PSNee further development

General information to do with the PlayStation 1 Hardware. Including modchips, pinouts, rare or obscure development equipment, etc.
daywalker
Interested PSXDEV User
Interested PSXDEV User
Posts: 9
Joined: Oct 28, 2018

Post by daywalker » November 11th, 2018, 6:37 am

superg wrote: November 7th, 2018, 3:30 am
rama3 wrote: October 29th, 2018, 12:45 am You inject the license symbols 6 times. That could be too much for some anti mod games. It's possible that you're still in the sending loop while the game has long moved the laser, and thus it becomes detectable.
Just my observation, I experience a delay in boot on my test PAL PSOne if I do inject_SCEX('E') just twice. When increased back to 6 times (the default in kalymos master branch) it's fast again. I think my test PU-18 board was fast regardless of this setting (2 or 6).
On my PU-22, i have also a delay if i inject only twice, i now changed my code to 3 injections(only the correct region) and that gets rid of the delay for me. Also played around with the hysteresis setting when injecting, but (injection_threshold-3) seems to be ideal.

For anybody who's interested in my Tiny25 trials:
Installed the Attiny25 today. Also added an external 4.19MHz clock that i found on IC304, Pin 14 for more precise time keeping without crystal oscillator. The voltage levels are 3.8V peak-to-peak but they seem to work nicely as a clock souce with a ~3.5V supply(i replaced all electrolytic caps in my power supply). Also i'm now using brown out detection(not really neccesary), a watchdog for emergency reset(not really neccesary) and Timer0 for some of the timing. Timer0 was primarily to make the code faster because i "only" have about 4MHz left. I also had to move the packing of the individual SUBQ bits into bytes into the small gap between the bytes(at the expense of some memory) because of the slower clock.
This is my SUBQ sniffing, adjusted for the lower clock speed:

Code: Select all

start:
wdt_reset();	//Reset Watchdog, to show that we are still alive
scpos = 0;	//reset SUBQ packet position
//Capture bytes without larger gap in between ==> complete SUBQ transmission
while(scpos < NUMBER_OF_BYTES_IN_PACKET){
	for (uint8_t bitpos = 0; bitpos < 8; bitpos++) {
				
		TCNT0 = 0;
		while (READ(SQCK)) {	//Wait for clock to go low
			//Timeout resets capture during bootup and in between packages
			if (TCNT0 >= MICROSECONDS_TO_TIMER_TICKS(US_SUBQ_TIMEOUT)){
				goto start;
			}
		}

		while (!READ(SQCK));	//Wait for clock to go high

		bitbuf[bitpos] = READ(SUBQ);
	}
	//8 bits read, now combining them into bytes
	//This is done to have the bits read as fast as possible and have the copying happen between bytes
	scbuf[scpos] = bitbuf[0];
	for (uint8_t bitpos = 1; bitpos < 8; bitpos++) {
		scbuf[scpos] |= (bitbuf[bitpos] << bitpos);
	}
	scpos++;
}
Ah yes, the Tiny25 is installed in my Playstation on an 8x8mm PCB, i will upload the gerbers soon. The code and PCB are neither nice nor optimized or anything but they work for me.
I'd be glad if anybody finds bugs or can suggest improvements!
https://github.com/danielheinrich/PsNee ... ter/main.c

rama3
Verified
/// PSXDEV | ELITE ///
/// PSXDEV | ELITE ///
Posts: 510
Joined: Apr 16, 2017

Post by rama3 » November 12th, 2018, 2:35 am

Interesting approach, both on getting the code / RAM use down and using a console provided clock.
Using a console clock means routing a fast clock signal wire around, of course.
People often don't realize that care must be taken here, so it's best to mention this in an install diagram or similar.

While the external clock is interesting, I don't think it provides any real benefit over the internal oscillator ;p

The timer0 use is very nice!
I always struggle to use hardware timers in my projects, so it's nice seeing one here.

rama3
Verified
/// PSXDEV | ELITE ///
/// PSXDEV | ELITE ///
Posts: 510
Joined: Apr 16, 2017

Post by rama3 » November 12th, 2018, 2:40 am

TriMesh wrote: May 5th, 2017, 2:09 pm
nocash wrote: Asking because rama just told me that nobody knows how "MultiMode3 and Mayumi4" modchips are working - as far as I understood they can defeat a special protection in Dino Crisis - and knowing where the pins are connected to would certainly help to understand how it works.
It's pretty much a hack. Mayumi (and MM3, since it appears to have been largely copied from Mayumi) there are two different operating modes depending on which sort of board the chip is installed in.

