"Crack the SEGA Saturn copy protection" contest

[Borisz]

as far as I know, we either have to find a way to physically reproducate the outer security ring on a CDR in some way, or find a method to block the Saturn from finding out that it isn't there.

the latter would require modding.

or if it is possible, we can use the Video CD method to get a disc booted. That seems the most feasable method, if someone manages to get it working in some way.

 

[Drenholm]

Originally posted by HI_Ricky+Tue, 2005-03-15 @ 06:51 AM--><div class='quotetop'>QUOTE(HI_Ricky @ Tue, 2005-03-15 @ 06:51 AM)</div><div class='quotemain'>1. put in cd close door.

2. read toc (no sega ip info=4b,with sega info=3)

3. read sega ring (yes= 4a,no=4b)

4a.show you all track and cd player icon auto change saturn icon

4b.show you all track and cd player icon

[post=131591]Quoted post[/post]​

[/b]

What do these numbers represent? Does this mean that the codes can somehow be 'mocked up' and a CD-R booted?

<!--QuoteBegin-mal@Wed, 2005-03-16 @ 02:17 AM

Please STFU.

[post=131645]Quoted post[/post]​

[/quote]

:flamethrower:

 

[Mask of Destiny]

I think Video CD is our best bet at the moment. So assuming that the SH-1 doesn't require authentication for Mode 2 discs and also assuming that the BIOS won't boot a Mode 2 disc we have two options:

1) Find an exploitable bug in the BIOS that allows arbitrary data off of a Mode 2 disc to be executed.

2) Find a way to get the BIOS to run code from the first 32K of a Mode 1 disc and then use that to boot the Mode 2 disc.

 

[croft]

:thumbs-up: Hi all,

I just opened up a blank saturn cdr and got some info.

I have started a new thread.

Sorry Mal,

Peace

 

[RitualOfTheTrout]

I think it would be potentially easier to find/make mod chips that work on all systems. IE the recent discovery to make 21 pin mods work on 20 pin systems. I know this is really not the point, but...

 

[mrkotfw]

you're right. i think trying to get the mods to work (like the huge thread in the saturn forum) is more important. it only cost around $17 to get a mod from racketboy or jandaman.

 

[Berty]

I have the JVC v2 vcd card, i forget exactly what the option is, but there is support for a VCD menu system... I think that it is called PBC.

Im not sure how it works, whether there is code on the vcd or what, but this may be an alternative to creating a buffer over-run on the main system bios.

Does someone know how PBC works?

Edit,

I mention Buffer Over-run simply becuase i know that this is part of the reason why the PS2 mem card exploit works. Someone would have to spend some time with hardware registers though to confirm if this is possible on saturn.

 

[Pinchy]

there might be a chance in hell for you guys

Ive always wondered what the data if any was out there and from snooping the CD data bus it seems to be just mode 2 sector data with a repeating pattern that results in the same EFM pattern that gives it that 'barcode' look.

This is what the modchip does is insert this fake sector data when it tells the pickup sled to move out there.

heres some data:

actaul "ring" data from a game:

0000: 00 FF FF FF-FF FF FF FF-FF FF FF 00-71 C0 71 62 ............q.qb

0010: 00 28 28 1E-80 08 48 06-59 59 59 59-59 59 59 59 .((...H.YYYYYYYY

0020: 59 59 59 59-59 59 59 59-59 59 59 59-59 59 59 59 YYYYYYYYYYYYYYYY

0030: 59 59 59 59-59 59 59 59-59 59 59 59-59 59 59 59 YYYYYYYYYYYYYYYY

0040: 59 59 59 59-59 59 59 59-59 59 59 59-59 59 59 59 YYYYYYYYYYYYYYYY

0050: 59 59 59 59-59 59 59 59-59 59 59 59-59 59 59 59 YYYYYYYYYYYYYYYY

0060: 59 59 59 59-59 59 59 59-59 59 59 59-59 59 59 59 YYYYYYYYYYYYYYYY

0070: 59 59 59 59-59 59 59 59-59 59 59 59-59 59 59 59 YYYYYYYYYYYYYYYY

...

00B0: 59 59 59 59-59 59 59 59-59 59 59 59-59 59 59 59 YYYYYYYYYYYYYYYY

00C0: 59 59 59 59-59 59 59 59-59 59 59 59-59 59 59 59 YYYYYYYYYYYYYYYY

00D0: 59 59 59 59-59 59 59 59-59 59 59 59-59 59 59 59 YYYYYYYYYYYYYYYY

00E0: 59 59 59 59-59 59 59 59-59 59 59 59-59 59 59 59 YYYYYYYYYYYYYYYY

00F0: 59 59 59 59-59 59 59 59-59 59 59 59-59 59 59 59 YYYYYYYYYYYYYYYY

0100: 59 59 59 59-59 59 59 59-59 59 59 59-72 DD E5 99 YYYYYYYYYYYYr...

descrambled:

0000: 00 FF FF FF-FF FF FF FF-FF FF FF 00-70 40 71 02 ............p@q.

