Milosch Meriac
2003-01-29 21:52:03 UTC
Hi folks,
I did some research about copy protection schemes. Here are my results:
The basic idea is that the DVD drives used in Xboxes can be exchanged with
standard PC drives using some minor glue logic. So I safely assumed that
there is nothing special about the firmware/hardware used in Xbox drives.
DVDs have roughly a capacity of 4.7G per plane. On one side you can have at
least two data planes - the laser inside your drive can focus on one of the
two layers. A DVD can have two sides: this adds up to a maximum capacity of 18GB per
DVD.
The 9GB format with two layers on one side is widely used for movie DVDs.
One-layer single-sided DVDs are mainly used for Hong Kong DVDs.
There are no DVD writers available that support the dual layer technique. It
would be a cool copy protection ("Burst Cutting Area"-usage and Wobbling is
much cooler).
The next problem is that in "DVD General"-R/-RW's/+R/+RW's the lead-in is
already embossed:
On the picture you see on the left side the burst-copy-area bar codes of an
Xbox Game DVD and on the right a common DVD-R blank.
The thin bright line on the DVD-R is the border between the embossed lead-in
area.
It's highly probable that the BCA (Burst Cutting Area) and the lead-in are
part of the copy protection scheme.
The expensive solution to write our own lead-in would be to use the DVD writer
"DVR-S201" from Panasonic. This writer is the only possibility to write "DVD
Authoring" media where you write the lead-in by yourself.
Media for "DVD Authoring" can't be used because they use a coating where you
need a different wavelength to write data. This behavior is wanted to disallow
users duplication of copyrighted media (CSS and other copy protection schemes
need at least the lead-in for protection information). To make sure that this
recorder would not be used by normal users they made it really expensive:
it's about 4000$.
One idea to simulate a valid BCA is to use a CD labeling kit with reflective
stickers to print a valid BCA and stick it on the DVD media.
Maybe we can also circumvent the "embossed lead in"-protection by writing
a second lead-in and use our BCA-sticker to hide the first lead-in.
The only drawback would be that you can't use the whole capacity of the DVD
anymore.
The cool thing is that this system prevents 1:1 copies of Xbox games,
_because_ you can't use the whole capacity - I like this idea, because game
vendors can easily protect their intellectual property (just put important
data at the end of the DVD).
If the TOC/UDF-Filestructures are signed (checksums in lead-In etc.), the
approach would be to take a game file system and to zero all file contents.
We now can use the empty files to put our own data there: the default.xbe
would contain our data and we can use the other files to put our own user
data like kernel image and ramdisk image or even a filesystem inside there.
The only drawback is that we can't choose the file names freely ;-).
The DVD could also contain CSS protected areas. This is no problem because the
CSS algorithm is unsafe and we can calculate the keys easily. I don't think
that it is used because of the license fees.
CPRM (Content Protection For Recordable Media) could be theoretically used but
doesn't make much sense. In the first hand it's not officially announced for
DVD-ROM media and it doesn't explicitly disable copying the data by
commercial hackers.
If they used "Bad Sectors"/"Correctable Errors" as security feature we can
write our own ECC-information using "disc at once" RAW writing mode.
Additional security features like "wobble codes" are presumably not used because
they are not supported by current DVD drives.
It seems that they messed up the lead-in to fake the real size of the DVD -
and the real data is hidden. We have to figure out the correct order/type of
IDE commands to circumvent this.
The PARATA Project of Andy could help us much to be used as a sniffer for IDE
bus commands.
I would write some basic command line tools to check the protection
possibilities - especially a BCA detection program to show the BCA of every
disc we want to check my assumptions.
--
Milosch Meriac