Apparently we're on twitter too
It is commonly said that the Sega Dreamcast had no security at all and that’s why you could play burned games out of the box.
Well in this article I’m going to dismantle this belief and show you why the Dreamcast did have security and why it was unnecessary to overcome this security to get backup games working.
First, trying to load a 1:1 copy of a Dreamcast game will end in failure because the DC’s security system will detect it, so how did hackers managed to boot games? The answer lies in one of the Dreamcast’s many features that ended up unused due to the console’s short life: Mil CD.
Mil-CD was system that Sega developed to add software contents to multimedia discs, for example, more advanced menus, browsers, amongst other apps. But like I said, this feature was never officially used, as a matter of fact, it was disabled on latest versions of the Dreamcast.
The reason for this removal is because Mil-CD was used to fool the dreamcast into booting burned commercial games. In other words, the dreamcast was able to boot these games because they posed as Mil-CD, instead of burned backups. This is similar to ESR on the Ps2, ESR patches the disc and tricks the Ps2 system into thinking the burned disc is a DVD-Video, instead of a Ps2 game.
Like I said above, the latest hardware revision of the Dreamcast still had Mil-CD code, but the playback of Mil-CD is disabled (much like the Ps3, which still has the ps2_emu, but disabled), this revision was v2 (there were three DC revisions: v0, v1 and v2) and you require a modchip to play burned games. You can easily identify a Dreamcast revision by looking for the number 0/1/2 under it.
Not only did the Dreamcast have security when booting burned CDs, it also had security on the official discs too. Just like the Gamecube, Wii and Wii U, the Dreamcast used a special type of discs called GD-Rom (Gigabyte Disc). These discs used the exact same technology as CDs, but differ in that the tracks are closer to each other, giving the disc approximately 1.2Gb of capacity. The layout of these discs made it impossible to dump.
Each disc had three different tracks, two of them were normal CD tracks readable by PCs, the last one (and biggest one) was the GD track and contained the game. The first track had plain text files, usually with the license of the game, sometimes even artwork of the game, while the second track was an audio track, so when you insert a GD into a conventional CD player, a voice comes up reminding you now you need to insert the game on a Dreamcast to be able to play it.
Now, this was not the actual security, everyone knows that CDs can have more than one session, as long as the PC knows where those sessions start and end. This is were security was, the GD-Roms did not contain any information about the GD track in the TOC (Table of Contents), so for a PC, there was no data beyond the second track. Dreamcasts obviously know this is not true, and look for a second TOC after the second track, which contains the info about the GD track. So a GD-Rom has the following structure:
- First, normal CD TOC that tells the PC there are only two tracks
- First track: Data, usually plain text files with the game’s license
- Second track: audio, this track is read by standard CD players and contains a warning
- Normal PCs think there is nothing more after this, the Dreamcast knows this is not true so it comes here and looks for a second TOC, this second TOC tells the Dreamcast about the GD track.
- GD track: contains the game itself.
Now, you may be asking: how did hackers manage to dump dreamcast games if it was impossible for a PC to read the GD track? Well, two methods were discovered to dump the games.
The first method used an exploit found in the game Phantasy Star Online, basically, the method consisted on using the Dreamcast itself to read the GD-Rom and stream it through an ethernet cable connected to the computer.
The second method consisted on the typical disc swapping. It worked by introducing a CD filled with data on your computer, and swapping it with a GD-Rom without your computer knowing it. That way the PC thought there was data all the way to the end of the disc, due to it using the CD’s TOC, instead of the newly swapped GD’s TOC. This method produced a 1:1 copy of the disc.
Now, the second “challenge” hackers faced were the size of the games. Like I said above, GD-Roms had about 1.2Gb of data, standard CDs had 700Mb. The solution to this depended on the game, some games didn’t use that much space and fitted directly into a CD. Other games used huge dummy files, so it was only a matter of replacing that dummy file with a smaller one and rebuilding the iso. Other games like Shenmue did use the 1.2Gb entirely, for these games three methods can be used: overburning, downsampling and GD-R.
- Overburning: consists of writing more data to the CD than it can hold, with a 700mb CD you can achieve 1Gb of data, and 1.2Gb with an 850Mb CD. I don’t recommend this method since it can destroy either your PC’s laser or your Dreamcast’s.
- Downsampling: like the name implies, it consist of downsampling the video and audio data to make the game smaller, at the cost of quality. A similar method consisted of getting rid of audio/video data altogether.
- GD-R: some empty, writable GD-Rs exists, but they require a GD burner, both the GD-Rs and the burners are not that common.
With all this, not only I’ve demonstrated that the Dreamcast had security, but I’ve also summed up the history of Dreamcast hacking.
