xboxscene.org forums


Author Topic: Presentation: C64 vs. Xbox360 Copy Protection Scheme  (Read 62 times)

Xbox-Scene

  • Archived User
  • Hero Member
  • *
  • Posts: 4299
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« on: February 10, 2007, 09:46:00 PM »

Presentation: C64 vs. Xbox360 Copy Protection Scheme
Posted by XanTium | February 10 23:46 EST
 
Nate Lawson (co-designer of the Blu-Ray content protection layer) published a presentation at the RSA 2007 Conference comparing the content protection schemes used on the Commodore64 vs. the Xbox360 ... showing things aren't all that different today:
Quote

History and future of copy protection. Builds on the property of asymmetry as a way of analyzing copy protection features. Defenders only need to increase cost to attackers, not build an impenetrable wall. Included a live demo of reading a C64 game and cracking its protection, as well as an intro to the Xbox 360 drive hacks. Ended with some simple recommendations for repairing the 360 hacks.

Download the slides of the presentation from root.org

Logged

MaximusX15

  • Archived User
  • Newbie
  • *
  • Posts: 32
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #1 on: February 10, 2007, 09:15:00 PM »

Very cool! I enjoyed reading the .pdf file!
Logged

Ray2Kay

  • Archived User
  • Full Member
  • *
  • Posts: 104
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #2 on: February 10, 2007, 10:36:00 PM »

man give them an idea..........that's a nice right out.
Logged

SpiderX1016

  • Archived User
  • Full Member
  • *
  • Posts: 140
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #3 on: February 10, 2007, 11:20:00 PM »

heh, C4E's name is in there. that's cool
Logged

steveju

  • Archived User
  • Full Member
  • *
  • Posts: 133
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #4 on: February 11, 2007, 12:12:00 AM »

QUOTE(Ray2Kay @ Feb 11 2007, 05:43 AM)

man give them an idea..........that's a nice right out.

1. check that responses vary appropriately between challenges of the same type == Let's hope that the DVD drive in the box is in its theoretical best working condition. Even if the drive isn't hacked, some drives are extremely slow to pull out data off a disc, so should those drives be banned? --> Unhacked & hacked drives are affected

2. use same debug commands to load disc-specific hashing code into drive, check for patched firmware == Let's send some commands to the drive and see what happens; a. The cheap drive isn't working like it should and sends some error code or hangs the system b. The drive is hacked and prevents this from happening --> Unhacked & hacked drives are affected, they could even brick some drives with this.

3. look for SS.bin file via host or code loading into drive == Rename SS.BIN. I doubt they can spy on the SS -data that is loaded from the disc (where it's located). Is the SS.BIN even stored as SS.BIN in the media when burned? Or is it just plain data. I really don't get how "looking for a file" would help if it's plain data to begin with.


I think that "effort/$" is not in m$'s favor.
Logged

Nicroma

  • Archived User
  • Newbie
  • *
  • Posts: 28
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #5 on: February 11, 2007, 12:22:00 AM »

oh no
Logged

IntestineMan

  • Archived User
  • Full Member
  • *
  • Posts: 106
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #6 on: February 11, 2007, 03:14:00 AM »

I remember "Frantic Freddie" as one of the first C64 games that used error protection. If I remember, it had a 21-read error on one of the first few tracks which it checked for. We used to duplicate it by starting a disk format (initialize disk) and pulling the disk out after hearing the drive head move up a couple tracks.

Then there was Sammy Lightfoot that put a 23-read error on the last sector of track 18! Kevin's Pirate Pack to the rescue! Anyone ever remember a program called "Error Maker", written by Kevin Pickell? It was a utility that made errors on the disk using a 1541 drive. I remember the 27 error maker didn't work and I learned eventually how to code the 1541 and examined his code and disassemblies of the 1541 and as a result was able to make a 27-read error. I was able to program my own utilities and learned quite a bit about it. I also remember GCR (Group Coded Recording) and the reason for it was so it would not write many on-bits (FF's) in a row since the 1541 was soft-sectored. It converted a sector of 256 8-bit bytes to 256 10-bit bytes. Since it was an 8-bit CPU, it stored these 10-bit bytes as 320 8-bit bytes. A characteristic of GCR was that there would be no more than 2 or 3 (can't remember exactly) consecutive on-bits. The drive used a stream of FF's, or on-bits, to sync up to the sectors - basically the drive would read data off the disk until it found a whole bunch of FF's and then as soon as it found data it would read until it found a sector header, then use that to read in the 320 bytes of GCR and translate it to 256 real bytes. One protection was to change the gap length and time it, or one could rewrite the entire track layout and the whole disk would look like errors. One could also squeeze an extra sector on certain tracks, and even add extra tracks (track 40).



Logged
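
An added example, not part of the post above or of any 1541 tool's code: the Commodore 4-to-5-bit GCR table applied to a 256-byte sector, with a check of the resulting run lengths and of how a run of FF sync bytes fails to decode as data. The function names are chosen for this illustration, and the sample sector is constructed; a real on-disk data block also carries a block ID, checksum and padding, which are left out here.

```python
# Commodore 1541 GCR: every 4-bit nibble is written as a 5-bit code,
# so 4 data bytes (8 nibbles) become 5 bytes on disk.
GCR_ENCODE = [
    0b01010, 0b01011, 0b10010, 0b10011,
    0b01110, 0b01111, 0b10110, 0b10111,
    0b01001, 0b11001, 0b11010, 0b11011,
    0b01101, 0b11101, 0b11110, 0b10101,
]
GCR_DECODE = {code: nib for nib, code in enumerate(GCR_ENCODE)}

def gcr_encode(data: bytes) -> bytes:
    """Encode data (length a multiple of 4) into GCR bytes."""
    if len(data) % 4:
        raise ValueError("length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(data), 4):
        acc = 0
        for b in data[i:i + 4]:
            acc = (acc << 10) | (GCR_ENCODE[b >> 4] << 5) | GCR_ENCODE[b & 0x0F]
        out += acc.to_bytes(5, "big")
    return bytes(out)

def gcr_decode(gcr: bytes) -> bytes:
    """Decode GCR bytes; a 5-bit group outside the table is a read error."""
    if len(gcr) % 5:
        raise ValueError("length must be a multiple of 5")
    out = bytearray()
    for i in range(0, len(gcr), 5):
        acc = int.from_bytes(gcr[i:i + 5], "big")
        nibs = []
        for shift in range(35, -1, -5):
            code = (acc >> shift) & 0x1F
            if code not in GCR_DECODE:
                raise ValueError(f"invalid GCR group {code:05b} in block at byte {i}")
            nibs.append(GCR_DECODE[code])
        out += bytes((nibs[j] << 4) | nibs[j + 1] for j in range(0, 8, 2))
    return bytes(out)

def longest_run(data: bytes, bit: str) -> int:
    """Length of the longest run of `bit` ('0' or '1') in the bit stream."""
    bits = "".join(f"{b:08b}" for b in data)
    other = "0" if bit == "1" else "1"
    return max(len(run) for run in bits.split(other))

if __name__ == "__main__":
    sector = bytes(range(256))  # constructed sample sector
    enc = gcr_encode(sector)
    print(len(enc), longest_run(enc, "1"), longest_run(enc, "0"))
```

Because no valid group is all ones, encoded data never contains a run of on-bits as long as a sync mark, which is what lets the drive find sector boundaries on a soft-sectored disk.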

ConteZero76

  • Archived User
  • Full Member
  • *
  • Posts: 244
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #7 on: February 11, 2007, 03:37:00 AM »

At the end it's clear that the "final solution" is a modified reader (CD/DVD/HD/BD) capable of carrying out pit & lands instead of cooked sectors (so every "hack" could be found/replicated).
As for "fooling" something "the easy way" is just a programmed interface capable of emulating the "real thing", either "some part" or "the whole".
Having a fast digital programmable interface that could be programmed to give certain responses and feeding certain data it's possible to emulate an XBox/XBox360/... DVD, too bad no one followed this way (that's not so comfortable) and there's no such interface on a standard PC (mean you'll need a custom PCI card or some USB2.0 thingie).
Logged

Alkane

  • Archived User
  • Full Member
  • *
  • Posts: 195
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #8 on: February 11, 2007, 07:40:00 AM »

QUOTE(ConteZero76 @ Feb 11 2007, 05:44 AM)

At the end it's clear that the "final solution" is a modified reader (CD/DVD/HD/BD) capable of carrying out pit & lands instead of cooked sectors (so every "hack" could be found/replicated).
As for "fooling" something "the easy way" is just a programmed interface capable of emulating the "real thing", either "some part" or "the whole".
Having a fast digital programmable interface that could be programmed to give certain responses and feeding certain data it's possible to emulate an XBox/XBox360/... DVD, too bad no one followed this way (that's not so comfortable) and there's no such interface on a standard PC (mean you'll need a custom PCI card or some USB2.0 thingie).


That idea is brought up often.  It's simply an issue of cost.  Drive emulators and similar hardware are extremely expensive.
Logged

rrg

  • Archived User
  • Jr. Member
  • *
  • Posts: 86
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #9 on: February 11, 2007, 07:47:00 AM »

Alkane, you read my mind.


Or you never know, there is always a chance that keeping cost down will prevail and continue to make it easier for everyone.



This post has been edited by rrg: Feb 11 2007, 03:49 PM
Logged

ConteZero76

  • Archived User
  • Full Member
  • *
  • Posts: 244
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #10 on: February 11, 2007, 07:57:00 AM »

If you're talking about a specialized unit, sure.
But programming an ARM to deal with commands (with the proper software) isn't that expensive.
General purpose processors with a good speed are actually used on most home appliances, even an AP is just $50 or so (think about some Texas Instruments IC into most DSL / AP, 150MHz is quite enough to run a program that sends replies to specified commands and "query" the host system (I.E. a PC) when needed).
The difficult part is making the logic to drive the BUS electronically as it could require an ASIC, and the software to use the whole kit (ARM and host interface).
Anyway, once done the kit is almost universal because if you've used an ASIC to manage the bus you can make adapters for a wide range of "appliances", from ATA to SATA to (most) custom electronics.

What I'm telling is that a SATA host controller is into every $40 hard disk and a powerful enough CPU is into every $50 AP/DSL router... so there's surely a way to obtain an easy (non professional) device emulator with a decent price.
It's probably some sort of industry agreement or the development cost that keeps people from trying.

This post has been edited by ConteZero76: Feb 11 2007, 04:09 PM
Logged

kneehighspy

  • Archived User
  • Full Member
  • *
  • Posts: 174
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #11 on: February 11, 2007, 08:40:00 AM »

i remember the late 70's and early 80's, days when me and my friends 'the charlatan (c64)' 'snakeman (apple 2)' and myself 'kneehighspy (apple 2)', would just go out and purchase games (even cheap ones) just to crack them.  it was just the challenge, some people did crosswords, we did copy protection removal.  we released titles under the group '(TCW) The CracWriters'.  Man those were the days of spiral sector protection and many others.  Then we all moved on to the Amiga 1000 and just somehow everyone slowly drifted apart..

ahh, the memories......sniff.




QUOTE(IntestineMan @ Feb 11 2007, 10:21 AM)

I remember "Frantic Freddie" as one of the first C64 games that used error protection. If I remember, it had a 21-read error on one of the first few tracks which it checked for. We used to duplicate it by starting a disk format (initialize disk) and pulling the disk out after hearing the drive head move up a couple tracks.

Then there was Sammy Lightfoot that put a 23-read error on the last sector of track 18! Kevin's Pirate Pack to the rescue! Anyone ever remember a program called "Error Maker", written by Kevin Pickell? It was a utility that made errors on the disk using a 1541 drive. I remember the 27 error maker didn't work and I learned eventually how to code the 1541 and examined his code and disassemblies of the 1541 and as a result was able to make a 27-read error. I was able to program my own utilities and learned quite a bit about it. I also remember GCR (Group Coded Recording) and the reason for it was so it would not write many on-bits (FF's) in a row since the 1541 was soft-sectored. It converted a sector of 256 8-bit bytes to 256 10-bit bytes. Since it was an 8-bit CPU, it stored these 10-bit bytes as 320 8-bit bytes. A characteristic of GCR was that there would be no more than 2 or 3 (can't remember exactly) consecutive on-bits. The drive used a stream of FF's, or on-bits, to sync up to the sectors - basically the drive would read data off the disk until it found a whole bunch of FF's and then as soon as it found data it would read until it found a sector header, then use that to read in the 320 bytes of GCR and translate it to 256 real bytes. One protection was to change the gap length and time it, or one could rewrite the entire track layout and the whole disk would look like errors. One could also squeeze an extra sector on certain tracks, and even add extra tracks (track 40).
Logged

kungpaomaster

  • Archived User
  • Newbie
  • *
  • Posts: 9
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #12 on: February 11, 2007, 10:00:00 AM »

It's funny how the C-64 thing keeps coming up.  I understand where folks come from when they say they owned a C-64, from a computer perspective anyways.  That was the biggest hacking scene of that day.  You didn't hear much about people hacking Apples or Trash 80's.  It did give a solid hacking foundation if you were into that scene back then.  I think I still have my Commodore stuff somewhere.  That 1541 with the parallel interface brought back some memories.  I had a setup like that to use Burst Nibble.  One of the best things I had to backup games.  Good stuff!

Load "$",8
Logged

bucko

  • Recovered User
  • Hero Member
  • *
  • Posts: 4255
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #13 on: February 11, 2007, 12:00:00 PM »

My Commodore 64 (still got it) was the easiest way to backup games because it had the tape deck. As long as you had a Hi-Fi with two tape decks you could make a backup of your game.

Ah old school rocks.

CODE

LOAD

Press Play on Tape.
Logged

kungpaomaster

  • Archived User
  • Newbie
  • *
  • Posts: 9
Presentation: C64 vs. Xbox360 Copy Protection Scheme
« Reply #14 on: February 11, 2007, 12:54:00 PM »

Eagle Soft rocked!

I would bet money at least 1/2 of those guys are in the xbox hacking scene.

It's amazing what was able to be done on such meager resources.

64K?  This webpage (just this page) is probably more than 64K.  Sheeeesh!

664 Blocks free!  Oh yeah!
Logged