Just an idea thats been running through my head!

I dont read this Saturn board much, so I dont know if this has been said before, but Ive been thinking about the saturn ring (protection ring) and was thinking about ways to copy it and use the ring on cdr games....I guess first of all we would need to know exactly where the ring starts on the cdrs or cds the saturn cds are all 74 min cds, so where would the data start for the protection? after that, I was thinking if someone could cut the data off of the origonal cd to use for this project. that is cut the protection ring off completely (in the perfect spot of coarse) you would need to be really precise!!....and if we know where the data of the ring starts we can get a game lets say something simple like Cotton, with one small data track...now then we make a cdr of cotton with a dummy file that pushes the data of the game out to the spot where the data for the security ring starts!! then we cut the cdr at the same spot where we cut the oriconal so we can simply replace the security ring in the same spot on the cdr, and then use some type of tape on the top side of the cdr to hold them together or something....(dont think Im crazy, Ive done it to a cracked psx game from blockbuster and burned it ok after.) then after the cdr is completely together....I guess use something similar to BlindRead to read the disc, and maby when it hits the cut track it will think its just a deep scratch and keep reading the cd....after the stuff is done reading, you open the file with a program and extract the data of the security ring.....after you collect the data for the security ring throw away the cdr and keep the security ring data for future use on other games.....then you would need to use a dummy file on Every saturn cdr game to push the data out to where the ring starts then inject the data with the security ring code at the end of the cd, giving you a true backup with the code of the ring still there....so when the saturn goes to read the ring, it sees the code there and plays the game.
smile.gif
I know its alot of work and probablly will not work but its an idea that I needed to get outta my head.....and onto this board, before I went crazy thinking about it. later.....
 
Man that sounds like a lota work but a GREAT idear if we could get a copy of that dam protection ring we could just attach it to all copys and downloaded games. There would be no more need for mod chips and motor killing swaps
biggrin.gif
 
The examples and wording in the patent for the protection scheme seem to suggest that the only part that matters is the Sega logo (the "SEGA" in "TRADEMARK 'SEGA'" is actually a tiny Sega logo, not the block text used elsewhere in the ring). The patent even shows the layout of the logo, but I'm not sure that it's identical to the one actually used, nor am I sure how it could be suitably converted from the rectangular matrix it's shown as to an equivalent CD organization.
 
did anyone ever notice the strange ring around the outside of Samurai Shodown 2 for the Neo CD its allmost looks Identical to the sega saturn ring only it says neo-geo instead....Since the newest Yamaha burners can copy and print that logo data it might be possible still with the newest yamaha burners....Who knows.....sure would be nice....Has anyone ever tried out my idea? Its hellva lota work but it might be possible...
 
I doubt any of this would work. The only places which I know of that talk about copy protection formats are for the PSX, and were writen in Chinese. Such pages as:

www.goldentimes.net/psx.htm

As for the saturn, I really never looked but I would assume even less would be spoken about it. The only thing I belive I have seen before was some pages in Chinese about the coding used to program the ICs on the mod board? I could have mistaken the assember for something else though.
 
no, the new yamaha burners can NOT read that logo either, and no, they can't burn it either. it will burn SOME logo. but not THE logo that is needed.
 
I don't seen why it wouldn't be possible to do that. And why you would say for SURE that it cant be done, no one has the new F1 burner to try it on. The thing is due out in a couple of months last i heard. You could use somthin like clonecd to read the entire disc, errors an all. The ring would most likely show up as errors. Then go into your favorite pick the image apart program and start from the lba of that area of the disc, where the apparently bad sectors are. Take that data, turn it into its own track, or hell just try to read it as cd text. I'm fairly certain yamaha's new burner can read the stuff aswell as write it. Wouldn't make sense if it couldnt. that would make it even easier. Just set the proper lba for each disc you burn an have the cdtext burnt to the outer ring.
 
But as was stated i another thread, on this same topic, even better would be to change the firmware programing so that the console no longer looks for the copywrite protection. I don't know if anyone has ever gone at it from that angle, but a small flash program, if we are dealing with an eprom, could possibly permanently disable or do away with the need for the saturn to look for the copywrite protection and poof...nop more need for mod board or swapping.
 
the text would need to be EXACTLY identical. clonecd or blindread can't read it, and those burners write THEIR text onto the cd, they don't write segas text on it. their font, their size, their pattern. much less write it absolutely identical down to the very last pit.

if it isn't absolutely identical, it won't work. for all we know, there's code in that text too which can't be read and certainly won't be reproduced by writing just text onto it.
 
