Console Hacking History #2: SEGA Dreamcast

Hello everyone!

and welcome to the second entry of my console hacking history blog, where i infodump like crazy about my biggest special interest ever

so today´s entry is a bit of a challenge compared to the previous one. you see, my first entry focused on the Nintendo 3DS, which is my favorite console of all time, and since i have memory for the stupidest shit ever, i knew pretty much all i wrote about it from memory. but for this entry i had to do a bunch of research! honestly it was really fun to learn so much new info, especially about a console that i really didn´t know that much about.

so here it is: let´s talk about the hacking history of the last SEGA console: the Dreamcast!

A bit of context

as i mentioned before, this was SEGA´s last console. but why?

Sega was in a complicated situation by the time of the Dreamcast´s launch (1998). they went from being the #1 console company to getting third place, and they had previously been in a price war with Sony´s Playstation, which forced them to lower the price of the Saturn significantly, considering the console had much more expensive components than the competition. things were rough with the Saturn and Sega had to do something to get back up quickly. that´s where the Dreamcast comes in!

surprisingly enough, even tho everything i wrote up to this point seems to demonstrate the opposite... the sales weren´t all that bad at launch. but here´s the thing: SEGA couldn´t catch up with the market. Sony annoucing the PS2, Nintendo promothing their next console, Microsoft joining the market... it wasn´t looking good. by 2001, SEGA announced they were now a software-only company and completely retired themselves entirely from the console market.

SO knowing that very very summarized historical context, let´s begin with the hacking!!!!

The Dreamcast´s security

there has been this rumor going around for ages in the community that says the Dreamcast didn´t have any security meassures. i can see where it comes from, but it´s insanely incorrect. it did come with security meassures! just maybe not the best. this doesn´t mean it was defeated easily or quickly like other consoles, in reality the process was quite complicated and might get a bit confusing, but the confusion stems from the fact it´s known nowadays as one of the easiest consoles to hack in history

so let´s talk about how exactly the security worked on it!

GD-Roms

Sega created a new special disc Format for the Dreamcast called “GD-Rom”. these discs were almost the exact same as a normal CD, but instead of the usual 700mb of data a CD has, GD-Roms were able to have around 1GB, which is where their name comes from (Gigabyte Disc). aside from that, the layout was slightly different; the tracks of the disc were closer to each other, making the important info of the GD-Rom (that being the actual game) totally unreadable by PCs, which made it impossible to dump the games in a computer by normal means

this part might get a little bit technical, but in order to understand exactly how the Dreamcast was hacked we need to understand the boot sequence (basically, what exactly does the console do when you boot up a game)

first of all, the console looks for a specfic file in the disc that´s named "ip.bin". this file contains some basic information about the game, but most importantly it contains the name of the game executable, which is usually titled "1ST_READ.bin". so, to put it in simple terms:

the console reads the disc > ip.bin > 1ST_READ.bin > the game launches!

aside from the GD-Roms, the Dreamcast was also able to read a second type of disc format: the Mil CD.

so like what the fuck is that right. Mil CDs are... well. a CD format created by Sega specifically for the console. the purpose of this format was to add multimedia functions to music CDs in order to be able to use them in the Dreamcast. to put it in simple terms, you were able to fool the console into booting up a pirated game by tricking it into believing it was booting up a Mil CD. what´s curious about this is that there were only 8 Mil CDs released EVER so it was a total flop, yet this feature is exactly what hacked the Dreamcast.

but you couldn´t just burn a game into a Mil-CD and make it work. i´ve already explained how the GD-Roms booted up, but what about this format?

SEGA already knew that Mil-CDs would inevitably be used as a hacking method so they added some security to the booting up of the format. when the console detected a Mil CD, it loaded ip.bin normally BUT scrambled 1ST_READ.bin at random. so, if the GD-Rom boot ups like this:

the console reads the disc > ip.bin > 1ST_READ.bin > the game launches

then the Mil-CD boot up goes like this:

the console reads the disc > ip.bin > 1ST_READ.bin > the console unscrambles the file > the CD is played

 and what does this mean exactly? that if you were to burn a game executable into a Mil-CD, the 1ST_READ.bin file wouldn´t be encripted and the console would be able to detect the file belongs to a pirated copy of a game and it wouldn´t launch

The hacking

Katana SDK

 the problem was solved when a group of hackers known as "Utopia" supposedly stole a Katana SDK in late 1999. how exactly they managed to do so is unknown, but the point is that they somehow got ahold of it.

so let me define some concepts: the Katana SDK was the official SEGA SDK used specifically for the Dreamcast. a Software Development Kit (SDK)  is a set of tools used for game developing. this is usually given to third-party companies so they´re able to develop games for a specific console.

i´ve seen people have different retellings of this specific part of the story, but here´s what i personally think makes more sense and has most likely happened:

this DEVKIT had a GD-Rom reading unit that could connect to a PC to interchange data, which means the problem of the GD-Roms being completely unreadable by a computer was completely out of the way now

Utopia Boot CD

since the Utopia members were the only people with access to the Katana SDK, what they did was develop a Boot CD that let you run pirated games directly from a normal CD ROM. what this disc did was confuse the console into believing that the CD ROM you had just inserted was actually a Mil-CD and therefore let you run a pirated copy. 

you may be asking yourself how exactly could you burn a Dreamcast game into a CD if there was no conventional way to read GD-Roms on a PC... well Utopia also took care of that. they dumped a bunch of games using the reading unit that the SDK had provided, then lowered the game´s size so that it could fit in the 700mb that a CD had available, and then uploaded them to the internet for everyone to download.

unfortunately, this way of dumping games was insanely slow, so some other methods were later discovered: 

- The Phantasy Star Online exploit, which let you stream the GD-Roms data to a computer via an ethernet cable

- Disc swapping, that consisted on introducing a CD filled with data in your computer, and then swapping it with a GD-Rom

some months later however, the Utopia Boot CD became pretty much obsolote since people found a way to combine both the boot program necessary to run a pirated game AND the actual game itself in a single disk image, which meant you no longer needed to buy an additional CD and you could just use any that you had lying around in your house LOL

SEGA did try to patch this vulnerability in later hardware revisions, but the damage was already done. all of the millions of consoles that had already been sold were able to run pirated games without the need for a modchip

Conclusion

this console´s hacking history is definitely not as extensive as others, but hopefully that makes this blog post a bit easier to read compared to my previous one :) it was super fun to research about it so i hope you enjoy reading this as much as i enjoyed writing it!! 

having said all of that, i´m leaving all of my sources below. goodbye guys!! see u in the next entry :D

Sources

Sega Dreamcast: how its security works and how it was hacked.

How the Dreamcast copy protection was defeated

the following sources are in spanish:

Seguridad en videojuegos - Vol. V: Sega Dreamcast

La Dreamcast venia HACKEADA de fabrica

any corrections and suggestions are greatly appreciated! and thank you to everyone that left kudos in the previous post. you can check out the first entry of this series here! see you soon :)