Sega Dreamcast: how its security works and how it was hacked.

by ps3iso on November 12, 2012

It is commonly said that the Sega Dreamcast had no security at all and that’s why you could play burned games out of the box.
Well in this article I’m going to dismantle this belief and show you why the Dreamcast did have security and why it was unnecessary to overcome this security to get backup games working.

First, trying to load a 1:1 copy of a Dreamcast game will end in failure because the DC’s security system will detect it, so how did hackers managed to boot games? The answer lies in one of the Dreamcast’s many features that ended up unused due to the console’s short life: Mil CD.

Mil-CD was system that Sega developed to add software contents to multimedia discs, for example, more advanced menus, browsers, amongst other apps. But like I said, this feature was never officially used, as a matter of fact, it was disabled on latest versions of the Dreamcast.

The reason for this removal is because Mil-CD was used to fool the dreamcast into booting burned commercial games. In other words, the dreamcast was able to boot these games because they posed as Mil-CD, instead of burned backups. This is similar to ESR on the Ps2, ESR patches the disc and tricks the Ps2 system into thinking the burned disc is a DVD-Video, instead of a Ps2 game.

Like I said above, the latest hardware revision of the Dreamcast still had Mil-CD code, but the playback of Mil-CD is disabled (much like the Ps3, which still has the ps2_emu, but disabled), this revision was v2 (there were three DC revisions: v0, v1 and v2) and you require a modchip to play burned games. You can easily identify a Dreamcast revision by looking for the number 0/1/2 under it.

Not only did the Dreamcast have security when booting burned CDs, it also had security on the official discs too. Just like the Gamecube, Wii and Wii U, the Dreamcast used a special type of discs called GD-Rom (Gigabyte Disc). These discs used the exact same technology as CDs, but differ in that the tracks are closer to each other, giving the disc approximately 1.2Gb of capacity. The layout of these discs made it impossible to dump.

Each disc had three different tracks, two of them were normal CD tracks readable by PCs, the last one (and biggest one) was the GD track and contained the game. The first track had plain text files, usually with the license of the game, sometimes even artwork of the game, while the second track was an audio track, so when you insert a GD into a conventional CD player, a voice comes up reminding you now you need to insert the game on a Dreamcast to be able to play it.

Now, this was not the actual security, everyone knows that CDs can have more than one session, as long as the PC knows where those sessions start and end. This is were security was, the GD-Roms did not contain any information about the GD track in the TOC (Table of Contents), so for a PC, there was no data beyond the second track. Dreamcasts obviously know this is not true, and look for a second TOC after the second track, which contains the info about the GD track. So a GD-Rom has the following structure:

  • First, normal CD TOC that tells the PC there are only two tracks
  • First track: Data, usually plain text files with the game’s license
  • Second track: audio, this track is read by standard CD players and contains a warning

- Normal PCs think there is nothing more after this, the Dreamcast knows this is not true so it comes here and looks for a second TOC, this second TOC tells the Dreamcast about the GD track.

- GD track: contains the game itself.

Now, you may be asking: how did hackers manage to dump dreamcast games if it was impossible for a PC to read the GD track? Well, two methods were discovered to dump the games.

The first method used an exploit found in the game Phantasy Star Online, basically, the method consisted on using the Dreamcast itself to read the GD-Rom and stream it through an ethernet cable connected to the computer.

The second method consisted on the typical disc swapping. It worked by introducing a CD filled with data on your computer, and swapping it with a GD-Rom without your computer knowing it. That way the PC thought there was data all the way to the end of the disc, due to it using the CD’s TOC, instead of the newly swapped GD’s  TOC. This method produced a 1:1 copy of the disc.

Now, the second “challenge” hackers faced were the size of the games. Like I said above, GD-Roms had about 1.2Gb of data, standard CDs had 700Mb. The solution to this depended on the game, some games didn’t use that much space and fitted directly into a CD. Other games used huge dummy files, so it was only a matter of replacing that dummy file with a smaller one and rebuilding the iso. Other games like Shenmue did use the 1.2Gb entirely, for these games three methods can be used: overburning, downsampling and GD-R.

- Overburning: consists of writing more data to the CD than it can hold, with a 700mb CD you can achieve 1Gb of data, and 1.2Gb with an 850Mb CD. I don’t recommend this method since it can destroy either your PC’s laser or your Dreamcast’s.

- Downsampling: like the name implies, it consist of downsampling the video and audio data to make the game smaller, at the cost of quality. A similar method consisted of getting rid of audio/video data altogether.

- GD-R: some empty, writable GD-Rs exists, but they require a GD burner, both the GD-Rs and the burners are not that common.

With all this, not only I’ve demonstrated that the Dreamcast had security, but I’ve also summed up the history of Dreamcast hacking.

I hope you enjoyed the post, ’cause more posts like this one will be coming in the future.

Tweet this!Tweet this!


Previous post:

Next post: