Saturn copy protection and CDRs: the conclusive end

Discussion in 'Sega Saturn Programming and Development' started by jhl, Feb 16, 2014.

  1. jhl

    jhl Spirited Member

    Joined:
    Jul 29, 2013
    Messages:
    103
    Likes Received:
    116
    Over the years, a lot of people have come up with a lot of theories about the Saturn ring protection system. And I mean a *lot*. I've been researching this for a week and it hurt my head.
    On the one hand, there is the data in the ring - pretty well understood at this point: the right timestamps in the Q subchannel and in the Mode 2 header, and the appropriate bytes for pretty EFM patterns in the payload.
    On the other hand, there are a number of people who've claimed, without providing any concrete information, that the rings cannot be duplicated.

    I decided to do some investigation of my own.
    After burning a bunch of coasters with everything down to the Q subchannel correct based on public ring data, I decided to go seek out some answers (if you'll pardon the pun) in the drive itself.
    I took the drive out of my VA7 Saturn, and attached a little atmega32u4 breakout to it, to the command and status lines. Now I have a pet drive that I can control over USB, including issuing the all-important ring seeks. Here's the assembly on my stupendously messy desk:
    [​IMG]
    And here's a detail of the connection to the data bus. The green wire snakes off to control the door closed pin:
    [​IMG]
    There are two sets of power wires, because this particular drive really doesn't like having the drive motor noise on its sense-side power supply. The left wires supply the drive motors from a benchtop power supply, while the right-hand ones supply the sense and control circuitry from USB.
    I then used this rig to issue seek commands to ring data as well as regular data, both on burned and real discs.
    Aside from the data content, the real difference between ring and regular data is in the status responses from the drive. After completing a seek to the ring, a B6 response comes back, e.g.:
    B6 44 F1 03 F4 35 09 09 09 09 00 XX 01
    where XX is the checksum, 03 F4 35 is the address the seek hit, and B6 is the seek-complete code.
    During the seek, the code B2 is returned, and the four bytes before the checksum count up from zero to various numbers. The latter two always seem to count to the same number, but the first two don't on a regular CD - they only do it for a ring. This has been documented before.
    [TABLE]
    [TR]
    [TD] Seek on the ring:
    b2 00 00 04 ad 3f 00 00 00 00 00 5d 01
    b2 00 00 04 ad 3f 01 01 00 00 00 5b 01
    b2 00 00 04 ad 3f 01 01 01 01 00 59 01
    b2 00 00 04 ad 3f 02 02 01 01 00 57 01
    b2 00 00 04 ad 3f 02 02 02 02 00 55 01
    b2 00 00 04 ad 3f 03 03 02 02 00 53 01
    b2 00 00 04 ad 3f 03 03 03 03 00 51 01
    b2 00 00 04 ad 3f 04 04 03 03 00 4f 01
    b2 00 00 04 ad 3f 04 04 04 04 00 4d 01
    b2 00 00 04 ad 3f 05 05 04 04 00 4b 01
    b2 00 00 04 ad 3f 05 05 05 05 00 49 01
    b2 00 00 04 ad 3f 06 06 05 05 00 47 01
    b2 00 00 04 ad 3f 06 06 06 06 00 45 01
    b2 00 00 04 ad 3f 07 07 06 06 00 43 01
    b2 00 00 04 ad 3f 07 07 07 07 00 41 01
    b2 00 00 04 ad 3f 08 08 07 07 00 3f 01
    b2 00 00 04 ad 3f 08 08 08 08 00 3d 01
    b2 00 00 04 ad 3f 09 09 08 08 00 3b 01
    b2 00 00 04 ad 3f 09 09 09 09 00 39 01
    b2 48 5a 04 ad 3f 0a 0a 09 09 00 95 01
    b6 48 59 04 ad 3f 0a 0a 09 09 00 92 01
    [/TD]
    [TD] Seek on normal track:
    b2 00 00 03 ad 3f 00 00 00 00 00 5e 01
    b2 00 00 03 ad 3f 01 00 00 00 00 5d 01
    b2 00 00 03 ad 3f 01 00 01 01 00 5b 01
    b2 00 00 03 ad 3f 02 00 01 01 00 5a 01
    b2 00 00 03 ad 3f 02 00 02 02 00 58 01
    b2 00 00 03 ad 3f 03 00 02 02 00 57 01
    b2 00 00 03 ad 3f 03 00 03 03 00 55 01
    b2 00 00 03 ad 3f 04 00 03 03 00 54 01
    b2 00 00 03 ad 3f 04 00 04 04 00 52 01
    b2 00 00 03 ad 3f 05 00 04 04 00 51 01
    b2 00 00 03 ad 3f 05 00 05 05 00 4f 01
    b2 00 00 03 ad 3f 06 00 05 05 00 4e 01
    b2 00 00 03 ad 3f 06 00 06 06 00 4c 01
    b2 00 00 03 ad 3f 07 00 06 06 00 4b 01
    b2 00 00 03 ad 3f 07 00 07 07 00 49 01
    b2 00 00 03 ad 3f 08 00 07 07 00 48 01
    b2 00 00 03 ad 3f 08 00 08 08 00 46 01
    b2 43 27 03 ad 3f 09 00 08 08 00 db 01
    b6 43 27 03 ad 3f 09 00 08 08 00 d7 01
    [/TD]
    [/TR]
    [/TABLE]

    OK, so it's there, everyone agrees on this. But what's it from?
    Since it's not possible to dump the firmware from the drive microcontroller without decapping it, I dug into the next best thing: the schematics for the drive.
    Luckily, my drive is almost the same revision as that documented in the leaked Tectoy schematics - relevant page here, for you to follow along. The head amplifier chip AN8807 and signal processor MN6627x datasheets are also necessary reading - unfortunately the latter doesn't seem to be floating around for this particular chip. I used the newer MN662785TBUC chip's datasheet to map my way around.
    One of the theories going around was that there was "non EFM" data in the ring, or that there are sectors written with C1/C2 errors (lower than a burner can write, even in raw mode).
    That's pretty easily put paid to - the C2 error flag doesn't even go to the microcontroller, so it won't know about any such thing! Scoping this line during a ring read also shows no activity. (These come from the signal processing LSI - see C2F signal, which pops out on the line to the Saturn, and the FLAG line, which goes only to the testpoint array).
    So perhaps it's something funky in the subcodes? If so, none of the dumps have shown anything but timecode. Maybe bad CRCs? But on a real ring, the STAT line stays high, indicating good CRC. So that's not it either.

    So that's it for the popular theories: now time to make one of my own. Looking at the schematic, one thing really jumps out at me: the VDET signal on the head amplifier (called WDET elsewhere). This is referred to as a "vibration detect" signal, and is used in portable CD players. Portable. Not fixed, because you don't carry your Saturn around, do you? (Well, I don't.)
    Looking at the AN8807 datasheet, this signal is driven by a window comparator from the tracking error signal, so if the tracking error starts jumping around a lot, it'll trigger. Well, that is definitely an odd thing to find here. It's also routed to the microcontroller, and is broken out on the debugging testpoints along with /STEST and /WTEST, which makes it extra interesting. Let's take a look at the tracking error!
    Here we are reading non-ring tracks:
    [​IMG]
    The blue trace is the BLKCK (aka SI, sector indicator?) signal, which rises once each sector. Note that the CD is running at double speed mode - so the sectors appear at 150Hz. The yellow trace is the TEBPF signal, which is the tracking error output to the signal processing LSI. I'm probing this straight off C312.
    Nothing much going on here, as expected. The WDET signal stays low. But if we seek into the ring:
    [​IMG]
    Hmm! Every second sector is radially offset from the previous one. Looking at WDET:
    [​IMG]

    This represents the heart of the CD copy protection: the sectors in the ring are not laid out straight, but they jump in and out radially at the sector boundaries - they "wobble". It's not enough to make the drive lose tracking - given it was designed for this task - but it's certainly enough to give my TSSTcorp drive vicious hiccups (it won't read many ring sectors even on a good day).
    This is pretty similar to ATIP, the method used to encode timing and disc information in the pregroove on blank CD-Rs, but both simpler and more extreme. There have been occasional rumours about such a "wobble" method being used, and something similar was apparently used on the PS1.
    I hope this lays the matter to rest, and prevents anyone from wasting more time on it (like my day burning useless discs).
    I'm sure someone will wave their hands around and say that custom burner firmware could do the job, but good luck finding a burner with a programmable DSP in the pregroove tracking loop and managing to modify it to do the job. The dream is dead. Goodnight!

    with many thanks to Lazerbeat for pointing me in the direction of this crazy fun console
     
    Last edited: Oct 5, 2016
    Shane McRetro and Getta Robo like this.
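
Added example (not part of the original post or the poster's tooling): a decoder for the 13-byte drive status frames described in post 1, which validates each frame and tells a ring seek from a normal one by the counter bytes. The checksum rule is inferred from the posted traces rather than stated in the post, and the function names are hypothetical.

```python
# Layout per post 1: byte 0 status code, bytes 3-5 seek address, bytes 6-9
# four counters, byte 11 checksum. Bytes 1-2, 10 and 12 are not explained
# in the post and are treated as opaque here.
from dataclasses import dataclass

SEEK_DONE = 0xB6  # seek-complete code; 0xB2 is returned while seeking

# Frames copied from the two traces in post 1 (first, a middle, last two).
RING_TRACE = """\
b2 00 00 04 ad 3f 00 00 00 00 00 5d 01
b2 00 00 04 ad 3f 05 05 04 04 00 4b 01
b2 48 5a 04 ad 3f 0a 0a 09 09 00 95 01
b6 48 59 04 ad 3f 0a 0a 09 09 00 92 01"""
NORMAL_TRACE = """\
b2 00 00 03 ad 3f 00 00 00 00 00 5e 01
b2 00 00 03 ad 3f 05 00 04 04 00 51 01
b2 43 27 03 ad 3f 09 00 08 08 00 db 01
b6 43 27 03 ad 3f 09 00 08 08 00 d7 01"""

@dataclass
class Frame:
    status: int
    address: bytes
    counters: tuple
    checksum_ok: bool

def checksum(body: bytes) -> int:
    # Assumption inferred from the posted traces (not stated in the post):
    # one's complement of the 8-bit sum of the first 11 bytes.
    return ~sum(body) & 0xFF

def parse_frame(line: str) -> Frame:
    raw = bytes.fromhex(line)
    if len(raw) != 13:
        raise ValueError(f"expected 13 bytes, got {len(raw)}")
    return Frame(raw[0], raw[3:6], tuple(raw[6:10]), checksum(raw[:11]) == raw[11])

def classify_seek(trace: str) -> str:
    frames = [parse_frame(l) for l in trace.splitlines() if l.strip()]
    if not all(f.checksum_ok for f in frames):
        return "corrupt"
    done = [f for f in frames if f.status == SEEK_DONE]
    if not done:
        return "incomplete"
    c = done[-1].counters
    # Per the post: counters 3 and 4 match on any disc; counter 2 only
    # follows counter 1 when the seek landed on the wobbled ring.
    return "ring" if c[0] == c[1] != 0 else "normal"
```
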
  2. jhl

    Just to clarify, when I say "ring" I actually mean the stuff the Saturn seeks to before it seeks all the way to the outer diameter to read some of the logo ring data. If it doesn't find this (perhaps "pre-ring"?) then it doesn't bother with the logo data.

    Presumably the ring and pre-ring are separate because in a poor-condition drive, the pre-ring wobble actually causes read errors. I had to turn the orange pot on the sled of my drive clockwise a bit before it would reliably read CDR data, and before I did that it did throw a few CRC errors on the pre-ring Q subcode too. That would make checking the logo data impossible, or at least unreliable.
     
    Last edited: Feb 16, 2014
  3. Druidic teacher

    Druidic teacher Officer at Arms

    Joined:
    Jun 6, 2006
    Messages:
    3,643
    Likes Received:
    129
    x
     
    Last edited: Jun 22, 2017
  4. jhl

  5. Druidic teacher

    x
     
    Last edited: Jun 22, 2017
  6. jhl

    I believe the inner ring has wobble (and maybe logo data), and the outer ring just has logo data.

    Modchips do two things: they supply the wobble detect byte after the first seeks, then the logo data after the final seek. Not terribly hard to build. What exactly is wrong with the current ones?
     
  7. rso

    rso Gone. See y'all elsewhere, maybe.

    Joined:
    Mar 26, 2010
    Messages:
    2,190
    Likes Received:
    447
    If the inner ring's wobble is the important part - why does the swap trick (with an obviously wobble-less CD-R) work anyways? Wouldn't the drive not even bother seeking towards the outer ring?

    Or maybe I just seriously misinterpreted something here... like the location of said inner ring. Would that be close to the hole, or rather towards the outside between the data and the outer ring?
     
  8. Druidic teacher

    x
     
    Last edited: Jun 22, 2017
  9. Ripper006

    Ripper006 Newly Registered

    Joined:
    Aug 3, 2013
    Messages:
    3
    Likes Received:
    0
    The "inner" ring - as you call it - is imo at about the 55 minute point.

    The drive doesn't care about the outer ring.

    Even if the leadout is way before the 55 m. point, it will pass it and stop at that 55 m. point (and not boot up).

    @jhl: can you show results of a CD-R side-by-side?
     
    Last edited: Feb 18, 2014
  10. ASSEMbler

    ASSEMbler Administrator Staff Member

    Joined:
    Mar 13, 2004
    Messages:
    19,394
    Likes Received:
    1,029
    I love data.

    I have two Saturn disc burners from Sega and they didn't have the ability to read the wobble areas.

    You would submit a master, they would press it and copy protect at once. I have a gold Saturn master disc, and it's just a normal CDR that won't play without the boot CD.
     
    Last edited by a moderator: Feb 16, 2014
  11. Druidic teacher

    x
     
    Last edited: Jun 22, 2017
  12. jhl

    I didn't capture a trace of it, because it was profoundly uninteresting: WDET stays low, no matter what you do, forever and ever. I don't recall whether ATIP was visible in the tracking error but I certainly don't think so.


    You could probably drive a *small* LED with a 1k+ resistor off the WDET line to look for yourself. On the JVC drive there's a cluster of 6 testpoints in one corner with labels in the copper. Number 6 is WDET.
     
  13. arnoldlayne

    arnoldlayne Resolute Member

    Joined:
    Sep 1, 2005
    Messages:
    990
    Likes Received:
    112
    I've always enjoyed reading about the Saturn's copy protection, I think there have been countless threads like this one over the years... although this one seems to sum everything up quite neatly. 8 years ago I wouldn't have understood a word of this stuff but, over the years, slowly things seem to make sense to me, even though I have zero technical knowledge about these things... in fact 'zero' is probably being generous :)

    Just one question - Is it completely (and utterly) impossible to modify a CD burner to burn the wobble? I know you said it wasn't likely - which I guess answered my question - but I'm more curious to know 'why' it's impossible? What would a person need to do to a burner to make it replicate what they did in the CD pressing plants?
     
    Last edited: Feb 16, 2014
  14. jhl

    Burners follow a spiral pregroove in the disc that's pressed at the CDR making factory. All they do is modulate the reflectance of the data in the groove.

    It would be very hard but not totally impossible to induce a tracking wobble in the burner's lens assembly during burning (presumably using some soldered-in shenanigans rather than firmware), but I'm pretty sure the laser doesn't make that much of a difference to the groove detection - the reader will still detect the pregroove as the track, and so no wobble. You'd almost certainly kill or severely wound the ATIP data coming off the disc too, so the burner would probably just error out once you started trying to modulate the tracking.
     
  15. arnoldlayne

    Thanks jhl, so even the extreme route of building/customising a bit of CD burning hardware is pretty much out of the window. I'd guess if such a thing was possible someone in Hong Kong or Taiwan would have come up with it years ago. Last I recall nobody ever came up with solid proof of a bootleg PSX/PS2 or Saturn bootleg disc directly booting (although I do remember the rumours of them existing - but nobody 'ever' provided the proof to back up the claim, which is kind of important when it comes to these things in my opinion)
     
  16. ActSean

    ActSean Active Member

    Joined:
    Feb 18, 2014
    Messages:
    27
    Likes Received:
    33
    I know this might not be the right place to ask this, but I'm curious about using another CD drive in the Saturn. I have a mod chip in mine, so the security ring is bypassed and this "wobble" detection you speak of shouldn't be an issue. So, with the use of a mod chip could one connect the leads from another CD drive and have that drive work in the Saturn? That could be particularly helpful in reviving systems whose drives have died.
     
    Last edited: Feb 18, 2014
  17. -=FamilyGuy=-

    -=FamilyGuy=- Site Supporter 2049

    Joined:
    Mar 3, 2007
    Messages:
    3,091
    Likes Received:
    1,033
    Nice read!

    I remember reading in some patent or internal docs for Dreamcast that there was a "mirror" area right before the logo ring. Could that be the "pre-ring" you're talking about? Its reflectance would wobble causing the check to pass?

    Good job getting facts and data!

    FG
     
  18. shark69

    shark69 Rapidly Rising Member

    Joined:
    Feb 18, 2014
    Messages:
    77
    Likes Received:
    1
    Could you slow down the ring reader, or modulate the track without killing the ATIP data?
     
  19. jhl

    A big change in reflectance would cause the RF signal to drop out while the AGC adjusts, but the RFDET signal remains active no matter what it's reading.
    And reflectance won't affect the tracking signal much if at all. It'd also be /really/ hard to master and press consistently!

    So I believe it's just a radial wobble - the track wobbles in and out as it circles the disc.
     
    Last edited: Feb 18, 2014
  20. -=FamilyGuy=-

    IIUC, Does some small flower-ish shapes? I still wonder what's the use of the mirror zone (might only be on dreamcast though).

    Anyhow, your work is great! Congrats!
     
