Sega Dreamcast: how its security works and how it was hacked.
2023 Update (wololo): This article was written in 2012 and we still like to mention it as a reference article from time to time. However, it’s been pointed out to us that some parts of the full history were missing. I’ve added a link with some additional information at the bottom of the article, which hopefully can show some additional perspective.
Original 2012 article below:
It is commonly said that the Sega Dreamcast had no security at all and that’s why you could play burned games out of the box.
Well, in this article I’m going to dismantle this belief and show you why the Dreamcast did have security and why it was unnecessary to overcome this security to get backup games working.
First, trying to load a 1:1 copy of a Dreamcast game will end in failure because the DC’s security system will detect it, so how did hackers manage to boot games? The answer lies in one of the Dreamcast’s many features that ended up unused due to the console’s short life: Mil-CD.
Mil-CD was a system that Sega developed to add software content to multimedia discs: for example, more advanced menus and browsers, amongst other apps. But like I said, this feature was never officially used; as a matter of fact, it was disabled on the latest versions of the Dreamcast.
The reason for this removal is that Mil-CD was used to fool the Dreamcast into booting burned commercial games. In other words, the Dreamcast was able to boot these games because they posed as Mil-CD discs instead of burned backups. This is similar to ESR on the PS2: ESR patches the disc and tricks the PS2 system into thinking the burned disc is a DVD-Video instead of a PS2 game.
Like I said above, the latest hardware revision of the Dreamcast still had the Mil-CD code, but playback of Mil-CD is disabled (much like the PS3, which still has the ps2_emu, but disabled). This revision was v2 (there were three DC revisions: v0, v1 and v2), and you require a modchip to play burned games. You can easily identify a Dreamcast’s revision by looking for the number 0/1/2 under it.
Not only did the Dreamcast have security when booting burned CDs, it had security on the official discs too. Just like the Gamecube, Wii and Wii U, the Dreamcast used a special type of disc called GD-Rom (Gigabyte Disc). These discs used the exact same technology as CDs, but differ in that the tracks are closer to each other, giving the disc approximately 1.2Gb of capacity. The layout of these discs made them impossible to dump.
Each disc had three different tracks: two of them were normal CD tracks readable by PCs, and the last one (and biggest one) was the GD track, which contained the game. The first track had plain text files, usually with the license of the game, sometimes even artwork of the game, while the second track was an audio track, so when you insert a GD into a conventional CD player, a voice comes up reminding you that you need to insert the game in a Dreamcast to be able to play it.
Now, this was not the actual security: everyone knows that CDs can have more than one session, as long as the PC knows where those sessions start and end. This is where the security was: the GD-Roms did not contain any information about the GD track in the TOC (Table of Contents), so for a PC, there was no data beyond the second track. The Dreamcast obviously knows this is not true, and looks for a second TOC after the second track, which contains the info about the GD track. So a GD-Rom has the following structure:
- First, normal CD TOC that tells the PC there are only two tracks
- First track: Data, usually plain text files with the game’s license
- Second track: audio, this track is read by standard CD players and contains a warning
- Normal PCs think there is nothing more after this; the Dreamcast knows this is not true, so it comes here and looks for a second TOC. This second TOC tells the Dreamcast about the GD track.
- GD track: contains the game itself.
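The layout above, as an added Python sketch that is not part of the original article: it parses a track sheet and separates the tracks a PC drive's TOC would list from those only the second TOC describes. The `.gdi`-style sheet layout and the 45000 start LBA for the GD area are assumptions not stated in the article, and the sample sheet is constructed.

```python
import shlex

# Assumption: first LBA of the high-density (GD) area; not stated in the article.
HD_AREA_START = 45000

# Constructed sample sheet (not from a real disc), assumed .gdi-style layout:
#   line 1: track count
#   then:   <track> <start LBA> <type: 0=audio, 4=data> <sector size> <file> <offset>
SAMPLE_GDI = """3
1 0 4 2352 track01.bin 0
2 756 0 2352 track02.raw 0
3 45000 4 2352 "track 03.bin" 0
"""

def parse_gdi(text):
    """Parse the track sheet into a list of dicts, validating the track count."""
    rows = [shlex.split(line) for line in text.splitlines() if line.strip()]
    if not rows or len(rows[0]) != 1:
        raise ValueError("first line must hold the track count")
    declared = int(rows[0][0])
    tracks = []
    for fields in rows[1:]:
        if len(fields) != 6:
            raise ValueError(f"expected 6 fields, got {len(fields)}: {fields}")
        num, lba, ttype, size = (int(x) for x in fields[:4])
        if ttype not in (0, 4):
            raise ValueError(f"unknown track type {ttype} on track {num}")
        tracks.append({"num": num, "lba": lba, "sector_size": size,
                       "kind": "audio" if ttype == 0 else "data",
                       "file": fields[4]})
    if len(tracks) != declared:
        raise ValueError(f"sheet declares {declared} tracks, found {len(tracks)}")
    return tracks

def split_views(tracks):
    """Return (tracks the first TOC lists, tracks only the second TOC lists)."""
    pc_visible = [t for t in tracks if t["lba"] < HD_AREA_START]
    gd_only = [t for t in tracks if t["lba"] >= HD_AREA_START]
    return pc_visible, gd_only

if __name__ == "__main__":
    pc, gd = split_views(parse_gdi(SAMPLE_GDI))
    print("first TOC (PC drive):", [(t["num"], t["kind"]) for t in pc])
    print("second TOC (Dreamcast only):", [(t["num"], t["kind"]) for t in gd])
```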
Now, you may be asking: how did hackers manage to dump Dreamcast games if it was impossible for a PC to read the GD track? Well, two methods were discovered to dump the games.
The first method used an exploit found in the game Phantasy Star Online. Basically, the method consisted of using the Dreamcast itself to read the GD-Rom and stream it through an ethernet cable connected to the computer.
The second method consisted of the typical disc swapping. It worked by inserting a CD filled with data into your computer, and swapping it with a GD-Rom without your computer knowing it. That way the PC thought there was data all the way to the end of the disc, because it was using the CD’s TOC instead of the newly swapped GD’s TOC. This method produced a 1:1 copy of the disc.
Now, the second “challenge” hackers faced was the size of the games. Like I said above, GD-Roms had about 1.2Gb of data, while standard CDs had 700Mb. The solution to this depended on the game: some games didn’t use that much space and fitted directly onto a CD. Other games used huge dummy files, so it was only a matter of replacing that dummy file with a smaller one and rebuilding the iso. Other games like Shenmue did use the 1.2Gb entirely; for these games three methods can be used: overburning, downsampling and GD-R.
- Overburning: consists of writing more data to the CD than it can hold. With a 700mb CD you can achieve 1Gb of data, and 1.2Gb with an 850Mb CD. I don’t recommend this method since it can destroy either your PC’s laser or your Dreamcast’s.
- Downsampling: like the name implies, it consists of downsampling the video and audio data to make the game smaller, at the cost of quality. A similar method consisted of getting rid of audio/video data altogether.
- GD-R: some empty, writable GD-Rs exist, but they require a GD burner; both the GD-Rs and the burners are not that common.
With all this, not only have I demonstrated that the Dreamcast had security, but I’ve also summed up the history of Dreamcast hacking.
I hope you enjoyed the post, ’cause more posts like this one will be coming in the future.
2023 Update (wololo): check this great reply with lots of additional details on Dreamcast hacks by modrobert on EurAsia (thanks to modrobert for reaching out).
Fun read Acid, can’t wait for more hacking history.
Dreamcast <3.
At Zorak: NullDC does a decent job (occasional graphical weirdness aside).
http://code.google.com/p/nulldc/
http://www.emucr.com/2012/04/nulldc-svn-r141.html
Like many here, I still have my DC (actually 3 of them) and bb adapters, vmus, and tons of games that I own legit! This was a great machine (even got FreeBSD running on it) SH4! I can say though that all the original hacks came from some guys with a special SCSI burner that had gd-r firmware on it. Anyone remember the 90-minute cd-r discs? They were able to rip and create a “boot” disc. These guys were called either utopia or echelon (can’t remember). It wasn’t until phase 2/3 that they figured out how to burn a “bootable” disc.
Regardless, this system (developed by M$ w/ Sega) should have done better and I think Sega should have NEVER got out of the HW world.
Here’s what I get about the Dreamcast:
1. It’s the only 3d game that was better than the ps2 because of Rainbow Six.
2. It’s the only System that can play audio from most games (CD player) if you guys didn’t know that. And now y’all saying it can be hacked? That is amazing
Sorry I mean better than ps1 lol
Great article Acid_Snake!! Must say I have been a playstation person for a long time with psps and ps2 fats…but looks like the other console scenes were more interesting than psp and ps2 scenes. Hope to read more such interesting articles in the future too!!
I agree, I’ve been a PLAYSTATION FAN MYSELF
This was an incredibly interesting post, Acid.
Great article. Enjoyed learning some about the Dreamcast.
The GD-ROM were also burned in a reverse way and the GD-ROM Reader of the Dreamcast would also read in a reverse way.
Standard CD-ROM Reader read CDs clockwise. Same for burner.
Since the Dreamcast would read the GD-ROM anti-clockwise, tricks had to be used to properly burn ISO and such using standard CD Burner.
That’s not true, the drive has the same rotation as a normal CD drive.
Wow, is that you, Steve? lol
Just came across this article after somebody re-posted it on Faceplant.
And yep, the “High Density” track on a GD Rom disk still runs in the same direction as a standard CD, it’s just that it gets recorded at twice the normal data rate, to squeeze more onto the disk.
Dreamcast is the only console from Sega that doesn’t suck…
The DC never used PSO to dump games. You are confused with the Gamecube and the PSO exploit. We used a coders cable fashioned out of a system link cable and teraterm to dump discs back then. It took about 24 hours per disc. Nowadays we use the BBA and httpd-ack to dump a disc in under 30 minutes. And it has been proven time and again that using a PC to dump doesn’t give accurate results and why no one uses it as it isn’t a true 1:1 dump.
I was about to write the same thing … the good old rip cable! Took forever to rip a game :/ I miss that era though. I converted a lot of ripped games to autoboot back in the days but the only game I released was Space Channel 5 and I had to compress the videos quite a lot for it to fit on a CD. Some people got creative and released games on 2 discs … 1 with videos for half of the game and the other one with videos for the 2nd half (ex: Grandia 2). It was a lot of fun.
I only came here due to one of my images being used, I honestly don’t care about that I was just curious (the nice label shot with the blue Mil-CD text that I put there myself) and the red marking out the important part of the label
I do however find it odd that you state that v2 is not Mil-CD compatible. After all, the place you got the image from actually states that the v2 is a 50:50 version, as it was part way through the production of the v2 consoles that Sega removed Mil-CD compat from their consoles, so the best way is via the date on the US models. PAL models do not have a date and I have never seen a v2 PAL console
Oh and Mil-CD’s did get used officially only in Japan though
I have a bunch of those myself, they are just video CD’s in effect but used SFD to encode the video, the sound for those are produced via CD-DA (Digital Audio Tracks)
These are much higher quality to actual Video CD’s
The menu for those is very basic, much the same as the CD player that is built into the Dreamcast, no Fast Forward or rewind, just skip forward/backward
There are 3 extra’s on the menu, “Menu” “Info” “Internet”
Menu = Video Track Menu it just has some very basic info on each video included
Info = Track/Time/Status (e.g. PLAY STOP PAUSE)
Internet = the usual web browser
A few Official Mil-CD’s have extra audio tracks to what is used when the disc is booted and the video played
These extra tracks can be played by the music player of the Dreamcast or in any other CD music player
Also original Mil-CD’s had protection built into them, though this obviously did not stop us finding out how they created the Mil-CD format anyway.
there is a PICTURES, folder (no it does not have any pics in it) that contains JACKET01.00J JACKET01.00N JACKET01.00S JACKET01.00T asides from the first file the rest of these files can not be extracted from the disc correctly, as I don’t know the exact method but I know the method Sony used for these PSX CD’s that has the same effect I will use that as an example.
PSX CD’s use a header that is part of the disc rather than a direct part of the file (Sony used that for XA files and containers) these headers are targeted on those files but is only created when the disc is created not when the files are created, so although these header are directly linked to the files they are not part of the files and will cause an error on extracting, though the data can still be ripped you can’t then re-use that data on the target console.
We have method of reading GD-Rom discs direct on PC
3 variations of doing that (look at the redump wiki for info on that, myself I wouldn’t bother there, that and most GD’s are dumped now)
Via Dreamcast we have a few options
PSO not required or used as stated that is a GC method
Network streamed the data direct from a GD to a Network connection, BBA or LAN modem required (You can possibly use the phone modem as well, using modded drivers etc. etc. on the PC side)
DC coders cable (another direct connection to PC via a serial port, the Dreamcast end is just the serial port that was used for link up)
SD Card (used via the serial port)
There are possibly other methods as well asides from those
Overburning is not going to destroy anything and you can’t get 1GB of data to even fit a 99min CD-R, it is not possible. You can only get an extra few bytes to copy over using overburn, I don’t even think you can get a full MB out of overburning, but I don’t remember the exact amount of data. Your burner will only go so far before letting you know it can’t burn any more and give up, then fail to close the disc, because there is no room to burn the close info
P.S. even if you have GD-R’s and a burner the Dreamcast can not boot these, you require a GD-R boot disc
I will stop now, I could possibly go on. Most of the info seems fine but there are some things that are either totally wrong or are misleading
Excellent read, cheers !
I burned my Roms using Alcohol 120% or something similar. My Shenmue 2 worked fine, I just went to Youtube and followed directions, back in ’09 though. Nice article and thanks for the comments. Very informational.
I don’t know where you got the idea that overburning works like that, but a couple of notes:
A) It will not burn out any lasers. that isn’t how it works
B) It will not allow you to burn that much extra data – All it is doing is burning more data into the 50MB or so of Buffer Space that is otherwise reserved.
I wanted to follow up and let you know how considerably I valued discovering your site today. I’d personally consider it an honor to operate at my business office and be able to make use of the tips discussed on your website and also be a part of visitors’ remarks like this. Should a position regarding guest author become offered at your end, remember to let me know.
So much terrible misleading info. Phantasy Star online was not used to dump games that was the Gamecube. Secondly Mil-CD was officially used see Space Channel 5 Mexican Flyer. There were more as well but only in the JP region. And v2 DC can play backups, there was a fourth revision v2.1 which was released only in the US had Mil-CD disabled. Only way to see if you have this model was to open the system and look at the main board. This was only done the last two months of production and didn’t happen to everyone even then. These models are super rare. 98% can play backups. Disc were dumped at first via the serial port using a coders cable and took 24-48 hours to dump. Later HTTP’d-ack was released to dump via the BBA adapter and took mere minutes. It’s still the way groups like TOSEC & Trurip dump GD-ROM disc as I helped dump and complete the US and PAL GDI sets.
Great read. I loved the dreamcast and was very sad to see it go. I still have mine and I just put fresh batteries in my vmu! Lol.
Is anyone going to revise this article? It’s been up for years now and plenty of people in the comments have voiced their opinions on the misleading information it contains.
At this point it would be smarter to just scrub the original article and replace it with a “SEE COMMENTS” note.