As most of you know, the BIOS of most Japanese and some later EU machines checks the license data on each game and only boots the software if that license data is of the correct region.
I want to develop a modchip routine that ideally skips these checks and behaves like a regular NTSC-U or earlier EU BIOS.
To quote nocash's docs:
CDROM ISO Volume Descriptors
System Area (prior to Volume Descriptors)
The first 16 sectors on the first track are the system area, for a Playstation disk, it contains the following:
Sector 0..3 - Zerofilled (Mode2/Form1, 4x800h bytes, plus ECC/EDC)
Sector 4 - Licence String
Sector 5..11 - Playstation Logo (3278h bytes) (remaining bytes FFh-filled)
Sector 12..15 - Zerofilled (Mode2/Form2, 4x914h bytes, plus EDC)
Of which, the Licence String in sector 4 is,
000h 32 Line 1 (" Licensed by ")
020h 32+6 Line 2 (EU) ("Sony Computer Entertainment Euro"," pe ") ;\either
020h 32+1 Line 2 (JP) ("Sony Computer Entertainment Inc.",0Ah) ; one of
020h 32+6 Line 2 (US) ("Sony Computer Entertainment Amer"," ica ") ;/these
041h 1983 Empty (JP) (filled by repeating pattern 62x30h,1x0Ah, 1x30h)
046h 1978 Empty (EU/US) (filled by 00h-bytes)
The Playstation Logo in sectors 5..11 contains data like so,
0000h .. 41h,00h,00h,00h,00h,00h,00h,00h,01h,00h,00h,00h,1Ch,23h,00h,00h
0010h .. 51h,01h,00h,00h,A4h,2Dh,00h,00h,99h,00h,00h,00h,1Ch,00h,00h,00h
0020h .. ...
3278h 588h FF-filled (remaining bytes on sector 11)
The Logo contains a header, polygons, vertices and normals for the "PS" logo (which is displayed when booting from CDROM). Some BIOS versions compare these 3278h bytes against an identical copy in ROM, and refuse to boot if the data isn't 1:1 the same:
- US/ASIA BIOS always accepts changed logos.
- PAL BIOS accepts changed logos up to v3.0E (and refuses in v4.0E and up).
- JP BIOS never accepts changed logos (and/or changed license strings?).
To do this, I need some help finding the routine in a BIOS dump, then figuring out on which pins of the BIOS IC this code is transferred, and when.
Ideally, there is a simple conditional branch that I can just NOP, but who knows.
Note: This is essentially similar to what the OneChip code does on later EU machines, connecting to A18 and D2 and dragging D2 down at a precise time. I want to patch out and bypass the entire region check routine though.
I hope one of you knows how to tackle this. A logic analyzer and previous experience (designing / coding my modchip) are there.
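As an added example (not part of the original post or of nocash's docs), the following Python parses sector 4 of a disc's system area according to the licence-string layout quoted above, compares the 3278h logo bytes in sectors 5..11 against a reference copy the way the stricter BIOS versions do, and models the three per-BIOS logo rules listed. The sample sectors are constructed here from the quoted offsets; the exact padding of line 1 and of the EU/US line-2 tails is an assumption, and the BIOS region/version names are illustrative.

```python
# Added example, not from the original post: parse and check the PlayStation
# system-area licence data as described in the quoted layout.
SECTOR_SIZE = 0x800          # Mode2/Form1 user bytes per sector
LOGO_SIZE = 0x3278           # logo bytes spanning sectors 5..11
LOGO_START = 5 * SECTOR_SIZE # logo begins at sector 5

# Line 2 of the licence string (offset 020h, 32 bytes) identifies the region.
LINE2_REGION = {
    b"Sony Computer Entertainment Euro": "EU",
    b"Sony Computer Entertainment Inc.": "JP",
    b"Sony Computer Entertainment Amer": "US",
}
# The "+6" / "+1" continuation after line 2; EU/US padding is assumed.
LINE2_TAIL = {"EU": b"pe".ljust(6), "JP": b"\x0a", "US": b"ica".ljust(6)}


def build_licence_sector(region: str) -> bytes:
    """Constructed sample of sector 4 for region "EU", "JP" or "US"."""
    line1 = b"Licensed by".center(32)              # exact padding assumed
    line2 = next(k for k, v in LINE2_REGION.items() if v == region)
    body = line1 + line2 + LINE2_TAIL[region]      # ends at 041h (JP) / 046h (EU/US)
    if region == "JP":
        # 041h: 1983 bytes of the repeating pattern 62x30h,1x0Ah
        pattern = b"0" * 62 + b"\x0a"
        fill = (pattern * (SECTOR_SIZE // len(pattern) + 1))[: SECTOR_SIZE - len(body)]
    else:
        fill = b"\x00" * (SECTOR_SIZE - len(body))  # 046h: 1978 zero bytes
    return body + fill


def licence_region(sector4: bytes):
    """Return "EU", "JP", "US" or None for the licence string in sector 4."""
    if len(sector4) < 0x40 or b"Licensed by" not in sector4[0x00:0x20]:
        return None
    return LINE2_REGION.get(sector4[0x20:0x40])


def logo_matches(system_area: bytes, reference_logo: bytes) -> bool:
    """1:1 compare of the 3278h logo bytes (sectors 5..11) against a ROM copy."""
    return system_area[LOGO_START:LOGO_START + LOGO_SIZE] == reference_logo[:LOGO_SIZE]


def bios_accepts_logo(bios_region: str, bios_version: float, logo_ok: bool) -> bool:
    """Model the quoted rules: bios_region is "US" (US/ASIA), "PAL" or "JP"."""
    if bios_region == "US":
        return True                        # always accepts changed logos
    if bios_region == "PAL":
        return logo_ok or bios_version <= 3.0  # refuses from v4.0E and up
    return logo_ok                         # JP never accepts a changed logo


def build_system_area(region: str, logo: bytes) -> bytes:
    """Constructed 16-sector system area: zeros, licence, logo, FFh fill, zeros."""
    area = bytearray(b"\x00" * (4 * SECTOR_SIZE))
    area += build_licence_sector(region)
    logo_area = logo[:LOGO_SIZE].ljust(7 * SECTOR_SIZE, b"\xff")
    area += logo_area
    area += b"\x00" * (4 * SECTOR_SIZE)
    return bytes(area)


if __name__ == "__main__":
    ref_logo = bytes(i % 256 for i in range(LOGO_SIZE))   # constructed stand-in
    disc = build_system_area("JP", ref_logo)
    print("region:", licence_region(disc[4 * SECTOR_SIZE:5 * SECTOR_SIZE]))
    print("logo ok:", logo_matches(disc, ref_logo))
```

Running the block prints the detected region and whether the logo bytes match; feed it the first 16 sectors' user data from a real image (2048 bytes per sector, ECC/EDC stripped) to inspect a disc.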