I hope you enjoyed the post, ’cause more posts like this one will be coming in the future.
-
Nice article
Was there a homebrew scene on the Dreamcast, or was it all about piracy?-
yes, there was a decent number of homwbrews, specially emulators (the amount of emus for the dc is comparable to that of the psp). If it weren’t for it’s short life spam, I’d say the dreamcast could have easily been the console with most homebrews
-
http://www.youtube.com/watch?v=eKM7Jp7MSc0
Here’s a youtube video of some of the various homebrew apps (mainly emulators) for the Dreamcast… I believe at least some of these existed back when the Dreamcast was still being sold, although I would assume some are significantly newer than that.
I’m not certain, but I could really swear that I had a couple of these emulators when I was still using my “hacked” Dreamcast. (though I played my Dreamcast extensively long after it’s “generation”, so I could easily be mistaken due to that)
Also, I was going to ask Acid_Snake for a list of Mil-CD’s that were actually released for the Dreamcast (and presumably don’t work on newer models), but while researching it found that there were only 8:
<blockquote cite="As far as I know there's only 8 official Mil-Cd. (There could actaully be more, but I couldn't found more)
Checkicco – Checkicco no MIL-CD
D no Shokutaku 2 – Original Sound Track+MIL
dps – Heart Break Diary
Hang The DJ
Himitsu – Original Sound Track
Kita he – Pure Songs and Pictures
Snappers – 09 Chairs
Space Channel 5Backups of some of these Mil-Cd seems to need some modifications
(hacks) to boot on NTSC or PAL console (Beside Region Flags).FG " credits to -=FamilyGuy=- from the assemblergames forum.
(found this info at http://www.assemblergames.com/forums/showthread.php?19818-MilCD-release-list)
-
There was a prety big homebrew scene and there still is!
Loads of emulators were released for it.My dreamcast is still ready to fire up and it can play snes, megadrive, and a lota more.. a pc port of doom was actually released for it!
It can play the backups as discibed above as well, but i still have the original game discs.
-
Very nice I cant wait for the next one.
Loved the DC days:)
-
-
awesome post!
thanks for sharing 
-
I find the dreamcast great, i have to of them.
Is a nice news of the old dreamcast, the dreamcast have good games ^^ shenmue is one of a lot.
I love the dreamcast :3mfg proto
-
lol we were thinking about the same thing
-
-
everytime i hear about dreamcast all i can think of is SHENMUE!!!!!, i wish there was a dreamcast emulator on the ps3 or the xbox360
– (one wish that may never come true)-
There IS one for the 360, called nulldc-360
It’s still under development but if you compile it from source you can try it out. I have, been playing some Soul Calibur on it, amongst a few other games that work. -
Shennmue,Illbleed,Skies of arcadia,The house of the dead 2,Cannon spike.I wish someone work on that emulator because the one that’s on the internet doesnt work well at all,im just want to play skies of arcadia and illbleed again.
-
I haven’t tested any of those games myself but like I said it’s still under development, binaries are not even released yet.
The original PC version of the emu however is much older and binaries have been available for a long time. If the games you listed work on the PC version, they will probably get fixed for the 360 version eventually. Again the source for the 360 is available on Github so any programmer can contribute to the project!
-
-
-
Oww, memories *-* , My dreamcast doesn’t work, I miss it
-
This was a really good article! Thank you!
-
*.*
-
Nice read…
-
Good article keep them coming
-
i weardly like the system mainly cuz there controllers had that lil memory cards that also had that like digimon thing with like controll buttons.. what ever was the use or the ports for the sythem i remebr the thing had a phone modem that u could take out but i remeber that there was sumkind of port like the ps1 system had on the under nither of it like the add on thing for the game cube that lets u play gameboy advance games……
-
This is a very nice article,very interesting. Thank You.
-
Loved the DC…..those of us who used it heavily will remember that the first series of hacks you had to use a boot disc to defeat the security, then swap and boot your backup. Shenmue, Skies of Arcadia, JetGrind, Crazy Taxi, Grandia 2, 2K sports, the gun games, fishing games and racing games…..hell it was a great system despite its short life. It was not so much killed off by piracy as it was the PS2. Everyone had a psx and wanted to wait for PS2 so held off on buying it. Oh yeah don’t forget Phantasy Star online that used a modem and was the first real online craze on a console. It made incredible strides for the gaming world. For those that missed it you can get them for like $25 used in the US and .iso files are out there to be had and burned. Use good media like verbatim CDs and you will have no trouble. There were a crap load of games released in the EU market that never came to america including a lot of arcade games and compilations. Also Shenmue 2 was never released in the US but was in EU. It had japanese voice audio but english subtitles and for those that loved the first one it is worth getting a system just to play and continue the story. They put it out on X360 but redid the voice in english and the localization sucked….much better to play it on DC. I wish Sega would pull the Shenmue series back out of the closet and give us 3 on the new sytems. Playing sleeping Dogs right now on PS3 and that has got to be some sort of a spiritual sucessor!
