SCPH-1000 & Early SCPH-3000 Require Special SetSession Sequence Due To Buggy CDROM Controller Firmware

[alex-free]

SCPH-1000 and early SCPH-3000 consoles contain either VC0 A or VC0 B CDROM controllers. When you send SetSession on these controllers the TOC is not updated due to a bug (confirmed by NO $ PSX in an email). Tonyhax International is the only program that has a work around for this currently AFAIK. Me and MottZilla came up with it, we dub it the 'SetSessionSuperUltraCommandSmash'. Basically how it works is this:

• SetSession is sent to change the session to session 2 (which doesn't have to exist btw, and normally does not).
• We wait 2 interrupts, and then IMMEDIATELY send SetSession to change the session back to session 1 . This forces the TOC to update. There is actually a 3rd interrupt that can trigger when session 2 does not exist, we are ignoring this (undefined behavior) so that the CD drive doesn't actually lock up.

Probably a really good idea to disable interrupts and then re-enable them after doing this, I do this in tonyhax international by calling the 'bios reinitialize' function (which does other things to, but they are probably not necessary for i.e. unirom).

Let me know if you have questions. Check out the Tonyhax International implementation here: https://github.com/alex-free/tonyhax/blob/master/loader/secondary.c

[ramapcsx2]

Thanks for documenting your findings, really appreciate that! :)

[JonathanDotCel]

Awesome, once again, thanks for sharing :)

[alex-free]

Awesome, once again, thanks for sharing :)

No problem. Something I forgot to mention, the VC1A CDROM Controller Firmware has the same bug. VC1A is only found on extremely early (July 1995-October 1995) SCPH-1001s and maybe SCPH-1002s from the same period. The thing is, all of those consoles are unlockable so it doesn't matter for Tonyhax International which auto configures the boot method based on the CDROM Controller Firmware compile date using the 19'20 test command.

I have a 'late' SCPH-3000 with VC1B and an 'early' SCPH-3000 with VC0B. They are really close in serial numbers (bought them specifically to figure this out). So I belive VC1A is only found on very early USA and PAL consoles made right before or after launch in 1995. No USA or PAL consoles have VC0A or VC0B, I have an extremely early SCPH-1001 from July 1995 that is VC1A to prove that.

Something interesting with VC0A and VC0B is that they lack the ReadTOC command (which deautheticates non-licensed discs and updates the TOC data when sent). This is how i.e. Dino Crisis does anti-piracy checks on stock consoles to prevent a swap trick from booting the game. So curiously enough, as long as the TOC is updated via SetSession on a console with VC0A or VC0B, every anti-piracy measure breaks and is bypassed. This is actually how aprip works, by simulating this on all consoles. There is essentially a backdoor that just returns 0 in the ap code if the ReadTOC command doesn't return the right amount of interrupts (because it doesn't exist in the earlier CDROM Controller firmware). And as long as the TOC is correct all checks pass with flying colors.

So once you add the SetSession sequence, every game containg anti-piracy screens will just work for the SCPH-1000 and early SCPH-3000. Even Spyro YOTD, no patches required (requires a stock console, a non-stealth modchip would still fail).

I can test with multiple consoles any support you add by the way.

[JonathanDotCel]

Thanks! So the c++ conversion and opensourcing is well underway right now. Just wondering if you're on discord? Cheers, J

[alex-free]

Thanks!

So the c++ conversion and opensourcing is well underway right now.

Just wondering if you're on discord?

Cheers,

J

I might make an account for discord.

That's awesome that it's finally happening. I look forward to contributing the SetSessionSuperUltraCommandSmash and anti-piracy bypass system. I only know a bit of C though, is that going to be allowed for UniRom with it becoming C++?

If you are also interested, I just finished implementing GameShark code support in Tonyhax International. There is a desktop program that generates a save file from a .txt full of GameShark codes. That save file can then be copied to a PSX memory card and then it is read by Tonyhax International and it applies the cheats before booting a game. I could implement something similar for UniRom as well if you are interested.

[JonathanDotCel]

That's awesome man, would be nice to see you there; great little dev community.

When I say C++, it's "C, but with C++ namespaces, and the odd ENUM" lol. Nothing mental.

That's awesome about the GS support! Nic Noble's written a cool little cheat engine which turns the codes into machine code for maximum fast. It's not implemented yet, but I'm itching to use it!

Hope to see you soon anyway ^^

[alex-free]

That's awesome man, would be nice to see you there; great little dev community.

When I say C++, it's "C, but with C++ namespaces, and the odd ENUM" lol. Nothing mental.

That's awesome about the GS support! Nic Noble's written a cool little cheat engine which turns the codes into machine code for maximum fast. It's not implemented yet, but I'm itching to use it!

Hope to see you soon anyway ^^

Oh sweet.

When you say machine code, do you mean ASM? Check this: https://github.com/alex-free/tonyhax/blob/master/mottzilla-stealth-cheat-engine/Stealth_CheatEngine.asm

I've test 139 concurrent codes at once :)

[JonathanDotCel]

Haah, that's fuckin sweet - very concise!

So the one @nicolasnoble wrote generates CPU instructions for the codes, lol. E.g. trading a bit of space for speed

[alex-free]

Haah, that's fuckin sweet - very concise!

So the one @nicolasnoble wrote generates CPU instructions for the codes, lol. E.g. trading a bit of space for speed

That's what I was hoping you meant. That's so interesting! I don't think you can optimize more then that.