I. Overview of Low-Level Floppy Disk Structure
A track's data starts with the Index Pulse which is sent when a disk's index hole passes over the index sensor. Then follow various kinds of fields on the disk which provide information about the disk's position, the location of the data and the data itself. There are three types of Fields found on a disk, the Index Field, the Sector ID Fields and the Sector Data Fields.
A. Gap & Sync Bytes
Gap Bytes precede and follow all three Fields and are first seen immediately following the Index Pulse. These Gap bytes, typically hex 4E, are used to compensate between slight differences between the drive that originally wrote the disk and the drive that is currently writing the disk. They separate the three types of Fields found a disk. Without some tolerance, the Fields may overwrite each other.
After the Gap bytes come the Sync bytes, which help tell the drive that there will be location information or data to follow. Sync bytes follow a typical pattern of twelve 00s followed by three A1s. These A1 bytes are missing the normal clocks bits and do not follow proper MFM encoding rules so the drive controller can figure out that this is not real data and the real data is coming up. The A1s are also called the Sync Mark or just "A1 Sync".
B. The Index Field
There is only one Index Field on a track and it is the first Field which is present after an Index Pulse. The Index Field is not normally used by PC compatible disks and IBM did not even define the area in its manuals. Many disks do not have a distinguishable Index Field but others do. The Index Field came from Shugart, which invented the floppy disk drive. There are protection schemes which rely on the presence of an Index Field.
The Index Field is a little different from other two Fields. Instead of having Sync bytes of twelve 00s followed by three A1s, the Index Field has twelve 00s followed by three C2 bytes. These C2 bytes also are not valid MFM bytes. Following the C2 bytes there is a single byte of FC, called the Index Address Mark (IAM).
C. Sector ID Fields
Each sector on the disk has a Sector ID Field and a corresponding Sector Data Field.
After the A1 Sync Bytes, a Sector ID Field begins with an FE byte as an ID Address Mark (IDAM). Then the Sector ID field continues with four bytes: the track/cylinder number (00-27), the side/head number (00-01), the sector number (01-09) and finally the sector size ID byte (00-06). Unlike everything else, sector numbers use a convention starting with 01, not 00. The size ID byte tells the system how large the following Sector Data field is and is interpreted as follows :
Size ID Byte Actual Size in Bytes
00 128
01 256
02 512
03 1024
04 2048
05 4096
06 8192
The only sector size the standard DOS FORMAT command will use is a 512 byte sector size. This applies to all standard 5.25" and 3.5" disks and drives, whether double density (160KB, 180KB, 320KB, 360KB & 720KB), high density (1.2MB and 1.44MB) or extra high density (2.88MB). You can use third party utilities to format disks with other sector sizes, but DOS will not read them. Note that a track on a 360KB disk cannot really fit 8192 data bytes. I have never come across a 5.25" double density disk that has had more than 10 x 512 byte sectors.
The next two bytes form a 16-bit Cyclic Redundancy Check (CRC) value. The CRC value verifies that the information contained in the Sector ID field is correct. The bytes calculated include the A1 Sync bytes and the IDAM byte with a Polynomial of 0x1021 and an Initial Value of 0xFFFF. The CRC value is given in big-endian on the disk.
D. Sector Data Fields
As stated above, after the next series of Sync bytes comes a Sector Data Field. The Sector Data Field begins with an FB byte as a Data Address Mark (DAM). Then comes the actual data, the bytes you see with a standard disk dump. Finally comes the 16-bit CRC value, calculated as with the Sector ID Field but with the whole 512 bytes of data.
A Sector ID Field, without the ID Address Mark and CRC Value, is 4 bytes large. A Sector Data Field without the Data Address Mark and CRC Value, is typically 512 bytes large, otherwise the size is whatever the Size ID Byte indicates.
For standard DOS compatible 160KB, 180KB, 320KB and 720KB disks, the only thing that changes is the track number, side number and sector number. 160KB and 180KB disks only use 1 side of the disk, 160KB and 320KB disks only use 8 sectors, and 720KB and larger disks use 80 tracks. High density disks use 15 (1.2MB), 18 (1.44MB) or 36 (2.88MB) sectors per track.
