Welcome, Guest!

Here are some links you may find helpful

GC Creating bootable mini DVDs... possible?

kazade

Registered
Registered
Joined
May 30, 2019
Messages
8
Reaction score
18
Points
3
Obviously over in the Dreamcast scene we can create homebrew that can be burned to CD and which boots on (most) unmodded hardware.

I recently learned that Datel managed to create bootable mini DVDs on the game cube for Action Replay, and I'm surprised this knowledge hasn't found its way into the GC homebrew scene.

So I guess my question is, had anyone outside Datel achieved this? Is there some blocker that prevents it (e.g special hardware)?

I'd love to be able to port my DC stuff over to the GC!
 

pool7

Donator
Donator
Registered
Joined
Sep 1, 2018
Messages
85
Reaction score
61
Points
18
AG User Name
pool7
AG Join Date
2008/03/04
The Dreamcast was a special case, as Datel exploited the use of MIL-CDs, which you can burn at home, and for which the DC was prepared to run even from CD-R. Similar to how you can play Audio CDs burned at home on any CD-based console.

I'm not familiar with the specifics of GC discs (though I seem to rememeber watching a video about it not too long ago), but I'd assume they used custom hardware at the manufacturing plant, to make sure these were not easily cloned. Keep in mind Datel was able to make bootable discs for many consoles, including PS1, PS2, GC. Either they had their own manufacturing plant, or partnered with one that did the job for them.
 

kazade

Registered
Registered
Joined
May 30, 2019
Messages
8
Reaction score
18
Points
3
So there's some info at these links:

https://debugmo.de/2008/11/anatomy-of-an-optical-medium-authentication/ <<--- Detail

Here's my (probably wrong) understanding...

Essentially, official GC discs had 6 "holes" in the disc at specific locations that the drive wouldn't read properly. That junk data that the drive did return would be encrypted/obfuscated somehow and stored in the Burst Cutting Area of the disk. As no-one has the precision kit to make those 6 holes, you wouldn't be able to reproduce the disk.

But Datel realised that it didn't matter if those holes existed or not, as long as you encrypted/obfuscated whatever was read at those 6 locations and put it at the start of the disk the GC would read it blindly.

Whoever wrote that second link up there clearly has all the knowledge to make bootable mini DVDs, but they never got around to writing parts 2 and 3, and obviously it would be some serious work to write a tool which takes an ISO or whatever and spits out a burnable bootable image.

I guess I'm hoping that someone with enough knowledge might see this and consider picking this up ;)
 

Bad_Ad84

Registered
Registered
Joined
May 30, 2019
Messages
85
Reaction score
202
Points
33
AG User Name
Bad_Ad84
AG Join Date
26/05/2011
Link says they use the bca area. You can't write this, only press.

So while it may be possible to make your own pressed disc that boots, you arent making a dvdr that does.
 

tmbinc

Registered
Registered
Joined
Jun 4, 2019
Messages
2
Reaction score
24
Points
3
It's not as easy as that. A BCA is defined by radial stripes that are picked up by the laser; the same mechanism as for regular reads is used (reflected light from main channel), but tracking is off, focus is fixed, and FG (=rotiational speed generator) is in open-loop mode (i.e. holding a ~constant speed).

The BCA is - as you're aware - added by a strong laser which removes reflective material. If you look at the data on a scope while a BCA is read, you can still see the background bits.

Here's an example - on the right (-ROM), I measured a pressed disc, and you can see that between the stripes, there's valid data. (Don't be confused by the actual polarity of the data) The signal measured here is the RF channel (i.e. main data channel) of a regular DVD reader.

bcamaynotfail.png


BCA is a standard technique, but it is identical in terms of how it is produced and how it is read to the "6 holes" that are added for copy protection. Here's a picture of one of the copy protection stripes - you can see the same pattern - low reflectivity (polarity is inverted to the picture above) during the stripe, regular data before and after:

2010-07-05_183452.jpg


On the disc itself, it looks like this: (This is one of the copy protection stripes, but again - the BCA looks identical instructure) The reflective material is destroyed in the stripe (which isn't well visible here - the sample processing for the SEM ironically cleans it up a bit).

