, not in the firmware. The burning softwares, even set in raw mode, have no control on that.

I remember the cdimage project that is able to draw images on CDs using only 4 EFM symbols that have a different numbers of 1 (from what I understood) allowing to create 4 shades (I guess, not tested) visibles to the eye. The created file just needs to be burned in audio mode i.e. without scrambling. That's the best we can do using the conventional way.
https://github.com/arduinocelentano/cdimage

Instead I found another solution. Usually I don't post until something is mostly finished but I already teased a bit on Twitter so here we go:

To change the tracking signal, like nocash said, we indeed have to either take control on the laser and burn longer non-EFM pits/lands or input a foreign signal into the tracking coils of a burner.
In both cases, we also need to "remove" the original 22kHz wobble of a CD-R otherwise the signal will still be 1. This can be done by increasing the pits and lands length meaning that the disc will spin faster natively and the 22kHz will not be detected anymore by the PS1 when the custom pattern will be read.

I worked quite hard on that crazy project trying to experiment these ideas and I have finally great news!
2 months ago, I succeed in simulating the SCEx wobble and thus creating a self-bootable CD-R by using the first way I mentioned!



(The reading struggle when loading the game I'm talking about is mostly due to the disc spinning faster than usual, combined with this Verbatim CD-R and also the pickup itself I think)

For now, it works only on one of my 5502 and it is really not stable (maybe 1 of 20-30 tries).
I'm still trying to improve that but it's really dfficult to modify the burner's firmware, know what the code is doing, figure out the unknown DSP commands (many of them will never be known because the datasheet is not public) in order to properly adjust some code without killing another laser diode. Ideally, a software mod would be nice but maybe a hardware mod can be easier to achieve a better result. I think I will try to solder some wires soon.

And I still have to write these blog posts... But I'm lazy...

Oh btw I was informed that this was done 20 years ago on a private forum! I was not the only one to achieve it and I was convinced about that, though it was also unreliable apparently. I don't know the method they used but probably one of the two said before.