How the Sony PlayStation PS1 Security was defeated | MVG

Jun 03, 2021
It was 1994 and a change was coming. Sony had launched the PlayStation, and with it came a wave of innovation. The Sony engineering team had opted for the CD-ROM format; the cartridge format that Nintendo and Sega had used for many years before was never even considered an option. CD-ROMs allowed for cheaper and simpler development: a development build could be burned to a CD and played back on a test kit without much trouble, far easier than the old cartridge format. According to Sony president Jim Ryan, discs gave people the desire to take more risks, although the PlayStation certainly wasn't the first CD-ROM-based system.
With the launch of the Sony PlayStation, CD-ROMs were introduced to many gamers; before the PlayStation, many of us used cartridges or floppy disks. Sony took full advantage of the CD-ROM format and marketed the PlayStation to a different audience than Nintendo or Sega. In the US, extreme sports, fighting and racing games were very popular from the beginning and featured licensed punk, rock, metal, rap and R&B soundtracks. In the UK, Sony targeted the system at twenty-somethings with disposable income: the underground club scene and the PlayStation went hand in hand, with Sony creating dedicated PlayStation areas in over 50 UK underground clubs. These were no longer just video games. The popular game Wipeout, made by Psygnosis, included songs by The Chemical Brothers that were very popular in clubs at the time. The CD-ROM was essential to the success of the PlayStation 1.
On the Nintendo 64, many wondered why Nintendo stuck with the cartridge format, while the PlayStation had everything from the biggest games to 100+ hour RPGs, long cutscenes, full-motion video sequences and incredible soundtracks; everything was bigger and better. But as they say, every action has an equal and opposite reaction, and as a result of the successful CD-ROM format came piracy. Sony knew that crackers would be snooping around inside the system and trying to find ways to hack games. To combat this, they came up with a simple but clever method to protect their software from any form of backup, which also protected the console against discs from other regions. At first glance, if you insert a PlayStation 1 disc into a PC you can easily read and dump the contents of the disc and even make a backup; there was no obfuscation or encryption on these discs at all.

Sony used the table of contents on the disc to store the game's region information, but at the mastering plant a sophisticated technique pressed this data into the disc as what is known as a wobble groove.

The wobble groove was read at boot to determine the region encoding of the game, in addition to enforcing copy protection on the disc. A consumer CD burner was not capable of replicating the wobble groove during the recording process, so any backup made would be missing the wobble groove and would simply be rejected by the PlayStation. Discs from a different region would also be rejected: when read from the wobble groove, the region encoding would not match what was in the machine's PlayStation BIOS. Although it was a very simple protection, the problem was that it wasn't very good. With a quick hand, you could perform what was known as the swap trick: you forced the PlayStation's lid open with a pen, booted from an original game, and once the disc had authenticated the wobble data and started booting into the game, you quickly replaced it with a backup. Since the PlayStation thinks you have passed the region check, it boots into whatever game is on the disc, so by quickly swapping in a backup you could get a backup to load on a PlayStation.
This was a crude method, but it worked without a mod chip. And speaking of mod chips, it wasn't long until mod chips started appearing that automated this process: when a backup disc was inserted into a PlayStation 1 with a mod chip, the license string, the region information, would be sent back to authenticate automatically. This was a very simple and effective method because the PlayStation 1 only wants to know whether it received a valid region string. Sony's mistake here is that they relied heavily on CD burners being too expensive for most consumers, but that fell apart when prices started to plummet. The PlayStation 1 was the birth of the mod chip as we know it. They were absolutely everywhere; everyone had a mod chip installed in their PS1, and even to this day, if you go to a thrift store or eBay and buy a used PlayStation, there's a pretty good chance there is a mod chip installed in the device.
Sony realized they had a problem. The cost was cheap, and pretty soon anyone who had a PlayStation wanted to install a chip in their system. You could even go to your local Blockbuster, rent some PS1 games, burn them, keep the copies and return the originals. It also meant that cracking and release groups began to appear and release games on bulletin boards and FTP sites around the world. Groups like Kalisto, Paradox, Mops, bad and many others not only released games but also released trainers, the ability to cheat in games. Adding cheat codes to most PlayStation 1 games was easy to do because there was no security or memory protection; the memory locations a trainer targeted could easily be tapped or updated.

Trainers were easy to develop on the PlayStation 1. All it took was a simple interrupt to refresh specific memory locations; this was achieved using an event handler at a memory address. Essentially, this was the same method as the Action Replay cartridge on the PS1, but it was installed with the game, complete with an intro menu to configure options. By this time the cracking and release groups were quite experienced; many of them came from the Amiga, so cracking, training and releasing games was nothing new. With excellent coders, the teams quickly became familiar with the PlayStation hardware. In some countries around the world you could buy high-quality pirated PlayStation 1 games that ran without a mod chip and were obviously not original copies; they used custom firmware and a certain type of CD burner to replicate the wobble groove, allowing you to play backups or illegal copies of PlayStation 1 games. For a few years mod chips and piracy were synonymous with the PlayStation 1, and it seemed like nothing could be done. But in 1998, suddenly newer games that were coming out stopped working on mod chips, sometimes with just a black screen or a freeze, and sometimes with this message. Sony had discovered a method to detect the presence of a mod chip. This was easy enough to do because the chip was always enabled: by simply running code to check whether data came back when it normally shouldn't, the game knew an external device was installed. Sony added extra checks in many of their games to stop this, but this in turn led mod chip makers to come up with the idea of a stealth mod chip, one that would activate at boot time, pass the authentication check and then disable itself. But this is not all Sony had implemented.
The second part of this protection used a 16-bit key that was stored in the subchannel data of the game CD-ROM. This protection was known as LibCrypt, and there were four different protection methods that used LibCrypt in some way. The protection itself works as follows: somewhere in the game, code is executed to detect the presence of a mod chip, and the second part decrypts the necessary 16-bit key from the LibCrypt subchannel data in order to play. If the first check fails, the game crashes completely; if the LibCrypt check fails, an anti-piracy screen may be displayed, but in some cases games had features removed. Theme Park, for example, disabled the New Game option in the main menu.
Look, I couldn't even play the game. LibCrypt was difficult to duplicate with a CD burner because many CD burners at the time didn't even support writing subchannel data, and the ones that did made it almost impossible to make a one-to-one copy of that subchannel data. Even though stealth mod chips existed, it was now necessary to crack the games and remove the LibCrypt protection. This again wasn't too difficult for the experienced cracking groups, but it was an additional step in the process. Sony's options were limited, and LibCrypt was completely defeated very soon after its appearance.

It was not difficult to identify and then extract the 16-bit key from the LibCrypt subchannel data on the CD and then simply patch out the protection itself. This was quite easy to do, and many cracking groups were skilled enough to remove the LibCrypt protection. It became clear that if the game developer and Sony had any chance of defeating the pirates, it would not be at the hardware level; it had to be done as part of the game. In one of the best documented cases of anti-piracy, Spyro the Dragon 3: Year of the Dragon implemented LibCrypt but also an additional layer of protection. Developer Insomniac knew that piracy was rampant on the PlayStation, and their previous game, Spyro 2, implemented LibCrypt, which was quickly removed by the cracking group Paradox.
For Spyro 3, they came up with something even more ingenious. Spyro 3 would let you play the game, but when you reached Zoe early on, she informed you that you were playing a pirated copy of the game. The interesting thing was that the game didn't kick you out; it continued to let you play, but after a while strange things started happening. On PAL copies the game randomly switched between English, French, German and Spanish, several enemies didn't give gems, and sometimes gems found on the ground were removed. But there was a lot more to it.
Sometimes it sent you back to the homeworld or hub level, and if you managed to reach the fountain or a boss fight, the player would be sent back to Sunrise Spring with all of their save data erased. Insomniac had implemented a series of CRC checksums in the code. This meant that even if a single bit was changed, an incorrect checksum would be generated and the game would fail its anti-piracy measure. Well, let's get technical for a second. What is a CRC checksum? In simple terms, it is something used for error detection, and it has many use cases: for example, if you want to verify the integrity of a set of bytes sent over a network, or if you want to ensure that a file has not been tampered with, you can use a CRC.
It was a perfect solution for Spyro 3 because the algorithm is fast; there is no apparent slowdown or disc access to run the check. The CRC takes an input string or byte array and divides it by a magic number or divisor, and the output is a fixed-size value. This is important to remember, because it means a cracker could easily manipulate the divisor or magic number so that the result matches what the game expected. But Insomniac programmer Gavin knew this could be a weak point and obfuscated the CRC checks by adding additional checks in the same code frame but at different offsets, and to further complicate things, even used the value of the checksum result as part of the data being verified.
Additionally, there was no call to a CRC check function, which again would have been easy for crackers to detect and patch; rather, the checks were inlined in the code so the compiler would simply apply them to the main block of code that was running. With just one byte of difference in the code, one or any number of CRC checks would fail and the crack protection would kick in. Gavin knew that crackers would have to patch LibCrypt, which invalidated the copy, and that was enough to activate the protection. When the game was released, a few different scene groups released their cracks of the game, including one that patched the LibCrypt protection, and then Paradox also released a crack of the game, but neither of them worked; the crack protection was still in place.
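As an added illustration (not code from the video, from Insomniac or from Spyro 3), here is how a chained CRC-16 self-check of the kind described above behaves in C: two overlapping windows at different offsets, the second seeded with the result of the first, computed over a constructed 32-byte stand-in for game code. The byte values, the window layout and the CRC variant are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), bitwise with no lookup
 * table: cheap enough to run inline every frame with no disc access. */
uint16_t crc16(const uint8_t *data, size_t len, uint16_t seed) {
    uint16_t crc = seed;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Known-answer check: CRC-16/CCITT-FALSE of "123456789" is 0x29B1. */
int crc16_selftest(void) {
    return crc16((const uint8_t *)"123456789", 9, 0xFFFF) == 0x29B1;
}

/* Constructed stand-in for 32 bytes of game code (not real Spyro 3 data). */
static const uint8_t GOOD_CODE[32] = {
    0x27,0xBD,0xFF,0xE8,0xAF,0xBF,0x00,0x14,0x0C,0x01,0x23,0x45,0x00,0x00,0x00,0x00,
    0x8F,0xBF,0x00,0x14,0x24,0x02,0x00,0x01,0x27,0xBD,0x00,0x18,0x03,0xE0,0x00,0x08 };

/* Two checks over overlapping windows at different offsets; the first result
 * seeds the second, so the checksum value itself becomes part of the data
 * being verified. Patching any byte of either window, or faking c1, breaks c2. */
static void chained_crc(const uint8_t *code, uint16_t *c1, uint16_t *c2) {
    *c1 = crc16(code, 16, 0xFFFF);   /* window A: bytes 0..15 */
    *c2 = crc16(code + 8, 24, *c1);  /* window B: bytes 8..31, seeded by c1 */
}

/* Returns 1 if a copy of GOOD_CODE with one bit flipped at `index` still passes
 * against the values computed from the untouched code (standing in for values
 * stamped into the binary at build time). index >= 32 means "no patch". */
int passes_after_bitflip(size_t index) {
    uint16_t e1, e2, c1, c2;
    uint8_t code[32];
    chained_crc(GOOD_CODE, &e1, &e2);
    memcpy(code, GOOD_CODE, sizeof code);
    if (index < sizeof code) code[index] ^= 0x01;
    chained_crc(code, &c1, &c2);
    return c1 == e1 && c2 == e2;
}

int main(void) {
    printf("selftest=%d untouched=%d flip@3=%d flip@20=%d\n", crc16_selftest(),
           passes_after_bitflip(32), passes_after_bitflip(3), passes_after_bitflip(20));
    return 0;
}
```

A flip at byte 3 changes c1 and, through the seed, c2 as well; a flip at byte 20 leaves c1 intact but still fails c2, which is why a cracker has to find and restore every window rather than fix up a single stored value.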
It took almost two months for Paradox to release an updated Spyro 3 that was 100% patched. I contacted the cracker known as Baby Doc to learn more about this crack. His method was to write code that hooked into the game; after the game had loaded, he injected a bypass for the protection and then reapplied the original data, so that when the checksum was computed the test would pass. It sounds simple enough, but it was far from it. 1999 was a different time; there wasn't as much of a knowledge base about PlayStation hardware, so they had to learn things and share information among themselves. However, Paradox used an official development kit that had a homebrew loader to launch retail games. This meant they had access to snoop memory, and this is how Spyro 3 was able to be defeated.

Baby Doc spent two weeks extracting all the data, comparing core dumps from an original copy of the game and repackaging it into a new file system. He had to identify all the checksums and had to be sure that every one of them was detected, bypassed and reapplied with the original data. This was a long and complicated process. When I asked him why he went to the trouble, for him it was a challenge; it was fun. There was no money involved, just the knowledge that cracking a complicated protection would make you one of the best crackers in the world. For Sony and Insomniac, this protection served its purpose.
After all, the first two or three weeks are where most of the money is made selling a game on store shelves. The game would eventually be cracked, but the protection held its own when it mattered. There are actually only a small handful of games that had additional crack protection; it had a cost associated with it and was left to the development house, and in most cases there wasn't enough time, money and resources to consider doing so. While the PlayStation 1 sold over 100 million systems and was a worldwide success, it was also the games console that started the mod chip craze and brought them into homes. So there you go guys, that's the story of anti-piracy on the Sony PlayStation 1.
When Sony came into that generation, they didn't really understand the security mechanisms very well, and it wasn't really their fault. I think at the time things were very different than they are today. They felt they had done enough to stop casual copying of games, and I suppose in some ways it did, but it certainly relied too much on CD burners being out of most consumers' price range. They quickly tried to pivot and come up with different ways to stop piracy when recorders started dropping in price significantly, and suddenly everyone who had a PC had a CD burner in it and could quickly and easily copy PlayStation 1 games, and with a mod chip they were able to run those games easily. In the end they certainly learned a lot of lessons from the PlayStation 1 and reinforced security on the PlayStation 2. I have made a video on security on the PS2, so if you are interested I will leave a link to that video in the comments below. I hope you have a good understanding of what Sony did.

Through each generation of this system, you'll gain a good understanding of what was happening with security and their thought process on that particular topic. Well guys, we'll leave it here for this video. Thank you very much for watching. If you liked it you know what to do: leave me a thumbs up, and as always don't forget to like and subscribe, and I'll see you in the next video. Bye for now.