DcRdBKeW0AEzqrT.jpg


But now look back at the first picture - all you need to produce is a small stripe of low reflectivity. Instead of blowing away material with a big fat laser, you could also just change material with a small laser - by writing data to it. I.e., if you write zeros, the reader will pick this up in the _very same way_ as a BCA stripe. The idea here is to embed the zeros directly into the bitstream.

To be clear, the zeros need to be in the NRZ data, i.e. after all the data encoding. It's not possible[citation needed] to do this with just a firmware hack, as you need to skip the EFM+ data encoding stage.

This is exactly what Datel did - they embedded the copy protection stripes by putting zeros into the encoded data.

For the BCA, Datel still used a regular BCA burner, but even for the BCA, you can embed them into the data. I did some experiments a few years ago and they were promising (but for stupid reasons never worked out completely). You can see in the first picture how my BCA _almost_ reads the same as a real BCA.

For the BCA, because tracking is off, the laser can be in-between two tracks. In theory the stripes would have to be perfectly radial, but in practice as long as they are sufficiently aligned, it should work well enough.


So there you have it - it's possible to write the necessary structure onto a recordable disc.

BUT: According to the Datel engineer who defeated the copy protection back then, there's an additional layer of security by using PS1-style wobble. That, unfortunately, would be harder (but not impossible!) to do on a burned disc.
 

Protofall

Registered
Registered
Joined
Jun 4, 2019
Messages
6
Reaction score
0
Points
1
@tmbinc Most of this stuff goes over my head, but thank you very much for this information ?
 
Last edited:

kazade

Registered
Registered
Joined
May 30, 2019
Messages
8
Reaction score
18
Points
3
@tmbinc thanks for taking the time to respond! That's incredibly useful information!

So ultimately, someone with the time, patience, resources, knowledge and inventiveness could blast GC and Wii homebrew right open!

Any takers? ?
 

Mystical

Registered
Registered
Joined
Jun 3, 2019
Messages
5
Reaction score
2
Points
3
AG User Name
Mystical
AG Join Date
03/05/2011
Just to chip in my 2p on this (from a very hazy memory):

Yes Datel have a huge manufacturing plant located in Stone (near Stoke on Trent, Midlands, UK)
They were able to press discs for most CD-based consoles.
I believe they had to use some of the boot information from an original GC game (i think it was a sports title they used)
Maybe someone else remembers more about this than I do and can chip in?
 

FamilyGuy

2049 Donator
Donator
Registered
Joined
May 31, 2019
Messages
317
Reaction score
317
Points
63
AG User Name
-=FamilyGuy=-
AG Join Date
March 3, 2007
It's not as easy as that. A BCA is defined by radial stripes that are picked up by the laser; the same mechanism as for regular reads is used (reflected light from main channel), but tracking is off, focus is fixed, and FG (=rotiational speed generator) is in open-loop mode (i.e. holding a ~constant speed).

The BCA is - as you're aware - added by a strong laser which removes reflective material. If you look at the data on a scope while a BCA is read, you can still see the background bits.

Here's an example - on the right (-ROM), I measured a pressed disc, and you can see that between the stripes, there's valid data. (Don't be confused by the actual polarity of the data) The signal measured here is the RF channel (i.e. main data channel) of a regular DVD reader.

bcamaynotfail.png


BCA is a standard technique, but it is identical in terms of how it is produced and how it is read to the "6 holes" that are added for copy protection. Here's a picture of one of the copy protection stripes - you can see the same pattern - low reflectivity (polarity is inverted to the picture above) during the stripe, regular data before and after:

2010-07-05_183452.jpg


On the disc itself, it looks like this: (This is one of the copy protection stripes, but again - the BCA looks identical instructure) The reflective material is destroyed in the stripe (which isn't well visible here - the sample processing for the SEM ironically cleans it up a bit).

DcRdBKeW0AEzqrT.jpg


But now look back at the first picture - all you need to produce is a small stripe of low reflectivity. Instead of blowing away material with a big fat laser, you could also just change material with a small laser - by writing data to it. I.e., if you write zeros, the reader will pick this up in the _very same way_ as a BCA stripe. The idea here is to embed the zeros directly into the bitstream.

To be clear, the zeros need to be in the NRZ data, i.e. after all the data encoding. It's not possible[citation needed] to do this with just a firmware hack, as you need to skip the EFM+ data encoding stage.

This is exactly what Datel did - they embedded the copy protection stripes by putting zeros into the encoded data.

