
DRM protection of the Sega Saturn game console cracked after 20 years

Games can now be loaded bypassing the CD-ROM drive.




Experienced gamers will surely remember the Sega Saturn, a 32-bit game console from Sega. It went on sale on November 22, 1994, two weeks earlier than its main rival, the first Sony PlayStation. It was a real bombshell. On the very first day, fans bought 170,000 units of the new “Sega”. In 1995 the console went on sale in Europe and the USA, where success also awaited it: Quake, C & C, Tomb Raider, Duke Nukem 3D and other games were ported to it.

At the time of its release, the Sega Saturn architecture was much more advanced than that of any other game console. The Saturn was a very powerful system for its time: two central RISC processors (Hitachi SuperH-2 7604), two video processors (in-house design), 32-bit sound (Yamaha FH1 sound DSP processor), and a double-speed CD drive.

However, the Sega Saturn fairly quickly lost ground to the Sony PlayStation.

It's funny that the Saturn architecture was much more advanced than its competitor's. Unlike the PlayStation, which uses triangles as its basic geometric primitives, the Saturn draws quadrilaterals. When used properly, this kind of rendering produced less texture distortion than in PlayStation games. Hardware built around quadrilaterals and 50% more video memory also gave the Saturn an advantage in 2D games. But in the end, the Saturn's more “advanced” architecture became an obstacle to porting many games, because the main developer tools, like multiplatform games, were based on triangles. So the PlayStation won.


Sega Saturn motherboard

Today both of these consoles, the Sega Saturn and the first Sony PlayStation, can be found only on collectors' shelves. But the most interesting thing is that the DRM protection of Saturn games had never been cracked. The problem is that it was difficult to set up a workable environment for reverse engineering. For example, old game consoles used flash memory cartridges, and in later consoles the flash memory can be reflashed directly on the board. In the case of the Sega Saturn, the problem is that it is almost impossible to find one of these old consoles with a working CD drive. The operating system is hard-wired to the CD drive controller on the motherboard, and the copy protection takes the form of physical marks on the edge of the compact discs; making copies of discs with such protection proved very difficult.


CD copy protection

How do you carry out reverse engineering and crack the discs in such a super-closed system?

A way was found. The enthusiast jhl (Dr Abrasive) from the hacker community Assembler Games has done something almost incredible: he built a Sega Saturn optical drive emulator! The job took him about two years.


Dr Abrasive in his laboratory, where over two years he managed to develop an emulator of the Sega Saturn optical drive. A disassembled console is on the table.

According to jhl, the Japanese game console is very intricate. He calls it "over-engineering", referring to its many processors, among them two central, two graphics, one sound and so on.

The CD-ROM drive is controlled by a separate controller: a 32-bit SH-1 RISC processor. The hacker had to work hard to figure out this controller's chip.



Chip in the CD-ROM controller

The game console has an internal expansion port into which an MPEG decoding card is inserted in order to play Video CDs.




Saturn internal expansion port

This expansion port connects to the CD controller and passes the data through it, using encryption.

To begin with, the hacker devised a way to get at the controller firmware. He removed the controller board from the game console and connected it to a re-flashed Game Boy cartridge. The cartridge's ROM was re-flashed so that it read the ROM from the controller via NVRAM and then via USB. In this way, jhl managed to dump the ROM from the controller.



The controller board from the Saturn console connected to the re-flashed Game Boy cartridge

The 64 kilobytes of this processor's memory are tightly packed with instructions that took a long time to figure out. Dr Abrasive says that studying this code reveals a lot about the history of the Sega Saturn's development, and that overall he was very impressed by the picture that emerged.



Having studied the contents of the ROM, he was able to understand how the code for the SH-1 is loaded from the MPEG decoder card. Dr Abrasive says that he found a kind of “backdoor” in the embedded operating system, which allows discs to be loaded without copy protection.



This made it possible to build a USB interface to load the contents of the YGR022 chip (via the MPEG card connector). This was the first and most important step towards creating a full-fledged Saturn optical drive emulator.

As a result of this work, Dr Abrasive managed to make an adapter through which data is loaded into the console bypassing the standard CD drive, that is, through the internal expansion port! Console games can now be loaded even from a regular USB flash drive, with no need for the original CDs.

The titanic amount of work that Dr Abrasive has done over two years cannot but command respect. The author describes the whole reverse-engineering process in detail in an amateur documentary film. It really is a great film.



The code for hacking the Saturn and the drive emulator will be published by the author in the near future.

First, the emulator is needed by enthusiasts who copy discs for the Saturn and port games to this console. Second, console owners can now use their consoles again even if the built-in CD drive has failed, which is the most common Saturn fault. In addition, the emulator will make it possible to copy many Saturn discs and preserve them for history.

Source: https://habr.com/ru/post/395891/

