Reverse Engineering the PSX Copy Protection (Wobble Groove)

Members research, findings and information that can be useful towards the PlayStation 1.
Post Reply
User avatar
Shadow
Admin / PSXDEV
Admin / PSXDEV
Posts: 2379
Joined: December 31st, 2012, 5:37 pm
PlayStation Model: H2000/5502

Reverse Engineering the PSX Copy Protection (Wobble Groove)

Post by Shadow » May 5th, 2017, 4:35 am

Well I thought I'd open a topic here to contain all relevant information in regards to the PlayStation copy protection which is the infamous wobble groove.

One theory I have is to get CD-R's manufactured with the wobble pressed in where the ATIP would normally be, but the rest of the disc is recordable. Problem is, now there is no timing data for the writer, so the disc will actually be invisible to the drive and un-recordable. However, if a custom bit of firmware was written to ignore such a thing and the wobble was somehow used as a timing key for the drive, then it might be possible. Almost like how 'Clone-CD' has a 'Hide ATIP' function. Issue is, 140.6 kHz is the frequency of a normal ATIP, but the PSX wobble is 22 kHz.

Another theory I have is that the PSX simply doesn't care WHAT the wobble consists of so long as it find the correct license string (seen below) somewhere in the ATIP (IE: it will attempt to just read it at some point and thus the HC05 acquires the magic key). This means that the both the ATIP data and wobble data can be present in the ATIP on a CD-R itself thus the disc is still recordable, or, the wobble can just be simply burnt to the lead-in section and the PSX will effectively 'lock-on' to it. The first idea can be done by putting a PSX disc under a SEM and checking where exactly the wobble is versus a CD-R. The disc can't just be placed under it directly though. The AL sputtered coating needs to be removed as a thin film, thus the polypropylene coating needs to be eaten off by acid. However, one idea is to glue on strips of tape and literally 'rip' the coating directly off of the disc and place those under the SEM to get a mapping of the disc itself. I found a company which will let me do such a task, but it costs several hundred dollars to 'rent' their machine. The second idea requires custom burner firmware to do such a task, but in order to even burn a wobble, you need to make the laser physically wobble as it's burning.

PSX Disc Coating:
Image

Example CD-ROM: (if this were a wobble groove, the pits would be slanted)
Image

Wobble Data:

Code: Select all

©=+¥´   0x09 A9 3D 2B A5 B4 = SCEI
©=+¥ô   0x09 A9 3D 2B A5 F4 = SCEA
©=+¥t   0x09 A9 3D 2B A5 74 = SCEE

SCEI:    1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01101101 00
binary: 1001 10101001 00111101 00101011 10100101 10110100
hex:      09       A9       3D       2B       A5       B4

SCEA:   1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01111101 00
binary: 1001 10101001 00111101 00101011 10100101 11110100
hex:      09       A9       3D       2B       A5       F4

SCEE:   1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01011101 00
binary: 1001 10101001 00111101 00101011 10100101 01110100
hex:      09       A9       3D       2B       A5       74


SCEA: 1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01111101 00
SCEI:  1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01101101 00
SCEE: 1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01011101 00

XOR: One start bit and two stop bits per byte.
A byte is 8 bits, so (1 + 8) + 2 =  11 bits "per byte".
EG: SCEE 1 00110101 00 = 00110101

Least significant bit first it...
10101100

Now invert it...
01010011 (here is your physical wobble data on the CD-ROM visible by an oscilloscope at 22 KHz).
If you've ever listened very closely to a PSX disc booting, you can actually hear it reading the wobble. These audio clips might make you remember if you take a listen...

Audio Files:
download/file.php?mode=view&id=1159
download/file.php?mode=view&id=1160
download/file.php?mode=view&id=1161
download/file.php?mode=view&id=1162
download/file.php?mode=view&id=1163
download/file.php?mode=view&id=1164

You do not have the required permissions to view the files attached to this post.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

User avatar
gwald
1997 Yaroze Enthusiast
1997 Yaroze Enthusiast
Posts: 256
Joined: September 18th, 2013, 8:44 am
I am a: programmer/DBA
PlayStation Model: Net Yaroze
Location: Australia
Contact:

Re: Reverse Engineering the PSX Copy Protection (Wobble Groo

Post by gwald » May 5th, 2017, 3:01 pm

impressive research Shadow!
I thought the beep was a motor/track sound
I think if you made the cdr's and we could be burnt to it, many here would buy them, I know I would get some for sure :D

rama3
/// PSXDEV | ELITE ///
/// PSXDEV | ELITE ///
Posts: 508
Joined: April 16th, 2017, 10:54 pm

Re: Reverse Engineering the PSX Copy Protection (Wobble Groo

Post by rama3 » May 6th, 2017, 1:07 am

So that's that "boot" sound!
I distinctively remember noticing it back as early as '98 and I would never have made the connection to the copy protection.
So yea, this is an audio signal almost. Hmmm.

