Reverse Engineering the PSX Copy Protection (Wobble Groove)

Members' research, findings and information that can be useful for the PlayStation 1.
Zyo117
What is PSXDEV?
Posts: 3
Joined: May 23, 2022
PlayStation Model: SCPH-101
Location: Canada

Post by Zyo117 » May 23rd, 2022, 11:24 am

Now I know that it's sort of bad form both to necro a topic as a first post, and also to continue to perpetuate a somewhat unbelieved bit of hearsay in the PSX world, but I started reading Sony's patent application for their copy protection, and it led me down a somewhat interesting rabbit hole. According to their patent, the wobble groove is located in the TOC (table of contents) area of the disc, which, on a standard CD, is between 23 and 25 millimetres from the centre point.

Now the part that interested me is that on a standard CD-R, there is a section called the PMA, just before the TOC, at around 22.35mm to 23mm from centre. The PMA is a program memory area, used to store a temporary table of contents until the session is closed (the disc is burned), when the PMA is copied to the lead-in. Knowing the way CD-Rs work, this wouldn't have been able to be erased afterwards.

Now for the speculation section. I don't have a standard Ps1 disc to check with, but my thinking is that the wobble groove is pressed into the area where the PMA is on a CD-R. And now the part that's really interesting. According to the bloke from Paradox who gave MVG his info, a custom firmware was being run on the CD burner, which leads me to think they may have changed the burning process to eliminate the PMA cache, leaving that area of the disc open to modification. I'm not sure if you can burn a wobble groove into a disc, but perhaps the reason there was a specific model of burner chosen was for the strength of the laser.

Now speculation (mostly) aside, if anyone was planning to put a ps1 CD under a microscope, my guess is to look around the 22.35-23mm mark for the groove. According to Sony, as well, the groove should repeat the information several times.

Shadow
Verified
Admin / PSXDEV
Posts: 2563
Joined: Dec 31, 2012
PlayStation Model: H2000/5502
Discord: Shadow^PSXDEV

Post by Shadow » May 23rd, 2022, 8:14 pm

Zyo117 wrote: May 23rd, 2022, 11:24 am
Now I know that it's sort of bad form both to necro a topic as a first post, and also to continue to perpetuate a somewhat unbelieved bit of hearsay in the PSX world, but I started reading Sony's patent application for their copy protection, and it led me down a somewhat interesting rabbit hole. According to their patent, the wobble groove is located in the TOC (table of contents) area of the disc, which, on a standard CD, is between 23 and 25 millimetres from the centre point.

Now the part that interested me is that on a standard CD-R, there is a section called the PMA, just before the TOC, at around 22.35mm to 23mm from centre. The PMA is a program memory area, used to store a temporary table of contents until the session is closed (the disc is burned), when the PMA is copied to the lead-in. Knowing the way CD-Rs work, this wouldn't have been able to be erased afterwards.

Now for the speculation section. I don't have a standard Ps1 disc to check with, but my thinking is that the wobble groove is pressed into the area where the PMA is on a CD-R. And now the part that's really interesting. According to the bloke from Paradox who gave MVG his info, a custom firmware was being run on the CD burner, which leads me to think they may have changed the burning process to eliminate the PMA cache, leaving that area of the disc open to modification. I'm not sure if you can burn a wobble groove into a disc, but perhaps the reason there was a specific model of burner chosen was for the strength of the laser.

Now speculation (mostly) aside, if anyone was planning to put a ps1 CD under a microscope, my guess is to look around the 22.35-23mm mark for the groove. According to Sony, as well, the groove should repeat the information several times.
I'm certain it's not located where the TOC is. Every CD has a TOC. It's located where the ATIP is. CD-Rs have a pre-recorded ATIP, whereas pressed PlayStation CD-ROMs have the wobble data instead. At least, that's my understanding.

The PMA sounds interesting, and if a custom burner firmware was made it might be something which is possible. We'd have to look under a microscope or SEM. My theory is the PlayStation CD-ROM mechanics might have a design flaw in them which results in the servos drifting and then finding and reading the 4 character string which makes the HC05 firmware pass validation.

Yes, the wobble repeats.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

Zyo117
What is PSXDEV?
Posts: 3
Joined: May 23, 2022
PlayStation Model: SCPH-101
Location: Canada

Post by Zyo117 » May 24th, 2022, 7:09 am

Shadow wrote: May 23rd, 2022, 8:14 pm
I'm certain it's not located where the TOC is. Every CD has a TOC. It's located where the ATIP is. CD-Rs have a pre-recorded ATIP, whereas pressed PlayStation CD-ROMs have the wobble data instead. At least, that's my understanding.

The PMA sounds interesting, and if a custom burner firmware was made it might be something which is possible. We'd have to look under a microscope or SEM. My theory is the PlayStation CD-ROM mechanics might have a design flaw in them which results in the servos drifting and then finding and reading the 4 character string which makes the HC05 firmware pass validation.

Yes, the wobble repeats.
The idea that it's around (not in exactly the same place, but in the general area) the TOC actually comes from Sony's patent application for their anti-piracy scheme. They might have been purposely vague on specifics, but that was the location they referenced.
In the preferred embodiment of the present invention, the system performs an initial check to determine whether or not the disc contains a “wobbled” code in the TOC (Table of Contents) area of the disc. In an authorized disc, the security code is repeated several times in order to ensure that it is properly detected without the need to add error correction bits to the security code. The system initially checks to determine whether the disc contains wobbling of the data in the TOC area of the disc before actually checking the actual code. If the disc does not contain a wobbled code, the system then determines if the disc is actually an audio disc. If it is an audio disc the system proceeds to play the audio disc and provide an audio output. If it is not an audio disc then the system shuts down.
If the disc does contain a “wobbled” code in the TOC area of the disc, the player proceeds to decode the wobbled code and transmit this decoded data to a mechanical controller. If the wobbled code matches a predetermined security code, then the system performs a second check on the disc for verifying authenticity. If the wobbled code does not match, the player then checks to see if the disc is an audio disc as noted above. If the disc passes the first code verification, the disc player then proceeds to verify that the disc contains a logo which matches a logo stored in the system. This second verification is performed to verify that the disc is actually authorized.
In the preferred embodiment of the present invention, the data bits which define the TOC (Table of Contents) area of the disc are stored such that a wobbled security code is embedded in the TOC track as a modulation of a physical positional offset from a nominal track location. The security code is stored by a process in which a 22.05 kHz signal is used as the modulation carrier wave which is digitally modulated in NRZ (Non Return to Zero) format to encode the security code.
According to the patent, the TOC bits on the disc are wobbled from a nominal track position; that wobble is the 'wobble groove', but it's embedded directly into the TOC. Not to necessarily say you're wrong in thinking it's in a different place, but it seems to me, based on Sony's documentation, that the understanding of how this all works is a little flawed? If the wobble groove is just an offsetting of the pits in the CD from the centre line, that should be entirely reproducible. It's not a groove, per se, as much as the information bits being intentionally not lined up.

Zyo117
What is PSXDEV?
Posts: 3
Joined: May 23, 2022
PlayStation Model: SCPH-101
Location: Canada

Post by Zyo117 » May 26th, 2022, 9:09 am

After studying the patent (US 6304971) several times, I think I have some idea how this works now, and I'll just post it all in the one post to make it easy to understand. Basically, the wobble 'groove' doesn't exist. I don't know where that idea came from, maybe it was a suggestion early on in the PSX modding community and just stuck, but the term is a misnomer. The CDs aren't special other than being black. There's no data written to unwritable parts of the disc.

Strictly according to the patent that Sony filed (and which expired in 2015, by the way, so happy reverse engineering), the disc uses Sony's standard guide groove with a wobble of 22.05kHz (half of the standard audio sample rate of 44.1kHz). The game data is all written normally; however, the TOC content is written in a special way. The bits that are written to the disc to comprise the TOC are burned in such a way that they don't line up with the centre of the guide groove. They mention using "22.05kHz modulation", which to my ears sounds like they essentially vibrate the laser opposite to the vibrations of the guide groove as the bits are being written. The laser, while reading the disc, does double duty: it checks if the data for the Table Of Contents wobbles, and if it does, proceeds to read the table of contents data and read the 'wobble' of said data at the same time. These are read in NRZ (non return to zero) format: areas where the data wobbles are a 0, areas where the data doesn't wobble are a 1. This is the 'wobble groove'. The system then checks for the presence of a logo as a second verification.

I want to be clear in saying that this is my simplified understanding strictly based on Sony's patent, with reference to Sony's patent for the CD guide groove, and throwing out everything I've 'learned' about it from YouTube and basic internet 'research'. This may not be exactly the implementation that Sony used in the PSX but given that they went into such specifics, I'd imagine they wouldn't deviate far from it for fear of being copied and not being able to legally defend their patent. If this can be verified by somebody with an IR microscope and a PS1 disc (IR can see through the dark purple plastic), well, that'll basically be the most public progress on reverse engineering the security in 28 years. No pressure, lol.
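To make the mechanism the patent excerpt and the post above describe concrete, here is an added, constructed model in Python. It is not code from this thread, from Sony, or from the patent; it only models the scheme as the poster reads it: a 22.05 kHz carrier switched on (bit 0) or off (bit 1) per NRZ bit period, the code repeated several times so a per-bit majority vote stands in for error-correction bits, and the player's two-stage flow (first "is there any wobble?", then "does the code match?"). The sample rate, the number of carrier cycles per bit, the noise level, the 4-character placeholder code "CODE" and the function names are all assumptions for the demonstration, not values from the page or from any real disc or firmware.

```python
"""Constructed model of a 22.05 kHz NRZ "wobble" security code and its detector.
Everything here is an illustration; it is not Sony's real on-disc format."""
import math
import random

# Carrier frequency named in the patent excerpt quoted in the thread.
CARRIER_HZ = 22_050
# All values below are constructed model parameters, not values from the page.
SAMPLE_RATE = 441_000                                  # 20 samples per carrier cycle
SAMPLES_PER_CYCLE = SAMPLE_RATE // CARRIER_HZ          # 20
CYCLES_PER_BIT = 8                                     # carrier cycles held per NRZ bit
SAMPLES_PER_BIT = SAMPLES_PER_CYCLE * CYCLES_PER_BIT   # 160
WOBBLE_AMPLITUDE = 1.0                                 # nominal track offset, arbitrary units
REPEATS = 3                                            # "repeated several times" (patent text)


def code_to_bits(code):
    """ASCII string -> list of bits, MSB first (e.g. a 4-character code -> 32 bits)."""
    return [(b >> i) & 1 for b in code.encode("ascii") for i in range(7, -1, -1)]


def bits_to_code(bits):
    """Inverse of code_to_bits; len(bits) is expected to be a multiple of 8."""
    out = bytearray()
    for k in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[k:k + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return out.decode("ascii", errors="replace")


def modulate(bits):
    """Track-offset waveform: a 22.05 kHz wobble where a bit is 0, a flat (nominal)
    track where it is 1, following the poster's reading of the NRZ scheme. NRZ
    means the level is held for the whole bit period. SAMPLES_PER_BIT is a whole
    number of carrier cycles, so the carrier phase is continuous across bits."""
    samples = []
    for bit in bits:
        for n in range(SAMPLES_PER_BIT):
            if bit:
                samples.append(0.0)
            else:
                samples.append(WOBBLE_AMPLITUDE * math.sin(2 * math.pi * n / SAMPLES_PER_CYCLE))
    return samples


def carrier_amplitude(window):
    """Estimate the 22.05 kHz component of a window with a single-bin DFT
    (in-phase/quadrature correlation). For a sinusoid of amplitude A spanning
    whole cycles, |sum| = A * N / 2, so 2 * |sum| / N recovers A."""
    n = len(window)
    re = sum(x * math.cos(2 * math.pi * k / SAMPLES_PER_CYCLE) for k, x in enumerate(window))
    im = sum(x * math.sin(2 * math.pi * k / SAMPLES_PER_CYCLE) for k, x in enumerate(window))
    return 2.0 * math.hypot(re, im) / n


def bit_windows(samples):
    """Slice the region into one window per NRZ bit period."""
    return [samples[i:i + SAMPLES_PER_BIT]
            for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT)]


def has_wobble(samples, threshold=WOBBLE_AMPLITUDE / 2):
    """Stage one of the flow in the patent excerpt: is any wobble present at all?"""
    return any(carrier_amplitude(w) > threshold for w in bit_windows(samples))


def demodulate(samples, threshold=WOBBLE_AMPLITUDE / 2):
    """Stage two: per bit period, wobble present -> 0, absent -> 1 (poster's reading)."""
    return [0 if carrier_amplitude(w) > threshold else 1 for w in bit_windows(samples)]


def decode_repeated(samples, code_len_bits, repeats=REPEATS):
    """Recover the code from `repeats` copies by per-bit majority vote; the
    repetition is what lets the patent skip error-correction bits on the code."""
    bits = demodulate(samples)
    copies = [bits[r * code_len_bits:(r + 1) * code_len_bits] for r in range(repeats)]
    voted = [1 if sum(col) * 2 > repeats else 0 for col in zip(*copies)]
    return bits_to_code(voted)


def add_noise(samples, sigma, seed=0):
    """Constructed, deterministic Gaussian disturbance standing in for tracking noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def verify_disc(samples, expected_code):
    """The player flow as quoted: no wobble -> not an authorised game disc;
    wobble but wrong code -> same; match -> go on to the second (logo) check,
    which is not modelled here."""
    if not has_wobble(samples):
        return "no-wobble"
    if decode_repeated(samples, len(expected_code) * 8) != expected_code:
        return "code-mismatch"
    return "code-ok"


if __name__ == "__main__":
    region = add_noise(modulate(code_to_bits("CODE") * REPEATS), sigma=0.3, seed=7)
    print(verify_disc(region, "CODE"))              # code-ok
    print(verify_disc([0.0] * len(region), "CODE"))  # no-wobble
```

The detector is deliberately dumb: a single-bin DFT per bit window, which is enough to show why a constant-frequency wobble is easy to detect on a tracking-error signal and why repeating the 32-bit code lets one damaged copy be outvoted. Note the edge case the scheme implies: a code consisting only of 1 bits would produce no wobble anywhere and would fail stage one, so any real code must contain 0 bits.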