On PU-7 / PU-8 / PU-18 / PU-20, the code attempts to work out where in the boot sequence the console is by monitoring the X1/X2 speed control line. It's not as simple as just switching the data on and off - there are a series of delays for each part of the boot, and the speed line is basically used just as a hint to know exactly where the boot is right now. You can't just gate the data using the speed line because the anti-modchip test is carried out using CD-Audio play mode, and that's X1 too.

Basically the logic is:

After reset or door close, delay for a bit (two different delays for reset or door close) then start looking for the speed to switch to X1 (first protection check) - after this is detected, wait for the speed to switch back to X2 and start another timer. Then wait for the speed line to go back to X1 again (second protection check - this is also why it screws up on the very early boot ROM, since that doesn't have this check). At this point, it just waits for the door switch and then the whole cycle repeats.
That's the basic process - the code also has some code to detect the situation where you are booting using something like Caetla rather than the boot ROM, since that changes the timing and using the same timing as the original boot ROM would make the console fail the second protection check.

On PU-22/PU-23, it's a lot simpler. This is a special mode that's enabled when the chip is installed in a newer console (what used to be the modchip gate line is connected to WFCLK on the newer boards, and the code looks for a clock on this pin and if found enables PU22/PU-23 mode). In this mode, the chip monitors the XLAT line between the control MCU and the servo amp chip and cuts of the SCEx strings when it detects a pulse on it. There is also an initial delay so that it isn't triggered by the setup phase when the chipset is reset. It's basically relying on the fact that the MCU doesn't talk to the servo amp during the read TOC phase, but does as soon as it's finished. Despite (or maybe because of) it's simplicity, this mode works really well.
Fat quote, I know :p
If there's any way to free up a GPIO, then PsNee could make use of X1/X2 or XLAT for additional cues on what the Mechacon is doing.
We could early abort sending, get rid of hysteresis and more! ;p

superg
Active PSXDEV User
Active PSXDEV User
Posts: 47
Joined: Sep 22, 2018

Post by superg » November 12th, 2018, 5:41 am

rama3 wrote: November 11th, 2018, 3:43 am I'm undecided what would be best here, but some thoughts:

- automatic BIOS patching:
If it's going to be automatic, then we have to know the logic level for the involved pins.
They will have to be connected either to A18 / D2, or to Gnd / Vcc.
Once this is known, we can look at D2 or A18 for level changes.
As soon as we see one, we can assume BIOS patching is necessary.

The early NTSC patch routine can be within a timeout handler for that.
If there's no level change on A18 / D2, then abort the patch routine before it would go on to disable interrupts.
This way there's no need for a jumper. Just declare the pins must be connected.
Yeah, I meant exactly that. I wanted to create a jumper on my small PCB between BIOS_A12 pin and ground not to add an extra wire for everybody, so if it's installed to PAL PSOne it has to be open, and shorted for the other revisions. No need to do anything about D2 as we don't monitor it.

rama3
Verified
/// PSXDEV | ELITE ///
/// PSXDEV | ELITE ///
Posts: 510
Joined: Apr 16, 2017

Post by rama3 » November 12th, 2018, 6:19 am

Right about D2. I really should build a test rig again and actually work with the code.
Going with the PCB and a jumper on it is fine. It's the same as directing users (without a PCB) to solder a link wire.

On my other post, I think that on PU-22+, we can monitor the WFCK duty cycle / speed and extract the "X1 / X2" status from that.
It'd be a little delayed and it should probably use a hardware timer with interrupt.
Anyone up for a concept? :p

daywalker
Interested PSXDEV User
Interested PSXDEV User
Posts: 9
Joined: Oct 28, 2018

Post by daywalker » November 15th, 2018, 2:57 am

Hi, so since i already had recordings of my PU-22, i extracted the WFCK frequency and plotted it over time in the attached image(ignore the jitter). I never noticed before that it was changing because the first time it doubles it's speed from ~7.25kHz to ~14.5kHz, the injections are already over.
wfck-speed.png
You can see the injections in the DATA signal(in this case 2 times 3 injections, then a larger delay and another injection consisting of 3 repetitions). So the WFCK signal seems to change just after the last injection, the one that i am assuming made the console accept the CD.

