A tale overheard at Stompin' Wombat's Intergalactic Trading Post

Zilog vs. Microchip

Again, a historical note: read my original notes. They're relatively accurate, but they don't tell the whole story.

The Old Crow's microcontroller of choice since 1983 is Zilog's Z8 series. These formed the core computer circuit of just about every device I designed for 15 years. Here is an example; this board is a PID process controller built as a single card and designed to network with 14 other cards in a 19-inch rack frame. Seeing as I knew this microcontroller series extremely well, it made perfect sense to use it as the platform for research on these mod chips. It was at that point late October of 1996, and a friend sent me a mod chip (remember, this was my newly invented term for it--I wish I had the foresight at the time to register the domains modchip.* and modchips.*, but I was not one given to the vanity domain craze certain friends that worked at ISPs seemed to enjoy). This newly-arrived chip was of the chopped-off 14-pin variety, but the big feature was it needed only six connections. By good external fortune, someone had saved me an additional week or two of work as I did not need to study the 4 no-longer-needed signals. About this same time the first rumors of an 8-pin PIC from Microchip were starting, and I was resolved to get my work onto one of those chips by the end of January 1997, as soon as I learned the mantra of PIC programming.

Since a 6-wire chip had four known-by-default connections: power, ground, clock and reset, this left only two connections to actually study using a "black-box" analysis method. This means that one does not care what actually exists inside the "black box" (in this case the 6-wire mod chip); the researcher is only concerned with producing the same results. As described in my historical note, above, I used a logic analyzer with a huge sample buffer and simply captured the transitions of these two signals from the point of reset to the point a disc booted. Diagrammatic analysis of the captured signals ultimately showed me what I was looking for: the key to this entire mod chip phenomenon--a repeating pattern of digits that somehow told the PSX to boot this disc.

Just How Does a Game Disc Get Authenticated, Anyway?

PSX region coding exists for much the same reason DVD region coding does: to control the release of a title into the worldwide market. Not all games (or DVD movies) are introduced at the same time everywhere. Consider the DVD: in many cases, a film may still be playing in one region while the DVD release has occurred in another. If the DVD was released while still in theatres in the same area, people would end up renting the DVD and the cinema box-office receipts--where the bulk of the return on investment occurs for a film--would drastically suffer. Thus, the DVD is not made available there until such time the film has left the theatres. The region coding assists in this control as a region 1 disc (North America) won't play in a non-region 1 player, thus protecting that market from premature saturation...unless of course the player has been modified. (DVD mod chips have long since outnumbered PSX mod chips, but the idea is the same: convince the machine it is booting/playing a disc of the proper region and type).

In the case of video games, they are typically released in Japan first, and the rest of the world second, save for those cases where a game originates elsewhere (usually the USA). Now, while the Japanese<->English (or other language) barrier hampers the usefulness of imported games, there are enough hardcore gamers using the PSX that they can affect the domestic release of a game. (Note: this is far less true of RPGs. 95% of US RPGers will also purchase the domestic release of a title simply because they want to play it again, this time understanding the story.) The Old Crow falls into the other 5%--we can understand Japanese well enough to effectively play the games. Getting a PSX to boot my import TokiMemo game would mean I would not have to savage the drive spindle by swap-booting anymore.

The PSX game discs took advantage of the way CD optical mechanisms track the disc surface in order to implement their region coding method. When the laser of the optical 'head unit' activates, it is split into three coherent beams that impinge on the disc surface in a sort of slanted-dot pattern. The center beam is used to detect the edges of the 'pits' and 'lands' of a data track (including redbook audio) and thus provide the demodulator circuit with signals to turn into data usable by whatever device is attached--in this case a 32-bit MIPS R3000 computer with attached graphics engine and audio processor. The two outer beams coming off the beam splitter have a different function: they track the 'wobble groove' of the disc in order to provide active feedback to the servo control system that keeps the optics aligned with the disc surface. This wobble groove is analogous to a frequency standard in that it is a fixed signal with no modulated content. Now, the region coding designers had a clever idea: why not encode a small portion of the wobble groove such that the tracking signals could temporarily be used to recover an embedded data block? This is exactly how a PSX game disc is made, and why it cannot be copied: the wobble groove is not a user-definable part of the ISO-9660 mode 2 (XA) format. Therefore, when a copy of an original game disc is made, the writing drive uses a standard "in-spec" wobble groove signal.

Now that the source of the authentic region code is defined, it can be observed. The 'wobble data' used by the servo controller to track the disc is also sent over to the microcontroller that supervises the drive's operation. Since the raw signal from the amplified optical photodiodes' output (part of the drive) is not conditioned to the voltages expected by the CD microcontroller, something must be done to convert this signal into the proper form, otherwise the microcontroller would get fried. This is the task of a simple yet crucial (to the success of a mod chip) level-converting operational amplifier circuit. It takes in a bipolar 8 volt signal and outputs a comfortable 3.3V signal that the microcontroller would like.

When booting a game, the main CPU first goes through some housekeeping code to initialize the machine. It then checks for the presence of a CD and determines if it is redbook audio (music CD) or CDROM-XA (data disc aka game CD). If it is a music CD, the CD player program is bootstrapped from system ROM. If it is a game disc, however, the main CPU will instruct the CD microcontroller (sub-CPU) to clear the 'region valid' flag (that is, one of the microcontroller's internal program-defined register data bits acting as the flag) and then the main CPU issues a command to the sub-CPU to read the wobble groove in a specific area of the disc. This is visibly noticeable when the disc speed slows down for several seconds and speeds up again: the laser head is moved to a specific track and the spindle motor is told what RPM to use, and the result on the 'wobble data' pin of the microcontroller should be a region code. The sub-CPU reads in this serial wobble data and forms it into bytes. The bytes form a 4-digit ASCII word that is the true region code string.

This code string is internally compared by the sub-CPU to a string embedded in its program ROM. If they match, the region is valid, and the 'region valid' flag is set. If they do not match, the flag is not set. The sub-CPU tells the main CPU it is done, and the main CPU reads the result. If it sees the flag is set, it starts booting the game. If it sees the flag is clear (not set), then it aborts to the "Insert PSX CD" screen and idles until the disc-change (door switch) signal is seen by the sub-CPU and the whole process repeats.
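The check sequence described above, modelled in C as an added example (not the console's firmware and not code from the original article). The bit framing (plain 8-bit bytes, most significant bit first), the placeholder ROM string "RGN1" and all function and type names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REGION_LEN 4

/* Constructed placeholder; the article does not give the real ROM string. */
static const char ROM_REGION[REGION_LEN] = {'R', 'G', 'N', '1'};

/* Assumed framing: plain 8-bit bytes, most significant bit first. */
typedef struct {
    const uint8_t *bits;   /* one sampled pin level (0 or 1) per entry */
    size_t count;
    size_t pos;
} wobble_pin;

static bool region_valid;  /* models the sub-CPU's 'region valid' flag */

/* Sub-CPU: shift serial samples from the pin into REGION_LEN bytes. */
static bool read_region(wobble_pin *pin, char out[REGION_LEN]) {
    for (size_t i = 0; i < REGION_LEN; i++) {
        uint8_t byte = 0;
        for (int b = 0; b < 8; b++) {
            if (pin->pos >= pin->count)
                return false;              /* stream ended early */
            byte = (uint8_t)((byte << 1) | (pin->bits[pin->pos++] & 1u));
        }
        out[i] = (char)byte;
    }
    return true;
}

/* Main CPU view: clear the flag, request the read, then act on the flag. */
bool boot_check(wobble_pin *pin) {
    char code[REGION_LEN];
    region_valid = false;                  /* cleared before every attempt */
    if (read_region(pin, code) && memcmp(code, ROM_REGION, REGION_LEN) == 0)
        region_valid = true;
    return region_valid;  /* true: boot game; false: "Insert PSX CD" screen */
}

/* Helper for constructed sample input: expand a string into pin samples. */
size_t to_bits(const char *s, size_t n, uint8_t *out) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        for (int b = 7; b >= 0; b--)
            out[k++] = (uint8_t)(((unsigned char)s[i] >> b) & 1u);
    return k;
}
```

The flag is derived solely from the levels sampled on the 'wobble data' pin and a fixed string in ROM, which is the trust assumption the whole scheme rests on.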

How a Mod Chip Works, and, Why Mod Chips Worked in the First Place

The Old Crow