-
Yes, the first hack (Utopia boot disc) tricked the system into thinking it was a Mil-CD, after that it was discovered that you can insert that Mil-CD boot code into actual games, it’s called a selfboot game. I miss my dreamcast, it has a broken laser T_T
-
The laser is fairly easy to replace. Especially since the DC uses regular screws. I believe there are only two types of screw in it and the other type is just a little bit longer. Those hold the controller ports in place. I think it’s either 3 or 4 of them. But seriously, even I’m not tech savvy but its pretty easy I’d say.
-
not that easy when both the laser and the laser’s circuit board are broken
-
-
-
I forgot.. how many games were suppose to be in that series? I remember it being huge, something like 8….
-
-
Any way to get a dreamcast emulator for the vita? That would be amazing to play these games because I never had a dreamcast.
-
no.
we can’t even get fullspeed N64
that’d be great tho -
You never had a Dreamcast :O But once we get full control of the Vita its possible.
-
-
i miss my dreamcast. got me reminiscing..
-
loved it thank you
-
this is all so fascinating for me, because the first console i had was the n64. i wasn’t even aware the all the other consoles before and i was so young back then, that i never would have thought about hacking and stuff. as boring as normal history is to me, video game history is fascinating.
-
Interesting as hell. Thanks for this.
-
Wow great article. I like this kind of articles and I hope you write more about the old console hacking. I never had a dreamcast
-
How about vita? S this related to ps vita hacking system?
-
nope
not EVERYTHING on this site is about PSVita
-
-
Yeah good and interesting article!
thanks and keep’em coming! -
I actually enjoyed reading this! Please, write more of these!!
-
Nice article, The Dreamcast gave me the love for Homebrew with the NES emulator.
It enabled me to play Megaman 5 + 6 as we never got those titles in the UK.
Beats of Rage was pretty sweet as well.
I love the Dreamcast for the 2d capcom fighters and Sega arcade classics like house of the dead 2.
Great memories
-
I like this kind of lecture. Keep it up.
-
sold mine a few months before had had found out about burning games when i was younger, miss that console.
-
I wish Sega would get back in the console business. Dreamcast 2 would be incredible.
-
little known fact: the dreamcast 2 (or rather, the original plans of the dreamcast 2) was sold to microsoft (now you know were the xbox comes from)
-
-
I’m happy that my Dreamcast still works. Now if you’ll excuse me I’m gonna go play some Q-Bert.
-
How about the Gamecube? Nintendo placed the IPL in an serial ROM but the data was encrypted. At boot the data was fetched and decrypted inside the Flipper ASIC. They used a linear feedback shift register to implement the decryption which required one bit to be shifted in and out at a time but they forgot to clear the LFSR after reading the completed byte so the decrypted data was shifted out on to bus! So the serial output line could be sniffed to get the IPL and reverse the algorithm so modchips could be used to replace to IPL ROM.
-
Interesting, I’ll dig up some more about this, specially about G-O-Ds
(their hacking method was the same as for the dreamcast)-
and that’s not even the biggest security failure by Nintendo. That honor goes to the geniuses who used strcmp instead of memcmp to verify the RSA signatures in the Wii. As for Microsoft, the use of TEA for the 1st boot loader hash in the second XBOX revision was really dumb.
-
-
There was a soft hack for the GC as well. You had to use an action replay boot. The problem was with the GC laser, it was hard to get it to read any burned discs with consistency. I actually got a custom top for it that would let you use 5inch CDs and then I was able to find a brand media that worked pretty well……still a pain.
-
-
Cool article
-
Great article.
A small gift : http://www.upzat.com/viewimg/700fd-katana_GD-Writer_HKT-04.jpg …
Feel free to use this photo. I can provide a photo without my pseudo.-
Rare stuff, nice, then it got me thinking and led me to discs then to a blogger with more rare stuff to read.
Discs: http://triplemoonstar.brinkster.net/theshed/default.asp?subcat=186
Interesting blogger stuff (mmm..or not):
http://triplemoonstar.brinkster.net/theshed/blog/I can’t vouch for the links chaps. But a interesting read all the same
-
yes, definitely kill3r!
-
-
Happy days. The best console ever made.:-)
-
FYI: It’s possible to run games from a SD Card and you can connect the Dreamcast with a HDMI cable to your TV for a great picture quality.
