utopia reindeer is a modified teapot.bin lol

[SMiTH]

I wonder what the main way of playing DC pirate games would have been if MIL CD functionality didn't exist. Maybe it would be like gamecube, where one of the online games (Sega's PSO as a matter of fact, lol) could be exploited to load and run game rips through a broadband adapter. In that case, the DC broadband adapter would have been even more expensive on the used market

There is a way to do that on dc as well.
Ian probably knows the name of the software.
It allows you to stream data to the dc through bba.

as for the gamecube pso server exploit. (to run .dol files etc)
that might actually work on dc too.
some1 could probably make a similar program.

AFAIK the gamecube pso server exploit hangs at ship select.
So maybe if some1 changed the packet data for dc.
It would work the same?
idk?

[Ian Micheal]

I know of the kit to rip a gdrom and some of them where using a serial cable to do it would taken forever lol.. BBA has always cost a lot brandnew or other wise.. They sent they game to a dude that had one he ripped it sent the files to who ever was going to make the game fit.. Using again official sdk tools to do so..

Bleem retail release yes 2001.. But the leaked beta was in hands long before it was cracked.. Simple bit of code you can added to katana from japanese cake to make it read open up mil cd reading it's very simple .. You know kos cant boot katana bin unless you mod kos to do so even on mil cd..

Mil cd format your talking about it's still a sdk mode bin like any other that reads the video files.. So not exploiting some video format to load a game it was loading a bin like we do with homebrew..

Unlike ps2 format causing and overflow.. This is using a bios function to load a bin it always could load ..

[SMiTH]

I think |darc| posted a video of the software running sonic adventure over bba.
I could be wrong it might have been some1 else.
Marcus Comstedt might have created the software?

[Ian Micheal]

I think |darc| posted a video of the software running sonic adventure over bba.
I could be wrong it might have been some1 else.
Marcus Comstedt might have created the software?

Yeah this was not at the time only few years back..

[SMiTH]

Unlike ps2 format causing and overflow.. This is using a bios function to load a bin it always could load ..

great point.

[Ian Micheal]

Unlike ps2 format causing and overflow.. This is using a bios function to load a bin it always could load ..

great point.

When they took out that function the so called exploit no longer worked.. It's sega's fault to allow cdrom audio reading and mil-cd they call it just a cdrom or cdr file system pretty much..

If they had of never included it someone would of had to develope a save exploit on the vmu that overflows it.. This has never been done..

In a lot of ways the dc is not cracked cant even take out the 2 bits of copyright sega code from the sdk in the ip.bin that boots homebrew..
Where all still including rand was using copyright sega code to make anything boot.. If you have to use sega code to make it boot how is it cracked..

If you had to make a homebrew from new ip.bin you need those 2 bits of code you cant remove to make anything boot there is no full homebrew replacement to make anything boot..

this is the one we use
This IP.BIN is intended to replace the one from Sega and make it closer to being legal, there are 3 bootstraps in IP.BIN, the Sega one, boostrap #1, and bootstrap #2. The Sega one CANT be replaced, and is the only one remaining in the latest release.

closer to legal is like half up the duff..

Copyright (C) 2001 Jacob Alberty <[email protected]> made this
IP.BIN replacement
Released: 15-Jan-2002
By: LiENUS = above..

Direct in the katana sdk is the ip.bin maker under the same law as anything else in the kit if used..

above is a sega sdk tool..

IP Maker outputs initial programs for single and high density for gdr lol little work you can hack this to boot selfboot on cdr..
Not even a good file hacker but if you gave me the katana sdk in 1999 heartbreak d mil cd even i could of cobbled it together.. I dont see the smart hacking needed..
Progression shows me they started with the bootdisk because there is an example that shows how to swap disk which reactvates the file system hence boot disk works .. and then boots the game.. anyways..

[dark]

I found an old thread of mine on Assembler regarding the utopia boot disc. It seems the consensus is that Datel's Action Replay from 1999 might have been the first popular example for people in the West of a self booting MIL CD, and allegedly might have influenced Utopia.

https://web.archive.org/web/20190601233 ... -do.35289/


And here's a description from that thread from user Familyguy about MIL CD piracy protections, and the "crack", which I guess Ian Micheal is saying is actually demonstrated in the SDK so no special hacker reverse engineering is needed

Mil-CD is an official cd-rom format made by SEGA that is nothing else than a music cd specially crafted to have some bonus when put inside a dreamcast. Some (around 10 IIRC) jap mil-cd discs have been released commercially.

In fact it's a 2session audio/data cd with it's 2de session first 32kb (user data) being a modified ip.bin. When the DC detects a cd-rom, it checks if there's a ip.bin in 2de session first bytes, and if yes it boots the executable accordingly.

However SEGA had put a protection in those discs to avoid easy piracy. The executables on the disc were scrambled (as opposed to gd-rom ones) and the gd-rom drive was completely locked up after the main binary was loaded. This was supossed to make it impossible to load a game without knowing the scrambling algorithm, and also impossible to launch game with more than one file; which isn't really practical for games. An unscrambled binary is directly loadable in memory, the "regular" way of booting gd-rom skips the scrambling thing.

If the inserted disc is a CD-ROM, it follows the Mil-CD bootstrap, if it's a GD-ROM it follows the regular one.

But somehow, some smartass figured out the scrambling algorithm and also figured out how to tell the Dreamcast to unlock the GD-Rom. This smartass implemented both routines in the ip.bin file that's the first thing to execute code from disc in the bootstrap.

Utopia is a simple game loader that unlock the gd-rom and then loads a game from a 2de CD.

In short, SEGA designed MilCD *roughly* this way:
0) Mil-CD inserted
1) Bootbin scrambled on disc
2) Loading it into memory. Unscrambling it.
3) Locking the gd-rom
4) Executing

And the Mil-CD exploit goes *roughly* this way (exploit steps are indicated by **)
0) Mil-CD inserted
1) Bootbin unscrambled on disc
2) Loading it into memory. Unscrambling it. (This create non-working un-unscrambled code)
**) Scrambling it. (back to unscrambled working code!)
3) Locking the gd-rom
**) Unlocking the gd-rom (GD hardware reset)
4) Executing

IIRC this explanation is correct, but it's been a while since I've worked into ip.bin stuff.

I hope this clarifies this topic!

Cheers,

FG

[Ian Micheal]

I found an old thread of mine on Assembler regarding the utopia boot disc. It seems the consensus is that Datel's Action Replay from 1999 might have been the first popular example for people in the West of a self booting MIL CD, and allegedly might have influenced Utopia.

https://web.archive.org/web/20190601233 ... -do.35289/


And here's a description from that thread from user Familyguy about MIL CD piracy protections, and the "crack", which I guess Ian Micheal is saying is actually demonstrated in the SDK so no special hacker reverse engineering is needed

Mil-CD is an official cd-rom format made by SEGA that is nothing else than a music cd specially crafted to have some bonus when put inside a dreamcast. Some (around 10 IIRC) jap mil-cd discs have been released commercially.

In fact it's a 2session audio/data cd with it's 2de session first 32kb (user data) being a modified ip.bin. When the DC detects a cd-rom, it checks if there's a ip.bin in 2de session first bytes, and if yes it boots the executable accordingly.

However SEGA had put a protection in those discs to avoid easy piracy. The executables on the disc were scrambled (as opposed to gd-rom ones) and the gd-rom drive was completely locked up after the main binary was loaded. This was supossed to make it impossible to load a game without knowing the scrambling algorithm, and also impossible to launch game with more than one file; which isn't really practical for games. An unscrambled binary is directly loadable in memory, the "regular" way of booting gd-rom skips the scrambling thing.

If the inserted disc is a CD-ROM, it follows the Mil-CD bootstrap, if it's a GD-ROM it follows the regular one.

But somehow, some smartass figured out the scrambling algorithm and also figured out how to tell the Dreamcast to unlock the GD-Rom. This smartass implemented both routines in the ip.bin file that's the first thing to execute code from disc in the bootstrap.

Utopia is a simple game loader that unlock the gd-rom and then loads a game from a 2de CD.

In short, SEGA designed MilCD *roughly* this way:
0) Mil-CD inserted
1) Bootbin scrambled on disc
2) Loading it into memory. Unscrambling it.
3) Locking the gd-rom
4) Executing

And the Mil-CD exploit goes *roughly* this way (exploit steps are indicated by **)
0) Mil-CD inserted
1) Bootbin unscrambled on disc
2) Loading it into memory. Unscrambling it. (This create non-working un-unscrambled code)
**) Scrambling it. (back to unscrambled working code!)
3) Locking the gd-rom
**) Unlocking the gd-rom (GD hardware reset)
4) Executing

IIRC this explanation is correct, but it's been a while since I've worked into ip.bin stuff.

I hope this clarifies this topic!

Cheers,

FG

You need to do the above dont know how smart ass it is when you got the sdk that shows you if you look hard enff lol.. Scramble unscramble routine etc there was a mil-cd creator sdk for making those video disks.... Winx.. That routine was leaked on dc dev forums 2000 something .. I say it came from that sdk that allowed you to create the mil cd video cd's.. If some smart ass really reversed the bios routines how come they still could not replace the sega boot strap with there own..

action replay is the first games where release none selfboot after it so i say they copied it .. The smartasses still released a boot disk to do it first..

[Ian Micheal]

Bit i love from the above is But somehow, some smartass figured out the scrambling algorithm Course the give no detail how they did it lol..

lmao

smartasses released a bunch of boot disk only games first..

btw
DemuMenu (DC Demoloader)
Released: 07-Feb-2001

it can boot non scrambled and scrambled bins.. source is there to show you how and also unlock and lock the gdrom ..

WinCE Selfbooting Tool
Released: 23-Sep-2000
By: Chossy
Info: This allows you to selfboot your wince apps, saving both time and the need for the illegal utopia bootcd!
Download: selfbootv1-0.zip

scramble.c
Released: ??-??-2000
Info: bin file scrambler/descrambler. Author unknown -- just found it floating around.
Download (scramble.c)

unknown smart ass above who says it was just floating about lmao

Code: Select all

#include <stdio.h>
#include <stdlib.h>

#define MAXCHUNK (2048*1024)

static unsigned int seed;

void my_srand(unsigned int n)
{
  seed = n & 0xffff;
}

unsigned int my_rand()
{
  seed = (seed * 2109 + 9273) & 0x7fff;
  return (seed + 0xc000) & 0xffff;
}

void load(FILE *fh, unsigned char *ptr, unsigned long sz)
{
  if(fread(ptr, 1, sz, fh) != sz)
    {
      fprintf(stderr, "Read error!\n");
      exit(1);
    }
}

void load_chunk(FILE *fh, unsigned char *ptr, unsigned long sz)
{
  static int idx[MAXCHUNK/32];
  int i;

  /* Convert chunk size to number of slices */
  sz /= 32;

  /* Initialize index table with unity,
     so that each slice gets loaded exactly once */
  for(i = 0; i < sz; i++)
    idx[i] = i;

  for(i = sz-1; i >= 0; --i)
    {
      /* Select a replacement index */
      int x = (my_rand() * i) >> 16;

      /* Swap */
      int tmp = idx[i];
      idx[i] = idx[x];
      idx[x] = tmp;

      /* Load resulting slice */
      load(fh, ptr+32*idx[i], 32);
    }
}

void load_file(FILE *fh, unsigned char *ptr, unsigned long filesz)
{
  unsigned long chunksz;

  my_srand(filesz);

  /* Descramble 2 meg blocks for as long as possible, then
     gradually reduce the window down to 32 bytes (1 slice) */
  for(chunksz = MAXCHUNK; chunksz >= 32; chunksz >>= 1)
    while(filesz >= chunksz)
      {
	load_chunk(fh, ptr, chunksz);
	filesz -= chunksz;
	ptr += chunksz;
      }

  /* Load final incomplete slice */
  if(filesz)
    load(fh, ptr, filesz);
}

void read_file(char *filename, unsigned char **ptr, unsigned long *sz)
{
  FILE *fh = fopen(filename, "rb");
  if(fh == NULL)
    {
      fprintf(stderr, "Can't open \"%s\".\n", filename);
      exit(1);
    }
  if(fseek(fh, 0, SEEK_END)<0)
    {
      fprintf(stderr, "Seek error.\n");
      exit(1);
    }
  *sz = ftell(fh);
  *ptr = malloc(*sz);
  if( *ptr == NULL )
    {
      fprintf(stderr, "Out of memory.\n");
      exit(1);
    }
  if(fseek(fh, 0, SEEK_SET)<0)
    {
      fprintf(stderr, "Seek error.\n");
      exit(1);
    }
  load_file(fh, *ptr, *sz);
  fclose(fh);
}

void save(FILE *fh, unsigned char *ptr, unsigned long sz)
{
  if(fwrite(ptr, 1, sz, fh) != sz)
    {
      fprintf(stderr, "Write error!\n");
      exit(1);
    }
}

void save_chunk(FILE *fh, unsigned char *ptr, unsigned long sz)
{
  static int idx[MAXCHUNK/32];
  int i;

  /* Convert chunk size to number of slices */
  sz /= 32;

  /* Initialize index table with unity,
     so that each slice gets saved exactly once */
  for(i = 0; i < sz; i++)
    idx[i] = i;

  for(i = sz-1; i >= 0; --i)
    {
      /* Select a replacement index */
      int x = (my_rand() * i) >> 16;

      /* Swap */
      int tmp = idx[i];
      idx[i] = idx[x];
      idx[x] = tmp;

      /* Save resulting slice */
      save(fh, ptr+32*idx[i], 32);
    }
}

void save_file(FILE *fh, unsigned char *ptr, unsigned long filesz)
{
  unsigned long chunksz;

  my_srand(filesz);

  /* Descramble 2 meg blocks for as long as possible, then
     gradually reduce the window down to 32 bytes (1 slice) */
  for(chunksz = MAXCHUNK; chunksz >= 32; chunksz >>= 1)
    while(filesz >= chunksz)
      {
	save_chunk(fh, ptr, chunksz);
	filesz -= chunksz;
	ptr += chunksz;
      }

  /* Save final incomplete slice */
  if(filesz)
    save(fh, ptr, filesz);
}

void write_file(char *filename, unsigned char *ptr, unsigned long sz)
{
  FILE *fh = fopen(filename, "wb");
  if(fh == NULL)
    {
      fprintf(stderr, "Can't open \"%s\".\n", filename);
      exit(1);
    }
  save_file(fh, ptr, sz);
  fclose(fh);
}

void descramble(char *src, char *dst)
{
  unsigned char *ptr = NULL;
  unsigned long sz = 0;
  FILE *fh;

  read_file(src, &ptr, &sz);

  fh = fopen(dst, "wb");
  if(fh == NULL)
    {
      fprintf(stderr, "Can't open \"%s\".\n", dst);
      exit(1);
    }
  if( fwrite(ptr, 1, sz, fh) != sz )
    {
      fprintf(stderr, "Write error.\n");
      exit(1);
    }
  fclose(fh);
  free(ptr);
}

void scramble(char *src, char *dst)
{
  unsigned char *ptr = NULL;
  unsigned long sz = 0;
  FILE *fh;

  fh = fopen(src, "rb");
  if(fh == NULL)
    {
      fprintf(stderr, "Can't open \"%s\".\n", src);
      exit(1);
    }
  if(fseek(fh, 0, SEEK_END)<0)
    {
      fprintf(stderr, "Seek error.\n");
      exit(1);
    }
  sz = ftell(fh);
  ptr = malloc(sz);
  if( ptr == NULL )
    {
      fprintf(stderr, "Out of memory.\n");
      exit(1);
    }
  if(fseek(fh, 0, SEEK_SET)<0)
    {
      fprintf(stderr, "Seek error.\n");
      exit(1);
    }
  if( fread(ptr, 1, sz, fh) != sz )
    {
      fprintf(stderr, "Read error.\n");
      exit(1);
    }
  fclose(fh);

  write_file(dst, ptr, sz);

  free(ptr);
}

int main(int argc, char *argv[])
{
  int opt = 0;

  if(argc > 1 && !strcmp(argv[1], "-d"))
    opt ++;

  if(argc != 3+opt)
    {
      fprintf(stderr, "Usage: %s [-d] from to\n", argv[0]);
      exit(1);
    }
  
  if(opt)
    descramble(argv[2], argv[3]);
  else
    scramble(argv[1], argv[2]);

  return 0;
}

code above to make selfboot bin..

IP.BIN maker
Released: ??-??-2000
Size: 10k
Info: Seems useful
DOWNLOAD
SDK TOOL ABOVE

BOOB - Utopia BootCD image
Released: 21-Jul-2000
Current Version: 1.1
Size: 723k zipped
REMOVED due to possible legality issues

Because it used sdk samples and not reversed at all..

Thursday, July 20, 2000
Posted by CyRUS64 @ 9:54
I got sent this email today from [email protected]

Dear friends,

As a dreamcast gamer, how many times have you thought
that you have scratched that original game that you
have, when you accidentally hit on the console or
something like that..

What we offer is backup CD for your originals, so that
you can play with the backups, and thus safeguard
your gaming investments....

Our prices are just 7.50 per CD backup games.

once you have bought 10 games from us, you then only
pay 5.00 per CD backup game!!!

There is however a fixed shipping charge of 5.00 for
the first 10 games, and 2.50 per additional 5 games.

Thursday, July 20, 2000
WinCE DevKit Posted by CyRUS64 @ 0:31
Although we don't believe in "warez", it is worth mentioning that the WinCE Devkit 2.1 has been leaked. We will NOT provide you with links to download this, but it could become an extremely important part of the dc development scene.
Various people (we might be aswell, but i dont mean us!) will soon undoubtedly be working on emulators ports. Mame for DC is obviously one of the most hotly anticipated - imagine being able to insert a cdr with mame and lots of roms on it, and being able to play the old arcade classics sitting in front of your tv...

So there is the first public i know of person saying wince dev kit was leaked..

Keep in mind the Dreamcast was not dead yet not until March 31, 2001

[Ian Micheal]

It was later discovered that the Utopia Boot Disc was created using an unlicensed Katana SDK. Therefore, Sega has every right to not allow its distribution -- and they have explicitly stated that they do hold the rights to the libraries within the Utopia Boot Disc and that it cannot be used or distributed legally.

Now this is old like end of 1999
I wish I could tell
you the whole sordid story about the booter code, but I can't.
I've been warned, so I'm not talking. All you need to know
is that Sega can close the door on the booter code any time
they want, forcing the pirates to actually "crack" such titles

Yes, as a matter of fact they are. That's why the DC warez
scene came up with the CD-ROM format conversion. It bypasses
all of the GD-ROM format's built-in protection completely.
Oh, by the way, three or four actual Sega developers who
contacted me recently (and who are going to remain anonymous,
thank you very much) have made mention of some kind of a
special protection track similar to what late-generation
PlayStation games use that their official Sega GD-ROM burners
can't (or won't) duplicate - hence the need for the CD-ROM
format conversion by the software pirates. Interesting!

Q: Is it legal to backup a Dreamcast GD-ROM, and if so, how?
A: Yes, but there's no way to do it at this time. That's
because current copyright law requires you to make an EXACT
copy unless otherwise authorized, and that includes the
duplication of the title in its original GD-ROM format. As
of this date, there are NO commercially available CD burners
for common folks that can do that. There's one or two that
can READ GD-ROMs

pretty much the story..