PsNee: a stealth modchip for all PS1-models

Discussion in 'Modding and Hacking - Consoles and Electronics' started by TheFrietMan, Aug 28, 2015.

  1. master991

    master991 Enthusiastic Member

    Hi, can you release a normal hex to use with a common programmer?
    I don't have an Arduino to burn all the magic XD
     
  2. TheFrietMan

    TheFrietMan Active Member

    Hi!
    Well, it would be rather impractical to flash an AVR without an Arduino, but it's certainly possible if you've got the hardware lying around anyway. You would however also have to burn the correct fuse bits to use the internal 8MHz oscillator. I just looked it up for you, the correct AVRdude settings for an ATTiny45 would be
    Code:
    -U lfuse:w:0xe2:m -U hfuse:w:0xdf:m -U efuse:w:0xff:m 
    If you know how to burn AVR chips manually, I'm sure you can also compile the source code in the Arduino IDE for the correct chip and locate and program the generated hex file with a programmer, but I recommend the rest of the world to just buy an Arduino and make your life a lot easier. ;-) They are cheaper than an ordinary AVR programmer anyway, and you can use your Arduino as an external programmer as well.
     
    Last edited: Sep 17, 2015
  3. master991

    master991 Enthusiastic Member

    Thanks for all,
    To be honest I don't much like the Arduino "world", but I must agree that it is a great tool ;)
    Plus I hate Atmel because of the manual fuse implementation. Plus sometimes there's a lot of other trouble, even within the same family of ATMega, unlike the other microcontrollers which contain all the settings in one hex...
     
  4. Bad_Ad84

    Bad_Ad84 The Tick

    I will be getting some of the chips in at some point. Just waiting until it's "done", as it sounds like a V3 is on the way.
     
  5. Mord.Fustang

    Mord.Fustang Fiery Member

    Thanks for the fuse settings and such for people like me who also only have an AVR programmer. USB AVR programmers can be had for $2 on eBay. I've ordered an ATTiny45 and ATTiny85 to try this out in the future.

    I've also sent TheFrietMan via PM the wiring diagrams I've made so he can look over them first, then I will post them here.

    Any chance in the future to get this on something such as the cheaper ATTiny13? Or would there be limitations preventing it?
     
  6. Bad_Ad84

    Bad_Ad84 The Tick

    See, I was thinking go the other way - get something with more pins to enable more features.

    Maybe when 100x support is added, console might need another pin (sense via a connection to PS1 or even just connect to gnd/vcc if in a scph-100x).
     
  7. TheFrietMan

    TheFrietMan Active Member

    I'd have to agree with you on using a chip with more pins available, I'm already running into this problem with the current PsNee. I discovered that it isn't quite so simple to use pin 1 on ATTiny45 as this is also used as a reset input. You can disable this by setting your fuse bits properly, but then you lose the ability to program the ATTiny with a low voltage programmer (i.e. Arduino), you'd then have to use a high voltage programmer, which is more expensive than just using a bigger chip.
    Mind you, a bigger chip is just needed for certain Playstation models that require more connections to the Playstation, for example the BIOS patch for PAL SCPH-102. Most of the Playstation models should be fine using ATTiny45. The nice thing about the Arduino platform is that it produces very portable code: I can just make the user define at the start of the code for which chip and type of Playstation PsNee is meant, and Arduino burns the right firmware for the right chip. It's that easy! This certainly is something for PsNeeV3.
    I BTW still haven't been able to test the PAL SCPH-102 BIOS patch on real hardware :-/
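
Added example, not part of the original posts and not PsNee code: a small C decoder for the ATtiny25/45/85 fuse bytes discussed in this thread. It checks whether an `lfuse`/`hfuse` pair keeps the chip programmable over ISP (the RSTDISBL trade-off described above) and selects the undivided 8 MHz internal oscillator. Bit positions follow the ATtiny25/45/85 datasheet; the function names and the `0x5f` sample value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* ATtiny25/45/85 fuse bits. A fuse bit is "programmed" when it reads 0. */
#define LF_CKDIV8    0x80u  /* low fuse: divide system clock by 8 */
#define LF_CKSEL     0x0Fu  /* low fuse: clock source select */
#define HF_RSTDISBL  0x80u  /* high fuse: turn pin 1 (RESET) into an I/O pin */
#define HF_SPIEN     0x20u  /* high fuse: enable low-voltage serial programming */
#define CKSEL_INT_RC_8MHZ 0x2u  /* calibrated internal RC oscillator */

typedef struct {
    int internal_8mhz;  /* internal RC oscillator selected */
    int clock_div8;     /* CKDIV8 programmed: core runs at 1 MHz */
    int reset_is_io;    /* RSTDISBL programmed: pin 1 usable as I/O */
    int isp_possible;   /* Arduino-as-ISP or a USB programmer still works */
} fuse_report;

static int programmed(uint8_t fuse, uint8_t mask) { return (fuse & mask) == 0; }

fuse_report decode_fuses(uint8_t lfuse, uint8_t hfuse)
{
    fuse_report r;
    r.internal_8mhz = (lfuse & LF_CKSEL) == CKSEL_INT_RC_8MHZ;
    r.clock_div8    = programmed(lfuse, LF_CKDIV8);
    r.reset_is_io   = programmed(hfuse, HF_RSTDISBL);
    /* ISP needs both SPIEN programmed and a working RESET pin. */
    r.isp_possible  = programmed(hfuse, HF_SPIEN) && !r.reset_is_io;
    return r;
}

/* Returns 1 when these fuses keep the chip reprogrammable over ISP and
   give the undivided 8 MHz internal clock the thread asks for. */
int safe_for_isp_at_8mhz(uint8_t lfuse, uint8_t hfuse)
{
    fuse_report r = decode_fuses(lfuse, hfuse);
    return r.isp_possible && r.internal_8mhz && !r.clock_div8;
}

int main(void)
{
    /* 0xe2/0xdf come from the thread; 0x62 is the factory low fuse and
       0x5f is a constructed high fuse with RSTDISBL programmed. */
    const uint8_t cases[][2] = { {0xe2, 0xdf}, {0x62, 0xdf}, {0xe2, 0x5f} };
    for (unsigned i = 0; i < 3; i++) {
        fuse_report r = decode_fuses(cases[i][0], cases[i][1]);
        printf("lfuse=0x%02x hfuse=0x%02x: 8MHz-RC=%d div8=%d reset-as-io=%d isp=%d\n",
               cases[i][0], cases[i][1], r.internal_8mhz, r.clock_div8,
               r.reset_is_io, r.isp_possible);
    }
    return 0;
}
```

Running a candidate fuse pair through a check like this before writing it catches the case where pin 1 is reclaimed as I/O and the chip can afterwards only be recovered with a high-voltage programmer.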
     
  8. Mord.Fustang

    Mord.Fustang Fiery Member

    Last edited: Sep 18, 2015
  9. Michele133

    Michele133 Newly Registered

  10. TriMesh

    TriMesh Site Supporter 2013-2017

    Dino Crisis is a useful stealth test disc for two reasons - the first is that the protection check is carried out pretty much immediately after boot so it's good for checking chips that are turning the data off slightly too late (note that it also checks the protection before it calls InitPad(), which completely defeats the old stealth chips that used pad startup to disable the chip) - the second reason is that the modchip detection code still runs on PAL machines, which is not the case with some of the later protections - they detect a PAL boot ROM and bypass the tests. As a result, it's always best to use a machine with an NTSC:U/C boot ROM for stealth testing. Strange as it may seem, this behavior was added at the insistence of SCEE, who thought that the way the modchip detection prevented people from booting original discs was stupid.

    @TheFrietMan

    OK, I don't think your BIOS patching is going to work - you can't just look for XLAT/ - you have to start looking for it at the right time.

    What XLAT/ does is indicate that the command just sent by the mechacon CPU to the CD DSP is complete and should be executed - so there is a lot of activity on this line during normal operation. What you actually have to do is work out where you are in the boot process and only start watching for XLAT at the right point.

    Without going into too much detail, this is what happens when the drive starts checking a disc (so run this either from power up if the door is closed, or door close if it was open).

    0) Optical pickup is set to home position
    1) The focus servo is put in search mode (disc is kicked here with later mechacon code)
    2) The focus servo detects zero-crossing
    3) The focus servo is put in track mode w/low gain
    4) The tracking servo is engaged with low gain (disc is kicked here with old mechacon code)
    5) Tracking servo locks, EFM data recovery begins
    6) Focus / tracking gain is bumped, spindle servo is engaged with a long time constant
    7) Spindle servo is switched to normal mode.

    Note that all these steps involve sending commands to the DSP - so if you monitor XLAT/ at this point there will be a lot of activity - in fact, you should have the chip turned off entirely during this period, so it doesn't interfere with this process. At this point, everything is tracking, and the mechacon is reading the ToC (which is stored in the Q subcode) - this is also the point it arms the SCEx detection logic. At this point, there is no activity on XLAT/ because the drive is just reading and doesn't need to be told anything else.

    Once it has a valid ToC for the disc and the protection check is passed, it seeks to the start of track 1 and reads the license data. This does involve sending commands to the DSP, and this is the XLAT/ pulse you are interested in. You then have to wait for a bit (for the read to complete), wait a bit more for the address line to go high, and then pull the output low to patch the ROM data.

    I honestly can't remember the numbers (this was 15 years ago, and my memory might be good, but it's not THAT good) - but if you hook up a scope or LA to the CD DSP command bus you should be able to work it out pretty quickly.

    The basic sequence is as follows:

    a) On power up or door close wait a few seconds with the outputs floating
    b) Start sending SCEx strings, blindly (this is to allow for variation in the time it takes for the servos to lock up)
    c) After a few seconds, carry on sending SCEx, but now monitor XLAT/ and kill the output if you see it
    d) After this, wait a bit longer
    e) Wait for the address to go high
    f) Wait a few uS
    g) Pull the output pin low
    h) Wait a very short time
    i) Let it go high again.

    Oh, and the PM41(2) has slightly different timing - if you have problems with the chip being detected then try moving the wire from XLAT/ to XCLK/ - this basically triggers the detection at the start of the command frame rather than at the end.
     
  11. TheFrietMan

    TheFrietMan Active Member

    Wow, that is some great information! :)
    I'll hook up the logic analyzer to XLAT and log its results when reading a disc. If the signal pattern is reasonably repeatable, I can make a counter to count at which XLAT-change the BIOS patch should be applied, otherwise I'll think of something else.
     
  12. Mord.Fustang

    Mord.Fustang Fiery Member

    I'm having some issues getting this onto an ATTiny85... got the chip and a programmer. Installed Arduino IDE, installed the Flash library like it says to:
    Code:
    #include <Flash.h>  //Include the Flash library to conveniently store the SCExData-arrays in PROGMEM, see http://arduiniana.org/libraries/flash/
    But whenever I try and compile it I get a bunch of errors like this (and more):
    Code:
    In file included from PsNeeEnglishV2.ino:141:0:
    C:\Program Files (x86)\Arduino\libraries\Flash/Flash.h:70:23: error: 'prog_char' does not name a type
      _FLASH_STRING(const prog_char *arr);
    Ideas?
     
  13. TheFrietMan

    TheFrietMan Active Member

    I've just updated my Arduino IDE to the latest version and got the same errors. Arduino 1.5.x and up give some problems with libraries written for Arduino 1.0.x, apparently some types are different. I would suggest using an older version of the Arduino IDE (1.0.5), that should work. I'll look into using the Flash library with Arduino 1.5.x and up.
     
  14. MottZilla

    MottZilla Champion of the Forum

    Spyro 3 will boot if the first simpler check is passed but the game will not be fully playable if later less apparent checks are failed. Are you sure Spyro 3 is fully functional/playable? Because it booting and getting into the game apparently was not made to be too difficult. It made pirates and crack groups release incomplete cracks that they thought worked at a glance but when players actually played through the game they found things were not working as intended.

    So are you sure it's functioning fully?
     
  15. Mord.Fustang

    Mord.Fustang Fiery Member

    Thanks, downloaded 1.0.5 and it compiled with no errors.
     
  16. TheFrietMan

    TheFrietMan Active Member

    It's been a while, but I've finally managed to get my hands on a PAL SCPH-102 and capture some signals with the logic analyzer. I've included them all with this post. I've tried to test backups and originals from PAL, NTSC-U and NTSC-J regions. The files can be read with Logic from Saleae Logic, which is free. :)
    I've uploaded everything to Google Drive, download, analyze and share the files as much as you can! :) They're here.
    I'll try fooling around with the code a bit to get NTSC games to work now that I have easy access to the needed signals.
     
  17. TheFrietMan

    TheFrietMan Active Member

    I've looked at all the logic captures and the behaviour of A18 is the same in all cases. So... for which edge of A18 should I look? I've circled them for your convenience ;-)
    I've captured 50 secs and A18 never goes high again in that period.
    [IMG]
     
  18. TriMesh

    TriMesh Site Supporter 2013-2017

    It's the rising edge, and it's much later than that - about 10-12s after the start of boot. The point you are looking for is just before the black PSX screen comes up with a correct territory disc, or you get dumped back to the BIOS with one with the wrong license data.
     
  19. TheFrietMan

    TheFrietMan Active Member

    Hmm, I've checked all the captures again and I can't find any pulse on A18 at about the 10 sec mark... maybe my capture speed needs to be higher, I've now sampled everything up to 1MHz. Or I've soldered a wire to the wrong pin...
     
  20. TheFrietMan

    TheFrietMan Active Member

    Oy matey, I've found something :D
    The increased resolution really helped. Which is weird, because the pulse is very long.
    [IMG]
     