PsNeeV6

1. //                    PPPPPPPPPPPPPPPP                  P            P      
2. //                   P              P                  PP           P        
3. //                  P              P                  P P          P        
4. //                 P              P                  P  P         P          
5. //                P              P                  P   P        P          
6. //               P              P                  P    P       P            
7. //              P              P                  P     P      P            
8. //             PPPPPPPPPPPPPPPP  PPPPPPPPPPP     P      P     P  PPPPPPPPPPP  PPPPPPPPPPP
9. //            P                 P               P       P    P  P            P
10. //           P                 P               P        P   P  P            P  
11. //          P                 P               P         P  P  P            P  
12. //         P                 P               P          P P  P            P    
13. //        P                 PPPPPPPPPPPPPP  P           PP  PPPPPPP      PPPPPPP    
14. //       P                              P  P            P  P            P      
15. //      P                              P  P            P  P            P      
16. //     P                              P  P            P  P            P        
17. //    P                              P  P            P  P            P        
18. //   P                              P  P            P  P            P      
19. //  P                              P  P            P  P            P        
20. //                     PPPPPPPPPPPP  P            P  PPPPPPPPPPP  PPPPPPPPPPP   VERSION 6!
21.  
22. //UPDATED AT MAY 14 2016, CODED BY THE FRIENDLY FRIETMAN :-)
23.  
24. //PsNee, an open source stealth modchip for the Sony Playstation 1, usable on
25. //all platforms supported by Arduino, preferably ATTiny. Finally something modern!
26.  
27.  
28. //--------------------------------------------------
29. //                    TL;DR
30. //--------------------------------------------------
31. //Look for the "Arduino selection!" section and verify the target platform. Hook up your target device and hit Upload!
32. //BEWARE: when using ATTiny45, make sure the proper device is selected (Extra=>Board=>ATTiny45 (internal 8MHz clock))
33. //and the proper fuses are burnt (use Extra=>Burn bootloader for this), otherwise PsNee will malfunction. A tutorial on
34. //uploading Arduino code via an Arduino Uno to an ATTiny device: http://highlowtech.org/?p=1695
35. //Look at the pinout for your device and hook PsNee up to the points on your Playstation.
36.  
37.  
38. //--------------------------------------------------
39. //                 General info!
40. //--------------------------------------------------
41. //PLAYSTATION 1 SECURITY - HOW IT DOES IT'S THING:
42. //Sony didn't really go through great lenghts to protect it's precious Playstation
43. //from running unauthorised software; the main security is based on a simple ASCII
44. //string of text that is read from a part of an original Playstation disc that cannot
45. //be reproduced by an ordinary PC CD burner.
46. //As most of you will know, a CD is basically a very long rolled up (carrier) string in which very
47. //little pits and ehm... little not-pits are embedded that represent the data stored on the disc.
48. //The nifty Sony engineers did not use the pits and stuff to store the security checks for
49. //Playstation discs but went crazy with the rolled up carrier string. In an ordinary CD, the
50. //string is rolled up so that the spacing between the tracks is as equal as possible. If that
51. //is not the case, the laser itself needs to move a bit to keep track of the track and
52. //reliably read the data off the disc.
53. //If you wonder how the laser knows when it follows the track optimally: four photodiodes, light
54. //intensity measurement, difference measurements, servo. There.
55. //To the point: the Sony engineers decidedly "fumbled up" the track of sector 4 on a Playstation
56. //disc (the track was modulated in nerd-speak) so that the error correction circuit outputs a
57. //recognisable signal, as the laser needs to be corrected to follow the track optimally.
58. //This output signal actually is a 250bps serial bitstream (with 1 start bit and 2 stop bits) which
59. //in plain ASCII says SCEA (Sony Computer Entertainment of America), SCEE (Sony Computer Entertainment
60. //of Europe) or SCEI (Sony Computer Entertainment of Japan), depending on the region of the disc inserted.
61. //The security thus functions not only as copy protection, but also as region protection.
62. //The text string from the disc is compared with the text string that is embedded in the Playstation
63. //hardware. When these text strings are the same, the disc is interpreted to be authentic and from
64. //the correct region. Bingo!
65.  
66. //HOW THE MODCHIP TRICKS THE PLAYSTATION:
67. //The modchip isn't all that of a complicated device: clever reverse engineers found the point on the
68. //Playstation motherboard that carried the text string from the disc and found a way to temporarily block
69. //this signal (by grounding an input of an op-amp buffer) to be able to inject the signal from the modchip
70. //The modchip injects after about 1500ms the text strings SCEE SCEA SCEI on the motherboard point and stops
71. //with this after about 25 seconds. Because all the possible valid region options are outputted on the
72. //motherboard the Playstation gets a bit confused and simply accepts the inserted disc as authentic; after all,
73. //one of the codes was the same as that of the Playstation hardware...
74. //Early modchips applied the text strings as long as power was applied to them, whereby later Playstation
75. //software could detect whether a modchip was installed. This is circumvented in this application by idling the
76. //modchip after about 25 seconds. The text strings are only tranmitted again when the CD lid is opened and closed
77. //again, to enable playing multi-disc games. This is also called a stealth modchip in marketing-speak.
78.  
79.  
80. //--------------------------------------------------
81. //               New in this version!
82. //--------------------------------------------------
83. //A lot!
84. // - The PAL SCPH-102 NTSC BIOS-patch works flawlessly! For speed reasons this is implemented in bare
85. //   AVR C. It is functionally identical to the OneChip modchip, this modchip firmware was disassembled,
86. //   documented (available on request, but written in Dutch...) and analyzed with a logic analyzer to
87. //   make sure PsNee works just as well.
88. // - The code now is segmented in functions which make the program a lot more maintable and readable
89. // - Timing is perfected, all discs (both backups and originals of PAL and NTSC games) now work in the
90. //   PAL SCPH-102 test machine
91. // - It was found out that the gate signal doesn't havbe to be hooked up to a PAL SCPH-102 Playstation
92. //   to circumvent the copy protection. This is not tested on other Playstation models so the signal still
93. //   is available
94. // - The /xlat signal is no longer required to time the PAL SCPH-102 NTSC BIOS-patch
95. // - Only AVR PORTB is used for compatibility reasons (almost all the AVR chips available have PORTB)
96.  
97.  
98. //--------------------------------------------------
99. //                  Pinouts!
100. //--------------------------------------------------
101. //FOR ARDUINO UNO (WITH ATMEGA328):
102. // - Arduino pin 8  = data    = ATMega pin 14
103. // - Arduino pin 9  = gate    = ATMega pin 15
104. // - Arduino pin 10 = lid     = ATMega pin 16
105. // - Arduino pin 11 = biosA18 = ATMega pin 17
106. // - Arduino pin 12 = biosD2  = ATMega pin 18
107.  
108. //FOR ATTINY25/45/85:
109. // - Arduino pin 0 = data    = ATTiny pin 5
110. // - Arduino pin 1 = gate    = ATTiny pin 6
111. // - Arduino pin 2 = lid     = ATTiny pin 7
112. // - Arduino pin 3 = biosA18 = ATTiny pin 2
113. // - Arduino pin 4 = biosD2  = ATTiny pin 3
114.  
115. //--------------------------------------------------
116. //                    Includes!
117. //--------------------------------------------------
118. #include <Flash.h>
119.  
120. //--------------------------------------------------
121. //               Arduino selection!
122. //--------------------------------------------------
123. #define ARDUINO_UNO        //Make that "#define ARDUINO_UNO" if you want to compile for Arduino Uno instead of ATTiny25/45/85
124.  
125. #ifdef ARDUINO_UNO
126. //Pins
127. int data = 8;         //The pin that outputs the SCEE SCEA SCEI string
128. int gate = 9;         //The pin that outputs the SCEE SCEA SCEI string
129. int lid = 10;         //The pin that gets connected to the internal CD lid signal; active high
130. int biosA18 = 11;     //Only used in SCPH-102 PAL mode
131. int biosD2 = 12;      //Only used in SCPH-102 PAL mode
132. int delay_ntsc = 2350;
133. int delay_between_bits = 4;
134. int delay_between_injections = 74;
135. #endif
136.  
137. #ifdef ATTINY
138. //Pins
139. int data = 0;        //The pin that outputs the SCEE SCEA SCEI string
140. int gate = 1;
141. int lid = 2;         //The pin that gets connected to the internal CD lid signal; active high
142. int biosA18 = 3;     //Only used in SCPH-102 PAL mode
143. int biosD2 = 4;      //Only used in SCPH-102 PAL mode
144. int delay_ntsc = 2400;
145. int delay_between_bits = 4;
146. int delay_between_injections = 68;
147. #endif
148.  
149. //--------------------------------------------------
150. //              Global variables!
151. //--------------------------------------------------
152. //None, just like it should be!
153.  
154. //--------------------------------------------------
155. //              Seperate functions!
156. //--------------------------------------------------
157. void NTSC_fix()
158. {
159.   //Make sure all pins are inputs
160.   DDRB = 0x00;
161.  
162.   //Wait until just before the pulse on BIOS A18 arrives
163.   delay(delay_ntsc);
164.  
165.   //...And wait here until it actually happened
166.   while(!(PINB & B00001000))
167.   {
168.     ;  //Wait
169.   }
170.   delayMicroseconds(12);
171.   PORTB = B00000000;
172.   DDRB = B00010000;
173.   delayMicroseconds(5);
174.   DDRB = 0x00;
175. }
176.  
177. void inject_SCEE()
178. {
179.   //SCEE-array                                                                                                                   //      Start            Data     Stop
180.   FLASH_ARRAY (boolean, SCEEData, 1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,1,0,1,0,0,1,0,1,0,1,1,1,0,1,0,0,1,0,1,0,1,1,1,0,1,0,0);      //SCEE: 1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01011101 00   44 bits total
181.  
