How the Sony PlayStation PS1 Security was defeated | MVG

Reddit Comments

Man, MVG has some solid videos. His whole series of "How the security was defeated" is amazing. Well worth the watch.

πŸ‘οΈŽ︎ 128 πŸ‘€οΈŽ︎ u/atzero πŸ“…οΈŽ︎ Mar 09 2020 πŸ—«︎ replies

Such quality content from this man every time. It’s like a holiday when he uploads

πŸ‘οΈŽ︎ 63 πŸ‘€οΈŽ︎ u/larxene06 πŸ“…οΈŽ︎ Mar 09 2020 πŸ—«︎ replies

M I S T A K E S W E R E M A D E

πŸ‘οΈŽ︎ 35 πŸ‘€οΈŽ︎ u/lost_james πŸ“…οΈŽ︎ Mar 09 2020 πŸ—«︎ replies

MVG alongside The 8-Bit Guy and LGR are my go-to retro tech guys

πŸ‘οΈŽ︎ 34 πŸ‘€οΈŽ︎ u/CJSZ01 πŸ“…οΈŽ︎ Mar 09 2020 πŸ—«︎ replies

Did Spyro 3 start the "troll the pirates" mentality of copy protection? Were there ever any earlier examples of games doing things like this on pirated copies?

πŸ‘οΈŽ︎ 11 πŸ‘€οΈŽ︎ u/anima22 πŸ“…οΈŽ︎ Mar 10 2020 πŸ—«︎ replies

I swear this is a re-upload.

πŸ‘οΈŽ︎ 16 πŸ‘€οΈŽ︎ u/IsaacWantCoin πŸ“…οΈŽ︎ Mar 09 2020 πŸ—«︎ replies

MVG is the MVP.

πŸ‘οΈŽ︎ 21 πŸ‘€οΈŽ︎ u/OdinsPlayground πŸ“…οΈŽ︎ Mar 09 2020 πŸ—«︎ replies

If I remember correctly, the last game remaining to have the LibCrypt sectors dumped on Redump was Sydney 2000 (Australia release): http://redump.org/disc/62664/ . After that, all PAL games protected with this system were finally documented.

However, I wish he had known about the Jackie Chan Stuntmaster big fail (http://redump.org/disc/64315/) I reported in the last Redump PS1 preservation report. xd

Obtaining info about that one is really difficult.

πŸ‘οΈŽ︎ 5 πŸ‘€οΈŽ︎ u/diegorbb93 πŸ“…οΈŽ︎ Mar 10 2020 πŸ—«︎ replies

Brilliant video, as usual. I also recommend watching this video, which gives more technical details on how the protection actually worked (as opposed to MVG's video, which focuses on explaining how it was defeated).

πŸ‘οΈŽ︎ 11 πŸ‘€οΈŽ︎ u/wrtervc πŸ“…οΈŽ︎ Mar 09 2020 πŸ—«︎ replies
Captions
The year is 1994 and a change was approaching. Sony had launched the PlayStation, and with it came a whole wave of innovation. For one, Sony's engineering team was committed to the CD-ROM format; the cartridge format that was used by Nintendo and Sega for many years prior was not even considered to be an option. CD-ROMs allowed for cheaper and more streamlined development: a development build could be burnt onto a CD and played on a test kit without too much trouble, much easier than the old cartridge format. According to Sony president Jim Ryan, compact discs gave people the appetite to take more risks. While certainly not the first CD-ROM based system, with the launch of the Sony PlayStation it introduced CD-ROMs to many gamers. Before the PlayStation many of us were using cartridges or floppy discs. Sony took full advantage of the CD-ROM format and marketed the PlayStation to a different audience than Nintendo or Sega. Over in the USA, extreme sports, racing and fighting games were very popular early on that contained licensed punk rock, metal, rap and R&B soundtracks on the disc. In the UK Sony targeted the system to the 20-something-year-old with disposable income. The underground club scene and the PlayStation went hand in hand, with Sony setting up dedicated PlayStation areas in over 50 UK underground clubs. This wasn't just video games anymore. The popular game Wipeout by Psygnosis would feature songs by The Chemical Brothers that were very popular in the clubs at the time. The CD-ROM was integral to the success of the PlayStation 1. Over on the Nintendo 64 many wondered why Nintendo stuck with the cartridge format. The PlayStation was the system that had the larger games: the 100-hour-plus RPGs, long cutscenes, full motion video sequences and amazing music soundtracks. Everything was just bigger and better. But as they say, every action has an equal and opposite reaction, and as a result of the successful CD-ROM format came piracy.

Sony knew that crackers would be snooping around the internals of the system and trying to find ways to pirate games. To combat this they came up with a simple but clever method to protect their software from any forms of backup. They also protected the console against different region discs being inserted. At first glance, if you insert a PlayStation 1 disc into a PC you can easily read and dump the contents of the disc and even make a backup copy; there was no obfuscation or encryption on these discs at all. Sony used the table of contents on the disc to store the region information of the game, but then at the mastering plant a sophisticated technique pressed this data with what's known as the wobble groove. The wobble groove was read at boot-up to determine the region encoding of the game as well as to enforce the copy protection on the disc. A consumer-grade CD burner was not capable of replicating the wobble groove during the burning process, so any backup copy that was made would be missing the wobble groove and simply be rejected by the PlayStation, and any different-region discs would also be rejected: when it was extracted from the wobble groove, the region encoding would not match what was in the PlayStation BIOS of the machine. While it was a very simple protection, the problem was it wasn't very good. With a fast hand you could perform what was known as the swap trick, whereby, forcing the lid open on the PlayStation with a pen, you could boot from an original game, and when the disc would authenticate the wobble data and begin to boot into the game, you could quickly replace the disc with a backup. Since the PlayStation believes you've passed the region check, it will boot into the game that's on the disc, and by quickly swapping discs with a backup you could get a backup to load on a PlayStation 1. This was a crude method, but it worked without a mod chip. And speaking of mod chips, it wasn't long after until mod chips started to appear that automated this process: with a backup disc that was inserted into the PlayStation 1 with a mod chip, the license string or region information would be sent back to authenticate automatically. This was a very simple and effective method because the PlayStation 1 only wants to know if it's received back a valid region string. Sony's mistake here is that they relied heavily on CD burners being far too expensive for most consumers to buy, but they scrambled when the prices started to plummet.

The PlayStation 1 was the birth of the mod chip as we know it. They were absolutely everywhere; everyone had a mod chip installed in their PS1, and even to this day, if you go to a thrift store or eBay and buy a used PlayStation 1, there is a fairly large likelihood that there is actually a mod chip installed in the device. Sony realized they had a problem. The cost of a mod chip was cheap, and pretty soon anyone who owned a PlayStation wanted to install a chip in their system. You could even go down to your local Blockbuster, rent a few PS1 games, burn them, keep the copies and return the originals. It also meant that release and cracking groups started to appear and release games on bulletin boards and FTP sites worldwide. Groups such as Kalisto, Paradox, Mops, BAD and many others not only released games but they also released trainers, or the ability to cheat in games. Adding cheat codes to most PlayStation 1 games was simple to do because there was no security or memory guarding; you could easily poke or update certain memory locations. Trainers were simple to develop on the PlayStation 1: all that was needed was a simple interrupt to update specific memory locations. This was achieved using an event handler at a memory address. Essentially this was the same method as the Action Replay cartridge on the PS1, but was installed with the game, complete with a menu intro to set the options. At the time cracking and release groups were quite experienced; many of them came from the Amiga, so the cracking, training and releasing of games was nothing new. With excellent coders, teams got quickly familiar with the PlayStation hardware, and in some countries in the world you could actually buy high-quality bootleg PlayStation 1 games that would run without a mod chip. They were obviously not original copies but utilized a custom firmware and a certain type of CD burner in order to replicate the wobble groove and allow you to play backup copies or illegal copies of PlayStation 1 games.

For a few years mod chipping and piracy was synonymous with the PlayStation 1. It seemed like nothing could be done, but in 1998, all of a sudden, newer games that were coming out stopped working on mod chips, sometimes just with a black screen or a freeze, or sometimes with this message. Sony had discovered a method to detect the presence of a mod chip. This was easy enough to do because the chip was always enabled: by simply running code to check for one, if it returned data back when it shouldn't have normally done so, it meant that an external device was installed, and Sony added additional checks in many of their games to stop this. But this in turn led mod chip manufacturers to come up with the idea of a stealth mod chip, one that would activate at boot time, pass the authentication check and then deactivate itself. But this isn't all that Sony had implemented. The second part of this protection utilized a 16-bit key that was stored in the subchannel data of a game CD-ROM. This protection was known as LibCrypt, and there were four different protection methods that utilized LibCrypt in some way. The protection itself works as follows: somewhere in the game, code is run to detect the presence of a mod chip, and the second part will decrypt the necessary 16-bit code from the LibCrypt subchannel data in order to play the game. If the first check fails then the game crashes outright; if the LibCrypt check fails an anti-piracy screen may be displayed, but in some cases games will have features removed, like for example Theme Park disabled the New Game feature in the main menu so you couldn't even play the game. LibCrypt was difficult to duplicate with a CD burner because many CD burners at the time did not even support writing subchannel data, and the ones that did almost made it impossible to make a one-to-one copy of that subchannel data. Even though stealth mod chips existed, now games needed to be cracked and the LibCrypt protection removed. This again wasn't too difficult for the experienced cracking groups, but it was an extra step in the process. Sony's options were limited, and LibCrypt was completely defeated very, very soon after it had come out. It wasn't difficult to identify and then extract the 16-bit key from the LibCrypt subchannel tracks on the CD and then completely just patch out the protection itself, and this was something that was fairly easy to do, and many cracking groups were skilled enough to remove the LibCrypt protection.

It became apparent that if the game developer and Sony stood any chance to defeat the pirates, it wouldn't be at the hardware level; rather, it needed to be performed as part of the game. In one of the most well documented cases of anti-piracy, Spyro the Dragon 3: Year of the Dragon implemented LibCrypt but also an additional layer of protection. Developer Insomniac knew that there was rampant CD piracy occurring on the PlayStation, and their previous game Spyro 2 implemented LibCrypt, which was quickly dispatched by cracking group Paradox. For Spyro 3 they came up with something even more ingenious. Spyro 3 would allow you to play through the game, but when you got to Zoe early on she would inform you that you were playing a hacked copy of the game. But what was interesting was the game didn't kick you out; it continued to allow you to play through the game, but after a while strange things started to happen. In PAL copies, games would randomly switch between English, French, German and Spanish, and various enemies would not give gems, and sometimes gems found on the ground would be removed. But there were many more things: the game would sometimes return you to the wrong homeworld or level, and if you managed to get to the Sorceress or a boss fight, the player would be sent back to Sunrise Spring with all their save data wiped. Insomniac had implemented a series of CRC checksums in the code. This meant that even if a single bit was changed, it would result in an incorrect checksum and the game would fail its anti-piracy measure.

Okay, so let's get technical for a sec. What is a CRC checksum? Well, in simple terms it's something that is used for error detection, and it has many use cases. For example, if you want to guarantee the result of a set of bytes over a network, or if you want to make sure a file has not been tampered with, then you may use a CRC process. It was a perfect solution for Spyro 3 because the algorithm is fast; there is no apparent slowdown or disc access to run the check. The CRC will take an input string or an array of bytes and apply that against a magic number or a divisor, and the output will be a value which matches the same number of bits as the input value. This is important to remember because it means that a cracker could easily manipulate the divisor or magic number in order to make it equal to what the game was expecting. But Insomniac programmer Gavin Dodd knew that this may be a weak point and obfuscated the CRC checks by adding additional checks in the same block of code but at different offsets, and to further complicate things he even used the checksum result value as part of the data being checksummed. There was also no CRC check function call, which again would have been easy to spot and patch out by crackers; rather, the checks were inlined in code, so the compiler would just apply it to the main block of code that was being run. With just one byte of difference in the code, it would fail one or any number of CRC checks and the crack protection would kick in. Gavin knew that crackers would have to patch out LibCrypt, which invalidated the copy, and that was enough to trigger the protection.

When the game was released, a few different scene groups released their crack of the game, including BAD, who patched the LibCrypt protection, and then Paradox released a crack of the game as well, but both of these were non-working; the crack protection was still in place. It took almost two months later for Paradox to release an updated Spyro 3 that was 100% patched. I reached out to the cracker known as Baby Doc to learn more about this crack. His method was to write code to hook into the game, and after the game had loaded he injected a bypass of the protection and then reapplied the original data, so when the checksum was performed the test would be correct. Sounds simple enough, but it was far from it. Back in 1999 it was a different time; there wasn't anywhere near as much of a knowledge base or information on PlayStation hardware, so they had to learn things and share information themselves. However, Paradox used an official development kit that had a homemade loader on it to boot into retail games. This meant they had access to snoop memory, and this is how Spyro 3 was able to be defeated. Baby Doc spent two weeks extracting all the data, comparing the memory dumps from an original copy of the game and repackaging it into a new file system. He had to identify all the checksums, and he had to be certain that all the checksums were caught, bypassed and reapplied with original data. This was a complicated and long process. When I asked why go to the trouble, for him it was a challenge, it was fun; there was no money involved, just knowing that you could crack a complicated protection would make you one of the best crackers in the world. For Sony and Insomniac this protection held up. After all, the first two to three weeks is where you make the majority of money selling the game on store shelves. Insomniac knew the game would be cracked eventually, but it stood firm when it needed to. But in reality there are only a small handful of games that had any additional crack protection; there was a cost associated to it, and it was pushed onto the development house, and in most cases there wasn't enough time, money and resources to consider doing it.

While the PlayStation 1 sold over 100 million systems and was a worldwide success, it was also the game console that started the mod chip craze and brought it to the household. So there you have it guys, that's the story of anti-piracy on the Sony PlayStation 1. Sony came into that generation really not understanding the security mechanisms very well, and it wasn't really their fault, I think; at the time things were a lot different than what they are today. They felt like they had done enough to stop the casual copying of games, and I guess in some ways they did, but certainly relied too heavily on the CD burners being out of the price range of most consumers to buy, but quickly tried to pivot and come up with different ways to stop piracy when burners started to fall in price significantly, and then all of a sudden everyone that had a PC had a CD burner in their PC and was quickly and easily able to copy PlayStation 1 games, and with a mod chip were easily able to run those games. In the end they certainly learned a lot of lessons from the PlayStation 1 and they beefed up security on the PlayStation 2, and I've done a video on security on the PS2, so if you're interested I'll leave a link to that video in the comments below. Hopefully you guys get a good understanding about what things Sony did kind of through each generation of this system, and you'll get a good understanding of what was going on with the security and their thought process on that particular topic. Well guys, we're going to leave it here for this video. Thank you so much for watching. If you liked it you know what to do, leave me a thumbs up, and as always don't forget to like and subscribe, and I'll catch you guys in the next video. Bye for now.
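The layered CRC scheme the video describes, as an added example in C that is not code from the video, from Insomniac or from Spyro 3: a second check covers the stored result of the first, so recomputing only the sum a patcher spotted still trips the other check. The 64-byte "function body", its offsets and its byte contents are constructed for the demonstration, and the checks are ordinary functions here rather than inlined as the shipped game did.

```c
#include <stdint.h>
#include <stddef.h>

/* CRC-16/CCITT-FALSE: divisor ("magic number") 0x1021, initial register 0xFFFF.
 * Patching the divisor or one stored result defeats a single check, hence the layering. */
#define CRC_POLY 0x1021u
uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ CRC_POLY) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Constructed 64-byte "function body" (hypothetical layout, not Spyro's real one):
 *   [0..47] code region A      [48..49] stored CRC of A (check 1)
 *   [50..61] code region B     [62..63] stored CRC of bytes 48..61 (check 2:
 *   it covers check 1's stored result together with region B) */
enum { BLK = 64, SUM1 = 48, SUM2 = 62 };

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Build-time step: store both results, check 1 first because check 2 covers it. */
void seal(uint8_t *blk) {
    put16(blk + SUM1, crc16(blk, SUM1));
    put16(blk + SUM2, crc16(blk + SUM1, SUM2 - SUM1));
}

/* Runtime check: bitmask of failed checks, 0 = intact. The shipped game inlined
 * each check at a different offset instead of exposing one function like this. */
int verify(const uint8_t *blk) {
    int failed = 0;
    if (crc16(blk, SUM1) != get16(blk + SUM1)) failed |= 1;
    if (crc16(blk + SUM1, SUM2 - SUM1) != get16(blk + SUM2)) failed |= 2;
    return failed;
}

/* Fill a block with deterministic constructed "code" bytes and seal it. */
void make_block(uint8_t *blk) {
    for (int i = 0; i < BLK; i++) blk[i] = (uint8_t)(i * 37 + 11);
    seal(blk);
}

/* A patcher who spotted only check 1: change a byte of region A and recompute the
 * sum guarding it. Check 2 still trips, because that sum is part of the data it
 * covers. Returns the verify() mask afterwards. */
int patch_and_fix_check1(uint8_t *blk, size_t off, uint8_t xor_mask) {
    blk[off] ^= xor_mask;
    put16(blk + SUM1, crc16(blk, SUM1));
    return verify(blk);
}
```

Keep each stored result away from the end of the data that another check covers: a CRC computed over data immediately followed by its own CRC is a constant independent of the data, so that layering would detect nothing.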
Info
Channel: Modern Vintage Gamer
Views: 809,924
Keywords: sony, playstation, ps1, psx, security, modding, cracking, paradox, kalisto, libcrypt, spyro the dragon, spyro 3, mvg, modern vintage gamer, mistakes were made, devkit, development kit, retro, game console, mcn mafia, reversing, trainers
Id: 7HOBQ7HifLE
Length: 15min 56sec (956 seconds)
Published: Mon Mar 09 2020