Sega Dreamcast: how its security works and how it was hacked.

It is commonly said that the Sega Dreamcast had no security at all and that’s why you could play burned games out of the box.
Well, in this article I’m going to dismantle this belief and show you why the Dreamcast did have security, and why it was unnecessary to overcome this security to get backup games working.

First, trying to load a 1:1 copy of a Dreamcast game will end in failure because the DC’s security system will detect it, so how did hackers manage to boot games? The answer lies in one of the Dreamcast’s many features that ended up unused due to the console’s short life: Mil-CD.

Mil-CD was a system that Sega developed to add software content to multimedia discs, for example more advanced menus, browsers and other apps. But like I said, this feature was never officially used; as a matter of fact, it was disabled on the latest versions of the Dreamcast.

The reason for this removal is that Mil-CD was used to fool the Dreamcast into booting burned commercial games. In other words, the Dreamcast was able to boot these games because they posed as Mil-CD discs instead of burned backups. This is similar to ESR on the PS2: ESR patches the disc and tricks the PS2 into thinking the burned disc is a DVD-Video instead of a PS2 game.

Like I said above, the latest hardware revision of the Dreamcast still had the Mil-CD code, but playback of Mil-CD is disabled (much like the PS3, which still has the ps2_emu, but disabled). This revision was v2 (there were three DC revisions: v0, v1 and v2), and on it you require a modchip to play burned games. You can easily identify a Dreamcast’s revision by looking for the number 0/1/2 under it.

Not only did the Dreamcast have security when booting burned CDs, it also had security on the official discs. Just like the Gamecube, Wii and Wii U, the Dreamcast used a special type of disc called GD-Rom (Gigabyte Disc). These discs used the exact same technology as CDs, but differ in that the tracks are closer to each other, giving the disc approximately 1.2Gb of capacity. The layout of these discs made it impossible to dump them.

Each disc had three different tracks. Two of them were normal CD tracks readable by PCs; the last one (and biggest one) was the GD track and contained the game. The first track had plain text files, usually with the license of the game, sometimes even artwork of the game, while the second track was an audio track, so when you insert a GD into a conventional CD player, a voice comes up reminding you that you need to insert the game into a Dreamcast to be able to play it.

Now, this was not the actual security: everyone knows that CDs can have more than one session, as long as the PC knows where those sessions start and end. This is where the security was: the GD-Roms did not contain any information about the GD track in the TOC (Table of Contents), so for a PC there was no data beyond the second track. Dreamcasts obviously know this is not true, and look for a second TOC after the second track, which contains the info about the GD track. So a GD-Rom has the following structure:

- First, a normal CD TOC that tells the PC there are only two tracks.
- First track: data, usually plain text files with the game’s license.
- Second track: audio; this track is read by standard CD players and contains a warning.
- Second TOC: normal PCs think there is nothing more after the second track. The Dreamcast knows this is not true, so it comes here and looks for a second TOC, which tells the Dreamcast about the GD track.
- GD track: contains the game itself.

Now, you may be asking: how did hackers manage to dump Dreamcast games if it was impossible for a PC to read the GD track? Well, two methods were discovered to dump the games.

The first method used an exploit found in the game Phantasy Star Online. Basically, the method consisted of using the Dreamcast itself to read the GD-Rom and stream it through an ethernet cable connected to the computer.

The second method consisted of the typical disc swapping. It worked by inserting a CD filled with data into your computer, and swapping it with a GD-Rom without your computer knowing it. That way the PC thought there was data all the way to the end of the disc, because it was still using the CD’s TOC instead of the newly swapped GD’s TOC. This method produced a 1:1 copy of the disc.
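A toy model of the two-TOC layout and the stale-TOC read described above, added here as an illustration and not code from the original post. The class names and all sector numbers are constructed; it models only which TOC bounds a read, not how a drive physically reads the denser GD area.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Toc:
    tracks: tuple   # track kinds in order, e.g. ("data", "audio")
    lead_out: int   # first sector past the last track this TOC declares

@dataclass(frozen=True)
class Disc:
    toc: Toc                    # normal CD TOC at the start of the disc
    second_toc: Optional[Toc]   # present only on a GD-Rom, after track 2
    sectors: int                # sectors physically on the disc

# Constructed sample discs; all sector counts are made-up round numbers.
GD_ROM = Disc(Toc(("data", "audio"), 1000),
              Toc(("data", "audio", "gd"), 5000), 5000)
FULL_CD = Disc(Toc(("data",), 5000), None, 5000)

class PcDrive:
    """Toy host drive: caches the first TOC on insert and bounds reads by it."""
    def __init__(self):
        self.disc = None
        self.cached_toc = None

    def insert(self, disc):
        self.disc = disc
        self.cached_toc = disc.toc      # a PC never looks for a second TOC

    def swap_unnoticed(self, disc):
        self.disc = disc                # cached TOC is NOT refreshed

    def can_read(self, sector):
        return sector < min(self.cached_toc.lead_out, self.disc.sectors)

def dreamcast_extent(disc):
    """The console prefers the second TOC when the disc carries one."""
    return (disc.second_toc or disc.toc).lead_out

def demo():
    pc = PcDrive()
    pc.insert(GD_ROM)
    honest = pc.can_read(4000)          # GD track sector, hidden by first TOC
    pc.insert(FULL_CD)
    pc.swap_unnoticed(GD_ROM)
    stale = pc.can_read(4000)           # same sector, stale TOC in force
    return honest, stale, dreamcast_extent(GD_ROM)

if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the GD track is concealed by omission from the first TOC rather than made unreadable, so the control holds only while the reader's view of the TOC matches the disc in the drive.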

Now, the second “challenge” hackers faced was the size of the games. Like I said above, GD-Roms had about 1.2Gb of data, while standard CDs had 700Mb. The solution to this depended on the game: some games didn’t use that much space and fitted directly onto a CD. Other games used huge dummy files, so it was only a matter of replacing that dummy file with a smaller one and rebuilding the iso. Other games like Shenmue did use the 1.2Gb entirely; for these games three methods can be used: overburning, downsampling and GD-R.

- Overburning: consists of writing more data to the CD than it can hold, with a 700mb CD you can achieve 1Gb of data, and 1.2Gb with an 850Mb CD. I don’t recommend this method since it can destroy either your PC’s laser or your Dreamcast’s.

- Downsampling: like the name implies, it consists of downsampling the video and audio data to make the game smaller, at the cost of quality. A similar method consisted of getting rid of audio/video data altogether.

- GD-R: some empty, writable GD-Rs exist, but they require a GD burner; both the GD-Rs and the burners are not that common.

 

With all this, not only have I demonstrated that the Dreamcast had security, but I’ve also summed up the history of Dreamcast hacking.

I hope you enjoyed the post, ’cause more posts like this one will be coming in the future.

  1. atreyu187

    The DC never used PSO to dump games. You are confused with the Gamecube and the PSO exploit. We used a coders cable fashioned out of a system link cable and teraterm to dump discs back then. It took about 24 hours per disc. Nowadays we use the BBA and httpd-ack to dump a disc in under 30 minutes. And it has been proven time and again that using a PC to dump doesn’t give accurate results and why no one uses it as it isn’t a true 1:1 dump.

  2. zorlon

    I only came here due to one of my images being used, I honestly don’t care about that I was just curious (the nice label shot with the blue Mil-CD text that I put there myself) and the red marking out the important part of the label

    I do however find it odd that you state that v2 is not Mil-CD compatible; after all, the place you got the image from actually states that the v2 is a 50:50 version, as it was part way through the production of the v2 consoles that Sega removed Mil-CD compat from their consoles, so the best way is via the date on the US models. PAL models do not have a date and I have never seen a v2 PAL console

  3. zorlon

    Oh and Mil-CD’s did get used officially only in Japan though

    I have a bunch of those myself, they are just video CD’s in effect but used SFD to encode the video, the sound for those are produced via CD-DA (Digital Audio Tracks)

    These are much higher quality to actual Video CD’s

    The menu for those is very basic, much the same as the CD player that is built into the Dreamcast, no Fast Forward or rewind, just skip forward/backward

    There are 3 extra’s on the menu, “Menu” “Info” “Internet”

    Menu = Video Track Menu it just has some very basic info on each video included

    Info = Track/Time/Status (e.g. PLAY STOP PAUSE)

    Internet = the usual web browser

    A few Official Mil-CD’s have extra audio tracks to what is used when the disc is booted and the video played

    These extra tracks can be played by the music player of the Dreamcast or in any other CD music player

  4. zorlon

    Also original Mil-CD’s had protection built into them, though this obviously did not stop us finding out how they created the Mil-CD format anyway.

    There is a PICTURES folder (no, it does not have any pics in it) that contains JACKET01.00J JACKET01.00N JACKET01.00S JACKET01.00T. Aside from the first file, the rest of these files can not be extracted from the disc correctly. As I don’t know the exact method, but I know the method Sony used for PSX CD’s that has the same effect, I will use that as an example.

    PSX CD’s use a header that is part of the disc rather than a direct part of the file (Sony used that for XA files and containers). These headers are targeted on those files but are only created when the disc is created, not when the files are created, so although these headers are directly linked to the files they are not part of the files and will cause an error on extracting; though the data can still be ripped, you can’t then re-use that data on the target console.

  5. zorlon

    We have a method of reading GD-Rom discs direct on PC

    3 variations of doing that (look at the redump wiki for info on that, myself I wouldn’t bother there, that and most GD’s are dumped now)

    Via Dreamcast we have a few options

    PSO not required or used as stated that is a GC method

    Network streamed the data direct from a GD to a network connection, BBA or LAN modem required (you can possibly use the phone modem as well, using modded drivers etc. etc. on the PC side)

    DC coders cable (another direct connection to PC via a serial port, the Dreamcast end is just the serial port that was used for link up)

    SD Card (used via the serial port)

    There are possibly other methods as well asides from those

  6. zorlon

    Overburning is not going to destroy anything and you can’t get 1GB of data to even fit a 99min CD-R, it is not possible. You can only get an extra few bytes to copy over using overburn; I don’t even think you can get a full MB out of overburning, but I don’t remember the exact amount of data. Your burner will only go so far before letting you know it can’t burn any more and give up, then fail to close the disc, because there is no room to burn the close info

  7. zorlon

    P.S. even if you have GD-R’s and a burner the Dreamcast can not boot these, you require a GD-R boot disc

    I will stop now, I could possibly go on. Most of the info seems fine but there are some things that are either totally wrong or are misleading