182.   int bit_counter;
183.  
184.   for (bit_counter = 0; bit_counter < 44; bit_counter = bit_counter + 1)
185.   {
186.     if (SCEEData[bit_counter] == 0)
187.     {        
188.       pinMode(data, OUTPUT);
189.       digitalWrite(data, 0);
190.       delay(delay_between_bits);
191.     }
192.     else
193.     {
194.       pinMode(data, INPUT);                //We make the data pin high-impedance to let the pull-up of the Playstation motherboard make a 1
195.       delay(delay_between_bits);
196.     }
197.   }
198.  
199.   pinMode(data, OUTPUT);
200.   digitalWrite(data, 0);
201.   delay(delay_between_injections);
202. }
203.  
204. void inject_SCEA()
205. {
206.   //SCEE-array                                                                                                                   //      Start            Data     Stop
207.   FLASH_ARRAY (boolean, SCEAData, 1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,1,0,1,0,0,1,0,1,0,1,1,1,0,1,0,0,1,0,1,1,1,1,1,0,1,0,0);      //SCEA: 1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01111101 00
208.  
209.   int bit_counter;
210.  
211.   for (bit_counter = 0; bit_counter < 44; bit_counter = bit_counter + 1)
212.   {
213.     if (SCEAData[bit_counter] == 0)
214.     {        
215.       pinMode(data, OUTPUT);
216.       digitalWrite(data, 0);
217.       delay(delay_between_bits);
218.     }
219.     else
220.     {
221.       pinMode(data, INPUT);                //We make the data pin high-impedance to let the pull-up of the Playstation motherboard make a 1
222.       delay(delay_between_bits);
223.     }
224.   }
225.  
226.   pinMode(data, OUTPUT);
227.   digitalWrite(data, 0);
228.   delay(delay_between_injections);
229. }
230.  
231. void inject_SCEI()
232. {
233.   //SCEE-array                                                                                                                   //      Start            Data     Stop
234.   FLASH_ARRAY (boolean, SCEIData, 1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,1,0,1,0,0,1,0,1,0,1,1,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,0);      //SCEI: 1 00110101 00, 1 00111101 00, 1 01011101 00, 1 01101101 00
235.  
236.   int bit_counter;
237.  
238.   for (bit_counter = 0; bit_counter < 44; bit_counter = bit_counter + 1)
239.   {
240.     if (SCEIData[bit_counter] == 0)
241.     {        
242.       pinMode(data, OUTPUT);
243.       digitalWrite(data, 0);
244.       delay(delay_between_bits);
245.     }
246.     else
247.     {
248.       pinMode(data, INPUT);                //We make the data pin high-impedance to let the pull-up of the Playstation motherboard make a 1
249.       delay(delay_between_bits);
250.     }
251.   }
252.  
253.   pinMode(data, OUTPUT);
254.   digitalWrite(data, 0);
255.   delay(delay_between_injections);
256. }
257.  
258. void inject_multiple_times(int number_of_injection_cycles)
259. {
260.   int cycle_counter;
261.  
262.   for(cycle_counter = 0; cycle_counter < number_of_injection_cycles; cycle_counter = cycle_counter + 1)
263.   {
264.     inject_SCEE();
265.     inject_SCEA();
266.     inject_SCEI();
267.   }
268. }
269.  
270. void inject_playstation()
271. {
272.   //Variables
273.   int loop_counter;
274.  
275.   //Code
276.   NTSC_fix();
277.  
278.   delay(6900);
279.   digitalWrite(data, 0);
280.   pinMode(data, OUTPUT);
281.   delay(100);
282.  
283.   pinMode(gate, OUTPUT);
284.   digitalWrite(gate, 0);
285.  
286.   for (loop_counter = 0; loop_counter < 25; loop_counter = loop_counter + 1)
287.   {
288.     inject_SCEE();
289.   }
290.  
291.   pinMode(gate, INPUT);
292.   pinMode(data, INPUT);
293.   delay(11000);
294.  
295.   pinMode(gate, OUTPUT);
296.   digitalWrite(gate, 0);
297.  
298.   for (loop_counter = 0; loop_counter < 60; loop_counter = loop_counter + 1)
299.   {
300.     inject_SCEE();
301.   }
302.  
303.   pinMode(gate, INPUT);
304.   pinMode(data, INPUT);
305. }
306.  
307. //!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
308. //--------------------------------------------------
309. //     Setup function - execution starts here!
310. //--------------------------------------------------
311. void setup()
312. {
313.   inject_playstation();
314. }
315.  
316. //----------------------------------------------------------------
317. //   Loop function - executes after the initial injection cycle
318. //----------------------------------------------------------------
319. void loop()
320. {
321.   if(lid == 0)
322.   {
323.     while(lid != 1);      //Wait until the lid is closed again (after being opened) to initiate a new injection cycle
324.     inject_playstation();
325.   }
326. }