For the BCA, Datel still used a regular BCA burner, but even for the BCA, you can embed them into the data. I did some experiments a few years ago and they were promising (but for stupid reasons never worked out completely). You can see in the first picture how my BCA _almost_ reads the same as a real BCA.

For the BCA, because tracking is off, the laser can be in-between two tracks. In theory the stripes would have to be perfectly radial, but in practice as long as they are sufficiently aligned, it should work well enough.


So there you have it - it's possible to write the necessary structure onto a recordable disc.

BUT: According to the Datel engineer who defeated the copy protection back then, there's an additional layer of security by using PS1-style wobble. That, unfortunately, would be harder (but not impossible!) to do on a burned disc.
I love how you went all the way and took a SEM image of the actual thing.

Could you clarify what part would be reproducable with end user hardware? The pseudo-BCA? What about the wobble?

By after all encoding, do you mean what's actually written to disc, aka illegal EFM / actual flat 0 zones?
 

tmbinc

Registered
Registered
Joined
Jun 4, 2019
Messages
2
Reaction score
24
Points
3
The header of each Datel disc contains the game identifier of NHL Hitz 20-02 (if I remember correctly). Datel disc are very weirdly mastered - there are fragments of valid PSN (physical sector number) blocks, but it's not continuous. I.e. it's hard to rip the game without losing information _even_ when you capture the raw EFM+ bit stream, because apparently the spiral has discontinuities. (I need to do some more SEM imaging, this should be visible).

The idea at some point was that Datel hat stitched together part of an original game with part of their data. In theory they may have kept the original BCA intact, and duplicated the stripe position by embedding it into the bitstream. All(?) Datel discs use the same BCA.

This is interesting because if you can keep the BCA and relative stripe position, you don't need to re-encode the BCA, and you don't need to understand the encryption algorithm of the BCA. (Remember that the relative position of the stripes to the data is stored encrypted in the BCA; (un)fortunately with a symmetric cipher). So maybe Datel didn't understand the encryption?

At some point a friend bought a pressed US version of that game, and I dumped the EFM+ bitstream of that disc, and compared it with the Datel disc. Result: it was different. So either I took the wrong NHL Hitz version/region/whatever, or Datel did indeed remaster the disc.

FamilyGuy - yes, "afte encoding" == illegal EFM+ / flat 0 zone. (Strictly speaking there's a physical different between BCA/Stripe and flat-zero, but the reader isn't able to see the difference).

My setup is a modified DVD burner where I interface the LVDS channel that drives the laser diode with an FPGA. It worked to a certain extent, but never well enough. I was able to write arbitrary EFM+ bitstreams to disc, including lightscribe-style disc art and fake-BCAs. It's more than a firmware hack, but everything non-digital is still the original burner. Writing wobble is not directly possible, but with a crude hack (feeding an AC signal into tracking coils while writing...) it may (or may not) be possible.

In summary, most frustrating project I've ever worked on. (If someone could find me the source code for a DVD or BD writer firmware, I'd be _sooooo_ happy.)
 

Wombat

Donator
Donator
Registered
Joined
May 31, 2019
Messages
109
Reaction score
111
Points
43
AG User Name
Wombat
AG Join Date
14-03-2004
@tmbinc If I recall correctly I picked up somewhere that the original Freeloader was using Crazy Taxi for it's foundation. So it might be worth it giving that disc a spin to see if it matches.

edit:
Thanks for clearing up my memory @FamilyGuy, yes you are right this was for swap magic PS2.
 
Last edited:

FamilyGuy

2049 Donator
Donator
Registered
Joined
May 31, 2019
Messages
317
Reaction score
317
Points
63
AG User Name
-=FamilyGuy=-
AG Join Date
March 3, 2007
@tmbinc If I recall correctly I picked up somewhere that the original Freeloader was using Crazy Taxi for it's foundation. So it might be worth it giving that disc a spin to see if it matches.
I've heard that "Crazy Taxi being used as a based for commercial unlicensed bootable media" rumor for PS2's swap-magic first.
 
