How the Sony PlayStation Was Hacked

Playgrounds were the comment sections of their day. Every weekday from exactly 1:17 PM until 1:43 PM there were swings to be swung, rumors to be spread, and debates to be settled by whomever was the loudest (some things never change). Allegiances were formed and battle lines were drawn based solely on what video game console you supported. It was this playground system that perpetuated the urban myths of the time.

For PlayStation fans there was the myth that you could save Aerith from her fate in Final Fantasy VII if you just cast the right spell, or the secret code in Tomb Raider that would let you see all of Lara Croft. There was the myth that no one could possibly copy a PlayStation game because all the bottoms of the discs were black. Even the very existence of the first PlayStation, the Super Nintendo PlayStation prototype, was an urban legend. The difference was that last one turned out to be true.

Let’s jump in and take a look at the cat and mouse game between modchip makers looking to defeat the original PlayStation’s copy protection, and Sony’s efforts to protect their castle.

Gimme Gimme Anime Fighting Games

Sony’s PlayStation was the introduction to games on CD-ROM for many of those playground kids. The format proved to be cheaper on average for both developers and gamers alike, and it had the added benefit of coming in durable, plastic jewel cases. The confluence of the two circumstances led to the increased demand for importing Japan-only titles, but since the PlayStation was region locked from both a hardware and software perspective there was a need for an intermediary device.

PlayStation 1 Gold Finger Cheat Device
Gold Finger game enhancer cheat device for PlayStation.

There were a number of these intermediary devices, colloquially called game enhancers, that allowed users to enter cheat codes not accessible from in-game menus as well as boot games from other regions. Early production run models of the PlayStation contained parallel I/O ports, so game enhancers like the Gold Finger attached directly via the parallel port with no further modifications being necessary to play the latest anime fighting game import.

Later revisions of the PlayStation would remove the parallel port and force import players to adapt, and adapt they did. Probing around the PlayStation’s internals became the only way to circumvent Sony’s region locking, and in the process hackers discovered the secret to allowing import games to boot. Region specific license key data appeared both on software and hardware memory. The two keys had to match in order for discs to boot. Subsequently all region license keys were dumped and flashed onto PIC8 microcontrollers and some of the first PlayStation modchips hit the internet. Now anyone with a properly installed modchip inside their console could play games like Asuka 120% Burning Fest into the midnight hours.

Do The Wobble Groove

Lasers were in, EPROMs were out. Cartridges just weren’t going to cut it any longer in videogames, because all those full motion video cutscenes needed to be stored somewhere. By adopting a standardized format in CD-ROM Sony could not employ the use of the physical region locking mechanisms found on cartridge-based systems. However, they did have control over the disc’s table of contents (TOC).

Along with the region specific license key data, Sony pressed a special pit into the TOC of every disc. This pit, or “the wobble groove” as it would become known, was virtually impossible for consumer grade CD writers to replicate. A CD writer laser would need to be programmed to physically move in three dimensions in order to burn the wobble groove into a CD-R. So the patented pressing process achieved both copy protection and region encoding simultaneously.

A side effect of intertwining the copy protection with the region encoding meant that those users with modchips in their consoles could circumvent both processes at once. CD-based consoles prior to the release of the PlayStation, like the Sega CD and PC Engine CD, did not contain copy protection pressed into the discs. The exorbitant price of a CD writer at the time of release of those consoles was enough to deter any potential pirates. However, thanks to economies of scale in production and the march of time the expectation that duplication technology would be out of reach of PlayStation users could not stand for Sony.

Sony became wise to the modchip scene, and was able to author “anti-mod technology” into the code of popular titles like Grind Session and Dino Crisis 2. Early versions of modchips were always on, and that made them vulnerable to security checks performed after booting up a copied disc. To counter these extra security checks, PIC12 microcontrollers containing all the license key data were soldered onto the PlayStation lid switch contacts. With that alteration, modchips would only be engaged during boot up and would deactivate outside of that sequence, and thus the “stealth modchip” was born.

Undetectable modchips were essentially game over for the PlayStation. Their introduction late in the PlayStation’s life cycle meant that only the most dedicated of players were going to install one. Modchips may have been able to defeat the wobble groove and even satiate the need for a little more Dragonball Z in the world, but they wouldn’t be able to defeat the PlayStation’s biggest urban myths. Those simply hung around.

Sony did their part to keep a modicum of mystique about the PlayStation’s black bottom discs though. They helped perpetuate the whole “copy-proof black disc” myth in the PlayStation Underground Volume 3 video below:

34 thoughts on “How the Sony PlayStation Was Hacked”

    1. I *still* use the swap trick as recently as last week. I also have a modded original with a simple modchip I made myself.

      I think “clever” is dubious here considering all you need to do is inject some serial data at one point and could originally do so blindly.

    1. I think Drew meant in comparison to the disposable cardboard cases most cartridge based games came in, which are much harder/more expensive to find in good condition nowadays (on account of many kids throwing out the box after getting the game, or them getting wrecked through the years if the collector didn’t keep them in a protective clear aftermarket slip case). I really wish NES and SNES games came in a nice plastic case like Genesis games did. It’d be nice to have beautiful OEM spine artwork on cases to display games with instead of the shelves of lined carts with minimal end labels.

    2. Good additional video. He does make an assumption though that might not have ended up correct in the alternate reality he proposes. With respect to the 15cm disks, he assumes that they would have been impossible to get because they don’t currently exist in any form I know of. This might not have been the case in reality…

      Had Sony used a 15cm disk, they could have held more data. And… CDs were the de facto long term storage solution at the time. So it’s not only likely, but probable that someone would have made one to quench everyone’s desire for MORE SPACE.

  1. I remember Plextor CD-burners being quite the sought-after commodity, when word got around that they were capable enough to burn PlayStation discs, with certain firmware and other tweaks.

      1. Reliable? Mine weren’t. Long ago I built a 1GHz P3 based on one of the MaximumPC extreme rigs of the year. Plextor UltraPlex 40Max CD-R and Plextor PlexWriter on an Adaptec SCSI card. I went through a couple of both of them before I ditched them (and the SCSI card) and bought something else.

    1. I used to build high-drive-count CD duplicators (for legal, legitimate use) for my brother back in the day. He would occasionally give me drives he phased out of production. I still have a handful of Plextor 12/10/32S drives around that operate flawlessly. They were (and still are) solid drives and would burn just about anything. I think I’ve also got a 4x SCSI Teac drive that performed similarly to the Plextors.

    2. They were indeed. I worked in copy-protection, and the plex master drives were the dogs balls. Burnt at 1-2x, but could burn data other drives couldn’t.
      Our best bit of kit was a modified plex master with the laser under direct control of a PC, allowing any pit/land pattern to be burnt.

    1. I did. Recess was right before lunch for grades 1-3 and after lunch for grades 4-6 to keep the 2 groups separated. It was always at the same time every day. However I was an adult by the time PS1 came out, we talked about Atari 2600, Intellivision, and Colecovision back when I was in the playground.

      1. Yep, my friend Jon was the only one I knew with a Vectrex console. Most children had Atari 2600, only a limited few had the 5200 at the time. I got the Intellivision around 1979 and was one of maybe two people I knew who had that. Of course the Baseball and Football games were the best in their era on the Intellivision. A few years later some friends got the Colecovision. Then the crash hit… Funny, historians like to say video games by 1983 had become a bad word and no parents wanted to be associated with it.

  2. I remember doing this. I was one of the hackers that did my own PIC chip. Also having a Philips CD writer that was a 2x burner back then and cost me £700 or something like that. Also blank CDs cost more back then. I think a blank CD was £5 each or 3 for £10. I know it was cheaper the more you got. God, I chipped so many PlayStations I forget how many I did. Also went on to do the PlayStation 2. Got to say that the CD burner by Philips did me well. I burnt 1,000s of discs and it never let me down. It lasted years and I sold it off in the end still working.

    1. Yep, did it with the demo disk and quickly switched it out for a copied game. I never really got into that. By the time much of that was mature, hard core gamers had moved on to the PS2 and Dreamcast. I got a Dreamcast after Sega announced they were not going to make consoles anymore and the prices dropped like a rock. $100 got me a Dreamcast console and keyboard. By the time I realized there was a broadband adapter to replace the 56K modem they were out of production, expensive and hard to come by. I got a PS2 slim when GT3 came out…

      1. Ah yes I chased the DC network adapter dragon myself for a while. I still want a port of Seaman for the PC now that my DC has found another forever home. I was sad that Seaman 2 never properly materialized. Such an odd and different game. Nimoy’s voice was a hook as well. Great memories :)

  3. I’m probably wrong about this, but I’d always assumed that the ‘black colour prevents piracy’ thing was simply about making it easy to identify a counterfeit disc, down the local market or wherever. That it was yet another thing that would require to be successfully replicated, like the holograms on the inlay cards, such that making a ‘this could pass for official’ counterfeit would be harder to produce. As indicated in the article, home copying was not a concern early on when these decisions were being made, because of the availability and cost of burners – they were making it hard to mass produce fakes.

  4. After seeing this post yesterday, I decided to break out the old DMS3’d PS2. As I was Googling to figure out how to use the thing again, I noticed the timestamps on many of the forum posts and realized I hadn’t turned the console on in about 10 years. Much to my surprise, the clock was still set correctly.

  5. Sorry Drew, but it reads a little 3rd hand with many assumptions.

    Anyhow, the ‘licence key’ is simply the string ‘SCEx’ – x being one of 3 Sony localities (A, E, I).
    The mod chip would spam the line that decoded the wobble track.

    The ‘wobble’ track is the calibration area for the laser unit to oscillate against, but modulated at ~22KHz is the region string.

    Later titles that implemented ‘anti-mod’ techniques, would check that the string wasn’t being decoded still.
    This would be an issue for users with genuine disks in modded consoles too!

    So later chips would also monitor the door switch to re-start the string injection.

    There’s a modern day version using Atmel devices and the Arduino setup (best used re-programming the device without a bootloader) found @ https://github.com/kalymos/PsNee
    This version reads the drive control bus, allowing it to know where the laser is and when it’s expecting the licence string.
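To make the boot-time region check and the later anti-mod check described in this comment concrete, here is a small simulation added as an editor's example (not code from the post, its author, or the PsNee project). The `Sample` structure, the boot window length and the timelines are constructed assumptions; the console's real firmware logic is not on the page.

```python
"""Constructed model of the SCEx region check and the post-boot 'anti-mod' check."""
from dataclasses import dataclass
from typing import List, Optional

# The licence string is 'SCEx', x being one of the three Sony localities.
REGIONS = {"A": "SCEA", "E": "SCEE", "I": "SCEI"}

# Assumed: the console reads the licence string during the first two seconds.
BOOT_WINDOW_MS = 2000


@dataclass
class Sample:
    t_ms: int               # time since power-on
    decoded: Optional[str]  # string decoded from the ~22 kHz modulated wobble, if any


def boot_check(console_region: str, samples: List[Sample]) -> bool:
    """Boot check: the string read during the boot window must match the console's region."""
    want = REGIONS[console_region]
    seen = {s.decoded for s in samples if s.t_ms < BOOT_WINDOW_MS and s.decoded}
    return want in seen


def anti_mod_check(samples: List[Sample]) -> bool:
    """Anti-mod titles: a genuine disc only yields the string at boot, so a licence
    string still being decoded after the boot window means it is being injected."""
    return not any(s.decoded in REGIONS.values()
                   for s in samples if s.t_ms >= BOOT_WINDOW_MS)


def console_accepts(console_region: str, samples: List[Sample], anti_mod_title: bool = False) -> str:
    if not boot_check(console_region, samples):
        return "refused at boot"
    if anti_mod_title and not anti_mod_check(samples):
        return "refused by anti-mod check"
    return "runs"


# Constructed timelines, sampled every 500 ms for five seconds.
TICKS = range(0, 5000, 500)
GENUINE_E = [Sample(t, "SCEE" if 500 <= t < 1500 else None) for t in TICKS]   # genuine PAL disc
IMPORT_I_ON_E = [Sample(t, "SCEI" if 500 <= t < 1500 else None) for t in TICKS]  # Japanese import
ALWAYS_ON_E = [Sample(t, "SCEE") for t in TICKS]  # early chip spamming the line the whole time

if __name__ == "__main__":
    print("genuine:", console_accepts("E", GENUINE_E, anti_mod_title=True))
    print("import:", console_accepts("E", IMPORT_I_ON_E))
    print("always-on, anti-mod title:", console_accepts("E", ALWAYS_ON_E, anti_mod_title=True))
```

The always-on timeline shows the point made above: because the anti-mod check only looks at whether the string is still present after boot, it refuses the disc regardless of whether the disc itself is genuine.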