Thanks Shadow :)

User avatar
nocash
PSX Aficionado
PSX Aficionado
Posts: 306
Joined: November 12th, 2012, 2:36 pm
Contact:

Re: Reverse Engineering the PSX Copy Protection (Wobble Groo

Post by nocash » May 24th, 2017, 7:02 am

Seeing a PSX disc under microscope would be really interesting. Are you sure that one needs a Scanning Electron Microscope for that? A high-resolution Optical Microscope might work, too. As long as it can deal with the black surface of PSX discs, which aren't entirely black, in fact the PSX discs are transparent (you can use them as sunglasses and still see something when looking through them). I have absolutely no experience with microscopy, but I would imagine that a microscope with strong back-light could work, or an infra-red microscope (if any such thing exists), from what I've gathered shorter wave-length (like UV light) would be better for higher resolutions, but I don't know how that would work with the black disc surface.

The wobble audio/wav recordings are a bit confusing... I guess you don't mean that it's audible through sound output/speaker, but rather from the drive mechanics... the wobble causing the drive head to shake back'n'forth?

rama3
/// PSXDEV | ELITE ///
/// PSXDEV | ELITE ///
Posts: 508
Joined: April 16th, 2017, 10:54 pm

Re: Reverse Engineering the PSX Copy Protection (Wobble Groo

Post by rama3 » May 24th, 2017, 7:46 am

By the way, this is the subchannel Q readout while the PSX looks for the key:

Code: Select all

41 0 A1 1 31 30 0 1 0 0 9F 7F 
41 0 A2 1 31 34 0 58 35 35 9F 7F 
41 0 A0 1 36 60 0 1 20 0 AB 9F 
41 0 A1 1 36 63 0 1 0 0 9F 7F 
41 0 A2 1 36 66 0 58 35 35 FC FF 
41 0 A2 1 36 68 0 58 35 35 FC FF 

User avatar
Shadow
Admin / PSXDEV
Admin / PSXDEV
Posts: 2379
Joined: December 31st, 2012, 5:37 pm
PlayStation Model: H2000/5502

Re: Reverse Engineering the PSX Copy Protection (Wobble Groo

Post by Shadow » May 24th, 2017, 3:56 pm

nocash wrote:Seeing a PSX disc under microscope would be really interesting. Are you sure that one needs a Scanning Electron Microscope for that? A high-resolution Optical Microscope might work, too. As long as it can deal with the black surface of PSX discs, which aren't entirely black, in fact the PSX discs are transparent (you can use them as sunglasses and still see something when looking through them). I have absolutely no experience with microscopy, but I would imagine that a microscope with strong back-light could work, or an infra-red microscope (if any such thing exists), from what I've gathered shorter wave-length (like UV light) would be better for higher resolutions, but I don't know how that would work with the black disc surface.

The wobble audio/wav recordings are a bit confusing... I guess you don't mean that it's audible through sound output/speaker, but rather from the drive mechanics... the wobble causing the drive head to shake back'n'forth?
I'm fairly sure a regular microscope can't see the CD-ROM pits and lands. The first problem is that a scope that the public could have access to that can see 16,000 times would be extremely expensive. The second problem is the light. Getting a light strong enough to shine through the back of the disc and through the black (well, deep purple/blue because like you said, if you hold it up to the light it is transparent and some light does pass through, but only on platinum titles does it do this (images below)) poly-carbonate would be another challenge, yet alone to also pass through the aluminium coating too. Now while the image below is quite bright and you can see the SONY and Naughty Dog logo, under a regular microscope at 16,000 times, this would be extremely dim because of all the lenses it would need to reflect/refract through.

Best thing to do is grab some sticky tape, place it over the wobble and just rip it right off. Then, this can be placed in a SEM chamber and scanned. If the tape isn't strong enough, the surface can be lightly sanded with fine sandpaper, cleaned with alcohol and then a thin coating of epoxy can be layered on a section of the wobble and a piece of tape can then be meshed with it to create an even stronger bond that tape could do.

