Modding my PS1 - Chipping (PSX-VX Part I)

WHAT
[All the source code can be found here: https://github.com/electrojack/psxvx]
I recently decided to mod a PS1.
After a lot of research I found that the info about chipping was not easily understandable.
The reason is that there are many PS1 motherboards, several different modchips and scarce precise how-tos.

The different PS1 boards are here: https://en.wikipedia.org/wiki/PlayStation_models#Comparison_of_models
The one I bought is a PU-18.

Nearly everybody use PIC modchips but I have ATtiny chips so I used one: a ATtiny13 that was laying around.

If you read that you should know about the protection used in the PS1. If not, read this: https://twitter.com/foone/status/974277587764523010

Now the problem is: where and how should I inject the "SCEE" string?


WHERE
The SCEE string should replace the one actually read on the disk.
This string is sent on a Data line that is accessible on the back of the motherboard.
Also the actual output must be muted so that we can send the SCEE string without it being messed with with the actual data.
Fortunately this muting can be done by putting low a single accessible signal: the so-called Gate pin.

This image shows the back of a PU-18. (bottom left in this picture: http://wiki.psxdev.ru/images/c/ca/PU-18%28b%29.jpg)
On this picture (1) is VCC, (8) is GND, (6) is DATA and (5) is GATE.

HOW
Now that we know the pin (DATA = 6) to monitor, I used my logic analyzer to see the signal I'll have to reproduce.
So I put a legit game CD in the PS1, put my D3 channel on the DATA pin and logged the signal.

And here it is, we can see the "SCEE" string.
This is UART, 250 bits/s, LSB-first.
This info is (fortunately) the same than what we can read here: https://problemkaputt.de/psx-spx.htm#cdromprotectionmodchips

CHIP FIRMWARE
With this info I made the following software and uploaded it on my ATtiny13 (fuses: H:FF, L:6A).
You can find it here: https://github.com/electrojack/psxvx/tree/master/part1_chipping

#define SETOUTPUT(ddr, n) ddr |= _BV(n);
#define SETINPUT(ddr, n) ddr &= ~_BV(n);
#define SETHIGH(port, n) port |= _BV(n);
#define SETLOW(port, n) port &= ~_BV(n);
#include <avr/io.h>
#include <util/delay.h>
#define gate 3
#define data 4
#define bitdur 4
#define pause 72
char scee[4] = "SCEE";
void wb(){_delay_ms(bitdur);}
void uart_start(){SETHIGH(PORTB, data);wb();}
void uart_stop(){SETLOW(PORTB, data);wb();}
void inject_scee(){
    for(int i=0;i<4;i++){
        uart_start();
        for(int j=0;j<8;j++){
            char val = ((scee[i] & (1<<j)) == 0);
            if(val){
                SETHIGH(PORTB, data);
            }else{
                SETLOW(PORTB, data);
            }
            wb();
        }
        uart_stop();
        uart_stop();
    }
    _delay_ms(pause);
}
int main(){
    OSCCAL = 69;
    SETOUTPUT(DDRB, data);
    SETOUTPUT(DDRB, gate);
    while(1){
        inject_scee();
    }
}

After analyzing the output, it's really close to the expected signal.


DOES THIS WORK?
Well...
The PS1 still reads genuine disks so I didn't kill it.
Also I guess that means that the data I inject is recognized as valid.

Booting burned disks is another story as none managed to boot.
I should state that my burned disks are pretty damaged though.

I have no CD burner so I can't test much further.
Although I think it's more or less working for two reasons:

• all the burned disks I tried manage to go to the Playstation screen
• one burned CD (Grand Theft Auto) it managed to go to the anti-piracy screen

Still, something must be off because the GTA disk plays normally on another PS1.

WHAT NOW
Two things:
 - fix this to make it actually boot games
 - check whether this chip passes the anti-modchip games (like FFVIII)


EDIT 1:
I tried to clean the lens and changed some timings (I've yet to update the code).
Now GTA sometimes manages to boot, but even then the intro lags a lot.
No other burned CDs boot after the Playstation splash screen.
I have to test a clean burned CD.

EDIT 2:
I moved the laser pot a bit, around 1/16 turn (I don't have any oscilloscope laying around right now), and it now loads both GTA and Vigilante 8 nearly as easily as on the other PS1 I was able to try.
The other games are officially dead according to that PS1.
I still have to perfectly adjust the pot with a scope and finely adjust the timings of the chip software and I guess it would then work flawlessly.

Also, my chip relies on its internal oscillator, which means that its timings may be off because it needs calibration (through the OSCCAL register) and the temperature of the chip affects it.

The correct way to fix this is to use an external oscillator, from the PS1 for exemple.

CONCLUSION
Success!

The PS1 is chipped and boots burned disks.

That was all I wanted so I won't spend more time on this but in order to cleanly finish this work I still have to precisely set the laser pot and fix the oscillator problem.