
Restoring Cleared CD-RW Discs

There are two principally different methods of clearing CD-RW discs: quick and full. When carrying out quick erasing, only the TOC area is actually removed from the disc. As a result, the disc appears to be a blank one, even though its main contents remain intact. When carrying out full erasing, conversely, the laser burns the entire disc surface, from the first pit to the last. Naturally, this process takes time, with the full erasing of a disc taking about 10 minutes, while quick erasing can be done in just a couple.

The recovery of fully erased discs is possible only using special equipment that is capable of detecting even the slightest changes in the reflective character of the reflecting layer. Naturally, this kind of equipment is not available to most users. On the other hand, discs that have been erased using quick methods can be restored on a standard recorder, although not every model is suitable for this purpose.

We won't concentrate here on the ethical aspects of this problem. For simplicity, let us suppose that you need to recover your own CD-RW disc that you have accidentally erased. Or, suppose that this will be a perfectly legal operation requested by your employer. Bear in mind, however, that restoring confidential information from erased CD-RW discs belonging to someone else can be classified as unauthorized access to that information and can bring with it legal consequences. To carry out experiments related to the recovery of information from cleared CD-RW discs, you'll need the following:

  • A CD-RW drive that doesn't check the correctness of the TOC contents too carefully, supports the RAW DAO mode, and is capable of reading the Pre-gap content of the first track. Bear in mind that not every CD-RW drive is suitable for this purpose; therefore, be prepared to test a lot of different devices. For example, of the two devices that I have at my disposal, only the NEC drive is suitable for this purpose, while PHILIPS is unable to do this.

  • Recording software with advanced capabilities, allowing for the manipulation of the service areas of the disc as necessary. For instance, you can use Clone CD, CDRWin, Alcohol 120%, or any other similar utility of your choice. However, all of the material that follows is oriented exclusively towards the use of Clone CD. Thus, if you choose another utility, you might encounter some problems. If you are not sure that you'll be able to solve these problems on your own, use Clone CD, and later on, as you acquire the required experience and professional skills, you'll become able to restore discs using other similar programs.

  • Some tool for working with the disc at the sector level. This must be a utility allowing you to read any specified sector (provided, of course, that this sector can be read by the drive equipment), which doesn't attempt to skip sectors that, according to its own reading, do not contain anything of interest. The copiers of protected discs listed above are not suitable for this purpose, since they refuse to read sectors that are useless from the program's point of view. There may be some copiers that behave differently, but I am unaware of any. Instead of testing one copier after another, I have written the required utility myself.

Before starting our experiments, let us try to understand why the disc becomes unreadable after being cleared. This question isn't as silly as it seems. After all, the information required for positioning the head and searching for the required sectors remains intact after fast disc clearing! Control information is distributed along the entire spiral track. Thus, for reading the disc at the sector level, the TOC is not, generally speaking, required at all. Admittedly, a missing TOC significantly complicates the analysis of the disc geometry and, in the general case, the drive has to read the entire disc in order to determine the number of disc tracks/sessions. However, when recovering lost information, time isn't the factor of primary importance and can be neglected.

Nevertheless, after any attempt at reading any sector of the cleared disc, the drive persistently returns an error. Why is this? The answer is straightforward and easy. This is simply to protect against reading information that is certain to be incorrect. Not a single one of the drives with which I am familiar could read a single sector outside the Lead-out area (in fact, at the software level, the contents of the Lead-in/Lead-out areas are also unavailable). Nevertheless, this isn't a principal or conceptual limitation. Removing extra checks from the drive firmware will allow us to read such discs easily. I'm not suggesting that you disassemble the firmware code. This is a difficult, labor-consuming task that is, above all, far from safe. If you hack the firmware incorrectly, you'll ruin the entire drive, without hope of repairing it. We'll go about this another way!

The method for recovering information that I suggest is, generally, writing a fictitious TOC to the disc. The Lead-in and Lead-out addresses of this TOC must point to the first and the last sectors of the disc, respectively, and the starting address of the first track must coincide exactly with the end of the Pre-gap area, which, according to the standard, must occupy no less than 150 sectors (or 2 seconds, if converted to absolute addresses). After this easy operation, the drive will obediently read the original content of the cleared disc, provided, of course, that we manage to tune the CD burning software in such a way as to make no attempts at interpreting the pointers to the Lead-in/Lead-out areas supplied to it as an instruction to burn the entire disc surface after writing a fictitious TOC.

Experience has shown that Clone CD refuses to write such a TOC, complaining about the mismatched sizes of the disc and image file. Alcohol 120% carries out this task without any complaint, but does so in a manner that is not what we desire! Having stuffed the entire disc with unimaginable garbage, it informs us that write errors have occurred, and that, possibly, we must check the equipment usability.

Well, let's try another approach. Let's write one real track to the disc, taking up the maximum possible number of sectors (300, according to standards, although some drives are quite content with smaller values), but also extend the Pre-gap from two seconds to the entire disc! As a result, we'll lose only 300 trailing sectors, but, in exchange, we'll gain access to the entire remainder of the contents. Taking into account that there are slightly above 300,000 such sectors on the disc, it isn't difficult to determine that the percentage of successfully recovered information will be about 99.999 percent of the total disc capacity, provided that the entire disc was filled with useful info (which is a rarity in itself). If you are not satisfied with this, it makes sense to develop a custom program that can correctly write a fictitious TOC. The TOC area is written by the drive itself in any case; however, it is possible to do without Lead-out if you treat the disc carefully. The main goal in this case is an attempt to correctly read the sectors that fall beyond the disc limits. Otherwise, the drive's behavior will become unpredictable. I should point out, however, that I have never encountered a situation where it was necessary to recover a completely filled disc.

The recovery procedure comprises three parts: preparing the source image of the track with a normal Pre-gap; increasing the Pre-gap to the size of the entire disc; and then writing the corrected image to the disc that needs to be restored. The first two steps can be carried out in one operation, since the resulting image (we will call it the correcting image later on) can be used for all discs (or, to be more precise, for all discs of the same capacity; for obvious reasons, it will be impossible to recover a 23-minute disc correctly using an image intended for an 80-minute disc, and vice versa).

To begin with, let us take a blank CD-RW disc. ("Blank" in this case doesn't mean one that has never been written, but, on the contrary, one that has been cleared by means of quick or full erasing. CD-R discs are also suitable.) Use any standard utility for CD burning and write to it a file of a size not exceeding 500 K (larger files won't fit within the planned 300 sectors). It isn't necessary to finalize the disc.

Start Clone CD (or Alcohol 120%) and grab the disc image. After a couple of minutes, two files will appear on the hard disk: file name.img and file name.ccd. (If you instruct Clone CD to save subchannel information as well, there will be a third file, file name.sub. However, in this case subchannel information will be more of a bore than a help. Therefore, it is advisable either to disable the option for reading subchannel info from data tracks or to delete the file name.sub file from the disk.) The Cue-Sheet that Clone CD offers to create for compatibility with other programs, specifically with CDRWin, is also unnecessary.

Open the file name.ccd file with any text editor (Notepad, for example) and find the following strings (use the Point=0xa2 and Point=0x01 keywords for searching):

Listing 10.6: The original starting address of Lead-out (left) and starting address of the first track of the disc (right)

 [Entry 2]      [Entry 3]      ; TOC entry
 Session=1      Session=1      ; Session number
 Point=0xa2     Point=0x01     ; point (A2h: Lead-out / 01h: track)
 ADR=0x01       ADR=0x01       ; data in q-subchannel positioned
 Control=0x04   Control=0x04   ; data track
 TrackNo=0      TrackNo=0      ; Lead-in track
 AMin=0         AMin=0         ; \
 ASec=0         ASec=0         ;  +  absolute address in M:S:F
 AFrame=0       AFrame=0       ; /
 ALBA=-150      ALBA=-150      ; Absolute address in LBA
 Zero=0         Zero=0         ; Reserved
 PMin=0         PMin=0         ; \
 PSec=29        PSec=1         ;  +  Relative address in M:S:F
 PFrame=33      PFrame=0       ; /
 PLBA=2058      PLBA=0         ; Relative address in LBA

Let's change the PMin:PSec:PFrame fields belonging to point A2h so that they point to the end of the disc (A2h represents the Lead-out). The changed Lead-out may appear as follows: 74:30:00. The Lead-out address must be chosen in such a way that a gap of at least 30 seconds remains between it and the external disc edge. It is even better if the width of Lead-out equals about 1 1/2 minutes. However, in this case the last tracks of the disc being restored will be lost.

The contents of the PMin:PSec:PFrame fields belonging to point 01h (the starting address of the first track) must be increased by the same value that was added to the corresponding Lead-out fields. For example, the modified variant might appear as follows: 74:01:42 (74:30:00 /* new Lead-out address */ - 00:29:33 /* old Lead-out address */ + 00:01:00 /* old starting address of the first track */ == 74:01:42 /* new starting address of the first track */). Briefly speaking, the new version of the CCD file must appear as follows:

Listing 10.7: A key fragment of the reanimating file for 75-minute CD-RW discs

 PMin=74        PMin=74
 PSec=30        PSec=01
 PFrame=00      PFrame=42

To be accurate, it would be desirable also to edit the PLBA fields (the LBA address is related to the absolute address by the following formula: LBA == ((Min*60) + Sec)*75 + Frame). However, current versions of CD-burning software use only absolute addresses, ignoring LBA addresses. Now, everything that is located between the end of the Lead-in area and the starting point of the first sector will become the Pre-gap. In the course of CD burning, the Pre-gap area will remain intact, and later it will be possible to read it at the sector level, which is exactly what we need! Honestly speaking, an excessive increase in the size of the Pre-gap area of the first track is not the best idea, since not all drives are capable of reading a long Pre-gap. From the compatibility point of view, it would be better to increase the Pre-gap area of the second track. However, in this case we'll have to place the first track at the very beginning of the disc, in which case recoverable sectors will inevitably be lost from the body of the file. Although the fact that starting sectors are unlikely to contain anything valuable means that this doesn't present a big problem, it is still better to avoid using this approach unless absolutely necessary. In case of emergency, do the following: write two sessions to the disc, and instead of changing the point 01h address, change the starting address of point 02h (it will be located in the session=2 section).
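The address arithmetic behind the CCD edit, worked in code as an added example (not code from the book). Function names are illustrative; the 150-frame offset applied to PLBA is an assumption taken from the listing's ALBA=-150 and PLBA=2058 for 00:29:33, not from the formula as printed above.

```python
# Added example: M:S:F arithmetic for shifting the first track's start address
# by the same amount the Lead-out was moved. 75 frames (sectors) per second.
FRAMES_PER_SEC = 75
PREGAP_FRAMES = 150  # assumption: offset that reproduces the listing's PLBA=2058


def msf_to_frames(m, s, f):
    """Convert an M:S:F address to a frame count, rejecting malformed fields."""
    if m < 0 or not 0 <= s < 60 or not 0 <= f < FRAMES_PER_SEC:
        raise ValueError(f"invalid M:S:F address {m}:{s}:{f}")
    return (m * 60 + s) * FRAMES_PER_SEC + f


def frames_to_msf(frames):
    """Convert a frame count back to an (M, S, F) tuple."""
    if frames < 0:
        raise ValueError("negative frame count")
    seconds, f = divmod(frames, FRAMES_PER_SEC)
    m, s = divmod(seconds, 60)
    return m, s, f


def shift_track_start(old_leadout, new_leadout, old_track_start):
    """New start of track 01h = old start + (new Lead-out - old Lead-out)."""
    delta = msf_to_frames(*new_leadout) - msf_to_frames(*old_leadout)
    if delta < 0:
        raise ValueError("new Lead-out lies before the old one")
    return frames_to_msf(msf_to_frames(*old_track_start) + delta)


def ccd_fields(msf):
    """Render the PMin/PSec/PFrame/PLBA lines for one TOC entry."""
    m, s, f = msf
    plba = msf_to_frames(m, s, f) - PREGAP_FRAMES
    return f"PMin={m}\nPSec={s}\nPFrame={f}\nPLBA={plba}"


if __name__ == "__main__":
    # Values from Listing 10.6 and the text: old Lead-out 00:29:33,
    # new Lead-out 74:30:00, old track start 00:01:00.
    new_start = shift_track_start((0, 29, 33), (74, 30, 0), (0, 1, 0))
    print("[Lead-out, point 0xa2]")
    print(ccd_fields((74, 30, 0)))
    print("[Track 1, point 0x01]")
    print(ccd_fields(new_start))
```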

Now, let's clear our test disc and fill it with files of any type to the full capacity (text files are preferable for this purpose, since they will allow you to see immediately what you are restoring from the disc: garbage or some useful information). Having written these files to the disc, clear it immediately.

After making sure that the disc has actually been cleared and that its contents are no longer available, start Clone CD and write the reanimator image that we have just created. Writing should be carried out in the DAO mode. Otherwise, you'll fail to achieve anything useful. Therefore, before attempting to recover discs of any value on a drive about which you have insufficient knowledge, first try to recover some test discs that hold nothing you are afraid of losing.

The moment will finally arrive when you are holding in your hands a newly recovered CD. But has it actually been restored? To find out, insert the CD recovered from ashes into the NEC drive and, with a sinking heart, arbitrarily pick any sector located somewhere in the middle of the disc to read (starting sectors are usually filled with zeroes and, furthermore, these sectors and the file system can easily appear to be useless garbage). Voila!!! The original content of the cleared disc is as readable as if it had never been erased!!! Still, when attempting to read the disc TOC using the standard tools in the operating system, your drive might go into a stupor very similar to the OS freezing (after all, the starting address of the first track is not located at the beginning of the disc, as might be expected, but in quite a different location). But this doesn't matter. The main thing is that the disc is still available at the sector level, although not on every drive. For instance, the ASUS drive simply refuses to read such a disc, returning an error message, while the PHILIPS drive reads only a garble (fortunately, this garble is easily cleaned up). All you need to do is carry out sector-level EFM reencoding from a more suitable position. Since there are only 14 possible positions, testing all of them won't take long. Still, the best approach is to purchase a better-quality drive rather than making all of this effort.

All that remains is to bring the disc to a state that will be accepted without any problems by the OS (what's the sense of analyzing the disc at the low level?). Now, we read all of the disc sectors sequentially, and combine them into one IMG file, which, for the sake of clarity, we'll assign the recover.img name. The sectors that, even after multiple attempts, we couldn't manage to read will be skipped. Let's copy the reanimator CCD file to the recover.ccd file and return the starting address of the first track to its initial position. We will write the newly formed disc image to the new disc, and, if everything has been done correctly, any drive will read it without any problems. The test session of demo reanimation has been successfully completed. Now, having acquired the necessary experience, we can embark on much more serious tasks. For instance, start our own small business, dealing with the recovery of accidentally cleared CDs. Just kidding.

What should we do if the cleared disc was a multisession disc? After all, the above-described techniques were intended for working only with one session! Actually, multisession discs can also be restored and this task is only slightly more difficult. To achieve this, however, we must first become acquainted with the other fields of the TOC. This topic will be covered in the next chapter.

But what if something was written to the disc after it was cleared? Is recovery possible in this case? It depends. Naturally, locations that were erased directly are lost. But the remaining information can still be restored. If it was a multisession disc before clearing, we won't even need to labor over the recovery of the file system, since the file system of each next session usually duplicates that of the previous one. "Usually" means in all cases other than that of erased files. At the same time, the last disc session proves to be located far from the beginning of the disc. Consequently, the risk of erasing it is minimal (provided, of course, that you worry about this in due time and don't remember it suddenly after having rewritten the entire disc). The recovery of single-session discs with an erased file system is a much more difficult task, although it is also possible. First, a typical disc has two types of file systems: ISO-9660 and Joliet. Unfortunately, because of their close geographical location, both of them are ruined in the course of erasing the disc. Second, these file systems do not support fragmentation, and any file written to a CD represents a contiguous information block. All you need to do to restore it is determine its entry point and length. The entry point of the file always coincides with the starting point of the sector, and the vast majority of file types allow for identifying their headers by a unique signature (in particular, the following sequence is characteristic for ZIP files: 50 4B 03 04). The end of a file cannot be detected so definitely, and the only hook here is the structure of the file being restored. Nevertheless, most applications tolerate a collection of assorted garbage at the file trailer, so, in practice, the precision of 1 sector when determining the file length is sufficient. Since files reside on the disc sequentially and without gaps, the terminating sector of any file can be recognized reliably by decreasing the starting address of the next file by one.
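The signature-based recovery just described, as an added example that is not code from the book. It assumes recover.img holds 2048-byte user-data sectors; only the ZIP signature comes from the text, the PDF and PNG signatures and all function names are additions, and the sample image is constructed.

```python
# Added example: carve contiguous, sector-aligned files out of a sector image
# that has lost its ISO-9660/Joliet file system.
SECTOR = 2048  # assumption: cooked Mode 1 sectors, 2048 bytes of user data each

SIGNATURES = {
    b"PK\x03\x04": "zip",        # 50 4B 03 04, the signature quoted in the text
    b"%PDF-": "pdf",             # added for illustration
    b"\x89PNG\r\n\x1a\n": "png",  # added for illustration
}


def find_headers(image):
    """Return [(sector, kind)] for each sector that begins with a known signature."""
    hits = []
    for offset in range(0, len(image), SECTOR):
        head = image[offset:offset + 8]
        for magic, kind in SIGNATURES.items():
            if head.startswith(magic):
                hits.append((offset // SECTOR, kind))
                break
    return hits


def last_used_sector(image, start):
    """For the final file: step back over trailing all-zero sectors."""
    last = (len(image) - 1) // SECTOR
    while last > start and not any(image[last * SECTOR:(last + 1) * SECTOR]):
        last -= 1
    return last


def carve(image):
    """Return [(kind, first_sector, last_sector)]; a file ends one sector
    before the next recognized header. Files of unknown type are absorbed
    into the preceding extent, which most applications tolerate as trailer."""
    hits = find_headers(image)
    extents = []
    for n, (start, kind) in enumerate(hits):
        if n + 1 < len(hits):
            end = hits[n + 1][0] - 1
        else:
            end = last_used_sector(image, start)
        extents.append((kind, start, end))
    return extents


def extract(image, first, last):
    """Return the bytes of sectors first..last inclusive."""
    return image[first * SECTOR:(last + 1) * SECTOR]


def build_sample():
    """Constructed test image: 2 empty sectors, a 2-sector ZIP-like blob,
    a 1-sector PDF-like blob, then 3 empty sectors."""
    def pad(blob):
        return blob + b"\x00" * (-len(blob) % SECTOR)
    return (b"\x00" * (2 * SECTOR) + pad(b"PK\x03\x04" + b"A" * 3000)
            + pad(b"%PDF-1.4\n" + b"B" * 100) + b"\x00" * (3 * SECTOR))


if __name__ == "__main__":
    img = build_sample()
    for kind, first, last in carve(img):
        print(f"{kind}: sectors {first}..{last}, {len(extract(img, first, last))} bytes")
```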

Generally speaking, the technique for recovering CDs is considerably easier than the art of recovering their relatives, diskettes and hard disks. On the other hand, the proverb "measure seven times before cutting once" still applies. One of the most unpleasant specific features of working with CD-RW discs is that, in this case, you are unable to fully control the writing process in progress. Diskettes and hard disks are fully transparent in this respect: you get what you actually write. CD-RW discs, on the contrary, represent a kind of black box. You can never be sure that a specific drive will correctly interpret the commands passed to it. The recovery of CD-RW discs is not a standard operation, and any non-standard manipulation can be interpreted differently by different drives. The only advice that can be given here is as follows: Do not let things take their own course. Try, try, and try again. This will allow you to accumulate valuable experience that will sometimes be of inestimable help.



CD Cracking Uncovered. Protection against Unsanctioned CD Copying
CD Cracking Uncovered: Protection Against Unsanctioned CD Copying (Uncovered series)
ISBN: 1931769338
EAN: 2147483647
Year: 2003
Pages: 60