Platinum copy of Crash 3:
Image

Viewing it under an 2000 lumin 6500k LED light (so bright it's almost like looking at the sun):
Image

Yeah, those recordings are from the drive mechanics.
You do not have the required permissions to view the files attached to this post.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

clavicus
Curious PSXDEV User
Curious PSXDEV User
Posts: 10
Joined: June 6th, 2017, 9:23 pm

Re: Reverse Engineering the PSX Copy Protection (Wobble Groo

Post by clavicus » June 6th, 2017, 9:38 pm

You might be interested in knowing that the Biohazard 15th anniversary box comes with pressed discs of Resident Evil 1-3 which don't feature the black coating. Not sure if it would help in their case.

User avatar
Shadow
Admin / PSXDEV
Admin / PSXDEV
Posts: 2379
Joined: December 31st, 2012, 5:37 pm
PlayStation Model: H2000/5502

Re: Reverse Engineering the PSX Copy Protection (Wobble Groo

Post by Shadow » December 11th, 2017, 1:55 am

Ken Kutaragi Patent

Image
You do not have the required permissions to view the files attached to this post.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

User avatar
CodeAsm
Active PSXDEV User
Active PSXDEV User
Posts: 65
Joined: January 13th, 2012, 12:41 am
I am a: Programmer, Student
IRC: codeasm
Steam: codeasm
Location: The Netherlands
Contact:

Re: Reverse Engineering the PSX Copy Protection (Wobble Groo

Post by CodeAsm » December 11th, 2017, 7:50 pm

This is a very intresting topic :D
also note that an electron microscope might need some prepping, and you better get a large one or know infront where the intresting wobble is located before cutting ;)

https://youtu.be/GuCdsyCWmt8?t=444 (at 7:24 minutes) one of my favorite youtubers shows how he "tried" reading a CD-rom under his selfmade electron microscope.
Development Console: SCPH-102, unkown clone Modchip, PAL , FTDI board build into the case (microUSB) for Serial I/O.
Development Computer: GNU/Linux, Arch x86_64 Linux 4.20.3, i7-3632QM [8x3.2GHz], 11,8GiB, 1366x768 GeForce GT 630M (Optimus tech), lots of gig of storage

yaroze
Interested PSXDEV User
Interested PSXDEV User
Posts: 9
Joined: June 7th, 2016, 6:40 am

Re: Reverse Engineering the PSX Copy Protection (Wobble Groove)

Post by yaroze » March 10th, 2020, 7:54 am

For what it's worth, the "Modern Vintage Gamer" posted a video about PS1 security onto YouTube earlier today, and he mentioned at the ~6:15 mark that there were certain CD writers that could actually write the wobble sectors once flashed with custom firmware - followed by a photograph of a Plextor 12/10/32S CD writer at the ~6:28 mark

His video is here: https://youtu.be/7HOBQ7HifLE?t=375

I also found some discussion about custom Plextor CD writers that could write any pit pattern in the 'Comments' section of a PS1 Hackaday article: https://hackaday.com/2018/11/05/how-the ... as-hacked/

User avatar
Shadow
Admin / PSXDEV
Admin / PSXDEV
Posts: 2379
Joined: December 31st, 2012, 5:37 pm
PlayStation Model: H2000/5502

Re: Reverse Engineering the PSX Copy Protection (Wobble Groove)

Post by Shadow » March 10th, 2020, 12:34 pm

'Hack a Day' took some of the information from this topic (including those audio recordings I posted). 'Modern Vintage Gamer' seems to have got the majority of his sources from 'Alien^PDX' (that's Alien of Paradox, a long time member of Paradox).

I genuinely believe it is not possible to burn a wobble groove which is why I came up with the theory in my prior remarks of this topic. Everything people post about being able to do so are uneducated and are just spreading false information on the Internet without any proper citation or point of reference. Just because someone says something doesn't mean it's true. So, until someone can explain how they managed to write to the ATIP (where the wobble would be on a pressed disc) on a CD-R and then get the drive burner to track and still burn a PlayStation game, then I will be interested. Until then, people need to stop spreading false information on the Internet like this because it's not professional and makes researching information a minefield.

https://club.myce.com/t/tracking-coil-m ... n/87361/73
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

bennvenn
What is PSXDEV?
What is PSXDEV?
Posts: 2
Joined: March 16th, 2020, 6:09 pm

Re: Reverse Engineering the PSX Copy Protection (Wobble Groove)

Post by bennvenn » March 16th, 2020, 6:54 pm

The wobble...

First up, apologies posting to a very old thread. This seems like the place to post what I'm about to attempt - unless it has been done and there's a link I could read up on? Watching MVG's video last week sparked an interest in this that i've had for a while now. I wen't to an opshop and picked up a few CD players and burners to begin experimenting with.