Not sure that this is at all related, but i let the CD spin up, then it slowed down shortly, spun up again and finally slowed down before the recording ended. If i would have to plot a signal that indicated if the CD is in the slower or faster rotation mode, it would pretty much match the WFCK clock frequency signal.

Edit: I checked other recordings and it's always the same. The frequency changes shortly after successful injection and never in the recordings where the chip did not successfully unlock the console.
You do not have the required permissions to view the files attached to this post.

rama3
Verified
/// PSXDEV | ELITE ///
/// PSXDEV | ELITE ///
Posts: 510
Joined: Apr 16, 2017

Post by rama3 » November 15th, 2018, 9:00 pm

WFCK probably means word clock or frame clock or similar.
It should be feedback loop bound to the CD rotation, so your readings make sense :)

In machines where PsNee is already hooked up to this signal, we know that the Mechacon has accepted the disk once WFCK speeds up.
When that happens, any current or pending injections should stop.
Likewise, if an injection fails (timeout, Mechacon was busy, etc), WFCK staying low indicates we should do more attempts.

Thinking about it, maybe this can be done using the subcodes for timing..
That'd work on all consoles.
Using a timer interrupt might work well here ;)

daywalker
Interested PSXDEV User
Interested PSXDEV User
Posts: 9
Joined: Oct 28, 2018

Post by daywalker » November 15th, 2018, 11:31 pm

and you would start injection whenever you see any clock on WFCK or do we need another delay?

For time-keeping, I would probably use a pin change interrupt and just read the timer value when the pin changes. If we only need to differentiate between two clock speeds where one is twice the frecuency of the other, deciding which one we are looking at should only take two edges in WFCK.

superg
Active PSXDEV User
Active PSXDEV User
Posts: 47
Joined: Sep 22, 2018

Post by superg » November 16th, 2018, 1:57 am

Those are very good findings guys! Would be perfect if we can get speed changes directly from WFCK bus without connecting anything else, we're don't have more gpio's on attinyX5, nice observation daywalker! Didn't have much time to look into it, busy with other stuff.

daywalker
Interested PSXDEV User
Interested PSXDEV User
Posts: 9
Joined: Oct 28, 2018

Post by daywalker » November 16th, 2018, 4:00 am

culexus wrote: June 29th, 2017, 11:01 pm
rama3 wrote:These mini Arduino boards have excellent power regulation for what little they consume. I don't think you have a power problem.
You said "some games stops loading" and you use a PAL PM-41. I don't have the region patch stuff for these consoles yet, so it will only boot PAL licensed disks.

I have no idea what's going on with your Wip3out.
So I found the problem :) my old memmory card was corrupted, after deleting everrything on it and cleaning contacts it works. Now wip3out loads fine on the psone.

I did also mod the PU-23 and it`s up and running:) did thake some pictures of the main board before and after the mod. If interrested I can make a guide for this board with your newest code that I will test later :)
I tried multiple games already and had 0 problems with any yet, until i just now tried Wip3out.
The original disk works without any problems. The backup boots and lets me select mode, track etc. I just click though by pressing x. When the race starts, i press x again and hold it pressed. As soon as i reach the first blue line, the screen freezes but the music continues to play.
I tried burning the CD again, just to rule out some defects on the first backup.
What i tried successfully as well is swapping out the original disk for the cloned one after i passed this checkpoint. If i do this, i can keep playing the game without problems. I can also exit the race, start a new one and pass the checkpoint where i had problems at first.

I read that some people had a similar problem using emulators. Does anybody have a clue if this could also be related to copy protection? Does the game already have a modchip-detection that the software is somehow not dealing with correctly?

rama3
Verified
/// PSXDEV | ELITE ///
/// PSXDEV | ELITE ///
Posts: 510
Joined: Apr 16, 2017

Post by rama3 » November 16th, 2018, 6:42 am

Quick Google search gives me a few mentions of the game hanging as described.
It's doing this on emulators and official hardware in backwards compat mode.

