They were discovered and documented in 2013 by nocash; there was just no way to use them outside of cheat-carts with unirom or BIOS-replacements until now.
If I understood anti-mod games correctly, they had an additional check for the license string. Early chips would constantly send it (even when not reading the part that is used for authentication). The game could check for the SCE* string and if it did find it (shouldn't be the case) there must be a modchip sending it.
This prevented even original CDs from being used. Modded console → No game.
Later modchips switched themselves off after authenticating the disc (guess this was the "stealth" in the later versions).
True.
But there are also some games which check for the license mid-game properly (afaik Spyro NTSC-U is one of them) and due to the nature of the unlock-mechanism used, that won't work as that licence-check is disabled.
What doesn't work with modchip and with an exploit like this one is successfully playing unpatched backups of LibCrypt protected games. They crash deliberately early on. Coincidentally I just tried it hoping RAW copy with subchannel data would work without patch… NOPE!
Then you must have ripped or burned it wrong: Reading and writing subchannel-data uncorrected and the burner must support DAO RAW _96_ (or similarly named).
Any kind of modchip being there or not doesn't affect Libcrypt at all, only if the disc is properly made (or burned).
I managed to fix my non-formatting card with a sort of new solution.
I did not have any of the mentioned CD games, e.g. Wipeout or Cool Boarders, so I was trying to find a way to restore my first flashed mem card.
I tried my games and found that Resident Evil can fix the corrupted card also.
1. Put the Resident Evil disc in the PS2
2. Wait for it to load
3. Insert the flashed memory card
4. The memory card is recognised but does not contain any saves
5. Play the game till you can save at a typewriter
(Playing as Chris, you will be able to save faster)
6. You will be able to save; it requires 1 block
7. Once saved, restart your PS2
8. Go into the browser and the PS1 mem card is there
9. Now you can use the MC app to format
10. Restore your original backup of the mem card
It's a great lil exploit and I'm glad there are ways to get your card to function again.
But there are also some games which check for the license mid-game properly (afaik Spyro NTSC-U is one of them) and due to the nature of the unlock-mechanism used, that won't work as that licence-check is disabled.
[…]
Then you must have ripped or burned it wrong: Reading and writing subchannel-data uncorrected and the burner must support DAO RAW _96_ (or similarly named).
Any kind of modchip being there or not doesn't affect Libcrypt at all, only if the disc is properly made (or burned).
Good point. My newer drives are missing this capability. Thank you! Never had any luck burning LibCrypt games without crack. Grubbing through my old stuff in the attic I quickly found an older burner supporting this write mode, plugged it into a Windows XP machine and Alcohol 120% created a seemingly working copy (tested for about ½ hour) of a protected game. If this really works out, I'm going to replace my cracked backups containing the crappy "We are the greatest!!11!"-intros by the cracking groups with clean copies.
Hey, I've released version 1.1 yesterday: see release 1.1 on the github repo; I cannot post a link since I'm a new member.
So far it has been confirmed working on BIOS 2.0, 4.1, 4.5. Some feedback would be nice for other BIOS versions. I've also just added support for SCPH-7000 and SCPH-7000W (the image files are not in the release, but they are in the repo).
If you can test the latest images on real hardware and report the status here, I'd be grateful (make sure you test the latest images - they overwrite a different address compared to the previous ones). If it doesn't work, make absolutely sure you have the correct image file and that you wrote the image file to the memcard exactly as it is. If possible, read back the memory card and compare with the original image file.
Since I'm not a developer I'm always happy if I can contribute a small thing:
Small PSONE, SCPH-102 (PAL), BIOS 4.4 working perfectly with Freepsxboot-unirom-fastload-20210421-bios-4.4.mcd
The console has an (unknown) modchip so I can't say anything about the nocash unlock on this one. Hope the modchip is not a problem.
The same MC works on another SCPH-102 without modchip. The second console has BIOS version 4.5 but I didn't flash the 4.5 specific image to the MC (found out about this device being a 4.5 after starting FreePSXBoot).
Backups loading perfectly.
Don't have any other models besides one with the already tested 4.1
Edit:
The files for 4.3, 4.4 and 4.5 appear to be the same anyway.
Thanks for the feedback. The files are indeed the same, the BIOSes are different but happen to have the same stack pointer value when the exploit triggers, and also allow the same instruction to be overwritten. Nevertheless, if we improve yet again the exploit, the files may end up being different.
Thanks for the feedback. Someone reported recently that BIOS version 2.2 (A) was not working, and I had mistakenly assumed that BIOS 2.2 (E) was the same as 2.2 (A), as it's the case for versions 4.1, 4.4, and 4.5.
So I've updated again the images, and the BIOS list. There is also a fix which caused the exploit to freeze on some BIOS versions; this is fixed by reading a dummy frame from the memory card before loading the actual payload. All the updated images are on github (not in the release, but in the download links on the main repo page). I am waiting for the Unirom author to update his code, and I will do a release once it's ready.
I will test the new images later this day and post results. I've bought an additional console, SCPH-1002 (E), for testing. If I stumble upon more models, I will buy them. Flea markets not existing anymore makes this a lot harder (and more expensive).
Edit:
Tests done with the new images from 30th of April 2021.
Results: Not a single problem, regression or failure (100% success rate, CD-R loading perfectly) with any of those:
SCPH-1002, BIOS 2.2 12/04/95 E, CRC32: 1E26792F
SCPH-9002, BIOS 4.1 12/16/97 E, CRC32: 318178BF
SCPH-102, BIOS 4.4 03/24/00 E, CRC32: 0BAD7EA9 (has unknown modchip)
SCPH-102, BIOS 4.5 05/25/00 E, CRC32: 76B880E5
Also perfectly working: Formatting memory card with Unirom to prevent Memory Card Annihilator on the PS2 from crashing.
Can't do more at the moment. As mentioned, if I find more consoles, I'll buy them. Not much hope here. Imported NTSC consoles will be even harder to get.
Boy, the PlayStation 1 sure got a lot of hardware revisions and BIOS versions.
Showing which FreePSXBoot images are the same at the moment by checksum:
1e5bf9d8c4915315265dbf7086a2520c freepsxboot-unirom-fastload-20210430-bios-2.0-1995-05-10-E-9bb87c4b.mcd
21700c491b620821248a786d93a5598a freepsxboot-unirom-fastload-20210430-bios-4.1-1997-11-14-A-b7c43dad.mcd
21700c491b620821248a786d93a5598a freepsxboot-unirom-fastload-20210430-bios-4.1-1997-12-16-A-502224b6.mcd
21700c491b620821248a786d93a5598a freepsxboot-unirom-fastload-20210430-bios-4.1-1997-12-16-E-318178bf.mcd
2a0c258b112b9c311d3f455e5e824202 freepsxboot-unirom-fastload-20210430-bios-2.1-1995-07-17-I-bc190209.mcd
2a0c258b112b9c311d3f455e5e824202 freepsxboot-unirom-fastload-20210430-bios-2.2-1995-12-04-I-24fc7e17.mcd
2a0c258b112b9c311d3f455e5e824202 freepsxboot-unirom-fastload-20210430-bios-3.0-1996-09-09-I-ff3eeb8c.mcd
4966a362e63a950a460b873832ab47e6 freepsxboot-unirom-fastload-20210430-bios-2.1-1995-07-17-A-aff00f2f.mcd
4966a362e63a950a460b873832ab47e6 freepsxboot-unirom-fastload-20210430-bios-2.2-1995-12-04-A-37157331.mcd
4b40669b3a3a47d184610c94dcca39ab freepsxboot-unirom-fastload-20210430-bios-3.0-1996-11-18-A-8d8cb7e4.mcd
4b40669b3a3a47d184610c94dcca39ab freepsxboot-unirom-fastload-20210430-bios-4.0-1997-08-18-I-ec541cd0.mcd
6654289a9d916bc906ee4651d69ec7d6 freepsxboot-unirom-fastload-20210430-bios-3.0-1997-01-06-E-d786f0b9.mcd
79b0452db10adb045ed7aa8f95d8a6de freepsxboot-unirom-fastload-20210430-bios-4.3-2000-03-11-I-f2af798b.mcd
79b0452db10adb045ed7aa8f95d8a6de freepsxboot-unirom-fastload-20210430-bios-4.4-2000-03-24-A-6a0e22a0.mcd
79b0452db10adb045ed7aa8f95d8a6de freepsxboot-unirom-fastload-20210430-bios-4.4-2000-03-24-E-0bad7ea9.mcd
79b0452db10adb045ed7aa8f95d8a6de freepsxboot-unirom-fastload-20210430-bios-4.5-2000-05-25-A-171bdcec.mcd
79b0452db10adb045ed7aa8f95d8a6de freepsxboot-unirom-fastload-20210430-bios-4.5-2000-05-25-E-76b880e5.mcd
a0020be10e32260b06a4decdf3716e59 freepsxboot-unirom-fastload-20210430-bios-2.1-1995-07-17-E-86c30531.mcd
a0020be10e32260b06a4decdf3716e59 freepsxboot-unirom-fastload-20210430-bios-2.2-1995-12-04-E-1e26792f.mcd
a0686a864e378537a971ae79904c8f5a freepsxboot-unirom-fastload-20210430-bios-2.0-1995-05-07-A-55847d8c.mcd
ada128288fcd35269b67bed97d2ee2d6 freepsxboot-unirom-fastload-20210430-bios-1.0-1994-09-22-I-3b601fc8.mcd
cd3abde84054c9442b63dfd08c689396 freepsxboot-unirom-fastload-20210430-bios-1.1-1995-01-22-I-3539def6.mcd
It's interesting what mc-images are the same for which BIOS-versions.
3.0 US and 4.0 JP?
2.1, 2.2 and 3.0 JP?
2.1 US/EU and 2.2 US/EU, but then 3.0 EU all alone?
Funny.
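The read-back comparison suggested earlier in the thread and the checksum grouping listed above, as an added example (not part of any post and not FreePSXBoot's own code). It assumes each .mcd file is a raw 131072-byte card image made of 1024 frames of 128 bytes; the function names are made up for illustration.

```python
import hashlib
from collections import defaultdict

FRAME_SIZE = 128            # bytes per memory card frame (assumed raw layout)
CARD_SIZE = 1024 * FRAME_SIZE  # 131072 bytes, no header


def differing_frames(original: bytes, readback: bytes) -> list[int]:
    """Return the indices of the 128-byte frames that differ between the
    image that was meant to be written and the dump read back from the card."""
    for label, data in (("original", original), ("readback", readback)):
        if len(data) != CARD_SIZE:
            # A wrong size usually means a container format or a truncated dump.
            raise ValueError(f"{label} is {len(data)} bytes, expected {CARD_SIZE}")
    return [
        i for i in range(CARD_SIZE // FRAME_SIZE)
        if original[i * FRAME_SIZE:(i + 1) * FRAME_SIZE]
        != readback[i * FRAME_SIZE:(i + 1) * FRAME_SIZE]
    ]


def group_by_digest(images: dict[str, bytes]) -> dict[str, list[str]]:
    """Group image names by MD5 digest, like sorting md5sum output.
    MD5 is used only to spot identical files, matching the listing above."""
    groups: dict[str, list[str]] = defaultdict(list)
    for name in sorted(images):
        groups[hashlib.md5(images[name]).hexdigest()].append(name)
    return dict(groups)


if __name__ == "__main__":
    # Constructed sample data: a blank image and a dump with two bad frames.
    image = bytes(CARD_SIZE)
    dump = bytearray(image)
    dump[5 * FRAME_SIZE + 3] ^= 0xFF
    dump[1023 * FRAME_SIZE] ^= 0x01

    bad = differing_frames(image, bytes(dump))
    print("frames that differ:", bad or "none, card matches the image")

    # Hypothetical file names; on disk you would read each file's bytes instead.
    sample = {"bios-a.mcd": image, "bios-b.mcd": image, "bios-c.mcd": bytes(dump)}
    for digest, names in group_by_digest(sample).items():
        print(digest, ", ".join(names))
```

A non-empty frame list after flashing points at a bad write or the wrong file rather than at the console.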
Just to add, I tried backups of NTSC and PAL (my region) and both worked perfectly. Also, the 1st time ever I've been able to play a backup of Vib Ribbon (after many previous, failed, attempts through the years with emulation).
I managed to fix my non-formatting card with a sort of new solution.
I did not have any of the mentioned CD games, e.g. Wipeout or Cool Boarders, so I was trying to find a way to restore my first flashed mem card.
I tried my games and found that Resident Evil can fix the corrupted card also.
1. Put the Resident Evil disc in the PS2
2. Wait for it to load
3. Insert the flashed memory card
4. The memory card is recognised but does not contain any saves
5. Play the game till you can save at a typewriter
(Playing as Chris, you will be able to save faster)
6. You will be able to save; it requires 1 block
7. Once saved, restart your PS2
8. Go into the browser and the PS1 mem card is there
9. Now you can use the MC app to format
10. Restore your original backup of the mem card
It's a great lil exploit and I'm glad there are ways to get your card to function again.
This is exactly what I did to fix one of my cards too, except I used RE2! I think I might've been using an old version of FreePSXBoot though, because I couldn't do it a second time. Say you used the wrong payload for your bios and now your memory card is broken. You can fix it without special PC hardware.
1. Use a second memory card and a PS2 to install TonyHax. This is the only step that requires a PS2.
2. Make a Unirom boot disc using the latest version. This ran on my PS1 with a Verbatim disc at 16x speed.
3. Use TonyHax to start the Unirom boot disc on PS1
5. Scroll to Memory Cards
6. Highlight files on the FreePSXBoot memory card, press X, then Format
As of version 1.3.3, TonyHax will block FreePSXBoot. This means you can use a memory card manager without crashing your console! I tried these steps on a PS2, but Unirom, while functional, has garbled text.
It is now possible to run FreePSXBoot on a memory card on slot 2, and to keep the memory card plugged in while playing a game (the kernel is patched by FreePSXBoot to disable the memory card on slot 2, so games will only see a memory card connected in slot 1).
I am (as always) looking for feedback on the slot 2 exploit. It has been tested on a few models and works fine on these, but it may not be the case on all models.
You can download the slot 2 images on github directly from the home page of the repository (there is no tagged release yet, waiting for more feedback). Slot 1 images are still provided for users of the Memcard Pro, or in case of incompatibility.
Same consoles as last time:
SCPH-1002, BIOS 2.2 12/04/95 E, CRC32: 1E26792F
SCPH-9002, BIOS 4.1 12/16/97 E, CRC32: 318178BF (difference to last time: I've soldered in a PsNee…)
…but I also now have this one:
SCPH-7502, BIOS 4.1 12/16/97 E, CRC32: 318178BF
SCPH-102, BIOS 4.4 03/24/00 E, CRC32: 0BAD7EA9 (has unknown modchip)
SCPH-102, BIOS 4.5 05/25/00 E, CRC32: 76B880E5
Sadly still only PAL consoles. I have no idea where/how I could get a bunch of NTSC-U and NTSC-J for an acceptable price. My test only got three distinct Slot-2 memory card images covered since the md5sum for BIOS 4.4 and 4.5 are still the same.
Results:
Unirom working like before. Formats memory cards for allowing new images to be flashed on the PS2 flawlessly. The game I loaded from CD-R was Castlevania – Symphony of the Night since it allows accessing Slot-2 for saves as well. The game simply states "Error!" for Slot-2, offers formatting MC2 but fails. Seems your kernel patch works perfectly.
The SCPH-102 with the unknown modchip crashed once, but I'm willing to file that under user error. Maybe I closed the tray too early and the modchip already tried starting the game. I tried it more than a dozen times afterwards → No problem.
Conclusion for my test devices: Perfect!
I have tested saving and loading with a few games and so far all of them work as expected (though strangely MGS will be stuck retrying on slot 2 if it sees no card connected there, but that's not due to FreePSXBoot).
The only case it could fail is if a game reimplements completely the memory card reading code instead of using the BIOS calls; so far I don't know of any such game.