I wanted to *see* this wobble, not only to see where it is on this particular disk I'm working with, but its amplitude compared to average wobble noise.

The correct term for this wobble is Tracking Error. The lasers primary purpose is to track the spiral data track, this is done (on my particular setup) by watching above and below the data track, if the laser wonders off, it'll pick this imbalance up and move the lens/sled to keep on track. The amount it moves is the result of a signal called Tracking Error (TE).

Attached is a signal recording of this TE signal as it reads the TOC of a PS1 disk - This is in an audio cd player so full TOC data isn't read but enough to visibly see the data.

It is also important to note that the TE during reading a track is around 100mv PP where the wobble data is 1.1v PP. This is the limit of the servo controller IC in this cd player I'm using so the wobble could be greater than that, it is just being clipped. The wobble is significant in size.

My thoughts are - If we are to produce a bootable CD, we need to inject this signal during burning. We need to know *how much* wobble we need to inject for the detector in the PS1 to demodulate it, if we can inject it at all.

I'll be perusing two more tests before making up my mind if a commercial burner ever did exist that could burn this track, or not. Those are, inject TE into the PS1 during playback of an audio CD. I'd like to know how much TE is required to get an output from the demodulator.

Second is to inject TE during burning an audio CD at 1x speed. This will need to be done at a hardware level. My thoughts are, if we can ever so slightly defocus the laser and move the lens during burning we can cause an amplified TE when we play back the track while keeping the data itself largely undamaged. Defocusing may not even be required. If I can add a 1khz tone to the TE signal, and recover it during playback, I have absolutely no doubt that a purpose built burner could do this too.

So! That's my idea. Happy to be told its stupid/crazy but I'd like to follow it to its end all the same.

I'm happy to hear your thoughts, opinions and ideas!

-Ben

Edit: File is too large to upload, I'll host it elsewhere and post the link if anyone is interested (and it doesn't breach the rules here)

User avatar
Shadow
Admin / PSXDEV
Admin / PSXDEV
Posts: 2379
Joined: December 31st, 2012, 5:37 pm
PlayStation Model: H2000/5502

Re: Reverse Engineering the PSX Copy Protection (Wobble Groove)

Post by Shadow » March 16th, 2020, 11:27 pm

My original experiment was that burning the wobble right after the ATIP on a CD-R might cause the PSX tracking servo to lock-on and track that injected 22KHz wobble. It's all just theory though and an experiment I was interested to try which is why I wanted to scan the physical wobble pits and lands under a SEM to see exactly what they look like, where on the disc they exactly are and how long the track is so we have some sort of reference to what we should be aiming for.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

bennvenn
What is PSXDEV?
What is PSXDEV?
Posts: 2
Joined: March 16th, 2020, 6:09 pm

Re: Reverse Engineering the PSX Copy Protection (Wobble Groove)

Post by bennvenn » March 17th, 2020, 8:37 am

This 22khz modulation, do you have more info on it? The TE signal I'm monitoring doesn't modulate, it is simply serial data. There is no demodulation going on in this CD player I'm using either, it is just amplified E - F optical pickup data right before it is fed back into the lens servo circuit.

Unless the roll off frequency of the servo is below the 22khz so it's demodulating automatically... Which is possibly the case as an FFT of the sample shows a small peak at 22khz...

Here's a chirp in the TE signal that occurs only during the TOC read, and only on PS1 disks.
You do not have the required permissions to view the files attached to this post.

User avatar
Shadow
Admin / PSXDEV
Admin / PSXDEV
Posts: 2379
Joined: December 31st, 2012, 5:37 pm
PlayStation Model: H2000/5502

Re: Reverse Engineering the PSX Copy Protection (Wobble Groove)

Post by Shadow » March 17th, 2020, 12:46 pm

What you've read is probably demodulated already. In order to re-master the wobble on a CD-R, a burner needs to write it at a 22KHz frequency.
Development Console: SCPH-5502 with 8MB RAM, MM3 Modchip, PAL 60 Colour Modification (for NTSC), PSIO Switch Board, DB-9 breakout headers for both RGB and Serial output and an Xplorer with CAETLA 0.34.

PlayStation Development PC: Windows 98 SE, Pentium 3 at 400MHz, 128MB SDRAM, DTL-H2000, DTL-H2010, DTL-H201A, DTL-S2020 (with 4GB SCSI-2 HDD), 21" Sony G420, CD-R burner, 3.25" and 5.25" Floppy Diskette Drives, ZIP 100 Diskette Drive and an IBM Model M keyboard.

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest