Back in the '90s, the Sega Saturn was the most powerful video games console on the market. If the Sony PlayStation was a car, the Saturn was a military tank. But it was an expensive over-engineered machine and it failed to make an impact in the gaming market. So complex was the Saturn that some of its internal functions remained a mystery 20 years on, particularly its elusive digital rights management (DRM) system.
In July, hacker and academic Dr James Laird-Wah managed to crack the DRM and uncover its inner workings. He went through the painstaking process in excruciating detail at hacker conference Ruxcon 2016. Laird-Wah's findings could potentially save the rising number of Sega Saturn consoles with dying CD readers.
The Sega Saturn packed some impressive hardware for its time. It was one of the first gaming consoles to use a dual-core processor (one of which was a Hitachi SuperH CPU), a programmable digital signal processor (DSP), a custom sound processor made by Yamaha and, not one, but two graphics chips. It also had a Motorola 68k processor, which had been the core of Sega's previous console, just to run the sound chip. There was a Video CD (VCD) port which, as the name suggests, let you plug in a card that allowed the Saturn to play VCDs. That media format died off long ago.
It was difficult to understand how the Saturn operated and how all of the bits worked together, which deterred developers from making games on the console. PlayStation was comparatively easy to develop for and it was another nail in the coffin for the Sega Saturn. (On a side note, PlayStation games were also notoriously easy to pirate.)
But you have to give Sega kudos for designing a DRM system for the Saturn that stood the test of time. 20 years after the console was launched, the DRM that prevented the machine from playing unofficial copied games was still a mystery. Many people had looked into how it worked, but nobody could completely explain it.
Enter The Procrastinating PhD Student
Laird-Wah became interested in the Saturn's DRM in 2013 because of his love of chip music. He wanted to access the console's custom sound processor, which eventually sent him down a rabbit hole of trying to figure out how to bypass the DRM that prevented him from using it.
It was widely known that the Saturn's DRM lives on the edge of its game discs. The CDs all had a visible ring on the very edge, labelled with text along the lines of "Sega Trademark". The CD controller in the console, logically known as the CD block, is the gatekeeper for the copy protection system. The block manages all CD operations and can identify whether an inserted disc is genuine; it won't read data off the disc if it isn't the real deal. The CD block is hooked up to a CD mechanism with its own microcontroller, which manages the seeking back and forth across the disc and handles commands.
Laird-Wah knew the boot process involved the BIOS asking the CD block to authenticate a disc. The block then asks the CD mechanism, its faithful servant, to seek out to the copy protection ring and gather some information with the console's laser reader. If everything comes back A-okay, it reports back to the BIOS to give the disc the all clear. After a short delay, the BIOS reads the initial program off the disc and starts to boot.
At first, Laird-Wah tried to straight-up make copies of genuine game CDs with a conventional disc burner, but soon found out that the copy protection ring is something that can't be replicated at home. After looking at schematics for a Sega Saturn clone from Brazil, he noticed that one of the components in the CD block was also used in portable CD players to detect vibration.
The CD block issues a command that sends the laser tracker out to the edge of the disc, where it bounces back and forth on every sector of the copy protection ring and sends back a tracking error that triggers the vibration detection system. The disc is then unlocked. This behaviour cannot be reproduced on conventional CDs written with a disc burner.
Laird-Wah then turned to the gatekeeper itself; he wanted to get the ROM off the CD block so he could look for another backdoor. Unfortunately, he hit another wall when he found that the Saturn CD block's CPU used implanted ROM, which sat deep within the silicon of the chip and was invisible. This way of storing a ROM was very unusual, and finding a way to extract it would have been a costly affair.
"I started coming up with various scenarios like reading the datasheet and going 'How can I gain control of execution so I can read out the ROM? Maybe if I send it this interrupt 50 times, maybe I'll get a stack overflow,'" Laird-Wah said.
Eventually, he found that a configuration pin on the CD block, also known as a strap, lets its CPU boot either from the internal ROM or from an external source, but not both at once. If the chip was booting from an external ROM, the internal ROM would be hidden. Laird-Wah saw this as an area that he could attack.
He used one of his other side projects, Professor Abrasive's Drag 'n' Derp, a USB cartridge that plugs into the Nintendo Game Boy and lets you load and back up ROMs along with save data. This provided the external ROM: its code was copied into the internal RAM of the CD block CPU and, running from there, reached out to one of the chip's I/O pins and toggled it from 1 to 0. Laird-Wah had wired that pin back to the strap that controls whether the internal or external ROM is read.
"To my delight, what it actually did was it flipped over that base memory space from pointing to external ROM to pointing to the secret internal ROM while I was still executing from in-RAM," he said. "At this point, all I had to do was find a way to [extract the internal ROM]."
The 64 kilobytes of ROM were stored in the RAM that Professor Abrasive's Drag 'n' Derp uses for saved games and transferred to a computer over USB. Laird-Wah now had access to the copy protection code. But it was completely incomprehensible: yet another hurdle.
Luckily for him, the team behind Yabause, a Sega Saturn emulator, had documented their work and detailed 200 commands you can send to the CD block.
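To make the strap trick concrete, here is a toy model of a boot region whose backing ROM is selected by a strap pin. It is an added illustration, not the Saturn CD block's real memory map and not Laird-Wah's code; the address layout, the GPIO register and its wiring to the strap are all constructed assumptions. The model shows both the weakness (a strap the chip re-evaluates on every access, so code already running from RAM can flip it and read the hidden ROM) and the usual mitigation (sampling the strap once at reset and latching the result, so a later pin toggle changes nothing).

```python
"""Toy model of a strap-selected boot ROM. Added illustration, not the
Saturn CD block's real memory map or Laird-Wah's code.

Constructed assumptions: a 16-bit address space; the boot region at
0x0000-0x3FFF is backed by either an external ROM or a hidden internal ROM
depending on one strap pin; RAM sits at 0x8000-0xBFFF; a GPIO output
register at 0xFF00 has bit 0 wired back to that strap (pin high = external
ROM, pin low = internal ROM, matching the 1-to-0 toggle described above).
"""

ROM_BASE, ROM_SIZE = 0x0000, 0x4000
RAM_BASE, RAM_SIZE = 0x8000, 0x4000
GPIO_ADDR = 0xFF00
GPIO_STRAP_BIT = 0x01


class StrapBus:
    """Memory bus whose boot region is selected by a strap pin.

    live_strap=True models a strap the chip re-evaluates on every access
    (the weakness described above); live_strap=False models the mitigation
    of sampling the strap once at reset and latching it.
    """

    def __init__(self, internal_rom: bytes, external_rom: bytes, live_strap: bool):
        self.internal_rom = internal_rom.ljust(ROM_SIZE, b"\xff")
        self.external_rom = external_rom.ljust(ROM_SIZE, b"\xff")
        self.ram = bytearray(RAM_SIZE)
        self.live_strap = live_strap
        self.gpio = GPIO_STRAP_BIT                 # pin driven high: external ROM selected
        self.strap_latched = self._strap_level()   # sampled once "at reset"

    def _strap_level(self) -> str:
        return "external" if self.gpio & GPIO_STRAP_BIT else "internal"

    def _selected_rom(self) -> bytes:
        level = self._strap_level() if self.live_strap else self.strap_latched
        return self.external_rom if level == "external" else self.internal_rom

    def read(self, addr: int) -> int:
        if ROM_BASE <= addr < ROM_BASE + ROM_SIZE:
            return self._selected_rom()[addr - ROM_BASE]
        if RAM_BASE <= addr < RAM_BASE + RAM_SIZE:
            return self.ram[addr - RAM_BASE]
        if addr == GPIO_ADDR:
            return self.gpio
        raise ValueError(f"unmapped read at {addr:#06x}")

    def write(self, addr: int, value: int) -> None:
        if RAM_BASE <= addr < RAM_BASE + RAM_SIZE:
            self.ram[addr - RAM_BASE] = value & 0xFF
        elif addr == GPIO_ADDR:
            self.gpio = value & 0xFF    # a live strap follows this pin immediately
        else:
            raise ValueError(f"write to ROM or unmapped address {addr:#06x}")


def dump_boot_region(bus: StrapBus) -> bytes:
    """What the RAM-resident stage does: pull the strap pin low, then read
    the boot region back. Because this routine is not itself stored in the
    boot region, swapping the ROM underneath it does not disturb it."""
    bus.write(GPIO_ADDR, bus.read(GPIO_ADDR) & ~GPIO_STRAP_BIT)
    return bytes(bus.read(a) for a in range(ROM_BASE, ROM_BASE + ROM_SIZE))


# Constructed sample contents: the hidden ROM and the externally supplied one.
INTERNAL_ROM = b"SECRET-INTERNAL-ROM" * 4
EXTERNAL_ROM = b"EXTERNAL-STAGE-1" * 4


def live_strap_leaks_internal_rom() -> bool:
    """Strap re-read on every access: the dump returns the hidden ROM."""
    bus = StrapBus(INTERNAL_ROM, EXTERNAL_ROM, live_strap=True)
    return dump_boot_region(bus).startswith(INTERNAL_ROM)


def latched_strap_keeps_external_rom() -> bool:
    """Strap latched at reset: toggling the pin later changes nothing."""
    bus = StrapBus(INTERNAL_ROM, EXTERNAL_ROM, live_strap=False)
    return dump_boot_region(bus).startswith(EXTERNAL_ROM)


if __name__ == "__main__":
    print("live strap leaks internal ROM:", live_strap_leaks_internal_rom())
    print("latched strap keeps external ROM:", latched_strap_keeps_external_rom())
```

The design lesson is that a boot-mode strap is only a secrecy boundary if nothing the chip executes can drive it after reset; latching the sampled value (or making the boot-mode register write-once) is the check to look for when reviewing a part that promises a hidden ROM.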
"Once I found the dispatch table for these commands, I had a map into every sub system of that processor. I was able to find myself quite quickly to where it managed the copy protection and how that worked," Laird-Wah said.
He found a section of code labelled the Hitachi Public Key Cipher. Laird-Wah found it curious that a gaming console made in the '90s would have a public key cipher and decided to dig deeper. It turned out his suspicion was right: it wasn't a public key cipher, but it did decrypt a bunch of code stored on a Sega Saturn VCD card.
"If you decrypt it, what the system then does is it executes it. So it loads code from an external card and if it decrypts it and validates; then it will run the code," Laird-Wah said. "So I go, 'There's a back door!'"
Laird-Wah then went on to reverse engineer the cipher so he could encrypt code of his own, which the console would decrypt and run from a device plugged into the VCD port. He has since developed a prototype card with a USB port that plugs into the Saturn's VCD slot. That means you can run Sega Saturn ROMs saved onto USB thumb drives or hard drives directly on the retro console.
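The back door Laird-Wah describes is a general pattern worth seeing in code: a loader that decrypts a payload with a key baked into ROM, checks that the result looks valid, and executes it. Once that ROM (and so the key and algorithm) is read out, anyone can produce payloads the loader accepts. The following is an added illustration, not the Hitachi cipher from the CD block ROM and not Laird-Wah's code; the magic-tag check, the SHA-256-based keystream standing in for the cipher, and the tiny textbook RSA keypair are all constructed for the model. It contrasts the symmetric decrypt-and-check scheme with a public-key signature check, where the loader holds only the verification key and extracting it gives a forger nothing.

```python
"""Why "decrypt and check" is not code authentication. Added illustration,
not the Hitachi cipher from the CD block ROM or Laird-Wah's code.

Constructed assumptions: the loader accepts a payload if, after decrypting
it with a key baked into ROM, the first bytes are a fixed magic tag. The
'cipher' is a keyed XOR stream derived from SHA-256 (chosen only so the
model runs on the standard library); the public-key alternative is
textbook RSA over tiny constructed primes, signing a SHA-256 digest.
Neither is a production scheme; the point is who holds which key.
"""
import hashlib

MAGIC = b"LOAD"


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


sym_decrypt = sym_encrypt   # XOR stream: same operation both ways


def symmetric_loader(rom_key: bytes, payload: bytes):
    """Loader as described above: decrypt, check a magic tag, hand back the
    code it would execute (None means the payload is rejected)."""
    clear = sym_decrypt(rom_key, payload)
    return clear[4:] if clear[:4] == MAGIC else None


# Tiny textbook RSA keypair, constructed for illustration (real keys are
# 2048+ bits and use padding). Only N and E would live in the loader.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, never shipped in ROM


def _digest_mod_n(code: bytes) -> int:
    return int.from_bytes(hashlib.sha256(code).digest(), "big") % N


def sign(code: bytes) -> int:
    """Vendor-side signing with the private exponent D."""
    return pow(_digest_mod_n(code), D, N)


def pubkey_loader(code: bytes, sig: int):
    """Loader holding only (N, E): run the code only if the signature
    verifies against its digest."""
    return code if pow(sig, E, N) == _digest_mod_n(code) else None


# Constructed sample values.
ROM_KEY = b"constructed-key-read-out-of-the-rom"
VENDOR_CODE = b"vendor-supplied player code"
ATTACKER_CODE = b"attacker-chosen code"


def symmetric_scheme_is_forgeable() -> bool:
    """Whoever recovered ROM_KEY can build a payload the loader runs."""
    forged = sym_encrypt(ROM_KEY, MAGIC + ATTACKER_CODE)
    return symmetric_loader(ROM_KEY, forged) == ATTACKER_CODE


def pubkey_scheme_rejects_forgery() -> bool:
    """Knowing (N, E) is not enough: a guessed signature and a genuine
    signature reused on different code are both rejected, while the
    vendor's signed code still loads."""
    legit = pubkey_loader(VENDOR_CODE, sign(VENDOR_CODE)) == VENDOR_CODE
    guessed = pubkey_loader(ATTACKER_CODE, 12345) is None
    reused = pubkey_loader(ATTACKER_CODE, sign(VENDOR_CODE)) is None
    return legit and guessed and reused


if __name__ == "__main__":
    print("symmetric decrypt-and-check forgeable:", symmetric_scheme_is_forgeable())
    print("public-key check rejects forgery:", pubkey_scheme_rejects_forgery())
```

The takeaway for anyone reviewing a firmware loader: a decrypt-then-validate step provides confidentiality of the payload at best, and the moment the ROM holding the key is dumped (as it was here) it provides neither confidentiality nor authenticity. Authenticity needs a secret the device does not possess, which is what the private exponent in the second scheme represents.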
How This Will Help Owners Of Dying Sega Saturns
During his multi-year journey to uncover the mysteries of the Sega Saturn, he discovered, much to his horror, that the laser readers in the consoles are gradually dying. He noted that the Saturn he had run tests on would often fail to load even genuine discs.
He sees his prototype card as a convenient way to overcome that by allowing players to run games through USB storage devices instead of through the CD drive.
"I built that, it's a card, and I will hopefully make it available early next year. It works quite well," Laird-Wah said. "I still haven't actually done any chip music through it though."