I don't know - this has probably been disproved and is completely and utterly wrong - but I had always assumed that the text had very little to do with the security code. Surely CD's can only hold two values (0 and 1, pit and groove), but if you factor the "text" into it, if would create a third way of scattering the laser beam. If this were the case, wouldn't this mean that the Saturn's drive is more a ternary device than a binary one? I can hardly see Sega going to the trouble of creating a new never-before-seen technology just to act as a security device...

I thought that any security code was simply on a part of the security ring that had no text, and the text was just a pretty little nothing that Sega placed there for the sake of it. Does any one know if the "pirate" CD-R's (that had the security code already on them) available in China at one point included the text?

Feel free to flame my ignorance if I'm missing something obvious here
smile.gif
 
I also doubt the text has anything to do with the protection, and mainly serves as a means of identifying bootlegs. You can put text and images on the reflective side of CDs and still play them in ordinary players. A schoolfriend showed me an otherwise normal audio CD about 5-6 years ago that had the band's logo on the underside (can't remember what band though, some electronica).

What I believe is the primary protection mechanism is the small blank area before the protection ring. A conventional CD-reader would most likely refuse to move the head over an area where there's no groove, but the Saturn controller could position the head at some absolute position and start reading from there. Another possibility is that there's another spiral starting from the outer edge of the disc, like on the Gamecube discs.

I know I'm not an expert in reading legalese, but I interpreted the patent for the CD protection so that the logo data is located in the security area (probably not the term used in the patent) which in turn is located in the same sector as the region protection, which is the IP.BIN.

On a related note, the US Dark Savior CD has what looks like an additional protection ring, are there other games like this?

(edit: If anyone's interested in the patent, go to US Patent and Trademark Office and search for patent number 5,371,792. If you want to see the rest of Sega's patents, search for an/sega (assignee name))
 
If there are data on that security track (forgetting about that text on the ring), maybe there is a way to write a Saturn application to read that data and print them on the screen?

or maybe not...

PD
 
The problem is that the Saturn is designed so the main CPUs can't access the CD-ROM subsystem directly, and instead has to use predefined interface calls.

If I've understood things correctly, what's loaded off of the protected part is the actual drive control software. What's stored in ROM is just the basic ability to validate the disc and load the control program. When the patent talks about two processors it is talking about the SH1 that sits on the mainboard and about the H8(?) microcontroller that sits on the actual CD board. If this is true, then the modboard contains the program that's read from the disc during the validation phase and feeds it to the SH1 when it asks for it. As the patent describes, the H8 is then halted and the new control software is uploaded.
 
Anyone seen the new Sony Music CD's that wont play in a normal PC or mac? If you look closely you can see a small square area that holds corrupted data which is what the pc looks for and stops the disc from working. However if you have a black felt tip pen and colour in this area, the disc will work fine in your pc again. Maybe the same idea can be applied to the security protection bit? Dont ask how, just another idea to throw into the ring.
 
The felt tip thing works because there's an area (a second, invalid TOC) you don't want the drive to see. In this case, there's an area we do wan't to see, but can't.
 
But as was stated i another thread, on this same topic, even better would be to change the firmware programing so that the console no longer looks for the copywrite protection. I don't know if anyone has ever gone at it from that angle, but a small flash program, if we are dealing with an eprom, could possibly permanently disable or do away with the need for the saturn to look for the copywrite protection and poof...nop more need for mod board or swapping.

The problem with this approach is that the relevant firmware is integrated into the processors that control the protection. People have hacked up the BIOS (which is what led to territory lockout bypass features on cheat carts), but it's no good for getting rid of the ring check.

if it isn't absolutely identical, it won't work

That remains to be seen. It presumably has to be close enough to fool the verification routine, but that doesn't necessarily mean that it needs to be identical. I've also gotten a couple discs with fairly extensive scratches in the ring region to boot, which suggests that there's some level of tolerance for variations.

for all we know, there's code in that text too which can't be read and certainly won't be reproduced by writing just text onto it.

I've seen nothing to suggest this. Sega's patent on the protection suggests that the text itself is rendered with runs of frequent transitions and infrequent transitions in the channel.

maybe there is a way to write a Saturn application to read that data and print them on the screen

Based on what I know about the CD interface, this might be possible but is unlikely. As has been said before, the main system does not have any low-level control over the drive.

