Fairly recently, Sony came up with an elaborate way of preventing consumers from being able to copy the audio from popular CD releases to a computer. Included on each copy protected CD is a nonsensical data track that throws the computer off, and will not let it read the audio files from the CD. The recent release of Radiohead's Hail to the Thief left a lot of non-American or non-UK people wondering how they could rip their new CD to mp3 format (from what I've heard, countries like Canada and Australia have copy protection on their CDs. I have).

All you really need is a marker. Preferrably not a permanent one.

Data tracks are typically the last track on a compact disc. They are, nine times out of ten, on the thin little rim that's not quite translucent on the shiny side of the CD. All you need to do is black that part out with a magic marker. Carefully go around the edge with the marker, and try not to slip onto the rest of the CD. That's why it's good to use a non-permanent marker, so you can just wipe away any mistake you have made.

You can also use masking tape, but that's trickier and often messier. I'm told that masking tape can also be somewhat weighted, and result in a wobbly CD that does not get read properly. Using a marker is just easier.

I recently bought a CD, Hallucinations, by David Usher, a minor Canadian star receiving heavy promotion from his label, EMI/Capitol Records. It comes with a label that states:

Copy Controlled - Playback problems may be encountered on some equipment

It has become normal for me to rip a new cd and play it on my iPod or my mp3 player, never listening to the CD. I tried putting the CD in my Win2k computer at work; the program tried to install some random software of unknown stability that would create deliberate restrictions on what I can do with my computer. No thanks.

I had also heard about this marker trick; it's a bit too permanent for my tastes. I slipped the noncompliant CD into the DVD drive on my Linux computer and typed the following command:

cdparanoia -vB

Now I had a complete set of perfect wav files; I burned these to a blank CD and put that CD in my Macintosh PowerBook and ripped that CD to my hard drive. Now I can play this album on my iPod. No marker necessary.

CDs are read only media. The only way to remove copy protection from them is to use the 'marker method'. Though very few methods of copy protection for audio CDs can be removed, they can all be easily bypassed.

Macrovision Cactus Data Shield 100

"by Courtesy of Midbar Tech LTD, Tel-Aviv, Israel"
This is the earliest known method of copy protection for audio CDs. It works by creating a fake Table Of Contents near the end of the CD. While most CD players start from the inside, and work outwards, using the TOC to assist in finding the 'start of track' subcodes (cheaper CD players ignore the TOC entirely, and simply scan the subcodes for track markings), most CD-ROM drives start from the outside, working inwards until they find a TOC, and cache it, relying entirely on the data in the TOC to describe the CD. When such a CD is placed in a CD-ROM drive, the drive finds the fake TOC, which describes no audio tracks. CD players find the real TOC, and play the CD normally. It was this copy protection scheme that caused early iMacs to fail to eject the disk, and then fail to boot1

This copy protection method may be removed by drawing over the extra fake TOC and fake data with a magic marker. Any mistakes can be rectified by using nail varnish remover to wipe off the ink. A CD doctored in this way appears to the drive to have unrecoverable errors at the end, and only the first, correct, TOC.

It can also be bypassed, using a cd ripper that builds its own TOC, scanning each sector of the drive to find out what is in it, and reading the subcodes to find the beginning of each track.

SunnComm MediaCloQ

"This audio CD is protected by SunnComm(tm) MediaCloQ(tm)"
This is similar to Cactus Data Shield. It creates a multisession TOC as the first TOC, which instructs CD-ROM drives to go searching for additional TOCs further outwards from the center. The later-on, the CD appears to contain fake, damaged TOCs between audio tracks, which CD-ROM drives attempt to read and become confused, and CD players ignore.

The only way to bypass this copy protection method is to use a ripper that can re-create a TOC based on data present on the CD. It is unlikely that the 'marker trick' will work, as the fake TOCs and audio data are interleaved.

SONY Key2Audio

"Will not play on MAC/PC"
A variation on the Cactus Data Shield scheme, this method does not use any kind of data corruption. It simply creates a disk with a single audio session, a data session, and another, unclosed, data session. Such a CD is similar to what would be created by a burn failure of a multisession disk - CD players see only the first, audio, session; CD-ROM drives see all three sessions, but cannot read the disk as the third session is not closed. Some CD writers may be able to ignore the damaged session, while others will refuse to read the disk until the session is closed. This is not possible, as the disk is read-only.

This method can probably be bypassed using a ripper that can reconstruct TOCs. Drawing over the fake sessions with a marker is also reported to work.

