Commercial Homebrew
FAQ on creating a commercial PS1 title
These questions and discussions have come up repeatedly on the Discord server, to the point that it is worth having a dedicated page summarizing the result of these talks. This page covers the practicalities of publishing a commercial title for the PlayStation 1, both the legal and the technical issues this entails.
Legality of commercial homebrew
Fair warning first: the authors are not legal scholars, and this does not constitute legal advice in any way whatsoever. This is rather a list of facts and points about the legality of creating commercial homebrew software for the PlayStation 1.
The console was designed by Sony so that, technically, only Sony can publish a game for it, but Sony has no legal way to prevent people from publishing what were at the time called "unlicensed" products. These existed for other consoles such as the Super Nintendo, but no unlicensed game was ever released for the PlayStation 1, most likely because of the technical challenges described below. Unlicensed discs were still produced, however, such as the Action Replay, the GameShark, or the Import Player.
A very important detail about most of these unlicensed titles is that they did not use the tools and libraries published by Sony, most likely to preemptively avoid legal challenges, as the Psy-Q SDK is most definitely copyrighted material. This may be much less relevant today, 30 years after the initial release of the console, as Sony may no longer care about enforcing its copyright on this old SDK, but that copyright technically remains valid for at least another half century. Additionally, there have been known cases where big publishers have been nervous about developers using unlicensed SDKs, such as when Valve politely requested that the developer of Portal 64 cease their work. This means that using Psy-Q in your commercial homebrew might face somewhat more challenges than if you weren't using Sony's copyrighted material in it.
Technicalities of commercial homebrew
The major blocker for homebrew on the PlayStation 1 is the usability problem of booting the software on the machine. While the console's copy protection is easily defeated with a modchip or an Optical Drive Emulator (ODE), this still represents a hurdle that some people might consider too big for the UX of booting a commercial homebrew title. We will first discuss why modchips or ODEs are needed, with the technical details, and then list the potential alternatives with their associated pros and cons.
The hardware PlayStation 1 copy protection
The console's CD-ROM controller refuses to read data discs that weren't manufactured with a method unique to Sony. Here are the details of how this actually works.
A pressed CD is a sandwich of various materials, the important one being a thin aluminum layer with microscopic pits in it, arranged in a spiral starting from the inner ring of the disc and winding towards the outer ring. A blank CD-R, on the other hand, uses a different sandwich to work properly, the two important layers being: (1) a thin layer of organic dye which the burner's laser can mark, and (2) a thicker polycarbonate substrate with a spiral groove cut into it. The grooved substrate serves several goals. The main one is to guide the burner's laser when it marks the dye layer while writing, as the mechanics of an unguided laser wouldn't otherwise have the precision needed to position the laser at such microscopic distances. Another goal is to provide the laser with a "tempo", in the form of a continuous wobble of the spiral. In practice this means the spiral does not have a constant width, but instead wobbles throughout its whole length, creating a 22.05kHz signal that the writing laser can use to infer the writing rate, instead of relying on an extremely precise rotation speed. And the last goal, the one relevant for us here, is to provide a side channel through which the burner gathers information about the inserted CD-R. What is called the ATIP is an encoded stream of data, readable near the beginning of the disc, carried as a secondary modulation of the 22.05kHz wobble carrier. On a normal CD-R, the ATIP contains information useful to the burner software, such as the manufacturer id, the length of the spiral, the power required, the maximum speed, etc.
A CD optical pickup works by having several photodiode sensors arranged in a very specific pattern. Two of these sensors are used to track the position of the spiral, and the ATIP can be decoded using these same sensors. In other words, the groove's wobble isn't detected directly, but only through its influence on the diffraction of the laser. Sony used this to create the PlayStation 1 copy protection mechanism: their officially licensed discs are pressed with an aluminum layer whose pits are of variable width, simulating the presence of the wobbly spiral groove of a CD-R. This allows them to encode license information in a way that is extremely difficult to replicate. The encoding is somewhat similar to a normal ATIP, with different frequencies and data. Three main values exist in this special ATIP: "SCEI" for discs licensed to boot in Japan, "SCEA" for discs licensed to boot in the other NTSC regions, and "SCEE" for discs licensed to boot in the PAL regions. Each console looks exclusively for its own region's string, meaning this copy protection also doubles as a region lock.
The software PlayStation 1 copy protection
Certain versions of the PlayStation 1's BIOS have another layer of protection: they compare the data in the first few sectors of a disc with known copies stored inside the BIOS ROM chip, similar to how the Game Boy's boot ROM checked that the cartridge carried a proper copy of the Nintendo logo. All of the Japanese versions of the console, and some of the late PSOne European variants, have this check. Importantly, this check is technically very easy to defeat, since this data is perfectly writable on a CD-R, but since two variants of the check exist with different data, it is impossible to create a single disc which matches both. At the time, this was Sony's way of doing some amount of additional region locking. Some, but not all, modchips defeat this software protection.
Defeating the copy protections using modchips
Without going into too many details, modchips have many different features and overall are able to defeat the two copy protections described above. They require soldering a chip inside the console, which then injects various pieces of data into different chips, in order to (1) fool the CD-ROM controller into thinking it read the license string from the ATIP, and (2) patch the BIOS to remove the software copy protection which only exists in certain machines.
This used to be the most mainstream way to run unlicensed software on the machine back in the day, alongside the infamous "disc swap" method which we will briefly talk about a bit later.
While the cost of a modchip is very low, given the physical modifications required to install one in a console, it can be considered bad form to require the user to have a modchip in order to run one's commercial homebrew title.
Defeating the copy protections using ODEs
Optical Drive Emulators effectively bypass the whole mechanical drive of the console. They usually allow loading a disc image straight from an SD card or similar storage, and behave as if a real disc had been inserted into the console. The various existing (and potentially future) ODEs for the console all require at least opening the console and doing some amount of physical modification inside it. Their prices are also typically much higher than those of modchips, so this can be perceived as an impossible hurdle for buyers of commercial homebrew titles.
Pressing discs with the Sony ATIP
This has been done by at least two different companies. Datel published bootable discs containing the Action Replay on both the PlayStation 1 and PlayStation 2, and some unnamed Chinese company used to offer disc pressing services which were used to publish the Import Player on the PlayStation 1 and the HDLoader on the PlayStation 2.
However, no other disc pressing plant is known to have been able to replicate Datel's findings, meaning that so far we have no publicly available commercial method to press bootable PlayStation 1 or PlayStation 2 discs. Some efforts have been made, without much success so far.
One important detail is that the ATIP is encoded within the TOC area of the disc, and what has been observed on the Action Replay, the Import Player, and the HDLoader discs is that they were produced by replicating the TOC section of existing retail discs. For instance, HDLoader's TOC information is exactly the same as that of the official video game Crazy Taxi. This indicates that the pressing efforts done by these companies at the time didn't find a method to create the spiral from scratch, but instead blindly replicated an existing one from a retail disc, then replaced everything after the TOC area with their own content. This also creates the limitation that these unlicensed discs don't have the liberty of creating an arbitrary TOC, and must instead rely on the one the disc pressing plant managed to replicate, which means no viable CDDA, for instance.
Replicating Sony's ATIP using a custom burner firmware
Someone managed to modify their burner's firmware to modulate the power level of the burner's laser when writing the TOC area, in order to simulate the modulation of the spiral's width and encode the Sony license information there. While seemingly promising, the method is currently reported to be pretty unreliable, with boot success rates low enough to be a UX hurdle for a commercial homebrew title, most likely because the CD-R's own ATIP, coming from its wobble, gets in the way of reading the data, and also because this makes it harder for the drive to read the actual TOC information. This also requires a very specific CD-R burner and the willingness to change its firmware, though for someone who wants to sell a commercial homebrew title this isn't that big of a deal.
Getting CD-Rs which can boot natively on a console
This is something which is frequently asked and discussed, but remains purely theoretical. In theory, it may be possible for a CD-R manufacturer to create custom CD-Rs with an ATIP which, instead of the normal CD-R ATIP information, carries Sony's ATIP with the various license strings. Leaving aside the fact that it is yet to be proven that a CD-R manufacturer would be either willing or able to produce such custom CD-Rs, this means one would need a custom CD-R burner firmware to ignore or bypass the ATIP information normally used to properly burn a disc. It might also theoretically be possible to interleave a normal CD-R ATIP with the Sony ATIP, to avoid needing a custom firmware, if this proves viable. Again, we must insist that this is purely theoretical and may be impossible in practice due to unknown factors, without even talking about the commercial interest a CD-R manufacturer would need to find in such a niche product to justify spending money on R&D for it.
Booting arbitrary code via parallel port
Most (but not all) variants of the PlayStation 1 console have a port on the back called the "Parallel Port", also known as PIO. It allows for theoretically up to 16MB of directly addressable external memory, though only after altering its memory map. At boot time, the console's BIOS tries reading from this external memory, and if the appropriate strings are found, it simply sets the execution pointer there, allowing arbitrary code present on the cart to run seamlessly.
Creating carts which plug into this port is definitely doable, and complex electronics can be placed on them, allowing for more than just memory chips. For instance, USB mass storage devices can be used there directly, and many other devices can be used as well, including SCSI controllers, IDE drives, or Compact Flash.
The major pros of this method are:
Quasi-universal boot method. As long as the console has a parallel port, the same exact cart device can be used.
Extremely good UX. The user simply needs to plug in the cart, and boot the console. No soldering is required, not even opening the console. The arbitrary software will immediately run, even bypassing the Sony boot logo sequence.
Fast mass storage. The bandwidth of the PIO can be several orders of magnitude higher than that of the CD-ROM, which peaks at 300kB/s when reading data at 2x speed.
Extremely large storage. It is theoretically possible to handle extremely large mass storage devices, such as several terabytes, representing several orders of magnitude more than a single 74-minute CD-ROM, which can hold up to 650MB.
The cons however are also pretty major:
Not possible on all consoles. The SCPH-900x and SCPH-10x (also known as PSOne) no longer have the PIO. While it is theoretically possible to solder a variant of the PIO connector onto these consoles, the amount of work required is extremely high and prohibitively difficult for someone trying to sell a commercial homebrew title.
Much higher cost than simply pressing or burning a disc. The various parts involved in creating a PIO cart would be several orders of magnitude more expensive than a commercial disc.
Unless some amount of UX is added to the software, the user would need to physically unplug or disable the cart to play other titles.
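As an added example (not code from the original page or from any PS1 project), here is a host-side checker that mimics the decision the BIOS makes at boot for a PIO cart image, the kind of thing one would run before flashing a cart. It assumes the commonly documented expansion ROM header layout, which this page does not state: the region is mapped at 0x1F000000, a 32-bit little-endian entry pointer sits at offset 0x00 (post-boot) and 0x80 (pre-boot), and each pointer is followed at offset +4 by the ASCII string "Licensed by Sony Computer Entertainment Inc.". Treat the offsets and the string as assumptions to verify against your own BIOS disassembly.

```c
/* Added example, not from the original page: validate a PIO (EXP1) cart image
 * the way the BIOS decides whether to jump into it. Offsets, base address and
 * license string are assumptions (commonly documented, not stated on the page).
 * Build: cc -std=c99 -Wall exp1check.c && ./a.out
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXP1_BASE      0x1F000000u
#define EXP1_MAX_SIZE  (16u << 20)      /* 16MB addressable after remapping */
#define HDR_POST_BOOT  0x00             /* assumed slot offsets */
#define HDR_PRE_BOOT   0x80

/* Assumed license string; the compare excludes the terminating NUL. */
static const char LICENSE[] = "Licensed by Sony Computer Entertainment Inc.";
#define LICENSE_LEN (sizeof LICENSE - 1)

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Returns 1 if the header slot at hdr_off carries the license string and an
 * entry pointer that is word-aligned and lands inside the image; on success
 * *entry_off receives the image-relative offset the BIOS would jump to. */
int exp1_check_slot(const uint8_t *rom, size_t len, size_t hdr_off, uint32_t *entry_off)
{
    if (len > EXP1_MAX_SIZE || len < hdr_off + 4 + LICENSE_LEN)
        return 0;
    if (memcmp(rom + hdr_off + 4, LICENSE, LICENSE_LEN) != 0)
        return 0;                               /* no string: slot is ignored */
    uint32_t ptr = rd32le(rom + hdr_off);
    if (ptr < EXP1_BASE || ptr - EXP1_BASE >= len || (ptr & 3u))
        return 0;                               /* outside the cart, or unaligned */
    *entry_off = ptr - EXP1_BASE;
    return 1;
}

/* Lay out a minimal cart image: the slot at hdr_off points at code placed at
 * code_off. Returns the image length, or 0 when the layout is impossible. */
size_t exp1_build(uint8_t *rom, size_t cap, size_t hdr_off,
                  const uint8_t *code, size_t code_len, uint32_t code_off)
{
    size_t total = (size_t)code_off + code_len;
    if (hdr_off + 4 + LICENSE_LEN > code_off || total > cap || (code_off & 3u))
        return 0;                               /* header would overlap the code */
    memset(rom, 0, total);
    wr32le(rom + hdr_off, EXP1_BASE + code_off);
    memcpy(rom + hdr_off + 4, LICENSE, LICENSE_LEN);
    memcpy(rom + code_off, code, code_len);
    return total;
}

/* Build an image for one slot, optionally flip one bit of byte tamper_off
 * (-1 for none), then run the check on that slot. Returns the accepted entry
 * offset, or -1 when the BIOS would ignore the slot. */
long exp1_trial(size_t hdr_off, uint32_t code_off, long tamper_off)
{
    static uint8_t rom[4096];
    /* Constructed stand-in for a MIPS entry routine (not real machine code). */
    static const uint8_t stub[] = { 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xf0, 0x0d };
    uint32_t entry = 0;
    size_t len = exp1_build(rom, sizeof rom, hdr_off, stub, sizeof stub, code_off);
    if (len == 0) return -1;
    if (tamper_off >= 0 && (size_t)tamper_off < len) rom[tamper_off] ^= 0x20;
    return exp1_check_slot(rom, len, hdr_off, &entry) ? (long)entry : -1;
}

int main(void)
{
    printf("pre-boot slot, clean image:      entry %ld\n", exp1_trial(HDR_PRE_BOOT, 0x100, -1));
    printf("pre-boot slot, string tampered:  entry %ld\n", exp1_trial(HDR_PRE_BOOT, 0x100, HDR_PRE_BOOT + 4));
    printf("pre-boot slot, pointer tampered: entry %ld\n", exp1_trial(HDR_PRE_BOOT, 0x100, HDR_PRE_BOOT + 1));
    printf("post-boot slot, clean image:     entry %ld\n", exp1_trial(HDR_POST_BOOT, 0x100, -1));
    return 0;
}
```

The check worth keeping is the pointer validation: whatever the real BIOS does with a pointer that lands outside the flashed region or off a word boundary, catching it on the host before flashing the cart costs nothing, and the same function doubles as a quick triage tool for a cart that refuses to boot.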
Booting arbitrary code via tonyhax
Several retail games contain known bugs which can be exploited through specially crafted memory card saves; this is what tonyhax does. The UX for this is fairly bad compared to modchips and PIO carts, as it requires the user to first acquire a retail copy of one of the exploitable games, then craft a memory card for this specific game, boot the game, and trigger the exploit by going into the game's menu, before finally being able to run the arbitrary code. We'll discuss the pros and cons together with freepsxboot below, as they are very similar.
Booting arbitrary code via freepsxboot
The freepsxboot exploit works on all versions of the console, and requires the user to first craft a memory card specific to their version of the console, power on the console without a disc to enter the BIOS menu, and select the "Memory Card Manager" with their pad, at which point the arbitrary code runs.
Both tonyhax and freepsxboot rely on memory cards to run arbitrary code. At this point, the seller of a commercial homebrew title could theoretically sell memory cards. If pre-loaded with a tonyhax-style exploit, the seller would also have to resell one of the known exploitable commercial titles to trigger the exploit. If pre-loaded with freepsxboot, the seller would need to know the exact BIOS revision of the customer's console, which also means the memory card wouldn't be easily re-sellable by the customer, as it would be specific to their version of the console.
Another approach would be to use something like the picomemcard, sd2psx, or similar products, in order to pre-load all variants of the freepsxboot exploit. The secondary advantage of reselling one of these devices to host a commercial homebrew title is speed and storage, as retail memory cards have extremely low bandwidth and very little storage space. The memory card port, however, still has a maximum bandwidth lower than that of the CD-ROM. It is also possible to leverage the arbitrary code execution to load arbitrary data from an unlicensed disc, which we will discuss in a moment.
However, the major pro of using a memory card to exploit a commercial game or the retail BIOS is that it allows arbitrary code to run on any revision of the PlayStation 1 hardware, unlike the PIO port, for instance.
Loading arbitrary data from unlicensed discs
Regardless of the boot method for arbitrary code, there are several ways for the user to then read arbitrary data off an unlicensed disc, which can be combined with one of the modchip alternatives above.
CD-ROM controller backdoor. The CD-ROM controller of some variants of the console has a backdoor introduced by Sony, which effectively disables the check for the ATIP license string. The Japanese versions of the console have this backdoor disabled, however. Once the backdoor is enabled, the CD-ROM controller allows any unlicensed data disc to be read as if it were a normal licensed data disc.
Disc swap. Infamously, one method to boot CD-Rs on the console is to swap the disc while it's booting, which can easily damage the discs and the mechanical parts of the drive. However, running arbitrary code lets the user stop the drive and pause the software until the swap has been safely done. What this involves is a bit tricky: the user first has to find a way to wedge the lid switch of the console, to trick it into thinking the lid is always closed. Then, the user has to prime the CD-ROM controller by letting it read the ATIP of a licensed disc. Finally, while the arbitrary code keeps the drive paused, the user swaps the disc for the unlicensed one and continues the process with it.
CDDA side channel. While unlicensed data discs won't be read natively by the controller, it still allows any audio disc to play back. The console's SPU allows reading the audio data being played in real time, which introduces a side channel for reading arbitrary data. However, there are two major drawbacks to this method. The first is that the audio data in the SPU buffer is presented after a filter has been applied to the audio stream. This means that (1) the data read from the SPU won't be exactly the same as the digital audio bytes on the audio track, and (2) putting raw data instead of an audio waveform on the track gives a worse response from the filter, which distorts the data further. As a result, one needs to design a scheme that encodes data into an audio waveform, for instance using Fourier transforms, which is complex, potentially CPU intensive, and drastically reduces the available bandwidth. The second drawback is that, encoding-wise, digital audio has less protection against surface scratches than data tracks do, which makes this method more sensitive to minor surface damage of the disc.
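As an added example of the kind of encoding the CDDA side channel calls for (not code from the original page or from any PS1 project), here is a small binary FSK modem in C: bytes become tone bursts, the signal is pushed through a one-pole low-pass filter standing in for the unspecified SPU filter, and a Goertzel detector recovers the bits by comparing energy at the two tone frequencies rather than by looking at sample values. The tone frequencies, symbol length, filter and sample payload are all constructed for the example.

```c
/* Added example, not from the original page: binary FSK over 16-bit PCM with
 * a Goertzel decoder. Tones are integer cycles per 64-sample symbol so that a
 * Goertzel bin matches each tone exactly. The one-pole low-pass is only a
 * stand-in for "some filter in the playback path"; the real SPU filter is not
 * specified on the page. A sine table replaces libm, as code on a console
 * without an FPU would do anyway.
 * Build: cc -std=c99 -Wall fsk.c && ./a.out
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYMBOL_LEN 64      /* samples per bit; at 44.1 kHz that is ~689 bit/s */
#define K0 4               /* '0' tone: 4 cycles per symbol (2756.25 Hz)       */
#define K1 8               /* '1' tone: 8 cycles per symbol (5512.5 Hz)        */
#define AMPLITUDE 12000.0  /* leaves headroom in the int16 range               */
#define MAX_BYTES 32

/* sin(2*pi*n/64) for n = 0..16; the rest of the cycle comes from symmetry. */
static const double QUARTER[17] = {
    0.000000, 0.098017, 0.195090, 0.290285, 0.382683, 0.471397, 0.555570,
    0.634393, 0.707107, 0.773010, 0.831470, 0.881921, 0.923880, 0.956940,
    0.980785, 0.995185, 1.000000 };

static double sin64(int n)
{
    n &= 63;
    if (n <= 16) return QUARTER[n];
    if (n <= 32) return QUARTER[32 - n];
    if (n <= 48) return -QUARTER[n - 32];
    return -QUARTER[64 - n];
}

/* Each bit, MSB first, becomes SYMBOL_LEN samples of the K0 or K1 tone.
 * out needs len * 8 * SYMBOL_LEN samples. Returns the sample count. */
size_t fsk_encode(const uint8_t *data, size_t len, int16_t *out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) {
            int k = (data[i] >> b) & 1 ? K1 : K0;
            for (int s = 0; s < SYMBOL_LEN; s++)
                out[n++] = (int16_t)(AMPLITUDE * sin64(k * s));
        }
    return n;
}

/* Stand-in playback filter: one-pole IIR low-pass, y += alpha * (x - y).
 * Smaller alpha means a lower cutoff and a weaker, but still present, '1' tone. */
void lowpass(int16_t *buf, size_t n, double alpha)
{
    double y = 0.0;
    for (size_t i = 0; i < n; i++) {
        y += alpha * ((double)buf[i] - y);
        buf[i] = (int16_t)y;
    }
}

/* Goertzel power at bin k of one SYMBOL_LEN block (k cycles per block). */
static double goertzel(const int16_t *x, int k)
{
    double coeff = 2.0 * sin64(k + 16);   /* 2*cos(2*pi*k/64) */
    double s1 = 0.0, s2 = 0.0;
    for (int i = 0; i < SYMBOL_LEN; i++) {
        double s0 = (double)x[i] + coeff * s1 - s2;
        s2 = s1;
        s1 = s0;
    }
    return s1 * s1 + s2 * s2 - coeff * s1 * s2;
}

/* Decide each symbol by comparing the two bins; returns bytes written. */
size_t fsk_decode(const int16_t *in, size_t nsamples, uint8_t *out, size_t cap)
{
    size_t nbits = nsamples / SYMBOL_LEN, nbytes = 0;
    uint8_t acc = 0;
    for (size_t i = 0; i < nbits && nbytes < cap; i++) {
        const int16_t *sym = in + i * SYMBOL_LEN;
        int bit = goertzel(sym, K1) > goertzel(sym, K0);
        acc = (uint8_t)(acc << 1 | bit);
        if ((i & 7) == 7) { out[nbytes++] = acc; acc = 0; }
    }
    return nbytes;
}

/* Encode, run through the stand-in filter, decode. 1 if every byte survived. */
int fsk_roundtrip(const uint8_t *msg, size_t len, double alpha)
{
    int16_t pcm[MAX_BYTES * 8 * SYMBOL_LEN];
    uint8_t back[MAX_BYTES];
    if (len > MAX_BYTES) return 0;
    size_t n = fsk_encode(msg, len, pcm);
    lowpass(pcm, n, alpha);
    return fsk_decode(pcm, n, back, sizeof back) == len && memcmp(back, msg, len) == 0;
}

int main(void)
{
    const char *msg = "PS1 CDDA side channel";   /* constructed sample payload */
    int ok = fsk_roundtrip((const uint8_t *)msg, strlen(msg), 0.2);
    printf("round trip through the low-pass stand-in: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point to take away is that a decision made on relative energy survives a filter that rescales and phase-shifts the tones, whereas comparing raw sample values would not; the price is the bandwidth, here about 86 bytes per second of audio. On a real disc the next additions would be a preamble for symbol synchronization and a per-block CRC, since the audio track gives you no error detection of its own.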
Conclusion
All in all, given all of the above, until we get a better way to create discs directly, the seller of a commercial homebrew title may simply choose to declare that their title requires a modchip to run, if they just want to sell a burned CD-R to their customers, as this is the least cumbersome method. All other methods are orders of magnitude more complex to handle, both in terms of UX for the buyer and in terms of logistics for the seller. Regardless of all of the above, it is also relevant to note that retail PS1 drives aren't well tuned out of the box to read CD-Rs. These drives were cheaply made, and while it is possible to tune them manually to read CD-Rs better, this can make them read retail pressed discs worse as a result, causing further UX issues for buyers of commercial homebrew titles. Users who have a modchip installed will likely have tuned their drive for CD-Rs already, while any of the methods here which involve using CD-Rs without a modchip may still require the user to clean and tune their drive.