0010: 00 00 28 00-00 00 28 00-F1 5B A7 D8-D9 39 39 71 ..(...(..[...99q

0020: 71 47 C7 D1-31 3F F7 F3-A5 26 58 B9-59 11 59 6F qG..1?...&X.Y.Yo

0030: D9 4F B9 57-91 5D 0F DA-27 B8 B9 11-11 6F EF CF .O.W.]..'....o..

0040: AF B7 9F 95-0B 8C A4 C6-58 F1 59 27-D9 79 39 41 ........X.Y'.y9A

0050: 71 53 C7 DE-71 3B C7 F0-F1 27 A7 F9-19 21 69 7B qS..q;...'...!i{

0060: CD 40 F6 13-A5 6E 58 8F-D9 07 B9 61-11 4B EF D4 .@...nX....a.K..

0070: EF BC EF 92-6F 8E 0F 87-E7 81 29 03-FD 62 62 0A ....o.....)..bb.

0080: 0A 24 A4 B8-D8 D1 39 3F-F1 73 A7 C6-59 31 59 77 .$....9?.s..Y1Yw

...

0050: 79 52 01 5E-23 DB FA 78-E0 81 2B 83-FC C2 62 72 yR.^#..x..+...br

0060: 0A 06 24 A1-78 DB C1 38-F3 F1 26 67-F9 49 21 55 ..$.x..8..&g.I!U

0070: 7B DC 80 FA-43 A0 92 5B-8E 18 C7 E9-31 2D 77 FE {...C..[....1-w.

0080: 05 23 E0 BA-6B 90 8C CF-86 77 81 45-03 D0 A2 7F .#..k....w.E...⌂

0090: 9A 03 88 A2-45 1A 10 A8-AF 9D 1F 8A-00 00 00 00 ....E...........

start of modchip data:

0000: 00 FF FF FF-FF FF FF FF-FF FF FF 00-71 82 02 62 ............q..b

0010: 00 28 28 1E-80 08 48 06-A0 66 A0 66-A8 59 A8 59 .((...H..f.f.Y.Y

0020: A8 59 A8 59-A8 59 A8 59-A8 59 A8 59-A8 59 A8 59 .Y.Y.Y.Y.Y.Y.Y.Y

.... repeats, ends with:

0020: A8 59 A8 59-A8 59 A8 59-A8 59 A8 59-A8 59 A8 59 .Y.Y.Y.Y.Y.Y.Y.Y

0030: A8 59 A8 59-A8 59 A8 59-A8 59 A8 59-72 DD E5 99 .Y.Y.Y.Y.Y.Yr...

descrambled:

0000: 00 FF FF FF-FF FF FF FF-FF FF FF 00-70 02 02 02 ............p...

0010: 00 00 28 00-00 00 28 00-08 64 5E E7-28 39 C8 71 ..(...(..d^.(9.q

0020: 80 47 36 D1-C0 3F 06 F3-54 26 A9 B9-A8 11 A8 6F .G6..?..T&.....o

ive noticed that the modchip generates some default MSF times where it will start at 70:02:00 and increment the count until the saturn doesnt request any more.

Im willing to take a gander that you could probably take some game image and tack on some mode 2 sectors in the format above till it reaches out to 80:00:00 or how ever far you can get

it to cover the edge

where the sled stops and have it pass the the ring check.

Im not going to try to burn some CD's myself but ill provide the info of the data thats out there. I just wanted to add some hard data to thread bucket since some cd burning expert out there might make some use of it.

take note of the scrambled and descrambled differnce, seem that all CD drives do the actual scrambling of data mode 1,2 type sectors internally to the drive. i.e. when you read it descrambles it and when you write it scrambles it internally. the ecma docs describe the algorithm.

Ive figured out a lot of how the modchip works and the protocol.Ill see if i can dig up the old homebrew modchip thread or make a new one and put some more info there.

 

[mrkotfw]

wow, i'm amazed. how exactly did you do this? i guess what can be done is just adding a "dummy" file to push this data at the end. i don't have a saturn at the moment so i can't seem to try.

 

[Drenholm]

Pinchy is the hero, Pinchy is the hero...

Well done! So is this all the ring data you've got for us so far?

Seriously, that seems promising! *hopes a lot* Hope to hear from you again with any progress you may have!

:thumbs-up:

 

[Pinchy]

Is there any cd burning software out there that will let you burn a custom TOC that doesnt contain true information about the contents of the disc?

 

[ExCyber]

I think that would require custom firmware, although depending on the details of what you want to do, maybe multisession (= more than one TOC) would work?

