CDs are read only media. The only way to remove copy protection from them is to use the 'marker method'. Though very few methods of copy protection for audio CDs can be removed, they can all be easily bypassed.

Macrovision Cactus Data Shield 100

"by Courtesy of Midbar Tech LTD, Tel-Aviv, Israel"
This is the earliest known method of copy protection for audio CDs. It works by creating a fake Table Of Contents near the end of the CD. While most CD players start from the inside, and work outwards, using the TOC to assist in finding the 'start of track' subcodes (cheaper CD players ignore the TOC entirely, and simply scan the subcodes for track markings), most CD-ROM drives start from the outside, working inwards until they find a TOC, and cache it, relying entirely on the data in the TOC to describe the CD. When such a CD is placed in a CD-ROM drive, the drive finds the fake TOC, which describes no audio tracks. CD players find the real TOC, and play the CD normally. It was this copy protection scheme that caused early iMacs to fail to eject the disk, and then fail to boot1

This copy protection method may be removed by drawing over the extra fake TOC and fake data with a magic marker. Any mistakes can be rectified by using nail varnish remover to wipe off the ink. A CD doctored in this way appears to the drive to have unrecoverable errors at the end, and only the first, correct, TOC.

It can also be bypassed, using a cd ripper that builds its own TOC, scanning each sector of the drive to find out what is in it, and reading the subcodes to find the beginning of each track.

SunnComm MediaCloQ

"This audio CD is protected by SunnComm(tm) MediaCloQ(tm)"
This is similar to Cactus Data Shield. It creates a multisession TOC as the first TOC, which instructs CD-ROM drives to go searching for additional TOCs further outwards from the center. The later-on, the CD appears to contain fake, damaged TOCs between audio tracks, which CD-ROM drives attempt to read and become confused, and CD players ignore.

The only way to bypass this copy protection method is to use a ripper that can re-create a TOC based on data present on the CD. It is unlikely that the 'marker trick' will work, as the fake TOCs and audio data are interleaved.

SONY Key2Audio

"Will not play on MAC/PC"
A variation on the Cactus Data Shield scheme, this method does not use any kind of data corruption. It simply creates a disk with a single audio session, a data session, and another, unclosed, data session. Such a CD is similar to what would be created by a burn failure of a multisession disk - CD players see only the first, audio, session; CD-ROM drives see all three sessions, but cannot read the disk as the third session is not closed. Some CD writers may be able to ignore the damaged session, while others will refuse to read the disk until the session is closed. This is not possible, as the disk is read-only.

This method can probably be bypassed using a ripper that can reconstruct TOCs. Drawing over the fake sessions with a marker is also reported to work.

Macrovision SAFEAUDIO, TTR MusicGuard, Cactus Data Shield 200, 400

CDs incorporating SAFEAUDIO make no mention of it on their cover.
SAFEAUDIO is a later, more advanced (and more controversial) method of copy protection. It works by deliberately corrupting the audio data on the CD, such that a player will have to use C2 (software error hiding) to play the CD properly. C2 is normally used when the CD is too badly scratched for C1 error correction to be able to read perfect data off the CD. CD players (including CD-ROM drives asked to 'play' the CD) carry out C2 automatically, while CD-ROM drives 'ripping' the CD will extract a bit-perfect copy of the damaged data, which will contain the deliberately introduced errors. This method has met with widespread criticism, amidst fears that it may lead to lesser audio quality, and earlier failure of the disk. Macrovision bought MusicGuard from TTR to create SAFEAUDIO. MusicGuard is likely to be identical to SAFEAUDIO in effect, though there may be some differences in the mastering process, and the type of noise introduced. It is not known if any CDs in the wild incorporate MusicGuard.

"by Courtesy of Midbar Tech LTD, Tel-Aviv, Israel"

Cactus Data Shield 200 and 300 add C2 errors to the CDS 100's fake TOC. It combines the problems of CDS with the problems of SAFEAUDIO. CDS 300 adds to CDS 200 a data session containing DRMed WMA files of the CD's contents, allowing Windows PCs to play back a lower-quality version of the CD.

Both Cactus Data Shield and SAFEAUDIO/MusicGuard can be bypassed by using a ripper that performs C2 on the extracted audio data (either by asking the drive to perform C2 while reading, or by applying C2 in software whenever the drive reports a read error).

Sunncomm MediaMax CD3

This method deserves an honorable mention, as it is truely the most misguided and ineffective copy control scheme ever devised. The audio data and track/TOC structure of the CD is entirely unaltered, and the CD can be extracted by any computer capable of extracting a normal audio CD. The copy control element of the CD is a data track containing an autoplay script, intended to replace the computer's CD driver with one incapable of ripping audio data of 'protected' CDs. Also on the data track are a set of WMA encoded audio files, with Digital Restrictions Management. Users are intended to install the driver, notice that they can't rip the CD, and then use the DRMed files instead. MediaMax CD3 has drivers for Windows 9x, Windows 2000/XP, and Mac OS X. It does not appear to have drivers for Windows NT, Mac OS 9, or linux. Should the user be unwilling or unable to install the driver, this scheme does absolutely nothing.

"In practice, many users who try to copy the disc will succeed without even noticing that it's protected" - John A. Halderman, "Analysis of the MediaMax CD3 Copy-Prevention System"
The best way to defeat this copy control is not to let it install its driver in the first place. Do not allow the CD to autorun - the autorun program will load the protection driver into memory, though rebooting will remove it and allow ripping of the CD. Under no circumstances agree to the license agreement - clicking 'I agree' installs the driver on the machine permanantly.

To remove the driver from NTs, open device manager, and select view --> "show hidden devices", view --> "devices by connection". Find the driver "SbcpHid", and if it is running, stop it. Set its startup type to disabled. I welcome information on how to remove the driver from 9x and Mac OS X.

In Windows, autorun can by bypassed by holding down the shift key while inserting the CD. Microsoft knowledge base article 155217 describes how to disable autoplay on NT-based windows; article 126025 describes how to disable autoplay on windows 9x. It is possible to disable autostart on Mac OS X, however Apple's knowledge base does not describe how to do so. In my opinion, leaving autoplay enabled opens up a huge hole for malicious code to exploit, for little or no benefit to the user. If you haven't disabled autoplay yet, I strongly urge you to do so.


Rippers that can work on copy-controlled CDs include Exact Audio Copy for Windows (can regenerate TOC, perform C2). cdparanoia for linux can reportedly perform C2 and regenerate TOCs, but I have no experience using it (and for that matter, no linux machines with a CD drive), so I'd welcome input from anyone who has.

1 - the BIOS hangs on startup trying to determine if the CD was bootable or not. iMacs do not have an eject button (or even an eject hole), though for some models it is possible to do an interactive open-firmware boot in order to get the drive ejected. See for how to remove a Cactus Data Shield disk from your iMac.

Obviously enough, copy protection methods depend on the secrecy of the algorithm used. Information on these copy protection methods is aquired though reverse-engineering, and misinformation is rife. I welcome corrections on this writeup.
I cite: