Pondering. Vast majority of the CD/DVD "protection" methods is based on various deviations from the standards, or more accurately, how such deviations are (or aren't) handled by the drive firmware.

However, we can sidestep the firmware.

The drive contains the moving part with the head assembly. There is an important output signal there: the raw analog signal bounced from the disk and amplified.

We can tap it and connect it to a highspeed digital oscilloscope card. And sample obscene amount of data from it. In comparison with fast-enough ADCs, disk space is cheap. The problem can be in bandwidth, but for the drive speed set up to possible minimum (or for "normal" players) the contemporary machines should be sufficient. Real-time operating system (maybe RTOS-Linux) may be necessary.

We get the record of the signal captured from the drive's head - raw, with everything - dirt, drop-outs, sector headers, ECC bits. The low-level format is fairly well documented; now we have to postprocess the signal. Conversion from analog to digital data and then from the CD representation to 8-bit-per-byte should be fairly straightforward (at least for someone skilled with digital signal processing). Now we can identify the individual sectors on the disc and extract them to a disc image file that we can handle later by normal means.

We can push the idea a step further, making a stripped-down CD/DVD drive that would be able basically just to follow the spiral track with its head in constant linear velocity (easier to analyze than CAV) mode, with the ability to control the speed in accordance with how fast (and expensive) ADC, bus, and disks we have, and the possibility to interrupt/resume scanning anytimes in accordance with how much disk space we have (or to scan just a small area of the disc).

As a welcomed side effect, not only we'd get a device for circumvention of just about any contemporary (and possibly a good deal of the future ones) optical media "protections", but we would also get a powerful tool for retrieving data from even very grossly damaged discs, for audit of behavior of CD/DVD writers and CD vendors, and for access to all areas of the discs - including the ones unreachable through the drive's own firmware.

There could be more applications than this; there is a method for doing chemical and genetical tests using measurement of read errors of a CD, which is proportional to the darkness of the given reagent spot; see http://www.wired.com/news/medtech/0,1286,60138,00.html.

---

Based on this report:

Date: Thu, 22 May 2003 23:32:02 +0200 (CEST)
Subject: Recorder Identification Code - tracking back CD writers?

Seems there is a danger hidden in distributing officially unsanctioned data on CDs. There is a technical measure that allow tracking the CDs back to the writer they were created with. We should be aware about this for any scheme that relies on distribution of physical CD-R/RW media.

According to Orange Book Part2 Ver 3.1, the CD recorders are supposed to write RID (Recorder IDentification Code), a 97-bit number identifying brand, type, and serial number of the recorder, every 100 frames in the Q-channel to all CD-R and CD-RW disks.

There was something principially similar discussed in 1999, related to Xerox using steganography for embedding serial number of the copier in color copies.

Never trust a device whose firmware you can't audit...

See:
http://www.cdrinfo.com/Sections/Glossary/Details.asp?RelatedID=630 http://www.disctronics.co.uk/technology/glossary/glossary_qr.htm http://www.feurio.com/English/faq/faq_writer_snr.shtml http://www.licensing.philips.com/information/sid/

CD-disassembler - crude utility for Linux for decoding subchannel data from CD image
discussion at abclinux.cz (in Czech)

Implementation

See here (ref).