 

[Pinchy]

It shouldnt require new fimrware. the problem is software. From what im reading you can do the trick with clonecd by creating a custom .ccd format or whatever it is they use, but im not keen on drag and drop pushbutton windows garbage.

When doing DAO the software reads the bin/iso/cue sheet and determines what data to put in the subchannel on the TOC/lead-in and writes it. The problem im having is that I can add the necessary sector data to the file and burn it, the saturn will read it just fine, it just that it seems to check the length of track data and if its runs out to where the ring data is then it calls it unsuitable.

It would be nice if the cue sheet would support a toc section, have one set of rules to govern the track layout and another to say what you want the TOC to have.

It seems the protection relies on fact that most all drives rely on the toc to know where data is and what format. If for example the toc says the last track ends at 55minutes then it simply wont let you try to seek out farther than that. The saturn cd DSP allows you to control the stepper motor directly and move anywhere.

Theres one last check I want to try and if anyone else is interested is to take any saturn image and pad it out with all zero's to about 75minutes (or 80 if you have some of that media) and see if the drive reports unsuitable or if it does the constant reseeking like it does when you burn it otherwise.

When I take any normally bunred game and try to run it with no modchip it will spin and spin trying its damndest to read some valid data out there at the edge.Then it will give up and report it as only an audio cd. But Ive gotten it to the point where it will seek and return immediately and say unsuitable for this system so I think im making some progress. If by simply putting all zero data out there (blank audio with no data mode sector information) it returns saying unsuitable or audio only then it will confirm a suspicion i have of some extra checks it might be doing internallly.

So yea I lied , i am willing to burn some coasters, it was just too tempting with 4 in the can im going to put efforts toward a tool for the job. cdrdao modifications look tempting but not very rewarding.

 

[Borisz]

You could just pad out a bin/cue image with zeros and add an extra track in the cuesheet so it fills up the entire 80m space. Did anyone tried that yet?

 

[Pinchy]

Yes, did you bother to read the posts?

Thats the problem, when you pad the the image out and/or add entries to the cue sheet that information is going to be added to the TOC.

It seems the saturn checks to see if theres a mode 2 track in there and if it goes out to 70:00:00 or beyond.

 

[mrkotfw]

this is coming straight out of my ass here:

FILE "game.bin" BINARY

TRACK 01 MODE1/2048

INDEX 01 00:00:00

FILE "security.bin" BINARY

TRACK 02 MODE2/2336

PREGAP 00:70:00

INDEX 01 00:00:00

not sure if

00:70:00

is correct.

 

[BiO]

Originally posted by Pinchy+Wed, 2005-03-23 @ 02:19 PM--><div class='quotetop'>QUOTE(Pinchy @ Wed, 2005-03-23 @ 02:19 PM)</div><div class='quotemain'> The problem im having is that I can add the necessary sector data to the file and burn it, the saturn will read it just fine, it just that it seems to check the length of track data and if its runs out to where the ring data is then it calls it unsuitable.

[/b]

have you already tried a 2 session disc? padded iso/bin/cue until 70:00:00 (are you sure it's the right value?) on the first session, ring data on the second session. In this way you'll have two different tocs

what are you using as ring data? the scrambled code from offset 0000 to 0100 you post before?

<!--QuoteBegin-Piratero@Thu, 2005-03-24 @ 10:44 AM

this is coming straight out of my ass here:

FILE "game.bin" BINARY

TRACK 01 MODE1/2048

INDEX 01 00:00:00

FILE "security.bin" BINARY

TRACK 02 MODE2/2336

PREGAP 00:70:00

INDEX 01 00:00:00

[/quote]

this does not solve toc problem

 

[Drenholm]

Pinchy, could you please give us as much detailed information as you can about the security code you read?

For example, have you tried reading it from different discs, multiple times from the same disc, and so on. I know that there are at least two types of code - for Sega games and third-party ones respectively; there may well be more.

But already, what you have done is really interesting and pretty great. Best of luck!

 

[mal]

Originally posted by Drenholm@Fri, 2005-03-25 @ 03:49 AM

I know that there are at least two types of code - for Sega games and third-party ones respectively; there may well be more.

What makes you say that?

 

[ExCyber]

Theres one last check I want to try and if anyone else is interested is to take any saturn image and pad it out with all zero's to about 75minutes (or 80 if you have some of that media) and see if the drive reports unsuitable or if it does the constant reseeking like it does when you burn it otherwise.

I tried this a couple years ago, more or less. I'm not sure exactly what you mean, but it did not lose tracking (= spin up way too fast) as it does with most games, it acts pretty sanely and the pickup kicks around on the outside for a while, presumably trying to read the signature. After a little while it eventually popped up with "Game disc unsuitable for this system"). This is from memory so details may be wrong...