How the Sony Playstation 2 Security Was Defeated | MVG

Reddit Comments

Heck yeah I love to use FreeMCBoot and its tools to force 60hz on my PAL games collection like CvS2! Get a FreeMCBoot memory card if u haven't already. It's a must have for PS2 enthusiast users.

πŸ‘οΈŽ︎ 18 πŸ‘€οΈŽ︎ u/YOUREABOT πŸ“…οΈŽ︎ Apr 22 2019 πŸ—«︎ replies

I remember the AR2 swap on DVDs. You enabled all Dave Mirra BMX cheats, which caused some error. You could then eject the disc and replace it with your backups. Worked 9/10 tries.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/BrundleflyPr0 πŸ“…οΈŽ︎ Apr 23 2019 πŸ—«︎ replies

Does anyone remember pre-FreeMcBoot days like the Independence Exploit? I remember using that to create the save file and copying it to a drive for use with Action Replay Max Evo or something like that for the PS2.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/LiarInGlass πŸ“…οΈŽ︎ Apr 24 2019 πŸ—«︎ replies
Captions
As of the making of this episode, the Sony PlayStation 2 is still the world's largest-selling console, with over 150 million units sold. The PlayStation 2 greatly improved on the technology of the original PlayStation 1, and it was a true evolution in console video gaming. Sony learned from the mistakes of the PS1, with its rampant mod-chipping and piracy, and came up with a more elaborate copy protection scheme to thwart pirates and modders attempting to play unauthorized backups on the system.

To better understand how the PlayStation 2 locked pirates out of its system, let's do a quick run-through of the PlayStation 1 security. The PlayStation 1 was region-locked depending on where you bought your system, and there was no EEPROM or jumper setting on the motherboard that you could use to change it. It was all hard-coded on the PS1. The discs themselves had a simple but effective copy protection method. Original discs were pressed with a watermark which also contained the region code of the game. The watermark was only pressed onto original discs. Consumer-grade CD burners are not capable of writing this watermark, due to the way that data is burned onto the disc. So, although you could easily read PlayStation 1 discs in a regular PC drive and make a copy of the game, it would not boot on a PlayStation 1. This is because when an original is put into the drive, the watermark is read and the region code is accessed from the disc. If it matches the region code on the PlayStation 1 motherboard, the game boots. Simple enough. It also meant that it was simple enough to emulate the watermark and circumvent the region check to boot a copied version of the game with a simple modchip. Sony definitely learned from the mistakes of the Sony PlayStation 1 security, from the simple swap trick method to the modchips that ultimately bypassed and defeated the security wobble and the watermark mechanism on the PlayStation 1 discs.
Now, with the PlayStation 2, Sony stepped up security greatly. But, as we will find out, there were still ways to defeat the system, which we're going to take a look at and deep dive into. When Sony was developing the PlayStation 2, enhancing security was essential, and Sony had learned from its mistakes on the PS1. Games were growing in size; many games on the PlayStation 1 towards the end of its life cycle were multi-disc games. The PlayStation 2 was upgraded from CD to DVD, and its copy protection was also beefed up significantly. This is roughly how it went. The famous PlayStation 2 logo that you see when you boot into a game is actually stored on the disc itself. It's encrypted in the first 16 sectors of the disc. Like the PlayStation 1, the PlayStation 2 disc has a watermark pressed onto it that can't be burned with a normal DVD burner. The key to decrypt the logo is in the watermark data, and that decryption key is itself encrypted using the product code of the disc, which is spread across different sectors on the disc. One common myth about both PS1 and PS2 discs concerns the color of the discs: they were very easy to make backup copies of. The color was mainly used to illustrate that you were using a legitimate copy of the game, as opposed to a high-quality reproduction.

With this knowledge and understanding of how the PlayStation 2 boot process worked, it wasn't long before hardware modchip manufacturers came onto the market with their products. The earliest modchips were crude and needed to work in conjunction with a disc like an Action Replay or a GameShark. While not the first mod on the market, the Neo Key worked by first inserting the Action Replay disc, then swapping in the real game. Initially, this only worked with PlayStation 2 CD-based games, and not DVD games. The mod authenticated the backup copy as a PlayStation 1 disc, but the Action Replay, or GameShark, treated it like a PlayStation 2 CD, and the game would boot.
Authenticating PlayStation 2 DVDs was trickier, but eventually it was worked around as well. One of the most important chips on the PlayStation 2 is the Mechacon. It's responsible for controlling the CD and DVD drive; think of it more like a hypervisor for the DVD drive. All original PlayStation 2 DVDs have a media flag setting of DVD-ROM. If the Mechacon detected the media flag DVD-ROM coming from the disc, the game would boot. Making a simple copy of a game DVD would not boot, because the book type, or media flag, would be set to DVD+R. This was fixed by patching some wires from the modchip to the Mechacon to hardwire the media bit to DVD-ROM, regardless of whether an original or a backup copy was inserted.

Right after the Neo Key, the first no-swap modchip, known as the Messiah, came onto the market, and it was very successful. Mod-chipping a PlayStation 2 was complicated. Unlike the original Xbox, the no-swap chips required up to 20 wires to be soldered onto the motherboard. This wasn't a job for beginners, so many people would pay modders high prices to chip their systems. Sony was aware of what was going on, and in 2004 won a landmark case against David Bell, a man who was selling and installing Messiah chips. But this did little to stop the market, and to this day mod chips are still for sale for the Sony PlayStation 2, including the Modbo and others. They all use the same 20-wire method as the Messiah, but come with more modern features.

But mod-chipping wasn't the only option to defeat copy protection on the PlayStation 2. Remember, the PlayStation 1 used a simple swap trick method that would allow you to keep the drive tray open while the disc was spinning. The trick was that after the watermark of the original disc was read and authenticated, you could swap in your backup copy and boot into a copy of that game. And although the PlayStation 2 had a much more complicated boot and security process, it turns out you could perform a very similar hack.
Now, I get a lot of questions on the channel asking me: "What's the deal with your Sony PlayStation 2 Slim? I've never seen a Sony PlayStation 2 Slim look like that before." The short answer is: it's just a regular Sony PlayStation 2 Slim with an aftermarket modification known as the "Swap Magic". Both the PlayStation 2 Phat and Slim have sensors to detect if a disc is ejected. My PlayStation 2 Slim has three sensors. This lid bypasses the PS2's eject sensors and uses a trick known as "Swap Magic". It's just one of many ways that the Sony PlayStation 2 is modded to allow backup games, region-free copy-protected games and homebrew to run. Swap Magic works by inserting a PlayStation 2 pressed disc created by Datel into the system when you power it on, then flipping up the lid and replacing it with your backup copy of the game. It simply allows the swapping of PlayStation 2 discs without the system being aware. This was the first of the softmodding methods that were used. The Swap Magic disc has the watermark and all the authentication checks in place. It's not clear how Datel managed to pull this off, but one theory is that they likely spliced the watermark and boot sectors onto their own discs. Now, if anyone knows more about how Datel managed to pull this off, I'd certainly be interested. Leave a comment below or e-mail me. The Swap Magic disc has intentional bad sectors on it. Once it boots, the PlayStation 2 retries a few times to read these sectors, but eventually the motor will stop. And then all you need to do is pop open the lid, which won't affect the eject sensors, and the backup disc will boot and load just like an original disc. The Swap Magic trick is clever and still works to this day, but along came a newer method that would become the final form of all PlayStation 2 modding. The best mods are often the simplest, the ones that don't require you to open up the system and solder 20 wires.
FreeMCBoot falls into that category. By inserting a memory card into the PlayStation 2 and booting it up, it loads a custom menu known as "FreeMCBoot". From here, you can run homebrew, browse files, manipulate save games, boot backups and much more. But how is this possible? Loading homebrew code from a memory card seems like it would be the first thing that Sony would have patched out. The PlayStation 2 was designed to be upgradable by utilizing, you guessed it, the memory card. Sony's plan was to release an update disc, and the update would install itself onto the memory card. When you booted the PlayStation 2, the memory card would load its update and then boot into the system. So removing the memory card would downgrade you back to whatever the PlayStation 2 BIOS was running. The PlayStation 2 had no NAND or flashable EEPROM to persist the update; it was performed on the memory card. Sony released one update disc in Japan, but the method was quickly scrapped, as it was too easy to bypass the update, or just downgrade when you wanted to, by simply removing the memory card. Although Sony stopped bringing updates out, they never removed this ability from the PlayStation 2 and still allowed it to be updated. And this is how FreeMCBoot works. It tricks the system into believing it's a memory card with an official update installed onto it, except, of course, it's a full menu of loaders and utilities to run backups and homebrew. The FreeMCBoot exploit works on almost all PlayStation 2 hardware, including the original Phat models and all Slim models up to the 9000x model, where it was patched. FreeMCBoot also runs on the Japanese PSX, and it's actually recommended that you do this to minimize hard drive access in order to preserve the lifetime of the system. I covered the Japanese Sony PSX in a previous episode, and all the potential issues it has. Check it out if you're interested.
FreeMCBoot works very well, but it has one main issue: it won't boot backup DVDs. This is because FreeMCBoot only allows .elf binaries to load and run, like homebrew. However, FreeMCBoot comes with loaders to allow backups to play. The first is known as "ESR". One of the big selling points of the PlayStation 2 was its support for video DVDs. It even supports playing backup copies. So, by patching a game disc to be multi-session, and including video DVD playback in the first session and the game data in the second, the PlayStation 2 will allow the disc to boot, thinking that it's a video DVD, and pass its authentication check. Then ESR will mount the second session on the disc with the game data and boot into the game as normal. This method requires a backup of the game patched into the multi-session format that ESR expects, and will only work on FreeMCBoot, not via traditional modchip or swap methods. The second and more popular method these days is the "Open PS2 Loader", or "OPL". This allows unmodified disc images, or ISOs, to boot and run from external USB drives, hard drives, and even over network shares via SMB, or Samba. It's the most popular method of running PS2 backups to this day. And, like FreeMCBoot, it's still very much in active development.

And that's where we are at today. There were other methods of defeating PlayStation 2 security, but, in summary, we went from the original modchips, to Swap Magic, to FreeMCBoot. Sony put much more time and resources into tightening up security on the PlayStation 2. But its huge fanbase, and expert security researchers and reversers, meant it was inevitable that the system would be defeated. Swap Magic still remains a very useful way to boot into backups and homebrew, and the FreeMCBoot exploit on a simple memory card was a simple oversight by Sony. But no matter what, the Sony PlayStation 2 still remains a fantastic system after all these years.
One definitely worth revisiting, or, if you haven't already, do yourself a favor and jump in for the first time. So there you have it, guys. That's the story of the Sony PlayStation 2 and how its security was ultimately defeated by attacking different entry points into the system and completely disabling security on the system, from the earliest modchips that first came out, to the Swap Magic trick, which is still very much in use to this day, and then ultimately the FreeMCBoot method, which is pretty common these days. If you look on eBay and want to buy a PlayStation 2, there's a pretty good chance it's going to come with a FreeMCBoot memory card to allow you to play backups, homebrew and things like that. Well, guys, I hope you enjoyed this video and this look back at the security of the Sony PlayStation 2. There are definitely more of these types of videos in the works, and I think you guys really like them, and I certainly like going down memory lane and revisiting some of these awesome topics and awesome consoles. So let me know what you thought about this one in the comments below. If you like this video, don't forget to give me a thumbs up. And, as always, don't forget to like and subscribe, and I'll catch you guys in the next video. Bye for now. [Outro song]
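The Mechacon media-flag check described in the captions above, as an added example that is not part of the video or of any PS2 project: a small Python parser for the DVD Physical Format Information block (the structure returned by the MMC READ DISC STRUCTURE command, format 0x00, whose top nibble is the book type the video calls the media flag), plus the gate that only accepts DVD-ROM. The two sample byte strings are constructed for illustration, and the function names are my own.

```python
# Added example, not from the video or any PS2 project. Decodes the first 12 bytes of
# the DVD Physical Format Information block (MMC READ DISC STRUCTURE, format 0x00) and
# applies the gate the video attributes to the Mechacon: only DVD-ROM is accepted.
from dataclasses import dataclass

# Book type values from the DVD physical format specification (top nibble of byte 0).
BOOK_TYPES = {
    0x0: "DVD-ROM", 0x1: "DVD-RAM", 0x2: "DVD-R", 0x3: "DVD-RW",
    0x9: "DVD+RW", 0xA: "DVD+R", 0xD: "DVD+RW DL", 0xE: "DVD+R DL",
}


@dataclass
class PhysicalFormatInfo:
    book_type: str
    part_version: int
    disc_size_mm: int
    layers: int
    track_path: str          # "PTP" (parallel) or "OTP" (opposite) for dual-layer discs
    data_start_sector: int
    data_end_sector: int


def parse_physical_format_info(buf: bytes) -> PhysicalFormatInfo:
    """Decode the header fields of a Physical Format Information block."""
    if len(buf) < 12:
        raise ValueError("physical format information block too short")
    book = buf[0] >> 4
    return PhysicalFormatInfo(
        book_type=BOOK_TYPES.get(book, f"unknown(0x{book:x})"),
        part_version=buf[0] & 0x0F,
        disc_size_mm=120 if (buf[1] >> 4) == 0 else 80,
        layers=((buf[2] >> 5) & 0x3) + 1,                    # bits 6-5: layers minus one
        track_path="OTP" if buf[2] & 0x10 else "PTP",
        data_start_sector=int.from_bytes(buf[5:8], "big"),   # byte 4 is reserved
        data_end_sector=int.from_bytes(buf[9:12], "big"),    # byte 8 is reserved
    )


def mechacon_accepts(info: PhysicalFormatInfo) -> bool:
    """The media-flag gate from the video: a pressed disc reports DVD-ROM; a burned
    copy reports its recordable book type and is refused before the game can boot."""
    return info.book_type == "DVD-ROM"


# Constructed sample blocks (not captured from real discs): single-layer 120 mm discs,
# part version 1, data area 0x030000..0x2316DF. Only byte 0 differs between them.
PRESSED_DISC = bytes.fromhex("01 02 01 00 00 03 00 00 00 23 16 DF")
BURNED_PLUS_R = bytes.fromhex("A1 02 01 00 00 03 00 00 00 23 16 DF")

if __name__ == "__main__":
    for name, blob in (("pressed", PRESSED_DISC), ("DVD+R copy", BURNED_PLUS_R)):
        info = parse_physical_format_info(blob)
        print(f"{name}: book type {info.book_type}, boots={mechacon_accepts(info)}")
```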
Info
Channel: Modern Vintage Gamer
Views: 1,539,856
Rating: 4.9260502 out of 5
Keywords: sony playstation 2, sony, ps2, playstation, games, ps2 modding, ps2 hacking, mvg, modern vintage gamer, mistakes were made, modchips, messiah, neo key, freemcboot, swap magic, ps2 security, exploits, mvg ps2, swap trick, ps2 slim, ps2 phat
Id: VGMR6FHey68
Length: 12min 36sec (756 seconds)
Published: Mon Apr 22 2019