Ingenieria Inversa » Blog Archive » Understanding WII/Gamecube Optical Disks

Understanding WII/Gamecube Optical Disks

Cat.: herramientas, proyectos, consolas
21. December 2006

In order to understand how is a Gamecube or WII Optical Disk, is a must to know how is standard DVD-ROM.

The complete standard is explained here: http://www.ecma-international.org/publications/standards/Ecma-267.htm

Here is an overview of how is a standard DVD-ROM (at logical level only):

User Data Frame:
Is the 2048 bytes block available for been read by the user.

Data Frame:
Is a 2064 bytes block which contains, among others, an ID, the “User Data Frame”, and error detection data.

the “Data Frame” structure is as follow:

   4bytes   2bytes      6bytes                 2048bytes             4bytes
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
|     ID    | IED |     CPR_MAI     |        User Data Frame      |    EDC    |
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -

ID: contains the PSN (Physical Sector Number), info about the sector itself, like the layer, reflectivity, zone, etc.

CPR_MAI: its use is application specific, for instances are used to store a “sector key” in videos that use CSS, used to store a “scrambling key” in the XBOX and XBOX360 “Security Sectors”.

User Data: Is the data available for the end user.

EDC (Error Detection Code): is the checksum data for all the fields above, its polinomial is x^32 + x^31 + x^4 + 1.

Scrambled Frame:
The “Data Frame” is XORed with a stream cipher generated by an 15bits LFSR (Linear Feedback Shift Register), with bits 10 and 14 used as taps.
The seeds are obtained from a table of the ECMA-267 standard, the index of the seed is the 4 MSB of the last byte of the field ID of the “Data Frame”.
The same stream cipher is used by 16 consecutive “Data Frames”.

ECC Block:
This block have the “Scrambled Frames” and its “Parity Outer” and “Parity Inner” (PIPO) data, its intention is being used for error correction.

Recording Frame:
Here is the info grouped in 16 frames, this info is interleave, that is the cause why you can only read data in 16 frames groups.

Gamecube/WII Optical Disk:

These disks only differs from standard DVD-ROM at the “Scrambling Frame” layer, here is the difference between a GOD/WOD and a DVD-ROM:

DVD-ROM:

   4bytes   2bytes      6bytes                 2048bytes             4bytes
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
|     ID    | IED |     CPR_MAI     |             User Data Frame             |    EDC    |
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
          ^                         |         2048bytes cipher stream         |
          ^                          -  -  -  -  -  -  -  -  -  -  -  -  -  -
       scrambling
       seed index

Gamecube/WII Optical Disc:

   4bytes   2bytes                  2048bytes                     6bytes         4bytes
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
|     ID    | IED |             User Data Frame             |     unknown     |    EDC    |
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
                                    |         2048bytes cipher stream         |
                                     -  -  -  -  -  -  -  -  -  -  -  -  -  -

The way to get the seeds used by the GOD/WOD is not figured yet, but the first 16 frames of all GOD and WOD -what I’ve seen- uses the seed 0101h, after that, the seed change for each 16 frames group and cycle like a standard DVD-ROM.

Due that the way to calculate the seeds is unknown -at least for me-, the better way I think of unscramble a frame, was bruteforcing the seeds, and because there are only 15bits to try (and commonly only 17 seeds per GOD/WOD), this process only takes about 30 seconds, which is really fast.

The bruteforce process is very simple, the LFSR is seeded from 0 to 7FFFh, then get a stream cipher, XOR with the part shown in the above diagram, and check the EDC, if the EDC is the same that the one in the EDC field then we have the correct seed.

Below you have available for download the program used for unscramble any GOD/WOD. To use this program you need to have a image in raw format (2064 bytes per frame), this program works either with a image that don’t have been unscrambled before or a image unscrambled with standard DVD-ROM seeds.

its usage is very simple: “unscrambler raw_image iso_image”, ex:

unscrambler.exe RZDE01.WOD “Twilight Princess.ISO”
GOD/WOD unscrambler 0.4 (xt5@ingenieria-inversa.cl)

This program is distributed under GPL license,
see the LICENSE file for more info.

caching seed 0100
caching seed 401c
caching seed 02c0
caching seed 6006
caching seed 03e0
caching seed 3012
caching seed 04f0
caching seed 182b
caching seed 0879
caching seed 0c51
caching seed 103e
caching seed 06a0
caching seed 201a
caching seed 0240
caching seed 4007
caching seed 0300
caching seed 0700
image successfully unscrambled.
time elapsed: 481.00 seconds.

thanks to patx, tmbinc and loser.