What I believe is the primary protection mechanism is the small blank area before the protection ring. A conventional CD-reader would most likely refuse to move the head over an area where there's no groove, but the Saturn controller could position the head at some absolute position and start reading from there.

The Saturn drive doesn't seem to do this. On 'short' CD-R discs, it will lose tracking when it tries to move the pickup to the outer ring, while it will act more or less normally if the disc is full. The refusal of normal readers to move to the ring area is probably just due to the fact that it's outside the TOC, where there is normally (in the case of standard discs) no channel to track. There's no reason for drive manufacturers to support attempts to seek there, because it could cause undue mechanical wear and/or malfunction as the drive attempts to reacquire the channel.

If I've understood things correctly, what's loaded off of the protected part is the actual drive control software. What's stored in ROM is just the basic ability to validate the disc and load the control program. When the patent talks about two processors it is talking about the SH1 that sits on the mainboard and about the H8(?) microcontroller that sits on the actual CD board. If this is true, then the modboard contains the program that's read from the disc during the validation phase and feeds it to the SH1 when it asks for it. As the patent describes, the H8 is then halted and the new control software is uploaded.

Where does the patent say that a new firmware program is loaded from disc? It refers to transfer of program control in several places (including transferring control to an authorized game program loaded from disc), but I don't think it ever says that firmware is loaded from the disc. Additionally, the modboards don't seem to contain a component with enough memory to contain any substantial CD controlling firmware, which would need to be provided by the board if firmware was normally loaded from disc...
 
Originally posted by ExCyber+June 25 2002,00:09--><div class='quotetop'>QUOTE(ExCyber @ June 25 2002,00:09)</div><div class='quotemain'>Where does the patent say that a new firmware program is loaded from disc? It refers to transfer of program control in several places (including transferring control to an authorized game program loaded from disc), but I don't think it ever says that firmware is loaded from the disc.[/b]


Take a look at claim 3:

A CD-ROM disk according to claim 1, wherein the program includes:

a first step in which a second CPU provided in the CD-ROM device is temporarily paused;

a second step in which contents of a program memory of the second CPU are rewritten with data recorded in the CD-ROM disk;

a third step in which operation of the second CPU is resumed;

a forth step in which head addresses of data recorded in the CD-ROM disk are set in a register of a first CPU; and

a fifth step in which a required program routine stored in the CD-ROM device is executed.

The patent says that the security code and disc identifier are located in the first sector of the CD, which certainly seems correct (SYS_AREn.O and SYS_SEC.O coming with SGL?) but it doesn't say anything specific about where this new program comes from. Of course the program code and security code might be one and the same and the protection being that the whole thing is patented (which apparently was Nintendos approach to the N64) but if you're going to make bootlegs I wouldn't think a detail like that would stop you.

<!--QuoteBegin-ExCyber
@June 25 2002,00:09

Additionally, the modboards don't seem to contain a component with enough memory to contain any substantial CD controlling firmware, which would need to be provided by the board if firmware was normally loaded from disc...[/quote]

True, but I don't have the knowledge or tools to find out what the modboards actually do. As the patent claims, some code is loaded from the disc, but that can't be the complete validation code or breaking it would be trivial. So some part of the validation code must be stored either in the outer ring or in a ROM somewhere (possibly integrated into the SH1 to prevent modding), then the modboard probably patches it on the fly as it is being transferred to skip the outer ring check.

(edit: Seriously broken formatting plus half-cooked ideas.)
 
I think you're looking at a patent for SCD (check the filing date), the "first CPU" being the Genesis 68000, the "second CPU" being the SCD 68000, and the "required program routine" being the bootstrap that's verified against a BIOS copy. Genesis, Saturn and Dreamcast also use a similar scheme. It's intended to force unauthorized publishers to include a program on their discs that displays the Sega logo/"produced by or under license from Sega" screen at boot (thus, it is presumed, making them violate trademark and copyright laws, although Reinhardt said in Sega v. Accolade that the Genesis sheme is invalid because Sega was ultimately responsible for the display and that the scheme renders the display code "functional" and thus unprotected), not to put up a technical barrier against copying. The patent I'm referring to is US Patent #5,627,895, "Electronic device for detecting selected visually perceptible indication information on an information storage medium for security comparison". This one also contains references that suggest that it's for Sega CD, but as it was filed in 1994/1995, it seems more likely that Sega CD is only being used as a representative example of a generic CD-based game console.
 
Back
Top