The ngemu thread has a mention of getting it to work by using a CD plugin that allows for a separate subchannel data file.
This is a hint towards copy protection or glitchy code (it happens ;p) tripping on bad subchannel data.
PsNee only monitors the subcodes (at least I hope there aren't any dropped bits from maybe the extra wiring).
So the issue is probably a form of copy protection that relies on specific subchannel data that's missing on a bin/cue burn, for example.


I would only add the CD speed monitor to complement the existing setup.
PsNee should still monitor subcodes and decide when to start injecting.
With the added CD speed information, it can make a better decision on when to stop injecting early, or when not to start injecting (in case the drive picked up early TOC sectors by accident).
Right now, it's possible to cause a read error / retry condition, and that would tell PsNee to inject, no matter what the console is actually trying to do.

User avatar
Trombas
What is PSXDEV?
What is PSXDEV?
Posts: 1
Joined: Dec 08, 2018

Post by Trombas » December 8th, 2018, 11:29 am

Hello everyone! A newb here!

Glad I found you guys. Here's my story: a few years ago I bought an old PsOne Slim NTSC SCHP-101, PM-41(2) modded with an old 12c508P chip. Two days ago I decided to play Dino Crisis in that console, but for my surprise I had an error ("software terminated")

Searching in the web I found that my PsOne had an installation "without stealth". Now, I want to proced and install PSnee in my console using an Arduino UNO but I have not found any installation diagram for the SCHP-101 PM-41(2) mobo (I found the diagram for a SCHP-102 and PM-41) I hope someone could advice me and helpe me.

Here's a photo of my current PsOne with a 12c508/P

https://i.ibb.co/mv1643w/IMG-20181206-140701.jpg

superg
Active PSXDEV User
Active PSXDEV User
Posts: 47
Joined: Sep 22, 2018

Post by superg » December 13th, 2018, 9:45 am

Trombas wrote: December 8th, 2018, 11:29 am Hello everyone! A newb here!

Glad I found you guys. Here's my story: a few years ago I bought an old PsOne Slim NTSC SCHP-101, PM-41(2) modded with an old 12c508P chip. Two days ago I decided to play Dino Crisis in that console, but for my surprise I had an error ("software terminated")

Searching in the web I found that my PsOne had an installation "without stealth". Now, I want to proced and install PSnee in my console using an Arduino UNO but I have not found any installation diagram for the SCHP-101 PM-41(2) mobo (I found the diagram for a SCHP-102 and PM-41) I hope someone could advice me and helpe me.

Here's a photo of my current PsOne with a 12c508/P

https://i.ibb.co/mv1643w/IMG-20181206-140701.jpg
Installation diagrams are here: https://github.com/kalymos/PsNee
You will have to compile and flash Arduino code with the right settings. In my branch I'm making some improvements but it's not ready for the general public.

Finally I finished psnee board design:
Image
20x16mm board, as small as I could get. Decided to go with letters A-H as these are smaller than full pin functional names, ordered the same as ATtiny pins. ISP header added as convenience to program the chip when it's installed. I will be using pogo pins to have fully flat surface at the bottom layer but the usual 0.1 pitch header can be installed if needed. Also added 0603 decoupling cap and "J" convenience jumper which has to be shorted if psnee is compiled with bios patching code but used in PlayStation which doesn't need it. Kind of an effort to make everything universal. I still have to align my github branch with this approach before it can be used, hopefully will have more time on holidays to get it done. Also will add fuse check code and maybe will look into 1x 2x cd speed details.
For now I'm ordering some boards from my manufacturer.

User avatar
sy-pha
What is PSXDEV?
What is PSXDEV?
Posts: 3
Joined: Dec 31, 2018
I am a: CS Student
PlayStation Model: 1002 PAL

Post by sy-pha » December 31st, 2018, 10:32 am

Hi Guys, new here. Was modding my first PS1 the last week and I just can't get it to work :'(
I tried with two different Arduino Nano clones (one 168 and one 328) both at internal 8MHz. and one ATtiny85. Couldn't get any of them to work on my PAL SCPH-1002 PU-8 board. All of the sketches were burnt using an ISP programmer.

Now I flashed one of the Nanos with a DEBUG build. Reading the Serial Monitor it just never begins injecting.

First of all it's not consistent with the board detection, sometimes it "detects" (wrongly) a PU22 board and sometimes not. Then it mostly it prints a ton of FF's and once I insert a CD some other HEX values.

