GC Creating bootable mini DVDs... possible?

kazade

Original poster
Obviously over in the Dreamcast scene we can create homebrew that can be burned to CD and which boots on (most) unmodded hardware.

I recently learned that Datel managed to create bootable mini DVDs on the GameCube for Action Replay, and I'm surprised this knowledge hasn't found its way into the GC homebrew scene.

So I guess my question is, has anyone outside Datel achieved this? Is there some blocker that prevents it (e.g. special hardware)?

I'd love to be able to port my DC stuff over to the GC!
 

pool7

The Dreamcast was a special case, as Datel exploited the use of MIL-CDs, which you can burn at home, and for which the DC was prepared to run even from CD-R. Similar to how you can play Audio CDs burned at home on any CD-based console.

I'm not familiar with the specifics of GC discs (though I seem to remember watching a video about it not too long ago), but I'd assume they used custom hardware at the manufacturing plant, to make sure these were not easily cloned. Keep in mind Datel was able to make bootable discs for many consoles, including PS1, PS2, GC. Either they had their own manufacturing plant, or partnered with one that did the job for them.
 

kazade

Original poster
So there's some info at these links:

https://debugmo.de/2008/11/anatomy-of-an-optical-medium-authentication/ <<--- Detail

Here's my (probably wrong) understanding...

Essentially, official GC discs had 6 "holes" in the disc at specific locations that the drive wouldn't read properly. That junk data that the drive did return would be encrypted/obfuscated somehow and stored in the Burst Cutting Area of the disk. As no-one has the precision kit to make those 6 holes, you wouldn't be able to reproduce the disk.

But Datel realised that it didn't matter if those holes existed or not, as long as you encrypted/obfuscated whatever was read at those 6 locations and put it at the start of the disk the GC would read it blindly.

Whoever wrote that second link up there clearly has all the knowledge to make bootable mini DVDs, but they never got around to writing parts 2 and 3, and obviously it would be some serious work to write a tool which takes an ISO or whatever and spits out a burnable bootable image.

I guess I'm hoping that someone with enough knowledge might see this and consider picking this up ;)
 

Bad_Ad84

Link says they use the bca area. You can't write this, only press.

So while it may be possible to make your own pressed disc that boots, you aren't making a DVD-R that does.
 

tmbinc

It's not as easy as that. A BCA is defined by radial stripes that are picked up by the laser; the same mechanism as for regular reads is used (reflected light from main channel), but tracking is off, focus is fixed, and FG (=rotational speed generator) is in open-loop mode (i.e. holding a ~constant speed).

The BCA is - as you're aware - added by a strong laser which removes reflective material. If you look at the data on a scope while a BCA is read, you can still see the background bits.

Here's an example - on the right (-ROM), I measured a pressed disc, and you can see that between the stripes, there's valid data. (Don't be confused by the actual polarity of the data) The signal measured here is the RF channel (i.e. main data channel) of a regular DVD reader.

bcamaynotfail.png


BCA is a standard technique, but it is identical in terms of how it is produced and how it is read to the "6 holes" that are added for copy protection. Here's a picture of one of the copy protection stripes - you can see the same pattern - low reflectivity (polarity is inverted to the picture above) during the stripe, regular data before and after:

2010-07-05_183452.jpg


On the disc itself, it looks like this: (This is one of the copy protection stripes, but again - the BCA looks identical in structure) The reflective material is destroyed in the stripe (which isn't well visible here - the sample processing for the SEM ironically cleans it up a bit).

DcRdBKeW0AEzqrT.jpg


But now look back at the first picture - all you need to produce is a small stripe of low reflectivity. Instead of blowing away material with a big fat laser, you could also just change material with a small laser - by writing data to it. I.e., if you write zeros, the reader will pick this up in the _very same way_ as a BCA stripe. The idea here is to embed the zeros directly into the bitstream.

To be clear, the zeros need to be in the NRZ data, i.e. after all the data encoding. It's not possible[citation needed] to do this with just a firmware hack, as you need to skip the EFM+ data encoding stage.

This is exactly what Datel did - they embedded the copy protection stripes by putting zeros into the encoded data.

For the BCA, Datel still used a regular BCA burner, but even for the BCA, you can embed them into the data. I did some experiments a few years ago and they were promising (but for stupid reasons never worked out completely). You can see in the first picture how my BCA _almost_ reads the same as a real BCA.

For the BCA, because tracking is off, the laser can be in-between two tracks. In theory the stripes would have to be perfectly radial, but in practice as long as they are sufficiently aligned, it should work well enough.


So there you have it - it's possible to write the necessary structure onto a recordable disc.

BUT: According to the Datel engineer who defeated the copy protection back then, there's an additional layer of security by using PS1-style wobble. That, unfortunately, would be harder (but not impossible!) to do on a burned disc.
 

kazade

Original poster
@tmbinc thanks for taking the time to respond! That's incredibly useful information!

So ultimately, someone with the time, patience, resources, knowledge and inventiveness could blast GC and Wii homebrew right open!

Any takers?
 

Mystical

Just to chip in my 2p on this (from a very hazy memory):

Yes Datel have a huge manufacturing plant located in Stone (near Stoke on Trent, Midlands, UK)
They were able to press discs for most CD-based consoles.
I believe they had to use some of the boot information from an original GC game (I think it was a sports title they used)
Maybe someone else remembers more about this than I do and can chip in?
 

FamilyGuy

I love how you went all the way and took a SEM image of the actual thing.

Could you clarify what part would be reproducible with end user hardware? The pseudo-BCA? What about the wobble?

By after all encoding, do you mean what's actually written to disc, aka illegal EFM / actual flat 0 zones?
 

tmbinc

The header of each Datel disc contains the game identifier of NHL Hitz 20-02 (if I remember correctly). Datel discs are very weirdly mastered - there are fragments of valid PSN (physical sector number) blocks, but it's not continuous. I.e. it's hard to rip the game without losing information _even_ when you capture the raw EFM+ bit stream, because apparently the spiral has discontinuities. (I need to do some more SEM imaging, this should be visible).

The idea at some point was that Datel had stitched together part of an original game with part of their data. In theory they may have kept the original BCA intact, and duplicated the stripe position by embedding it into the bitstream. All(?) Datel discs use the same BCA.

This is interesting because if you can keep the BCA and relative stripe position, you don't need to re-encode the BCA, and you don't need to understand the encryption algorithm of the BCA. (Remember that the relative position of the stripes to the data is stored encrypted in the BCA; (un)fortunately with a symmetric cipher). So maybe Datel didn't understand the encryption?

At some point a friend bought a pressed US version of that game, and I dumped the EFM+ bitstream of that disc, and compared it with the Datel disc. Result: it was different. So either I took the wrong NHL Hitz version/region/whatever, or Datel did indeed remaster the disc.

FamilyGuy - yes, "after encoding" == illegal EFM+ / flat 0 zone. (Strictly speaking there's a physical difference between BCA/Stripe and flat-zero, but the reader isn't able to see the difference).

My setup is a modified DVD burner where I interface the LVDS channel that drives the laser diode with an FPGA. It worked to a certain extent, but never well enough. I was able to write arbitrary EFM+ bitstreams to disc, including lightscribe-style disc art and fake-BCAs. It's more than a firmware hack, but everything non-digital is still the original burner. Writing wobble is not directly possible, but with a crude hack (feeding an AC signal into tracking coils while writing...) it may (or may not) be possible.

In summary, most frustrating project I've ever worked on. (If someone could find me the source code for a DVD or BD writer firmware, I'd be _sooooo_ happy.)
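
As an added illustration (not part of tmbinc's post and not code from any tool mentioned in this thread), the sketch below shows why a "flat 0 zone" counts as illegal EFM+ and how it stands out in a captured channel bitstream: EFM+ is a run-length-limited code whose runs between transitions are 3T to 11T, with a 14T run reserved for the sync code, so anything longer cannot be encoded data. It assumes the capture is already sliced to one character per channel bit; the function names, the polarity and the sample run lengths are constructed.

```python
from itertools import groupby

# EFM+ (the DVD channel code) is RLL(2,10): legal data runs are 3T..11T.
# The sync code adds a single 14T run, the longest legal run on the disc.
MIN_RUN_T = 3
MAX_DATA_RUN_T = 11
SYNC_RUN_T = 14

def from_runs(lengths, first="1"):
    """Build a constructed NRZ string (one char per channel bit) from run lengths."""
    level, out = first, []
    for n in lengths:
        out.append(level * n)
        level = "0" if level == "1" else "1"
    return "".join(out)

def runs(nrz):
    """Yield (start_index, level, length) for every constant-level run."""
    pos = 0
    for level, grp in groupby(nrz):
        n = sum(1 for _ in grp)
        yield pos, level, n
        pos += n

def find_flat_zones(nrz, max_legal=SYNC_RUN_T):
    """Runs longer than any legal EFM+ run: stripe / flat-zero candidates."""
    return [(s, lvl, n) for s, lvl, n in runs(nrz) if n > max_legal]

def classify(nrz):
    """Count runs as legal data, sync, or illegal for EFM+."""
    all_runs = list(runs(nrz))
    counts = {"data": 0, "sync": 0, "illegal": 0}
    for i, (_, _, n) in enumerate(all_runs):
        # First/last run of a capture may be cut short, so it cannot be judged.
        if i in (0, len(all_runs) - 1) and n <= SYNC_RUN_T:
            continue
        if n == SYNC_RUN_T:
            counts["sync"] += 1
        elif MIN_RUN_T <= n <= MAX_DATA_RUN_T:
            counts["data"] += 1
        else:
            counts["illegal"] += 1
    return counts

# Constructed sample: ordinary runs, then a 600T low-level zone, then data again.
SAMPLE = from_runs([3, 4, 14, 4, 5, 11, 3, 600, 3, 6, 14, 4, 3])

if __name__ == "__main__":
    for start, level, length in find_flat_zones(SAMPLE):
        print(f"flat zone at channel bit {start}: level {level}, {length}T")
    print(classify(SAMPLE))
```
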
 

Wombat

@tmbinc If I recall correctly I picked up somewhere that the original Freeloader was using Crazy Taxi for its foundation. So it might be worth it giving that disc a spin to see if it matches.

edit:
Thanks for clearing up my memory @FamilyGuy, yes you are right this was for swap magic PS2.
 

FamilyGuy

I've heard that "Crazy Taxi being used as a base for commercial unlicensed bootable media" rumor for PS2's swap-magic first.
 

Xe

some great stuff here guys, keep going :)
 

xanthefin

Well, if I put in my Swap Magic 3 DVD, it has SCES_500.03 = Dead or Alive 2 PAL but no title

Swap Magic 3 CD has title CRAZY_TAXI and it has SLES_502.15
 

emu_kidid

The Datel guy is probably lurking, one day he'll see this and spill the beans (in more detail than before) ;)
 

Protofall

With the recent Nintendo leaks, I hear they contain some info about the Gamecube's (And maybe Wii's too?) disc format. I wonder if any of that stuff would be useful in order to make new GC discs. I get the thing with "Can't use source code for your own projects", but this is a disc format and there's only 1 (Maybe 2?) right ways to actually get a bootable disc. I say this because for bootable Dreamcast discs, we use the same "exploit" that Katana devkits came with to boot CDs on console because there's not really any other way. Seems like the same sort of thing here with Gamecube.

This is assuming that GC disc info is even helpful for our purposes. Has anyone here read through those docs?
 

Thebigman1106

I seem to remember they struck a deal with Panasonic for a press or info on the disc.
 

Protofall

I've re-read this thread and this source. So we know how the Gamecube Optical Disc (GOD) format works and I think we know everything needed to reproduce GC discs. (I'll admit, I don't fully get how the BCA works). So the better question is:

- Is there any piece of info we are missing? @tmbinc seemed to be close, but was having trouble. Maybe better equipment is needed.
 

FamilyGuy

You can't write the BCA easily on blank media I think? Yes you can replace the actual cutting by data, which is what Datel did, but they had DVD mastering equipment, which is more flexible than consumer burners.

See this for some more information: https://hackaday.com/2019/02/04/how-one-company-cracked-the-gamecube-disc-protection/
 

Protofall

That article was a bit weird. They say the AR disc doesn't have a BCA, but that doesn't really make sense. Unless they mean you don't need to *burn* a BCA and instead could embed it in the disc like you would to get around the mark/hole part? This then suggests you could just have a special iso you burn to a Mini-DVD-R and it works, but obviously that's not the case so idk how valid that source is.

One thing I'm not sure on: is mastering directly related to pressed discs, or can mastering be used with burnable discs? If the latter, would it be possible to obtain a mastering device, and if the former, couldn't we contact a DVD-pressing company for further testing? (Although this might cost a lot.)
 
