How the Sega Dreamcast Copy Protection Worked - And how it Failed | MVG

Captions
I've always wondered if the Sega Dreamcast had any copy protection. I remember, after the first few weeks of owning one, I was reading stories about how you could burn Dreamcast games and play them with something called a "Utopia Disc", and how Sega completely forgot to enable any security in the Dreamcast at all. But Sega was in the home console market for many years before the release of the Dreamcast. And its predecessor, the Sega Saturn, was very well secured. It had a modchip device released for it. But compared to the PlayStation 1, the Sega Saturn was a very complex machine to defeat. So, what never made sense to me was that the Sega Dreamcast had no copy protection at all. And as it turns out, I was right. The Sega Dreamcast actually had a very complicated multi-layered protection scheme, at least for the time. But as we will find out, hackers quickly found a method to play backups without any hardware modification at all. When it comes to console hardware, there have been some spectacular exploits that have been found. The original Xbox, and, more recently, the Nintendo Switch come to mind. But for me, the Dreamcast is the most fascinating story of cracked game copy protection in history. So, before we talk about the Sega Dreamcast copy protection and deep dive into that, it's important to discuss the technical hardware of the Sega Dreamcast. The Sega Dreamcast was a part of the sixth generation of home consoles and the second Sega console to use an optical drive. The Dreamcast was designed to take advantage of fast 3D arcade hardware to bring the arcade experience to the home. The Dreamcast hardware was also used in its arcade counterpart, the Sega NAOMI, which I've covered in a previous episode of the show. The Dreamcast comes with four controller ports, and there was a selection of different peripherals you could connect up, including keyboards, mice, dedicated joysticks, light guns and other custom controllers.
It was also the first console to come standard with a built-in modem for online play. Games came on GD-ROMs, as opposed to regular CDs. Sega partnered with Yamaha and came up with the GD-ROM format in 1998. GD-ROMs, short for Gigabyte Discs, were 1 GB in size and unreadable by general CD or DVD drives that you'd find on a PC beyond the first track, which was the audio track. Attempting to play a GD-ROM Dreamcast disc in a PC, or CD player, usually results in this message. Sometimes, this message varies, depending on the game you play, but the result was always the same. GD-ROMs were only made by Sega, and you couldn't just go out to the store and buy a ten-pack of blank GD-ROMs. Incidentally, I covered the arcade counterpart, the Sega NAOMI, on the channel last year. They also use the same GD-ROM format discs as the Dreamcast, but with a slightly different file structure. And the Dreamcast won't read these discs, either. But let's go back to the Sega Dreamcast and take a closer look at a game disc. The inner, or dark, area is the Lower Density Area that's readable by a standard PC or DVD drive that will read the audio track that we talked about before, and this is typically 35 MB in size. The other remaining 984 MB makes up the lighter area of the disc, which contains the game data itself. GD-ROMs are very sophisticated copy protection. Not only can DVD and CD players only read the first 35 MB as an audio track, there is no way of reading the contents of the disc. So how was this protection defeated? To answer that, we need to understand the boot process of the Dreamcast. When you insert a standard GD-ROM into the Dreamcast, it looks for two files. The first is called "IP.BIN", and it contains metadata about the game itself, the name of the game, the region, the peripherals. And if it supports things like VGA or light guns, it will also display the Sega license screen.
The metadata information also contains the game executable name, and this is the second file that gets accessed after IP.BIN has finished loading. It's usually called "1ST_READ.BIN", and this will begin the boot up of the game proper. Why are these files, then, so important? Because with both of these files, you can boot and run any Dreamcast game and defeat the GD-ROM security. So how was this accomplished? The Dreamcast not only could boot from GD-ROMs, it could also boot regular CDs with a format known as "MIL-CD". Like most consoles at the time, the Sega Dreamcast wanted to include multimedia features. MIL-CDs were multimedia discs used for karaoke on the Dreamcast. There's a total of 7 titles that were ever made, with the most popular being an add-on to Space Channel 5. They added multimedia functions to audio discs, like karaoke and other features. But they never really took off outside of Japan. But Sega knew if a user attempted to insert a MIL-CD in the drive, it would look for IP.BIN, like it did before. And if it located it, it would attempt to boot 1ST_BOOT.BIN, like before. And because these were regular CDs, it meant that a user could then make a copy of the MIL-CD and boot from it. But this process did not work. Sega knew a thing or two about copy protection, and their solution was to scramble 1ST_BOOT.BIN into different parts of memory, essentially corrupting the game executable. This meant that the Dreamcast would know that the disc was pirated and effectively stop it dead in its tracks. So, to summarise what we know: we have the GD-ROM, which is the custom 1 GB format that was developed by Sega and Yamaha. And GD-ROMs are unreadable by PC and DVD drives. And then we have the CD and MIL-CDs. Now, even if we were able to extract the contents of a GD-ROM and burn it onto a CD which is readable by the Dreamcast, it would still not boot because the executable would get corrupted or scrambled, therefore rendering the copy of the game useless.