Any ideas what I can try next? is trying different clock speeds worth it? here's a picture of the wiring. I'm starting to run out of microcontrollers and ideas to try.

Cheers Phil

EDIT: is there a way I can modify to force it injecting all the time (non-stealth) so I could at least verify that the CD's are not the problem?

superg
Active PSXDEV User
Active PSXDEV User
Posts: 47
Joined: Sep 22, 2018

Post by superg » December 31st, 2018, 1:11 pm

sy-pha wrote: December 31st, 2018, 10:32 amis there a way I can modify to force it injecting all the time (non-stealth) so I could at least verify that the CD's are not the problem?
There is a hysteresis limit variable, you can try to lower the constant and see if that helps.

rama3
Verified
/// PSXDEV | ELITE ///
/// PSXDEV | ELITE ///
Posts: 510
Joined: Apr 16, 2017

Post by rama3 » December 31st, 2018, 1:23 pm

Hey,
the problem is with the installation or the Arduino board for sure.
It already fails on the PU-22 detection, so the chip is seeing jumping voltages there when it shouldn't.
Are the pin assignments correct? If not sure, try to focus on debugging the PU-22 detection pin first.

Edit:
And since tests where done using ISP, what were your fuse settings?

User avatar
sy-pha
What is PSXDEV?
What is PSXDEV?
Posts: 3
Joined: Dec 31, 2018
I am a: CS Student
PlayStation Model: 1002 PAL

Post by sy-pha » January 9th, 2019, 11:06 pm

I think my wires were to long. Since I disassembled and reassembled the PS so many times I decided to take my kynar wires outside the console for debugging .. but apparently that doesn't work .. I guess that caused jumping voltages @rama3

Now I soldered in the ATtiny with a debug build and short wires but when I was flashing I didn't know the ATtiny would only support SOFTWARESERIAL so I can't really debug that either.

I always used the standard settings for fusebits when flashing since 8MHz is said to be supported. do I need to set other fusebits?

How can I lead 2 wires Tx and GND out of the console for debugging the ATtiny? will it work with a bigger strand?

Thanks for the help. I don't have a lot of time atm but appreciated your answers!

EDIT: what other means of communication do you guys use? #PSXDEV IRC is down?

superg
Active PSXDEV User
Active PSXDEV User
Posts: 47
Joined: Sep 22, 2018

Post by superg » January 10th, 2019, 12:14 am

sy-pha wrote: January 9th, 2019, 11:06 pm I think my wires were to long. Since I disassembled and reassembled the PS so many times I decided to take my kynar wires outside the console for debugging .. but apparently that doesn't work .. I guess that caused jumping voltages @rama3
That's what I do and I haven't encountered a problem yet. I have 3 different controllers on a breadboard with what I call "header" - 8 pins single row and I have those headers out of several playstation models so every time I want to try different console / different controller I just replug it. Same for debug output, my serial wires are pretty long, they go through USB serial converter and I monitor that using PuTTY. Although I don't use kynar wires, I repurpose (cut and solder) those 0.1" header wires they sell with arduino kits - those are stranded and a bit thicker than kynar wires.

User avatar
sy-pha
What is PSXDEV?
What is PSXDEV?
Posts: 3
Joined: Dec 31, 2018
I am a: CS Student
PlayStation Model: 1002 PAL

Post by sy-pha » January 10th, 2019, 11:05 pm

superg wrote: January 10th, 2019, 12:14 am That's what I do and I haven't encountered a problem yet. I have 3 different controllers on a breadboard with what I call "header" - 8 pins single row and I have those headers out of several playstation models
thanks a lot for elaborating .. I'm gonna set up a similar environment the next time I get to work on it and report back. In the meantime I ordered some more microcontrollers and an OG PAL Game to test the PS with.

rama3
Verified
/// PSXDEV | ELITE ///
/// PSXDEV | ELITE ///
Posts: 510
Joined: Apr 16, 2017

Post by rama3 » January 12th, 2019, 3:44 am

Long wires aren't usually a problem.
Fuses should be documented somewhere :p

Afaik, we only use this board for PsNee talk.
I have another huge project that takes most of my time (gbscontrol).

Post Reply

Who is online

Users browsing this forum: Google [Bot] and 6 guests