Macrovision SAFEAUDIO, TTR MusicGuard, Cactus Data Shield 200, 400

CDs incorporating SAFEAUDIO make no mention of it on their cover.
SAFEAUDIO is a later, more advanced (and more controversial) method of copy protection. It works by deliberately corrupting the audio data on the CD, such that a player will have to use C2 (software error hiding) to play the CD properly. C2 is normally used when the CD is too badly scratched for C1 error correction to be able to read perfect data off the CD. CD players (including CD-ROM drives asked to 'play' the CD) carry out C2 automatically, while CD-ROM drives 'ripping' the CD will extract a bit-perfect copy of the damaged data, which will contain the deliberately introduced errors. This method has met with widespread criticism, amidst fears that it may lead to lesser audio quality, and earlier failure of the disk. Macrovision bought MusicGuard from TTR to create SAFEAUDIO. MusicGuard is likely to be identical to SAFEAUDIO in effect, though there may be some differences in the mastering process, and the type of noise introduced. It is not known if any CDs in the wild incorporate MusicGuard.

"by Courtesy of Midbar Tech LTD, Tel-Aviv, Israel"

Cactus Data Shield 200 and 300 add C2 errors to the CDS 100's fake TOC. It combines the problems of CDS with the problems of SAFEAUDIO. CDS 300 adds to CDS 200 a data session containing DRMed WMA files of the CD's contents, allowing Windows PCs to play back a lower-quality version of the CD.

Both Cactus Data Shield and SAFEAUDIO/MusicGuard can be bypassed by using a ripper that performs C2 on the extracted audio data (either by asking the drive to perform C2 while reading, or by applying C2 in software whenever the drive reports a read error).

Sunncomm MediaMax CD3

"THIS CD IS ENHANCED WITH MEDIAMAX SOFTWARE"
This method deserves an honorable mention, as it is truely the most misguided and ineffective copy control scheme ever devised. The audio data and track/TOC structure of the CD is entirely unaltered, and the CD can be extracted by any computer capable of extracting a normal audio CD. The copy control element of the CD is a data track containing an autoplay script, intended to replace the computer's CD driver with one incapable of ripping audio data of 'protected' CDs. Also on the data track are a set of WMA encoded audio files, with Digital Restrictions Management. Users are intended to install the driver, notice that they can't rip the CD, and then use the DRMed files instead. MediaMax CD3 has drivers for Windows 9x, Windows 2000/XP, and Mac OS X. It does not appear to have drivers for Windows NT, Mac OS 9, or linux. Should the user be unwilling or unable to install the driver, this scheme does absolutely nothing.

"In practice, many users who try to copy the disc will succeed without even noticing that it's protected" - John A. Halderman, "Analysis of the MediaMax CD3 Copy-Prevention System"
The best way to defeat this copy control is not to let it install its driver in the first place. Do not allow the CD to autorun - the autorun program will load the protection driver into memory, though rebooting will remove it and allow ripping of the CD. Under no circumstances agree to the license agreement - clicking 'I agree' installs the driver on the machine permanantly.

To remove the driver from NTs, open device manager, and select view --> "show hidden devices", view --> "devices by connection". Find the driver "SbcpHid", and if it is running, stop it. Set its startup type to disabled. I welcome information on how to remove the driver from 9x and Mac OS X.

In Windows, autorun can by bypassed by holding down the shift key while inserting the CD. Microsoft knowledge base article 155217 describes how to disable autoplay on NT-based windows; article 126025 describes how to disable autoplay on windows 9x. It is possible to disable autostart on Mac OS X, however Apple's knowledge base does not describe how to do so. In my opinion, leaving autoplay enabled opens up a huge hole for malicious code to exploit, for little or no benefit to the user. If you haven't disabled autoplay yet, I strongly urge you to do so.

Software

Rippers that can work on copy-controlled CDs include Exact Audio Copy for Windows (can regenerate TOC, perform C2). cdparanoia for linux can reportedly perform C2 and regenerate TOCs, but I have no experience using it (and for that matter, no linux machines with a CD drive), so I'd welcome input from anyone who has.


1 - the BIOS hangs on startup trying to determine if the CD was bootable or not. iMacs do not have an eject button (or even an eject hole), though for some models it is possible to do an interactive open-firmware boot in order to get the drive ejected. See http://docs.info.apple.com/article.html?artnum=106882 for how to remove a Cactus Data Shield disk from your iMac.

Obviously enough, copy protection methods depend on the secrecy of the algorithm used. Information on these copy protection methods is aquired though reverse-engineering, and misinformation is rife. I welcome corrections on this writeup.
I cite:
http://www.cdmediaworld.com/hardware/cdrom/cd_protections.shtml
http://www.cdfreaks.com/article/57
http://club.cdfreaks.com/showthread/t-44647.html
http://slashdot.org/article.pl?sid=02/05/22/1439253
http://slashdot.org/article.pl?sid=02/05/14/0040215
http://www.cs.princeton.edu/~jhalderm/cd3/

Log in or registerto write something here or to contact authors.