But unfortunately for Sega, or fortunately for hackers, depending on which way you look at it, there was a quick workaround for this that was discovered by use of a Sega Katana, which is the development kit for the Sega Dreamcast. The story goes that well-known cracking and release group Utopia found a discovery on the Sega Katana SDK, which is commercial software used to develop Dreamcast games. They identified by replicating the MIL-CD format that there was a simple way to reverse-scramble the 1ST_BOOT.BIN executable file onto the CD. They essentially took the corrupted and scrambled 1ST_BOOT.BIN that was in memory after booting into a copied CD and applied that to the CD image itself. Therefore, when the game booted, it would unscramble the executable into memory as a single complete file and boot into the game. Security Lesson 101: don't make any type of encryption reversible. Incidentally, I've looked through much of the Sega documentation on the Katana SDK, and I can't find any mention of any type of unscrambler or API call that does this. I suspect that this was more of a word-of-mouth thing from someone internal at Sega or an undocumented feature. And while I'm at it, if anyone here is familiar with how Utopia made this discovery, hit me up in the comments below, or send me an e-mail. But in the end, the MIL-CD exploit was the root cause of the failure of the copy protection. And once Utopia exploited the MIL-CD, then they came out with their popular Utopia Disc, a CD that booted in MIL-CD format and then would be able to launch any 1ST_BOOT.BIN executable from a copied CD, ultimately defeating the copy protection without a modchip. So, we've learned how the copy protection was ultimately defeated on the Sega Dreamcast. But there's still one question that needs to be answered: "How did these release groups extract the contents of game GD-ROMs and ultimately package them up to be able to be burnt on to a 700 MB CD?"
Because the Katana SDK was available and Utopia had access to the development hardware, they quickly developed an application to dump the contents of a GD-ROM. The Dreamcast had serial communications, and by using a simple cable called a "Coders Cable", with an app on the PC, they could transfer the contents of the GD-ROM image over to the PC. This process took many hours. But over the lifespan of the Dreamcast, other methods of ripping GD-ROMs were identified and this process was streamlined, including using the broadband adapter to significantly speed up the process. The release groups also had to figure out how to squeeze a 1 GB rip of a GD-ROM game onto 700 MB of a CD-ROM. They would compress video and audio files to lower the file sizes, but in some instances, completely removed them. Then, they repacked the games with the MIL-CD bootloader that could be then burnt on to a regular CD. Sega removed the MIL-CD functionality in the second revision of the Dreamcast. Incidentally, in order to know if your Dreamcast supports MIL-CD, simply turn it over and look for a number in the circle. If it's a "0" or "1", it's supported. If it's a "2", it means you're out of luck, and MIL-CD has been removed. These days, there are PC DVD drives that, with a custom firmware, can rip a GD-ROM drive without requiring a Dreamcast. One such drive is the Plextor PX-708UF, and with the custom firmware, it can rip the entire GD-ROM disc. I was hoping to show this up in this video, as I ordered one from eBay recently. But sadly, it did not arrive in time. But still, I may make a follow-up video on how this works. One thing that I do use, however, is the Dreamcast SD Rip. Simply plug this device into the serial port of the Dreamcast. And with this boot CD, it allows you to play and rip GD-ROMs onto the SD card. Now, before I go, I do want to say that this copy protection on the Sega Dreamcast is not new.
This has been very well-documented over many, many years and I'm going to leave links to all the sources below. But I will say that this is a topic that's very near and dear to my heart. And, in fact, there's going to be a future video on the original Xbox, and I'm going to talk about how release groups utilized tools that not many people are familiar with in order to rip games that didn't require an Xbox at all, in order to get their games released faster than the competition. And some of the stuff you've never really seen before, and only a handful of people around the world are familiar with what I'm going to talk about. So stick around for that, if this is a topic that you're interested in. Copy protection on old consoles is definitely something that I'm very interested in covering on the channel. So, guys, I hope you enjoyed this look at the Sega Dreamcast copy protection. And there will be more discussions about copy protection for different consoles in future videos. Well, guys, thank you so much for watching this video. I really hope you enjoyed it. Leave a comment below and let me know what you thought about it. As always, don't forget to like and subscribe, and I'll catch you guys in the next video. Bye for now. [Outro song]
Info
Channel: Modern Vintage Gamer
Views: 889,339
Keywords: dreamcast, sega dreamcast, sega, gd-rom, MIL-CD, dreamcast copy protection, utopia disk, sega katana, mvg, modern vintage gamer, gdemu, coders cable, dreamcast sd card reader, hacked dreamcast, retro gaming, katana SDK, dreamcast broadband adapter, How the Sega Dreamcast Copy Protection Worked, game console, video games
Id: rj56VU_VmWg
Length: 11min 38sec (698 seconds)
Published: Mon Jan 21 2019