Most gamedata can be changed to allow better picture quality.
Note: You need some additional software and hardware to do all this. -
I wiash the WII U playable download dreamcast Games. When it is happening I will lose all my Money.
-
Great read wololo, I’m guessing the memory issue is why my burned shenmue backup always crashes after the first cutscene
-
Nope nvm, just poor quality cds. Coolest thing about burning dc games has gotta be the ability to add your own soundtracks
-
-
Would love to see DC games on the Vita… =)
-
ReviveDC and DCRes FTW.
-
Still have my dreamcast ( well, another one I bought a couple years ago) … Intresting tidbit for those still messing with it… DID YOU KNOW: Alot of games used wmv files for the audio… by replacing those you could create your own soundtrack for most games… I like them, but it was nice to have something other than offspring for crazy taxi… I also used DC to play divX files which were prety new at the time with few dvd players that supported it. I really cant beleive the system didn’t do better than it did…. I personally liked it more than the ps2…
-
All i ask is that someone create a dreamcast emulator for the psp/vita
-
not gonna happen on the psp…. vita mabey, but the pc dreamcast emulator never did get finished… kinda like saying you want a juguar emulator… which I really would :->
-
A … jAg…..
-
-
-
What there was only like 4 games worthing owning on the Jaguar……..No way PSP has enough power to emulate DC. The Vita could do it but if we would get a hacked Vita then a working DC emu wouldn’t mean so much. Sadly DC just wasn’t popular enough to get coders to work on emulators for it. If vita ever gets hacked then a good N64 or PS2 emulator would be the bomb!
-
I know, but I want to play the crappy wolfienalien vs triadapredator all the way through.
-
-
Actually he was talking about he larger size games and one of the other soluttions was the worked out a compression scheme for some games. Not sure how it worked but I know some of the later dupes did use some sort of real time compression
-
didnt the dreamcast play psx games also ? with a special disc?
-
if i am not mistaken it was bleemcast
-
-
Fun read Acid, can’t wait for more hacking history.
-
Dreamcast <3.
At Zorak: NullDC does a decent job (occasional graphical weirdness aside).
http://code.google.com/p/nulldc/
http://www.emucr.com/2012/04/nulldc-svn-r141.html -
Like many here, I still have my DC (actually 3 of them) and bb adapters, vmus, and tons of games that I own legit! This was a great machine (even got FreeBSD running on it) SH4! I can say though that all the original hacks came from some guys with a special scsi burner that had gd-r firmware on it. Anyone remember the 90minute cd-r discs? They were able to rip and create a “boot” disc. these guys were called wither utopia or echelon (can’t remember.) it wasn’t until phase 2/3 that they figured out how to burn a “bootable” disc.
Regardless, this system (developed by M$ w/ Sega) should have done better and I think Sega should have NEVER got out of the HW world.
-
Here’s what. I get about the Dreamcast:
1. Its the only 3d game that was better than the ps2 because of Rainbow Six.
2. Its the only System that can play audio from most games (CD player) if you guys didn’t know that. And now y’all saying it can be hacked? That is amazing -
Sorry I mean better than ps1 lol
-
Great article Acid_Snake!! Must say I have been a playstation person for a long time with psps and ps2 fats…but looks like the other console scenes were more interesting than psp and ps2 scenes.hope to read more such interesting articles in the future too!!
-
i agree i been a PLAYSTATION FAN MYSELF
-
-
This was an incredibly interesting post, Acid.
-
Great article. Enjoyed learning some about the Dreamcast.
-
The GD-ROM were also burned in a reverse way and the GD-ROM Reader of the Dreamcast would also read in a reverse way.
Standard CD-ROM Reader read CDs clockwise. Same for burner.
Since the Dreamcast would read the GD-ROM anti-clockwise, tricks had to be used to properly burn ISO and such using standard CD Burner.
-
That’s not true, the drive has the same rotation as a normal CD drive.
-
-
Dreamcast is the only console from Sega that’s not suck…
Reply
Latest entries on our Smart TV dedicated sister site
- Tronsmart MK908: Quad Core Android HDMI sticks are here!
- Streaming Netflix on your Kindle Fire HD: watch Netflix on your Kindle from outside the US
- The mk802 IV: Rikomagic announces the 4th Generation of the mk802 series
- Netflix on PS3: Watch Netflix with your PS3 from outside the US
- Watch Netflix outside of the US: how to setup Unblock-US on your Android Smart TV
78 comments
Comments feed for this article
Trackback link: http://wololo.net/2012/11/12/sega-dreamcast-how-its-security-works-and-how-it-was-hacked/trackback/