Last edited:

Xe

Donator
Donator
Registered
Joined
Sep 3, 2018
Messages
47
Reaction score
118
Points
33
AG Join Date
Mar 23, 2012
some great stuff here guys, keep going :)
 

xanthefin

Registered
Registered
Joined
Jun 22, 2019
Messages
5
Reaction score
4
Points
3
AG User Name
XantheFIN
AG Join Date
Mar 11, 2018
I've heard that "Crazy Taxi being used as a based for commercial unlicensed bootable media" rumor for PS2's swap-magic first.
Well if i put mine Swap Magic 3 DVD it has SCES_500.03 = Dead or Alive 2 PAL but no title

Swap Magic 3 CD has title CRAZY_TAXI and it has SLES_502.15
 

emu_kidid

Registered
Registered
Joined
Jul 24, 2019
Messages
4
Reaction score
8
Points
3
AG User Name
emu_kidid
AG Join Date
Jun 28, 2008
The Datel guy is probably lurking, one day he'll see this and spill the beans (in more detail than before) ;)
 

Protofall

Registered
Registered
Joined
Jun 4, 2019
Messages
6
Reaction score
0
Points
1
With the recent Nintendo leaks, I hear they contain some info about the Gamecube's (And maybe Wii's too?) disc format. I wonder if any of that stuff would be useful in order to make new GC discs. I get the thing with "Can't use source code for your own projects", but this is a disc format and there's only 1 (Maybe 2?) right ways to actually get a bootable disc. I say this because for bootable Dreamcast discs, we use the same "exploit" that Katana devkits came with to boot CDs on console because there's not really any other way. Seems like the same sort of thing here with Gamecube.

This is assuming those GC disc info is even helpful for our purposes. Has anyone here read through those docs?
 

Thebigman1106

Registered
Registered
Joined
Jun 9, 2019
Messages
17
Reaction score
15
Points
3
AG User Name
thebigman1106
AG Join Date
01072010
Just to chip in my 2p on this (from a very hazy memory):

Yes Datel have a huge manufacturing plant located in Stone (near Stoke on Trent, Midlands, UK)
They were able to press discs for most CD-based consoles.
I believe they had to use some of the boot information from an original GC game (i think it was a sports title they used)
Maybe someone else remembers more about this than I do and can chip in?

I seam to remember they struck a deal with Panasonic for a press or info on the disc.
 

Protofall

Registered
Registered
Joined
Jun 4, 2019
Messages
6
Reaction score
0
Points
1
I've re-read this thread and this source . So we know how the Gamecube Optical Disc (GOD) format works and I think we know everything needed to reproduce GC discs. (I'll admit, I don't fully get how the BCA works). So the better question is:

- Is there any piece of info we are missing? @tmbinc seemed to be close, but was having trouble. Maybe better equipment is needed.
 

FamilyGuy

2049 Donator
Donator
Registered
Joined
May 31, 2019
Messages
317
Reaction score
317
Points
63
AG User Name
-=FamilyGuy=-
AG Join Date
March 3, 2007
I've re-read this thread and this source . So we know how the Gamecube Optical Disc (GOD) format works and I think we know everything needed to reproduce GC discs. (I'll admit, I don't fully get how the BCA works). So the better question is:

- Is there any piece of info we are missing? @tmbinc seemed to be close, but was having trouble. Maybe better equipment is needed.
You can't write the BCA easily on blank media I think? Yes you can replace the actual cutting by data, which is what Datel did, but they had DVD mastering equipment, which is more flexible than consumer burners.

See this for some more information: https://hackaday.com/2019/02/04/how-one-company-cracked-the-gamecube-disc-protection/
 

Protofall

Registered
Registered
Joined
Jun 4, 2019
Messages
6
Reaction score
0
Points
1
You can't write the BCA easily on blank media I think? Yes you can replace the actual cutting by data, which is what Datel did, but they had DVD mastering equipment, which is more flexible than consumer burners.

See this for some more information: https://hackaday.com/2019/02/04/how-one-company-cracked-the-gamecube-disc-protection/

That article was a bit weird. They say the AR disc doesn't have a BCA, but that doesn't really make sense. Unless they mean you don't need to *burn* a BCA and instead could embed it in the disc like you would to get around the mark/hole part? This then suggests you could just have a special iso you burn to a Mini-DVD-R and it works, but obviously that's not the case so idk how valid that source is.

One thing I'm not sure on, is mastering directly related to Pressed discs or can master be used with burnable discs? If the later would it be possible to obtain a mastering device and if the former couldn't we contact a DVD-Pressing company for further testing (Although this might cost a lot)
 
shape1
shape2
shape3
shape4
shape5
shape6
Top