| "Crack the SEGA Saturn copy protection" contest |
| Mr. Saturn - Feb 26, 2005 |
| Mask of Destiny | Mar 16, 2005 | ||
| I think Video CD is our best bet at the moment. So assuming that the SH-1 doesn't require authentication for Mode 2 discs and also assuming that the BIOS won't boot a Mode 2 disc we have two options: 1) Find an exploitable bug in the BIOS that allows arbitrary data off of a Mode 2 disc to be executed. 2) Find a way to get the BIOS to run code from the first 32K of a Mode 1 disc and then use that to boot the Mode 2 disc. | |||
| croft | Mar 16, 2005 | ||
| :thumbs-up: Hi all, I just opened up a blank saturn cdr and got some info. I have started a new thread. Sorry Mal, Peace | |||
| RitualOfTheTrout | Mar 17, 2005 | ||
| I think it would be potentially easier to find/make mod chips that work on all systems. IE the recent discovery to make 21 pin mods work on 20 pin systems. I know this is really not the point, but... | |||
| mrkotfw | Mar 17, 2005 | ||
| you're right. i think trying to get the mods to work (like the huge thread in the saturn forum) is more important. it only cost around $17 to get a mod from racketboy or jandaman. | |||
| Berty | Mar 17, 2005 | ||
| I have the JVC v2 vcd card, I forget exactly what the option is, but there is support for a VCD menu system... I think that it is called PBC. I'm not sure how it works, whether there is code on the vcd or what, but this may be an alternative to creating a buffer over-run on the main system bios. Does someone know how PBC works? Edit, I mention Buffer Over-run simply because I know that this is part of the reason why the PS2 mem card exploit works. Someone would have to spend some time with hardware registers though to confirm if this is possible on saturn. | |||
| Pinchy | Mar 21, 2005 | |||
| there might be a chance in hell for you guys. I've always wondered what the data, if any, was out there, and from snooping the CD data bus it seems to be just mode 2 sector data with a repeating pattern that results in the same EFM pattern that gives it that 'barcode' look. What the modchip does is insert this fake sector data when it tells the pickup sled to move out there. Here's some data: Code:
I've noticed that the modchip generates some default MSF times where it will start at 70:02:00 and increment the count until the saturn doesn't request any more. I'm willing to take a gander that you could probably take some game image and tack on some mode 2 sectors in the format above till it reaches out to 80:00:00 or however far you can get it to cover the edge where the sled stops and have it pass the ring check. I'm not going to try to burn some CDs myself but I'll provide the info of the data that's out there. I just wanted to add some hard data to the thread bucket since some cd burning expert out there might make some use of it. Take note of the scrambled and descrambled difference; it seems that all CD drives do the actual scrambling of data mode 1,2 type sectors internally to the drive, i.e. when you read it descrambles it and when you write it scrambles it internally. The ecma docs describe the algorithm. I've figured out a lot of how the modchip works and the protocol. I'll see if I can dig up the old homebrew modchip thread or make a new one and put some more info there. | ||||
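Added example, not part of the thread or of any poster's code: the sector scrambling the post above attributes to the ECMA documents is specified in ECMA-130 Annex B, and this Python code generates that keystream, descrambles a raw 2352-byte sector and reads its BCD address and mode byte. The sample sector is constructed here (zero-filled, addressed 70:02:00); it is not the captured data the post refers to.

```python
# ECMA-130 Annex B scrambler plus a raw-sector header parser (added example).
SYNC = bytes([0x00] + [0xFF] * 10 + [0x00])   # 12-byte sync field
SECTOR_SIZE = 2352


def scramble_table(n=SECTOR_SIZE - 12):
    """Keystream of the 15-bit LFSR x^15 + x + 1, preset to 0x0001."""
    state, out = 0x0001, bytearray()
    for _ in range(n):
        byte = 0
        for bit in range(8):                  # bits are emitted LSB first
            byte |= (state & 1) << bit
            feedback = (state ^ (state >> 1)) & 1
            state = (state >> 1) | (feedback << 14)
        out.append(byte)
    return bytes(out)


TABLE = scramble_table()


def scramble(sector):
    """XOR bytes 12..2351 with the keystream; the sync field is untouched.
    The operation is its own inverse, so the same call descrambles."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a raw 2352-byte sector")
    return sector[:12] + bytes(a ^ b for a, b in zip(sector[12:], TABLE))


def _bcd(value):
    """Decode one packed-BCD byte, e.g. 0x70 -> 70."""
    return (value >> 4) * 10 + (value & 0x0F)


def parse_header(plain):
    """Return (minute, second, frame, mode) from a descrambled sector."""
    if plain[:12] != SYNC:
        raise ValueError("sync pattern missing: not a data sector")
    minute, second, frame, mode = plain[12:16]
    return _bcd(minute), _bcd(second), _bcd(frame), mode


def constructed_sample():
    """Constructed input: zero-filled Mode 2 sector at 70:02:00, scrambled
    the way ECMA-130 records it on disc."""
    return scramble(SYNC + bytes([0x70, 0x02, 0x00, 0x02]) + bytes(2336))


if __name__ == "__main__":
    raw = constructed_sample()
    print("scrambled header bytes:", raw[12:16].hex())
    print("descrambled (m, s, f, mode):", parse_header(scramble(raw)))
```

Because the payload of the constructed sector is all zeros, its scrambled bytes after the header are the keystream itself, which is a quick way to recognise scrambled captures when comparing dumps.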
| mrkotfw | Mar 21, 2005 | ||
| wow, i'm amazed. how exactly did you do this? i guess what can be done is just adding a "dummy" file to push this data at the end. i don't have a saturn at the moment so i can't seem to try. | |||
| Drenholm | Mar 21, 2005 | ||
| Pinchy is the hero, Pinchy is the hero... Well done! Seriously, that seems promising! *hopes a lot* Hope to hear from you again with any progress you may have! :thumbs-up: | |||
| Pinchy | Mar 23, 2005 | ||
| Is there any cd burning software out there that will let you burn a custom TOC that doesn't contain true information about the contents of the disc? | |||
| ExCyber | Mar 23, 2005 | ||
| I think that would require custom firmware, although depending on the details of what you want to do, maybe multisession (= more than one TOC) would work? | |||
| Pinchy | Mar 23, 2005 | ||
| It shouldn't require new firmware. The problem is software. From what I'm reading you can do the trick with clonecd by creating a custom .ccd format or whatever it is they use, but I'm not keen on drag and drop pushbutton windows garbage. When doing DAO the software reads the bin/iso/cue sheet and determines what data to put in the subchannel on the TOC/lead-in and writes it. The problem I'm having is that I can add the necessary sector data to the file and burn it, the saturn will read it just fine, it's just that it seems to check the length of track data and if it runs out to where the ring data is then it calls it unsuitable. It would be nice if the cue sheet would support a toc section, have one set of rules to govern the track layout and another to say what you want the TOC to have. It seems the protection relies on the fact that almost all drives rely on the toc to know where data is and what format. If for example the toc says the last track ends at 55 minutes then it simply won't let you try to seek out farther than that. The saturn cd DSP allows you to control the stepper motor directly and move anywhere. There's one last check I want to try, if anyone else is interested, which is to take any saturn image and pad it out with all zeros to about 75 minutes (or 80 if you have some of that media) and see if the drive reports unsuitable or if it does the constant reseeking like it does when you burn it otherwise. When I take any normally burned game and try to run it with no modchip it will spin and spin trying its damnedest to read some valid data out there at the edge. Then it will give up and report it as only an audio cd. But I've gotten it to the point where it will seek and return immediately and say unsuitable for this system so I think I'm making some progress.
If by simply putting all zero data out there (blank audio with no data mode sector information) it returns saying unsuitable or audio only then it will confirm a suspicion I have of some extra checks it might be doing internally. So yeah I lied, I am willing to burn some coasters, it was just too tempting | |||
| Borisz | Mar 24, 2005 | ||
| You could just pad out a bin/cue image with zeros and add an extra track in the cuesheet so it fills up the entire 80m space. Did anyone try that yet? | |||
| Pinchy | Mar 24, 2005 | ||
| Yes, did you bother to read the posts? That's the problem, when you pad the image out and/or add entries to the cue sheet that information is going to be added to the TOC. It seems the saturn checks to see if there's a mode 2 track in there and if it goes out to 70:00:00 or beyond. | |||
| mrkotfw | Mar 24, 2005 | ||||||
| this is coming straight out of my ass here: Code:
not sure if Code: is correct. | |||||||
| BiO | Mar 24, 2005 | |||
have you already tried a 2 session disc? padded iso/bin/cue until 70:00:00 (are you sure it's the right value?) on the first session, ring data on the second session. In this way you'll have two different tocs. what are you using as ring data? the scrambled code from offset 0000 to 0100 you posted before?
[quote] P iratero @ Thu, 2005-03-24 @ 10:44 AM: this is coming straight out of my ass here:
FILE "game.bin" BINARY
TRACK 01 MODE1/2048
INDEX 01 00:00:00
FILE "security.bin" BINARY
TRACK 02 MODE2/2336
PREGAP 00:70:00
INDEX 01 00:00:00
[/quote]
this does not solve toc problem | ||||
| Drenholm | Mar 24, 2005 | ||
| Pinchy, could you please give us as much detailed information as you can about the security code you read? For example, have you tried reading it from different discs, multiple times from the same disc, and so on. I know that there are at least two types of code - for Sega games and third-party ones respectively; there may well be more. But already, what you have done is really interesting and pretty great. | |||
| mal | Mar 25, 2005 | |||
What makes you say that? | ||||
| ExCyber | Mar 25, 2005 | |||
I tried this a couple years ago, more or less. I'm not sure exactly what you mean, but it did not lose tracking (= spin up way too fast) as it does with most games, it acts pretty sanely and the pickup kicks around on the outside for a while, presumably trying to read the signature. After a little while it eventually popped up with "Game disc unsuitable for this system". This is from memory so details may be wrong... | ||||