They were discovered and documented in 2013 by nocash; there was just no way to use them outside of cheat carts with Unirom or BIOS replacements until now.
If I understood anti-mod games correctly, they had an additional check for the license string. Early chips would constantly send it (even when not reading the part that is used for authentication). The game could check for the SCE* string and if it did find it (shouldn't be the case) there must be a modchip sending it.
This prevented even original CDs from being used. Modded console → No game.
Later modchips switched themselves off after authenticating the disc (guess this was the "stealth" in the later versions).
True.
But there are also some games which check for the license mid-game properly (afaik Spyro NTSC-U is one of them) and due to the nature of the unlock-mechanism used, that won't work as that licence-check is disabled.
What doesn't work with modchip and with an exploit like this one is successfully playing unpatched backups of LibCrypt protected games. They crash deliberately early on. Coincidentally I just tried it hoping RAW copy with subchannel data would work without patch… NOPE!
Then you must have ripped or burned it wrong: Reading and writing subchannel-data uncorrected and the burner must support DAO RAW _96_ (or similarly named).
Any kind of modchip being there or not doesn't affect Libcrypt at all, only if the disc is properly made (or burned).
I managed to fix my non-formatting card with a sort of new solution.
I did not have any of the mentioned CD games, e.g. Wipeout or Cool Boarders, so I was finding a way to restore my first flashed mem card.
I tried my games and found that Resident Evil can fix the corrupted card also.
1. Put Resident Evil disk in PS2
2. Wait for it to load
3. Insert the flashed memory card
4. The memory card is recognised but does not contain any saves
5. Play the game till you can save at typewriter
(Playing as Chris, you will be able to save faster)
6. You will be able to save (requires 1 block)
7. Once saved, restart your PS2
8. Go into browser and PS1 mem card is there
9. Now you can use MC app to format
10. Restore your original backup of mem card
It's a great lil exploit and glad there are ways to get your card to function again.
But there are also some games which check for the license mid-game properly (afaik Spyro NTSC-U is one of them) and due to the nature of the unlock-mechanism used, that won't work as that licence-check is disabled.
[…]
Then you must have ripped or burned it wrong: Reading and writing subchannel-data uncorrected and the burner must support DAO RAW _96_ (or similarly named).
Any kind of modchip being there or not doesn't affect Libcrypt at all, only if the disc is properly made (or burned).
Good point. My newer drives are missing this capability. Thank you! Never had any luck burning LibCrypt games without crack. Grubbing through my old stuff in the attic I quickly found an older burner supporting this write mode, plugged it into a Windows XP machine and Alcohol 120% created a seemingly working copy (tested for about ½ hour) of a protected game. If this really works out, I'm going to replace my cracked backups containing the crappy "We are the greatest!!11!"-intros by the cracking groups with clean copies.
Hey, I've released version 1.1 yesterday: see release 1.1 on the github repo; I cannot post a link since I'm a new member.
So far it has been confirmed working on BIOS 2.0, 4.1, 4.5. Some feedback would be nice for other BIOS versions. I've also just added support for SCPH-7000 and SCPH-7000W (the image files are not in the release, but they are in the repo).
If you can test the latest images on real hardware and report the status here, I'd be grateful (make sure you test the latest images - they overwrite a different address compared to the previous ones). If it doesn't work, make absolutely sure you have the correct image file and that you wrote the image file to the memcard exactly as it is. If possible, read back the memory card and compare with the original image file.
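The read-back comparison suggested in the post above can be done frame by frame, so a mismatch points at the part of the card that was written incorrectly. This is an added example, not part of the original post or of the FreePSXBoot project; it assumes both files are raw 128 KiB card dumps without a container header, and the sample data is constructed.

```python
FRAME_SIZE = 128                 # a PS1 memory card is read and written in 128-byte frames
FRAMES_PER_BLOCK = 64            # 64 frames make one 8 KiB save block
CARD_SIZE = 1024 * FRAME_SIZE    # raw image size: 131072 bytes


def differing_frames(original: bytes, readback: bytes) -> list:
    """Return the frame numbers whose contents differ between two raw images."""
    for label, data in (("original", original), ("read-back", readback)):
        if len(data) != CARD_SIZE:
            # A wrong size usually means a container format or a truncated dump.
            raise ValueError(f"{label} image is {len(data)} bytes, expected {CARD_SIZE}")
    return [
        n for n in range(CARD_SIZE // FRAME_SIZE)
        if original[n * FRAME_SIZE:(n + 1) * FRAME_SIZE]
        != readback[n * FRAME_SIZE:(n + 1) * FRAME_SIZE]
    ]


def as_ranges(frames: list) -> list:
    """Collapse sorted frame numbers into inclusive (first, last) runs."""
    runs = []
    for n in frames:
        if runs and n == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], n)
        else:
            runs.append((n, n))
    return runs


def describe(original: bytes, readback: bytes) -> list:
    """One line per mismatching run, with the save block it starts in."""
    return [
        f"frames {a}-{b} differ (block {a // FRAMES_PER_BLOCK})"
        for a, b in as_ranges(differing_frames(original, readback))
    ]


def make_sample():
    """Constructed data: a patterned image and a copy with three damaged frames."""
    original = bytes((i * 7) & 0xFF for i in range(CARD_SIZE))
    readback = bytearray(original)
    readback[3 * FRAME_SIZE] ^= 0xFF
    readback[4 * FRAME_SIZE + 127] ^= 0x01
    readback[64 * FRAME_SIZE + 5] ^= 0x80
    return original, bytes(readback)


if __name__ == "__main__":
    for line in describe(*make_sample()):
        print(line)
```

An empty result from `differing_frames` means the card holds the image exactly as it is in the file.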
Since I'm not a developer I'm always happy if I can contribute a small thing:
Small PSone, SCPH-102 (PAL) BIOS 4.4 working perfectly with Freepsxboot-unirom-fastload-20210421-bios-4.4.mcd
The console has an (unknown) modchip so I can't say anything to the nocash unlock on this one. Hope the modchip is not a problem.
The same MC works on another SCPH-102 without modchip. The second console has BIOS version 4.5 but I didn't flash the 4.5 specific image to the MC (found out about this device being a 4.5 after starting FreePSXBoot).
Backups loading perfectly.
Don't have any other models besides one with the already tested 4.1
Edit:
The files for 4.3, 4.4 and 4.5 appear to be the same anyway.
Thanks for the feedback. The files are indeed the same, the BIOSes are different but happen to have the same stack pointer value when the exploit triggers, and also allow the same instruction to be overwritten. Nevertheless, if we improve yet again the exploit, the files may end up being different.
Thanks for the feedback. Someone reported recently that BIOS version 2.2 (A) was not working, and I had mistakenly assumed that BIOS 2.2 (E) was the same as 2.2 (A), as it's the case for versions 4.1, 4.4, and 4.5.
So I've updated again the images, and the BIOS list. There is also a fix which caused the exploit to freeze on some BIOS versions; this is fixed by reading a dummy frame from the memory card before loading the actual payload. All the updated images are on github (not in the release, but in the download links on the main repo page). I am waiting for the Unirom author to update his code, and I will do a release once it's ready.
I will test the new images later this day and post results. I've bought an additional console, SCPH-1002 (E), for testing. If I stumble upon more models, I will buy them. Flea markets not existing anymore makes this a lot harder (and more expensive).
Edit:
Tests done with the new images from 30th of April 2021.
Results: Not a single problem, regression or failure (100% success rate, CD-R loading perfectly) with any of those:
SCPH-1002, BIOS 2.2 12/04/95 E, CRC32: 1E26792F
SCPH-9002, BIOS 4.1 12/16/97 E, CRC32: 318178BF
SCPH-102, BIOS 4.4 03/24/00 E, CRC32: 0BAD7EA9 (has unknown modchip)
SCPH-102, BIOS 4.5 05/25/00 E, CRC32: 76B880E5
Also perfectly working: Formatting memory card with Unirom to prevent Memory Card Annihilator on the PS2 from crashing.
Can't do more at the moment. As mentioned, if I find more consoles, I'll buy them. Not much hope here. Imported NTSC consoles will be even harder to get.
Boy, the PlayStation 1 sure got a lot of hardware revisions and BIOS versions.
Showing which FreePSXBoot images are the same at the moment by checksum:
1e5bf9d8c4915315265dbf7086a2520c freepsxboot-unirom-fastload-20210430-bios-2.0-1995-05-10-E-9bb87c4b.mcd
21700c491b620821248a786d93a5598a freepsxboot-unirom-fastload-20210430-bios-4.1-1997-11-14-A-b7c43dad.mcd
21700c491b620821248a786d93a5598a freepsxboot-unirom-fastload-20210430-bios-4.1-1997-12-16-A-502224b6.mcd
21700c491b620821248a786d93a5598a freepsxboot-unirom-fastload-20210430-bios-4.1-1997-12-16-E-318178bf.mcd
2a0c258b112b9c311d3f455e5e824202 freepsxboot-unirom-fastload-20210430-bios-2.1-1995-07-17-I-bc190209.mcd
2a0c258b112b9c311d3f455e5e824202 freepsxboot-unirom-fastload-20210430-bios-2.2-1995-12-04-I-24fc7e17.mcd
2a0c258b112b9c311d3f455e5e824202 freepsxboot-unirom-fastload-20210430-bios-3.0-1996-09-09-I-ff3eeb8c.mcd
4966a362e63a950a460b873832ab47e6 freepsxboot-unirom-fastload-20210430-bios-2.1-1995-07-17-A-aff00f2f.mcd
4966a362e63a950a460b873832ab47e6 freepsxboot-unirom-fastload-20210430-bios-2.2-1995-12-04-A-37157331.mcd
4b40669b3a3a47d184610c94dcca39ab freepsxboot-unirom-fastload-20210430-bios-3.0-1996-11-18-A-8d8cb7e4.mcd
4b40669b3a3a47d184610c94dcca39ab freepsxboot-unirom-fastload-20210430-bios-4.0-1997-08-18-I-ec541cd0.mcd
6654289a9d916bc906ee4651d69ec7d6 freepsxboot-unirom-fastload-20210430-bios-3.0-1997-01-06-E-d786f0b9.mcd
79b0452db10adb045ed7aa8f95d8a6de freepsxboot-unirom-fastload-20210430-bios-4.3-2000-03-11-I-f2af798b.mcd
79b0452db10adb045ed7aa8f95d8a6de freepsxboot-unirom-fastload-20210430-bios-4.4-2000-03-24-A-6a0e22a0.mcd
79b0452db10adb045ed7aa8f95d8a6de freepsxboot-unirom-fastload-20210430-bios-4.4-2000-03-24-E-0bad7ea9.mcd
79b0452db10adb045ed7aa8f95d8a6de freepsxboot-unirom-fastload-20210430-bios-4.5-2000-05-25-A-171bdcec.mcd
79b0452db10adb045ed7aa8f95d8a6de freepsxboot-unirom-fastload-20210430-bios-4.5-2000-05-25-E-76b880e5.mcd
a0020be10e32260b06a4decdf3716e59 freepsxboot-unirom-fastload-20210430-bios-2.1-1995-07-17-E-86c30531.mcd
a0020be10e32260b06a4decdf3716e59 freepsxboot-unirom-fastload-20210430-bios-2.2-1995-12-04-E-1e26792f.mcd
a0686a864e378537a971ae79904c8f5a freepsxboot-unirom-fastload-20210430-bios-2.0-1995-05-07-A-55847d8c.mcd
ada128288fcd35269b67bed97d2ee2d6 freepsxboot-unirom-fastload-20210430-bios-1.0-1994-09-22-I-3b601fc8.mcd
cd3abde84054c9442b63dfd08c689396 freepsxboot-unirom-fastload-20210430-bios-1.1-1995-01-22-I-3539def6.mcd
It's interesting what mc-images are the same for which BIOS-versions.
3.0 US and 4.0 JP?
2.1, 2.2 and 3.0 JP?
2.1 US/EU and 2.2 US/EU, but then 3.0 EU all alone?
Funny.
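The grouping discussed above can be derived mechanically from `md5sum` output instead of by eye. This is an added example, not part of the original posts or of the FreePSXBoot project; it assumes the file-name layout seen in the listing (`...-bios-<version>-<date>-<region letter>-<BIOS CRC32>.mcd`), and the digests and file names in `SAMPLE` are constructed placeholders.

```python
import re
from collections import defaultdict

# md5sum output: 32 hex digits, whitespace, optional '*' (binary mode), file name.
LINE_RE = re.compile(
    r"^(?P<digest>[0-9a-f]{32})\s+\*?\S*"
    r"bios-(?P<version>\d+\.\d+)-(?P<date>\d{4}-\d{2}-\d{2})"
    r"-(?P<region>[A-Z])-(?P<crc>[0-9a-f]{8})\.mcd$"
)

# Constructed sample: placeholder digests and made-up BIOS versions.
SAMPLE = """\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  demo-20990101-bios-9.1-2099-01-01-A-00000001.mcd
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  demo-20990101-bios-9.2-2099-02-01-E-00000002.mcd
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  demo-20990101-bios-9.0-2098-12-01-I-00000003.mcd
not an md5sum line
"""


def group_images(md5sum_output: str):
    """Map each digest to the BIOS builds whose image file has that digest.

    Returns (groups, skipped); skipped holds lines that did not parse, so a
    renamed or mistyped file is reported instead of silently dropped.
    """
    groups = defaultdict(list)
    skipped = []
    for raw in md5sum_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped.append(line)
            continue
        groups[m["digest"]].append((m["version"], m["region"], m["date"], m["crc"]))
    return dict(groups), skipped


def shared_sets(groups: dict) -> list:
    """Label lists for every digest that more than one BIOS build shares."""
    shared = [
        sorted(f"{version} {region} ({date})" for version, region, date, _ in builds)
        for builds in groups.values()
        if len(builds) > 1
    ]
    return sorted(shared)


if __name__ == "__main__":
    groups, skipped = group_images(SAMPLE)
    for labels in shared_sets(groups):
        print("same image:", ", ".join(labels))
    print("unparsed lines:", skipped)
```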
Just to add, I tried backups of NTSC and PAL (my region) and both worked perfectly. Also, the 1st time ever I've been able to play a backup of Vib Ribbon (after many previous, failed, attempts through the years with emulation).
I managed to fix my non-formatting card with a sort of new solution.
I did not have any of the mentioned CD games, e.g. Wipeout or Cool Boarders, so I was finding a way to restore my first flashed mem card.
I tried my games and found that Resident Evil can fix the corrupted card also.
1. Put Resident Evil disk in PS2
2. Wait for it to load
3. Insert the flashed memory card
4. The memory card is recognised but does not contain any saves
5. Play the game till you can save at typewriter
(Playing as Chris, you will be able to save faster)
6. You will be able to save (requires 1 block)
7. Once saved, restart your PS2
8. Go into browser and PS1 mem card is there
9. Now you can use MC app to format
10. Restore your original backup of mem card
It's a great lil exploit and glad there are ways to get your card to function again.
This is exactly what I did to fix one of my cards too, except I used RE2! I think I might've been using an old version of FreePSXBoot though, because I couldn't do it a second time. Say you used the wrong payload for your BIOS and now your memory card is broken. You can fix it without special PC hardware.
1. Use a second memory card and a PS2 to install TonyHax. This is the only step that requires a PS2.
2. Make a Unirom boot disc using the latest version. This ran on my PS1 with a Verbatim disc at 16x speed.
3. Use TonyHax to start the Unirom boot disc on PS1
5. Scroll to Memory Cards
6. Highlight files on the FreePSXBoot memory card, press X, then Format
As of version 1.3.3, TonyHax will block FreePSXBoot. This means you can use a memory card manager without crashing your console! I tried these steps on a PS2, but Unirom, while functional, has garbled text.
It is now possible to run FreePSXBoot on a memory card on slot 2, and to keep the memory card plugged in while playing a game (the kernel is patched by FreePSXBoot to disable the memory card on slot 2, so games will only see a memory card connected in slot 1).
I am (as always) looking for feedback on the slot 2 exploit. It has been tested on a few models and works fine on these, but it may not be the case on all models.
You can download the slot 2 images on github directly from the home page of the repository (there is no tagged release yet, waiting for more feedback). Slot 1 images are still provided for users of the Memcard Pro, or in case of incompatibility.
Same consoles as last time:
SCPH-1002, BIOS 2.2 12/04/95 E, CRC32: 1E26792F
SCPH-9002, BIOS 4.1 12/16/97 E, CRC32: 318178BF (difference to last time: I've soldered in a PsNee…)
…but I also now have this one:
SCPH-7502, BIOS 4.1 12/16/97 E, CRC32: 318178BF
SCPH-102, BIOS 4.4 03/24/00 E, CRC32: 0BAD7EA9 (has unknown modchip)
SCPH-102, BIOS 4.5 05/25/00 E, CRC32: 76B880E5
Sadly still only PAL consoles. I have no idea where/how I could get a bunch of NTSC-U and NTSC-J for an acceptable price. My test only got three distinct Slot-2 memory card images covered since the md5sum for BIOS 4.4 and 4.5 are still the same.
Results:
Unirom working like before. Formats memory cards for allowing new images to be flashed on the PS2 flawlessly. The game I loaded from CD-R was Castlevania – Symphony of the Night since it allows accessing Slot-2 for saves as well. The game simply states "Error!" for Slot-2, offers formatting MC2 but fails. Seems your kernel patch works perfectly.
The SCPH-102 with the unknown modchip crashed once, but I'm willing to file that under user error. Maybe I closed the tray too early and the modchip already tried starting the game. I tried it more than a dozen times afterwards → No problem.
Conclusion for my test devices: Perfect!
I have tested saving and loading with a few games and so far all of them work as expected (though strangely MGS will be stuck retrying on slot 2 if it sees no card connected there, but that's not due to FreePSXBoot).
The only case it could fail is if a game reimplements completely the memory card reading code instead of using the BIOS calls; so far I don't know of any such game.