Chapter 6: Anti-Copying Mechanisms

Protection Mechanisms Based on Non-Standard Disc Formats

Incorrect TOC and its Consequences

TOC invalidation is a cruel, ugly, but strangely widespread technique in protection mechanisms. End-user copiers (Easy CD Creator, Stomp Record Now!, Ahead Nero) actually go a little nuts when encountering discs of this type. Copiers of protected disks (Clone CD, Alcohol 120%) are much more tolerant of an incorrect TOC. However, in order to obtain a usable copy, they require a specific combination of reading and burning devices. Even given this, successful copying of these discs is not guaranteed.

The burning device must support the RAW DAO (Disc At Once) mode, i.e., the mode in which the entire disk is written in a single pass. The RAW SAO (Session At Once) mode isn't suitable for this purpose, since it orders the drive to write the session contents before writing the TOC. Consequently, the drive has to analyze the TOC on its own in order to determine the session length and its starting address. An attempt to write an incorrect TOC in SAO mode generally results in unpredictable drive behavior. Consequently, it is pointless to hope for the generation of a usable copy of a protected disc! As a rule, the first session with an incorrect TOC encountered by the drive proves to be the last. This is because there is no room to write all of the other sessions (TOC invalidation is usually aimed at increasing the session size to several gigabytes).

The CD-reading device, besides reading in Raw mode (which is supported by practically all drives), must be able to recognize an incorrect TOC. When it encounters such a case, it must automatically switch to a reserved addressing resource, namely, to the Q subcode channel. Otherwise, the session containing the incorrect TOC will be unavailable for reading even at the sector level.

Thus, not all equipment is appropriate for copying discs with incorrect TOCs. About one third of all available copier models are unsuitable for this purpose. In order to find out if the model that you have chosen supports the RAW DAO mode, refer to the online Help system of Clone CD, which provides a long list of various drives (unfortunately, the ones that I have chosen are not listed here), along with their characteristics. Another approach is to issue the 46h (GET CONFIGURATION) SCSI/ATAPI command and check the drive's response. Of my two copiers, only NEC supports the RAW DAO mode. The situation is even more complicated with regard to determining the ability to read incorrect sessions, since this ability depends exclusively on internal drive logic. As a rule, even if the drive is capable of working with an incorrect TOC, the drive itself does not indicate this, and drive manufacturers usually do not advertise this feature. This information has to be found experimentally. For instance, take a disk with an intentionally invalidated TOC (later in this chapter, I'll explain how to create one), insert it into the drive, and try to read sectors from an incorrect session. Different drives might react very differently. For instance, PHILIPS, depending on the mood of its circuitry, might either report a read error or return a stream of unintelligible gibberish, where even a SYNC in the raw header isn't recognizable.

The main drawback of protection mechanisms based on TOC invalidation is that some drives refuse to recognize these disks, and, therefore, make playback impossible. A legal user, who has suffered inconveniences due to the incompatibility of his or her hardware with the protection mechanism, will, in the best case, complain and return the disk to the manufacturer. Naturally, this can only be done if he or she is able to eject this trash from the drive. This question is problematic, since the embedded microprocessors of some drives simply hang when they attempt to analyze an incorrect TOC. In these cases, the drive, literally speaking, retreats into its shell. It becomes fully abstracted from all of the irritants of the outside world, including the user's attempts to eject the disk. Of course, the hole for ejecting disks in emergency cases hasn't been removed entirely, but, according to some rumors, it isn't present on all drives (although I myself have never encountered a drive lacking this feature). On the other hand, this hole is in many cases concealed behind the decorative panel. Cases where the user isn't aware of the existence of this feature, or of how to use it, are even more frequent. Macintosh systems lack these holes (or Mac users never suspected that they might exist). Anyway, the number of lawsuits that they have filed is virtually uncountable. The most interesting fact here is that the courts have ruled in favor of an overwhelming majority of these suits. As a result, the developers have had to pay for the repair of equipment, moral injury, and, finally, the legal costs for the cases. (By the way, removing protection from disks written with crude violations of the standard, and in particular, those with an incorrect TOC, is not considered to be cracking. Consequently, it can't be prosecuted by law. Therefore, if you encounter discs of this type, crack them without any qualms.)

Incorrect Starting Address for the Track

To create a protected disk with an incorrect TOC, we will need: any burning program capable of creating multi-session disks (Roxio Easy CD Creator, for example); a copier of protected disks that stores the TOC contents in a text file that can be edited (we will work with Clone CD); and, finally, a burning drive that supports the RAW DAO writing mode. Although I don't like this style of presenting materials, for the sake of simplicity, all actions will be described in the form of step-by-step instructions.

Step one: Creating an original disk. Take a virgin CD-R disk from the pack, or, better still, an old-stager CD-RW. Insert it into the drive and write a couple of sessions in standard mode. It would be even better (or, to be more precise, more obvious) if the second session includes all of the files from the first session, the one whose TOC we are going to disfigure. The most interesting question is whether or not the drive will be able to read its contents.

Step two: Obtaining the image of the original disk. Start Clone CD and instruct it to create an image of the original disk. At this stage, the chosen settings profile is not critical: because the disk isn't protected yet, we can use both the Data CD and Protected PC Game options with the same level of success. Note that it isn't necessary to set the Create Cue-Sheet checkbox, because this option is available only for single-session CDs.

Step three: Invalidating the starting address of the first track in the CD image. If everything has been done correctly and both the software and the hardware operate normally, the following three files will be created on your hard disk: IMAGE.CCD, containing the contents of the Q subcode channel of the Lead-in area or, simply speaking, the TOC; IMAGE.IMG, the raw disk image containing all sectors starting from 00:00:02 and including the total number of available sectors; and IMAGE.SUB, the contents of the subcode fields of the Program Memory Area. In principle, the latter file might not be present (it is created only if the Read subchannels from data tracks checkbox is set). This circumstance is not critical, however, because, at this point, we are mainly interested in the TOC itself and not the subcode channels! Open the IMAGE.CCD file using any plain-text editor and try to translate the language of the disk geometry into normal, human-friendly language. The contents of a valid TOC in RAW format are shown in Listing 6.1.

Listing 6.1: The contents of a valid TOC in RAW format
[CloneCD]             ; Information on the Clone CD product
Version=3             ; Clone CD version. Of little importance

[Disc]                ; Disk information
TocEntries=12         ; Number of TOC entries
Sessions=2            ; Number of sessions = 2
DataTracksScrambled=0 ; DVD field (see inf-8090), for CDs this info is pointless
CDTextLength=0        ; No CD-Text in subcode fields of the Lead-in area

[Session 1]           ; Session 1 information
PreGapMode=1          ; Track type: Mode 1 (data track, 2048 bytes of data)
PreGapSubC=0          ; No subchannel data

[Session 2]           ; Session 2 information
PreGapMode=1          ; Track type: Mode 1 (data track, 2048 bytes of data)
PreGapSubC=0          ; No subchannel data

[Entry 0]             ; Information of the TOC entry
Session=1             ; Entry of session 1
Point=0xa0            ; Number of the 1st track of session 1 in PMin/disk type in PSec
ADR=0x01              ; q-Mode == 1
Control=0x04          ; Digital copy prohibited ;-)
TrackNo=0             ; The track we are currently reading:
                      ; this is the Lead-in track (i.e., the TOC)
AMin=0                ; \
ASec=0                ; + Absolute address of the current track
AFrame=0              ; /
ALBA=-150             ; LBA-address of the current track
Zero=0                ; This field must be set to zero, which is the case
PMin=1                ; Number of the first track of session 1
PSec=0                ; Disk type CD-DA or CD-ROM in Mode 1
PFrame=0              ; No useful information
PLBA=4350             ; Track number presented by CloneCD as the LBA-address,
                      ; i.e., trash

[Entry 1]             ; Information of TOC entry
Session=1             ; Entry of session 1
Point=0xa1            ; Number of the last track of session 1 in PMin
ADR=0x01              ; q-Mode == 1
Control=0x04          ; Digital copy prohibited ;-)
TrackNo=0             ; Track that we are currently reading: Lead-in track
                      ; (i.e., the TOC)
PMin=1                ; Number of the last track of session 1
                      ; (only one track in the session)
PSec=0                ; No useful information
PFrame=0              ; No useful information
PLBA=4350             ; Track number presented by CloneCD as LBA-address,
                      ; i.e., trash

[Entry 2]             ; Information of the TOC entry
Session=1             ; Entry of session 1
Point=0xa2            ; Position of Lead-out area in PMin:PSec:PFrame
ADR=0x01              ; q-Mode == 1
Control=0x04          ; Digital copy prohibited ;-)
TrackNo=0             ; Track that we are currently reading:
                      ; Lead-in track (i.e., TOC)
AMin=0                ; \
ASec=0                ; + Absolute address of the current track
AFrame=0              ; /
ALBA=-150             ; LBA-address of the current track
Zero=0                ; This field must be set to zero, which is the case
PMin=0                ; \
PSec=29               ; + Absolute address of the Lead-out area of session 1
PFrame=33             ; /
PLBA=2058             ; LBA-address of Lead-out area of session 1

[Entry 3]             ; Information of the TOC entry
Session=1             ; Entry of session 1
Point=0x01            ; Information of track 1 of session 1
ADR=0x01              ; q-Mode == 1
Control=0x04          ; Digital copy prohibited ;-)
TrackNo=0             ; Track that we are currently reading: Lead-in track
                      ; (i.e., TOC)
AMin=0                ; \
ASec=0                ; + Absolute address of the current track
AFrame=0              ; /
ALBA=-150             ; LBA-address of the current track
Zero=0                ; This field must be set to zero, which is the case
PMin=0                ; \
PSec=2                ; + Absolute address of the starting point
                      ;   of track 1 of session 1
PFrame=0              ; /
PLBA=0                ; LBA-address of the starting point of track 1 of session 1

[Entry 4]             ; Information of the TOC entry
Session=1             ; Entry of session 1
Point=0xb0            ; Position of the next writable area in AMin:ASec:AFrame
ADR=0x05              ; q-Mode == 5
Control=0x04          ; Digital copy prohibited ;-)
TrackNo=0             ; Track that we are currently reading: Lead-in track (i.e., TOC)
AMin=2                ; \
ASec=59               ; + Absolute address of the next writable area
AFrame=33             ; /
ALBA=13308            ; LBA-address of the next writable area
Zero=3                ; Number of pointers in Mode 5
PMin=22               ; \
PSec=14               ; + Absolute address of the maximum writable area
PFrame=34             ; /
PLBA=99934            ; LBA-address of the maximum writable area

[Entry 5]             ; Information of TOC entry
Session=1             ; Entry of session 1
Point=0xc0            ; Starting address of the Lead-in area of Hybrid disk
                      ; (if there is any)
ADR=0x05              ; Mode 5 (Orange book)
Control=0x04          ; Digital copy prohibited ;-)
TrackNo=0             ; Track that we are currently reading:
                      ; this is the Lead-in track (i.e., TOC)
AMin=162              ; Recommended laser power for burning
ASec=128              ; Application code
AFrame=140            ; Reserved
ALBA=288590           ; LBA-address of three preceding fields
Zero=0                ; Reserved
PMin=97               ; \
PSec=27               ; + Absolute Lead-in address of the disk hybrid area
PFrame=21             ; / (Address is beyond the limits of the disk,
                      ;   i.e., there is no Hybrid disk)
PLBA=-11604           ; LBA-address of Lead-in area of Hybrid
                      ; (computed with overflow)

[Entry 6]             ; Information of the TOC entry
Session=1             ; Entry of session 1
Point=0xc1            ; Copy of ATIP information
ADR=0x05              ; +
Control=0x04          ; +
TrackNo=0             ; +
AMin=4                ; +
ASec=120              ; +
AFrame=96             ; +
ALBA=26946            ; + ATIP information
Zero=0                ; +
PMin=0                ; +
PSec=0                ; +
PFrame=0              ; +
PLBA=-150             ; +

[Entry 7]             ; Information of TOC entry
Session=2             ; Entry of session 2 (here we have finally got to session 2!)
Point=0xa0            ; Number of first track of session 2 in PMin/disk type in PSec
ADR=0x01              ; q-Mode == 1
Control=0x04          ; Digital copy prohibited ;-)
TrackNo=0             ; Track that we are currently reading: Lead-in track
                      ; (i.e., TOC)
AMin=0                ; \
ASec=0                ; + Absolute address of the current track
AFrame=0              ; /
ALBA=-150             ; LBA-address of the current track
Zero=0                ; This field must be set to zero, which is the case
PMin=2                ; Number of the first track of session 2
                      ; (track numbering is pass-through!)
PSec=0                ; Disk type CD-DA and CD-ROM disk in Mode 1
PFrame=0              ; No useful information
PLBA=8850             ; Track number presented by CloneCD as LBA-address,
                      ; i.e., trash

[Entry 8]             ; Information of TOC entry
Session=2             ; Entry of session 2
Point=0xa1            ; Number of the last track of session 2 in PMin
ADR=0x01              ; q-Mode == 1
Control=0x04          ; Digital copy prohibited ;-)
TrackNo=0             ; Track that we are currently reading: Lead-in track (i.e., TOC)
AMin=0                ; \
ASec=0                ; + Absolute address of the current track
AFrame=0              ; /
ALBA=-150             ; LBA-address of the current track
Zero=0                ; This field must be set to zero, which is the case
PMin=2                ; Number of the last track of session 2
                      ; (the session has only one track)
PSec=0                ; No useful information
PFrame=0              ; No useful information
PLBA=8850             ; Track number presented by CloneCD as LBA-address,
                      ; i.e., trash

[Entry 9]             ; Information of TOC entry
Session=2             ; Entry of session 2
Point=0xa2            ; Position of the Lead-out area in PMin:PSec:PFrame
ADR=0x01              ; q-Mode == 1
Control=0x04          ; Digital copy prohibited ;-)
TrackNo=0             ; Track that we are currently reading: Lead-in track (i.e., TOC)
AMin=0                ; \
ASec=0                ; + Absolute address of the current track
AFrame=0              ; /
ALBA=-150             ; LBA-address of the current track
Zero=0                ; This field must be equal to zero, which is true
PMin=3                ; \
PSec=24               ; + Absolute address of the Lead-out area of session 2
PFrame=23             ; /
PLBA=15173            ; LBA-address of the Lead-out area of session 2

[Entry 10]            ; Information of TOC entry
Session=2             ; Entry of session 2
Point=0x02            ; Information of track 2 of session 2
ADR=0x01              ; q-Mode == 1
Control=0x04          ; Digital copy prohibited ;-)
TrackNo=0             ; Track that we are currently reading: Lead-in track (i.e., TOC)
AMin=0                ; \
ASec=0                ; + Absolute address of the current track
AFrame=0              ; /
ALBA=-150             ; LBA-address of the current track
Zero=0                ; This field must be equal to zero, which is the case
PMin=3                ; \
PSec=1                ; + Absolute address of the starting point
                      ;   of track 2 of session 2
PFrame=33             ; /
PLBA=13458            ; LBA-address of the starting point of track 2 of session 2

[Entry 11]            ; Information of TOC entry
Session=2             ; Entry of session 2
Point=0xb0            ; Address of the next writable area in AMin:ASec:AFrame
ADR=0x05              ; Mode 5
Control=0x04          ; Digital copy prohibited ;-)
TrackNo=0             ; Track that we are currently reading: Lead-in track
                      ; (i.e., TOC)
AMin=4                ; \
ASec=54               ; + Absolute address of the next writable area
AFrame=23             ; /
ALBA=21923            ; LBA-address of the next writable area
Zero=1                ; Number of Mode 5 pointers
PMin=22               ; \
PSec=14               ; + Absolute address of the last possible Lead-out area
PFrame=34             ; / (in fact, the disk contains 23 minutes.
                      ;   Just look at the rounding error 22:14:34)
PLBA=99934            ; LBA-address of the last possible Lead-out area

[TRACK 1]             ; Information of track 1
MODE=1                ; Mode 1
INDEX 1=0             ; Post-gap?

[TRACK 2]             ; Information of track 2
MODE=1                ; Mode 1
INDEX 1=0             ; Post-gap?

Generally speaking, the disk contains two sessions, with one track in each. The absolute address of the starting point of the first track is 00:00:02, while the absolute address of the Lead-out area of the first session is 00:29:33 (the address of the track's last sector is shorter by two seconds). The absolute address of the starting point of the second track is 03:01:33, while the absolute Lead-out address of the second session is 03:24:33. The maximum achievable disk capacity is 22:14:34 (although it is labeled as a 23-minute disk).

Now let's corrupt the TOC by increasing the starting address of the first track so that it exceeds the limits of the first session. For the moment, it doesn't matter where it points. It will point somewhere. To find the entry that corresponds to it quickly, use the context search. Press <F7> and enter point=0x1:

Listing 6.2: Attributes of track 1
[Entry 3]        ; Information of TOC entry No3
Session=1        ; Entry of session 1
Point=0x01       ; Information of track 1 of session 1
ADR=0x01         ; q-Mode == 1
Control=0x04     ; Digital copy prohibited ;-)
TrackNo=0        ; Track that we are currently reading: Lead-in track
                 ; (i.e., TOC)
AMin=0           ; \
ASec=0           ; + Absolute address of the current track
AFrame=0         ; /
ALBA=-150        ; LBA-address of the current track
Zero=0           ; This field must be equal to zero, which is the case
PMin=0           ; \
PSec=2           ; + Absolute address of the starting point
                 ;   of track 1 of session 1
PFrame=0         ; /
PLBA=0           ; LBA-address of the starting point of track 1 of session 1

As we can see, here we have both the absolute track address, measured in minutes:seconds:frames, and the LBA address of the track. The LBA address is nothing more than the logical number of the sector, starting from zero. The TOC itself doesn't contain an entry for the LBA address. Here (in the Clone.ccd file) it was added by Clone CD on its own initiative. Presumably, Clone CD computes the LBA address for the sake of convenience (and, in fact, it is much more comfortable to work with LBA addressing). However, when you introduce any modifications into CCD files, you have to track the correspondence between both types of addresses on your own. In order to translate the absolute addresses into LBA format, it is possible to use the following formula:

 Logical Sector Address = (((Minute * 60) + Seconds) * 75 + Frame) - 150
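The correspondence between the two address forms can be checked mechanically. The following is an added example, not code from the book or from Clone CD: it parses the [Entry N] sections of a CCD file, recomputes each LBA with the formula above, and flags tracks whose start lies at or beyond their session's Lead-out. The sample entries reuse values from Listing 6.1, the altered PMin=10 is a constructed value, and the wrap for minutes of 90 and above is an assumption chosen because it reproduces the listing's PLBA=-11604 for 97:27:21.

```python
import configparser

def msf_to_lba(minute, second, frame):
    """Absolute minutes:seconds:frames address -> LBA (formula from the text)."""
    lba = (minute * 60 + second) * 75 + frame - 150
    # Assumption: minutes >= 90 wrap to negative LBAs; this reproduces the
    # listing's PLBA=-11604 for 97:27:21 ("computed with overflow").
    if minute >= 90:
        lba -= 100 * 60 * 75
    return lba

def parse_ccd_entries(text):
    """Return the [Entry N] sections of a CCD file as dicts of integers."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.read_string(text)
    return [{key: int(value, 0) for key, value in cp[name].items()}
            for name in cp.sections() if name.startswith("Entry")]

def check_toc(entries):
    """Flag q-Mode 1 entries whose addresses are inconsistent."""
    findings = []
    leadout = {e["session"]: msf_to_lba(e["pmin"], e["psec"], e["pframe"])
               for e in entries if e["adr"] == 1 and e["point"] == 0xA2}
    for e in entries:
        is_track = 1 <= e["point"] <= 99
        if e["adr"] != 1 or not (is_track or e["point"] == 0xA2):
            continue  # A0/A1 and Mode 5 entries hold no address in P*
        start = msf_to_lba(e["pmin"], e["psec"], e["pframe"])
        if start != e["plba"]:
            findings.append((e["session"], e["point"],
                             "PLBA does not match PMin:PSec:PFrame"))
        if is_track and start >= leadout.get(e["session"], float("inf")):
            findings.append((e["session"], e["point"],
                             "track starts at or after its session's Lead-out"))
    return findings

# Constructed excerpt: entries 2 and 3 of Listing 6.1, reduced to the
# fields the checks need.
VALID_CCD = """
[Entry 2]
Session=1
Point=0xa2
ADR=0x01
PMin=0
PSec=29
PFrame=33
PLBA=2058
[Entry 3]
Session=1
Point=0x01
ADR=0x01
PMin=0
PSec=2
PFrame=0
PLBA=0
"""

# Constructed edit: track 1's start minute changed, PLBA left untouched.
TAMPERED_CCD = VALID_CCD.replace("PMin=0\nPSec=2\n", "PMin=10\nPSec=2\n")

if __name__ == "__main__":
    for label, text in (("valid", VALID_CCD), ("tampered", TAMPERED_CCD)):
        print(label, check_toc(parse_ccd_entries(text)))
```
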

The listing below shows the attributes of track 1 before and after the introduction of intentional errors.

Listing 6.3: The attributes of track 1 before distortion (left), and after distortion (right)
[Entry 3]          [Entry 3]
Session=1          Session=1
Point=0x01         Point=0x01
ADR=0x01           ADR=0x01
Control=0x04       Control=0x04
TrackNo=0          TrackNo=0
AMin=0             AMin=0
ASec=0             ASec=0
AFrame=0           AFrame=0
ALBA=-150          ALBA=-150
Zero=0             Zero=0
PMin=0


CD Cracking Uncovered. Protection against Unsanctioned CD Copying
ISBN: 1931769338
Year: 2003
Pages: 60