In a hex viewer, a full dump of the start of a disk's track plus its first sector might look like this :
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 00 00 00 00 00
00 00 00 00 00 00 00 C2 C2 C2 FC 4E 4E 4E 4E 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 00 00 00 00 00 00 00
00 00 00 00 00 A1 A1 A1 FE 01 00 01 02 E1 07 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E 4E 4E 00 00 00 00 00 00 00 00 00 00 00 00 A1 A1
A1 FB 55 53 45 52 44 41 54 41 55 53 45 52 44 41 54
41 55 53 45 52 44 41 54 41 55 53 45 52 44 41 54 41
55 53 45 52 44 41 54 41 55 53 45 52 44 41 54 41 55
53 45 52 44 41 54 41 55 53 45 52 44 41 54 41 55 53
45 52 44 41 54 41 55 53 45 52 44 41 54 41 55 53 45
52 44 41 54 41 55 53 45 52 44 41 54 41 55 53 45 52
44 41 54 41 55 53 45 52 44 41 54 41 55 53 45 52 44
41 54 41 55 53 45 52 44 41 54 41 55 53 45 52 44 41
54 41 55 53 45 52 44 41 54 41 55 53 45 52 44 41 54
41 55 53 45 52 44 41 54 41 55 53 45 52 44 41 54 41
55 53 45 52 44 41 54 41 55 53 45 52 44 41 54 41 55
53 45 52 44 41 54 41 55 53 45 52 44 41 54 41 55 53
45 52 44 41 54 41 55 53 45 52 44 41 54 41 55 53 45
52 44 41 54 41 55 53 45 52 44 41 54 41 55 53 45 52
44 41 54 41 55 53 45 52 44 41 54 41 55 53 45 52 44
41 54 41 55 53 45 52 44 41 54 41 55 53 45 52 44 41
54 41 55 53 45 52 44 41 54 41 55 53 45 52 44 41 54
41 55 53 45 52 44 41 54 41 55 53 45 52 44 41 54 41
55 53 45 52 44 41 54 41 55 53 45 52 44 41 54 41 55
53 45 52 44 41 54 41 55 53 45 52 44 41 54 41 55 53
45 52 44 41 54 41 55 53 45 52 44 41 54 41 55 53 45
52 44 41 54 41 55 53 45 52 44 41 54 41 55 53 45 52
44 41 54 41 55 53 45 52 44 41 54 41 55 53 45 52 44
41 54 41 55 53 45 52 44 41 54 41 55 53 45 52 44 41
54 41 55 53 45 52 44 41 54 41 55 53 45 52 44 41 54
41 55 53 45 52 44 41 54 41 55 53 45 52 44 41 54 41
55 53 45 52 44 41 54 41 55 53 45 52 44 41 54 41 55
53 45 52 44 41 54 41 55 53 45 52 44 41 54 41 55 53
45 52 44 41 54 41 55 53 45 52 44 41 54 41 55 53 45
52 44 41 54 41 55 53 45 52 44 41 54 41 55 53 45 52
44 41 54 41 71 12 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E
4E
Green = Gap Bytes
Red = Sync Bytes
Blue = Index, ID and Data Address Mark Bytes
Magenta = CRC Bytes
Black = ID and Data Fields
The hex values in the data field repeat the ASCII for USERDATA over 64 times.
E. Gap Length Conventions
The number of bytes for any given gap, and the value of the gap byte itself, are usually standardized. There are 80 Gap Bytes before the IAM (Post-Index Gap Bytes), 50 Gap Bytes after the IAM, 22 Gap Bytes between an ID Sector Field and a Data Sector Field and 80 Gap Bytes between a preceding Data Sector Field and the following ID Sector Field. There is also a variable number of Gap Bytes following the last Data Sector on the disk. Following the last data sector, there are Gap Bytes until the Index Pulse is sensed (Pre-Index Gap Bytes). These various Gap Byte areas have been given certain identifiers in historical data sheets and manuals:
Pre-Index Gap Bytes/GAP 4B = variable, normally 218 bytes (4E)
Index Pulse
Post-Index Gap Bytes/GAP 4A = 80 bytes (4E)
Index Field Sync = 12 bytes (00) + 3 bytes (C2)
Index Address Mark = 1 byte (FC)
Post Index Field Gap Byte/GAP 1 = 50 bytes (4E)
ID Field Sync = 12 bytes (00) + 3 bytes (A1)
ID Address Mark = 1 byte (FE)
ID Area = 4 bytes
CRC = 2 bytes
Post-ID Field Gap Bytes = GAP 2 (22 x 4E)
Data Field Sync = 12 bytes (00) + 3 bytes (A1)
Data Address Mark = 1 byte (FB)
Data Area = 512 bytes
CRC = 2 bytes
Post-Data Field Gap Bytes = GAP 3 (80 x 4E)
This article shows the layout in a visual format with remarkable clarity in Fig 4 with the exception of the position of GAP 4B. The box for GAP 4B should be at the other end of the image, just before the red dot identifying the index hole.
II. Floppy Disk Encoding
A floppy disk is a magnetic storage mechanism. Data is encoded through a flux reversal, the change in the polarity of a magnetic field from north to south and south to north. A flux reversal could signify a 0 or a 1 bit. We start with the proposition that a 0 is represented by no flux reversal and a 1 is represented by a flux reversal over a specified length of time. However, this scheme is not workable because it becomes too difficult to keep track of the bits when there is a prolonged period with no flux reversals.
There are typically 100,000 flux bits capable of being read on a double density disk. Half are data bits, half are clock bits. This leaves us a data capacity of 50,000 bits or 6,250 bytes.
Thus the Frequency Modulation (FM) method was first used. In this method, a 0 bit is encoded by a flux reversal followed by a no flux reversal, and a 1 bit is encoded by two flux reversals. In order to avoid desynchronization, a clock bit is inserted for every data bit, either 1 or 0. FM uses 4μs for timing to encode a single data bit.
This method is used in the earliest floppy disk controllers, but for home computers only the Atari 8-bit computer disk drives used it. These disk drives were called single density. The IBM PC floppy disk controllers that use an NEC uDP765 or 100% compatible like the Intel 8272 support FM encoding. Later floppy disk controllers lose that functionality.
This system was easy to implement, but not very efficient because half the time is devoted to clocking bits. The next improvement was the Modified Frequency Modulation (MFM) method, which is what PC disk drives use.
In this method, a 0 bit preceded by a 0 bit would be encoded by flux reversal then no flux reversal. A 0 bit preceded by a 1 bit would be two clocks of no flux reversal. A 1 bit would be no flux reversal followed by a flux reversal. No more than three periods of no flux reversals are permitted at a time with MFM encoding. On average this only requires half the flux reversals per bit as in the FM scheme. The effective timing rate for an MFM flux reversal is 2μs. The fewer flux reversals needed, the more data can be stored on a disk. The disks that supported this system were called double density. All IBM PC compatible floppy disk controllers use the MFM encoding scheme, as did the earliest hard disk drives.
To summarize how flux bits are encoded into FM and MFM bitcells:
FM = FLUX
0 = 10
1 = 11
MFM = FLUX
0 preceded by 0 = 10
0 preceded by 1 = 00
1 = 01
Let's try to describe the hex value AA, which is binary 1010 1010.
1 0 1 0 1 0 1 0 - Data Bits
1110111011101110 - FM Encoding
0100010001000100 - MFM Encoding
The inversion of AA is 55:
0 1 0 1 0 1 0 1 - Data Bits
1011101110111011 - FM Encoding
?001000100010001- MFM Encoding
Now consider 00:
0 0 0 0 0 0 0 0 - Data Bits
1010101010101010 - FM Encoding
?010101010101010 - MFM Encoding
And at the other extreme, FF:
1 1 1 1 1 1 1 1 - Data Bits
1111111111111111 - FM Encoding
0101010101010101 - MFM Encoding
The MFM first bit for hex 55 and 00 is unknown because its value depends on the last data bit of the previous byte.
The data lines of a floppy disk drive do not operate in a vacuum. An FM or MFM bitstream includes clocking bits instead of a separate clock line. Normally the two are in sync, meaning that the clock bits correspond exactly to the MFM data bits. But there is one time when they intentionally are not, the Sync bytes. How this happens is as follows :
In MFM encoding, there will never be more than three 0 bits between a 1 bit. However, with this limitation is more liberal than how the bits are actually represented in MFM. The A1 in the Sync bytes does not follow the appropriate clock and data bit pattern. A1 should be encoded as data bits 100010010101001 and clocking bits 0 0 0 1 1 1 0 and is encoded that way in a Sector Data Field (there is no reason for it to appear in a Sector ID Field). However, to put the A1 out of sync, the following pattern is produced by the clocking bits : 0 0 0 1 0 1 0. The resulting fifth bit is not as it should be, instead it appears as 100010010001001, with the fifth bit being different. This error signals to the disk controller that this is a Sync byte.
In MFM encoding, there will never be more than three 0 bits between a 1 bit. However, with this limitation is more liberal than how the bits are actually represented in MFM. The A1 in the Sync bytes does not follow the appropriate clock and data bit pattern. A1 should be encoded as data bits 100010010101001 and clocking bits 0 0 0 1 1 1 0 and is encoded that way in a Sector Data Field (there is no reason for it to appear in a Sector ID Field). However, to put the A1 out of sync, the following pattern is produced by the clocking bits : 0 0 0 1 0 1 0. The resulting fifth bit is not as it should be, instead it appears as 100010010001001, with the fifth bit being different. This error signals to the disk controller that this is a Sync byte.
III. Copy Protection
Copy protection methods on the IBM PC platform ultimately generally work within this scheme. Other systems like the Apple II, Commodore 64, Atari ST and Commodore Amiga have controller hardware that allows far more sophisticated protection methods to be used. The PC disk controller will not tolerate the more bizarre methods like half tracks, fat tracks, spiral streams, offset tracks or varying bitrate speeds.
The simplest methods are to use non-standard sector sizes, sector numbers or tracks. This is good enough to bypass DISKCOPY and FORMAT, but any utility that uses the PC BIOS can format a disk with a nonstandard number of tracks, sector sizes or sector numbers. Each track and sector within the track can have differing sector sizes.
Another simple method is to use the write protection tab/notch on a disk. If a program expects the disk to be write protected, it may try to write a destructive sequence of bytes to the disk. Of course, the original disk should have no tab or notch. Be wary if you see a disk notched roughly via scissors or with a hole punch.
A common method is to intentionally write a disk with erroneous CRC bytes. A standard IBM PC Diskette Adapter can read, but not write erroneous CRCs. Of course, sectors with data that cannot be reliably read will also return CRC errors. It is then up to the person de-protecting the diskette to figure out whether the error is intentional or unintentional.
Another method is to check that the exact number of Gap and Sync Bytes are on the disk. If the original disk was written with 16 of each and the copy only has 15, that is a way to detect the copy. The program could instead read data from the Gap bytes, like an encryption key. The PC disk controller's read track command would read the Gap bytes.
A method used the Sync bytes to let sectors overlap. The disk can play with the sector ID sizes to make no sense physically, like having sector 1 with an ID of 8192 bytes and then fitting the other sectors "within" sector 1. This protection can often be fooled by writing the image to a high density disk, which allows for 15 or 18 sectors per track. Of course, high density disk controllers were far from ubiquitous in the 1980s when most of these games were released.
A devious method used weak bits. In this case, the game would read an area on the disk insufficient flux transitions have been written, making the read coils increase the gain to try to find transitions. If there were sufficiently lengthy periods without a flux transition (greater than three 0 flux bits) the read head would send back random data on different track rotations as the head tried to guess where one bitcell began and the last one ended. The game would not expect the same result to be returned from multiple reads of a sector. If the same results were always read back, the game would fail to work, thinking it was being run on a copy. Unfortunately, if the disk was damaged unintentionally or the flux transitions have lost their force with age, a flux copier like an Option Board, Catweasel, Kryoflux, Super Card Pro or a Greaseweazle may misinterpret this and make a bad copy.
IV. Known Protection Schemes used in Games :
Cops Copylock II (HD Media Supported)
Legend of Mystic Zone, The
Rising Dynasty, The
Electronic Arts IBM Interlock
Used by Electronic Arts booters, involves 96 interleaved sector IDs, typically at track 15, side 0. They also use 200KB and 400KB disk sizes with 10 sectors per track.
Amnesia
Archon: The Light and the Dark
A method used the Sync bytes to let sectors overlap. The disk can play with the sector ID sizes to make no sense physically, like having sector 1 with an ID of 8192 bytes and then fitting the other sectors "within" sector 1. This protection can often be fooled by writing the image to a high density disk, which allows for 15 or 18 sectors per track. Of course, high density disk controllers were far from ubiquitous in the 1980s when most of these games were released.
A devious method used weak bits. In this case, the game would read an area on the disk insufficient flux transitions have been written, making the read coils increase the gain to try to find transitions. If there were sufficiently lengthy periods without a flux transition (greater than three 0 flux bits) the read head would send back random data on different track rotations as the head tried to guess where one bitcell began and the last one ended. The game would not expect the same result to be returned from multiple reads of a sector. If the same results were always read back, the game would fail to work, thinking it was being run on a copy. Unfortunately, if the disk was damaged unintentionally or the flux transitions have lost their force with age, a flux copier like an Option Board, Catweasel, Kryoflux, Super Card Pro or a Greaseweazle may misinterpret this and make a bad copy.
IV. Known Protection Schemes used in Games :
Cops Copylock II (HD Media Supported)
Legend of Mystic Zone, The
Rising Dynasty, The
Electronic Arts IBM Interlock
Used by Electronic Arts booters, involves 96 interleaved sector IDs, typically at track 15, side 0. They also use 200KB and 400KB disk sizes with 10 sectors per track.
Amnesia
Archon: The Light and the Dark
Chuck Yeager's Advanced Flight Trainer
Chuck Yeager's Advanced Flight Simulator
Hard Hat MackJulius Erving vs. Larry Bird Go One-on-One
Marble Madness
Murder on the Zinderneuf
Pinball Construction Set
Seven Cities of Gold, The
Super Boulder Dash
Timothy Leary's Mind Mirror
Will Harvey's Music Construction Set
Marble Madness
Murder on the Zinderneuf
Pinball Construction Set
Seven Cities of Gold, The
Super Boulder Dash
Timothy Leary's Mind Mirror
Will Harvey's Music Construction Set
World Tour Golf
Formaster Copylock
Contains a sector with errors, usually at at track 20, side 0, sector 5. The sector ID is marked as having 256 bytes, but actually has 512 bytes, fooling copiers like TeleDisk. Used mostly by Sierra. This protection will probably fail at speeds greater than an AT (8MHz 80286)
B.C.'s Quest for Tires (Sierra release)
Crossfire (IBM PCjr floppy disk versions)
Formaster Copylock
Contains a sector with errors, usually at at track 20, side 0, sector 5. The sector ID is marked as having 256 bytes, but actually has 512 bytes, fooling copiers like TeleDisk. Used mostly by Sierra. This protection will probably fail at speeds greater than an AT (8MHz 80286)
B.C.'s Quest for Tires (Sierra release)
Crossfire (IBM PCjr floppy disk versions)
Gato (versions 1.0-1.4)
Great Escape, The (Thunder Mountain)
Hardball (Disk 2/EGA Disk, & Tandy Release)
King's Quest (IBM PC-CGA booter rev0, rev1)
Mr. Cool
Pinball Wizard
Oil's Well
Quink (Thunder Mountain)
Sierra Championship Boxing (1984 version)
Top Gun (Thunder Mountain rev0)
Troll's Tale
Ultima II (rev0 & PCjr. version)
Ultima III (rev0, rev1, rev2)
Wizard and the Princess, The (IBM PCjr exclusive version)
Hardball (Disk 2/EGA Disk, & Tandy Release)
King's Quest (IBM PC-CGA booter rev0, rev1)
Mr. Cool
Pinball Wizard
Oil's Well
Quink (Thunder Mountain)
Sierra Championship Boxing (1984 version)
Top Gun (Thunder Mountain rev0)
Troll's Tale
Ultima II (rev0 & PCjr. version)
Ultima III (rev0, rev1, rev2)
Wizard and the Princess, The (IBM PCjr exclusive version)
H.L.S. Duplication
Accolade and Epyx used this type of protection. There is an additional sector ID field in one of the sectors.
Bad Dudes
Boot Camp
Accolade and Epyx used this type of protection. There is an additional sector ID field in one of the sectors.
Ancient Land of Ys
Apollo 18
AjaxBad Dudes
Boot Camp
Batman - The Caped Crusader
California Games
California Games
Crossword Magic
Destroyer
Final Assault
Gauntlet (rev1Grand Prix Circuit (early version only)
Hardball (Disk 1 only)
Jr. Pac-Man
Karateka
L.A. Crackdown
Mean 18
Mini-PuttRack'em
Rush 'n' Attack
Rush 'n' Attack
RoboCop (Data East)
Serve and Volley
Star Wars (Broderbund)
Street Sports Basketball
Sub Battle Simulator
Super Pac-Man (rev0)
Test DriveTest Drive II (including Expansion Disks
TKO
Microprose Protection 1
Microprose Protection 1
Protection is found on track 4, side 0. Uses overlapping sectors.
Gunship (certain versions)
Sid Meier's Pirates
Microprose Protection 2
Gunship (certain versions)
Sid Meier's Pirates
Microprose Protection 2
Protection is found on tracks 38-39, side 0. Uses overlapping sectors.
Airborne Ranger
The Amazing Spider-Man and Captain America in Dr. Doom's Revenge!
F-15 Strike Eagle II
F-19 Stealth Fighter
M1 Tank Platoon
Airborne Ranger
The Amazing Spider-Man and Captain America in Dr. Doom's Revenge!
F-15 Strike Eagle II
F-19 Stealth Fighter
M1 Tank Platoon
Megatraveller
Microprose Pro Soccer
Sid Meier's Pirates (432.02 and above)
Red Storm Rising
Rick Dangerous
Savage
Stunt Track Racer
Sword of the Samurai
X-Men - Madness in Murderworld
Sid Meier's Pirates (432.02 and above)
Red Storm Rising
Rick Dangerous
Savage
Stunt Track Racer
Sword of the Samurai
X-Men - Madness in Murderworld
Mindscape DEM
This protection uses weak bits and will probably fail at 386 speeds (16MHz and above)
Blockbuster!
Blockbuster!
Captain Blood
Contra
Defender of the Crown (rev0)
Forgotten Worlds
Gauntlet (rev0)
Italy 1990
Jackal
Moonwalker
Outrun
Paperboy (Elite)
Paperboy (Elite)
Paperboy (Mindscape)
Road Runner
Shadowgate
Space Harrier
Street Fighter
Strider
Super Pac-Man (rev1)
Top Gun (Thunder Mountain rev1)
Minder03
Used by Prism Software
Pipe Dream (European version, U.S. version by LucasFilm Games used a Codewheel)
On-Line Systems Protection #1
This protection will fail in a PCjr. or DMA-less Tandy 1000 and does not work with the 2nd and 3rd IBM PC/XT BIOS.
Crossfire (PC)
Frogger
Ulysses and the Golden Fleece
Origin Systems OSI-1
Used by all Origin Systems games with an EXE executable.
Crossfire (PC)
Frogger
Ulysses and the Golden Fleece
Origin Systems OSI-1
Used by all Origin Systems games with an EXE executable.
2400 A.D.
Bionic Commando
Ultima I (rev1)
Ultima II (Origin Ultima Trilogy Release)
Ultima IV
Ultima V
Sector ID Duplication
Ultima II (Origin Ultima Trilogy Release)
Ultima IV
Ultima V
Atarisoft
Battlezone
Defender
Ms. Pac-Man (Atarisoft & Thunder Mountain)
Stargate
Datasoft
Uses weak bit protection
Bruce Lee
Dallas Quest, The
Dig Dug (Datasoft)
Juno First
Lost Tomb
Rob Northern Copylock
Uses "strong bits" and calculates the entropy expected. Encrypts the actual executable and stores a 32-bit decryption number on a bad sector.
Uses "strong bits" and calculates the entropy expected. Encrypts the actual executable and stores a 32-bit decryption number on a bad sector.
Back to the Future Part III
Blade Warrior
Blasteroids
Blood Money
Borodino
Carrier Command
Castle Master
Cisco Heat
Frank Bruno's Boxing (Finale)
Kick Off 2
Klax
Lemmings (1991-07-19)
Oh No! More Lemmings (comes in disk-based and document-based versions)
Lemmings 2: The Tribes (uses High Density disks)
Midwinter
Mighty Bomb Jack
Nebulus
Onslaught
Paperboy (Finale)
Pit Fighter (Domark)
Predator 2
Pro Tennis Tour
Resolution 101
The Sentinel
Stormlord
Thunderstrike
Toobin'
Weird Dreams
Xenomorph
Xenon II
Sector ID Duplication
Sierra used this for the versions of their games distributed under Tandy's label prior to 1985. In this scheme, there are multiple sectors with identical Sector IDs, but different data. Subsequent read sector commands will read the later sectors.
BC's Quest for Tires (Tandy release)
King's Quest (Tandy version & PCjr./Tandy version)
BC's Quest for Tires (Tandy release)
King's Quest (Tandy version & PCjr./Tandy version)
Wizard of Ids WizType (Tandy release)
Softguard Superlok v3.0 with original loaderFound mostly in Taito games. Works like Sierra's version, but with a different loader that is harder to decrypt. The file CMLxxxx.FCL will be present.
Arkanoid
Arkanoid II: Revenge of DOH
Bubble Bobble
Operation Wolf
Puzznic
QIX
Rambo III
Rastan
Renegade
Sky Shark
Softguard Superlok v2.3 with Sierra's Loader
This protection was used in Sierra's games. It relied on a track with non-standard sector sizes, overlapping sectors, CRC errors in the sector data field There is a hidden file called CPC.COM on the first disk that checks for the protection. All these games could be installed to a hard drive, but required the first disk, the key disk, to be inserted in a floppy drive. Police Quest: In Pursuit of the Death Angel and Mixed Up Mother Goose, were the only AGI version 2 games that never seemed to be protected. This protection was applied to both booter and DOS games but was no found on AGI version 3 games.
3-D Helicopter Simulator (versions 1.00 & 1.10)
Black Cauldron, The (AGI versions 1.1J, 1.1K, Tandy & 2.00)
Donald Duck's Playground
King's Quest I: Quest for the Crown (AGI versions 1.0U & 2.0F)
King's Quest II: Romancing the Throne (AGI versions 1.0W, 1.1H, Tandy, 2.1 & 2.2)
King's Quest III: To Heir is Human
Leisure Suit Larry in the Land of the Lounge Lizards (AGI version)
Mickey's Space Adventure (3.5" disks only)
Sierra Championship Boxing (1985 version)
Space Quest: The Sarien Encounter (AGI version)
Space Quest II: Vohaul's Revenge
Thexder
Sierra Championship Boxing (1985 version)
Space Quest: The Sarien Encounter (AGI version)
Space Quest II: Vohaul's Revenge
Thexder
Ultima II (rev1)
Weak Bits Generic Implementation
Weak Bits Generic Implementation
Typically done by using more than three 0 bits following a 1 bit in violation of MFM encoding rules.
Green Beret
RoboCop (Ocean)
Starglider II
After Burner
Bop'N' Wresting
Harrier Combat
Horror Zombies From The Crypt
Rick Dangerous II
Shinobi
Harrier Combat
Horror Zombies From The Crypt
Rick Dangerous II
Shinobi
POLA106
Uses weak bits
Ghosts 'n Goblins (rev1)
U.S. Gold
Uses weak bits
Solomon's Key
This protection will probably fail at greater than IBM AT (8MHz 286) speeds. Most games protected by this protection use weak bits
4 Soccer Simulators
AM, FM Trivia Vol. 2
Arac
AM, FM Trivia Vol. 2
Arac
Boulder Dash (Prism Leisure, no weak bit)
Boulder Dash 2 (Prism Leisure Release)
Boulder Dash 2 (Prism Leisure Release)
Circus Games
Football Manager
Football Manager 2
Football Manager
Football Manager 2
Frank Bruno's Boxing
Hotshot
Ninja Rabbits
The King of Chicago
Mayday Squad Heroes
Speedball
Super Sunday
World Championship Soccer
Xidex Magnetics XEMAG / XELOK
Used mainly by Broderbund. Has 16 sectors instead of 8 on track 9, side 0.
Bank Street Writer
Championship Lode Runner
F-15 Strike Eagle
Friendlyware PC Arcade (v3.0)
GFL Championship Football
Inca
The Last Ninja
Lode Runner (rev0, rev1, Tandy)
Quink (CBS Software)
Rampage
Sargon 3
Spitfire Ace
Super Hang-On
Transylvania
Trivia Fever
Ultima I (rev0)
Ultima III (rev3)
Word ChallengeTitus
Baby Jo in ''Going Home'
The Blues Brothers
Crazy Cars 2
Dick Tracy
Les Aventures de Moktar (rev1)
Fire and Forget (Titus Gap Count v1)
Fire and Forget II
Fire and Forget II
Highway Patrol II
Knight Force
Off Shore Warrior
Panza Kick Boxing
Pinball Magic
Prehistorik (Titus Gap Count v1)
RKO
Agent U.S.A
Data Encore
Crime and Punishment
Sector overlap
Commando (rev0)
Ghostbusters
Ikari Warriors
Might and Magic (rev1)
Might and Magic II
Oo-Topos
Sherlock Holmes - Another Bow
World Games
Sonopress
Grand Monster Slam
RPL
Ken Uston's Professional Blackjack
MicroLeague Baseball
Infogrames
Safari Guns
Insoft
Wordtrix
Miscellaneous Protections
These disks contain unusual but valid MFM Data. Most use simple methods like non-standard sector seizes, which are probably the earliest method of copy protection and can easily be copied with TeleDisk.
Adventure in Serenia
Algebra Arcade
Alpine Tram Ride
Alleycat
Arkanoid (Imagine)+Super Tennis
Below the Root
Bivouac
Centipede
Changes
Crypto Cube
Cyrus
Czorian Siege (requires DMA controller)
Dig Dug (Atarisoft)
Electric Crayon Deluxe - TMNT - World Tour (v3.0)
Facemaker (Gold Edition)
Galaxian
Gremlins
Gryzor
IDSI's Rack 'em Up
In Search of the Most Amazing Thing (v2.0)
Jumpman
Jungle Hunt
King's Quest (128k IBM)
Microsoft Flight Simulator (v1.x)
Microsoft Flight Simulator (v2.x)
Moon Patrol
Pitstop II
Planetfall
Sid Meiers' Pirates! v432.03
Sorcerer (r4)
Touchdown Football (IBM)
Trains (DOS version)
Trap-A-Zoid
Wizardry
Wizardry II
Wizardry III
Wizardry IV
Wizardry V
ZorkQuest II
There are several programs that rely purely on the floppy disk controller to try to make a working backup, including Teledisk, ImageDisk, CopyIIPC & Snatchit. None of them is a perfect solution. TeleDisk did not take every PC protection method into account, but its great to write images with non-standard sector sizes. ImageDisk is a newer program and doesn't have that many disk images available for it, but it too is bound by the limitations of the PC disk controller. CopyIIPC and Snatchit only work on 100% compatible IBM PCs (no Tandy 1000s or PCjr.s), do not work at high 386 speeds or faster and potentially will modify the data on the disk image to crack the program.
The closest thing that was available back in the 1980s that could copy anything was Central Point Software's Deluxe Option Board. This was a hardware ISA card that intercepted the signals between the disk drive and disk controller. Because it operated on the flux transition level, it could theoretically copy anything from a double density disk. It could write bad CRCs, overlapping sectors, interleaved sectors and data in the gap bytes. This board used a program called TransCopy. TransCopy could save an image of a disk for future rewriting. 360KB disks would have an image that would be 1,088KB in size.
TransCopy was not without its flaws. The non-Deluxe Option Board could only work with TransCopy versions 4.x or earlier. TransCopy versions below 5.x would not copy 80 track disks, inlcuding 720KB disks. TransCopy images made with version 5.x would not work with earlier TransCopy versions. TransCopy would also be crippled so that it would not work with certain protections, depending on which company was threatening CPS with litigation at the time. You would need to hope that an earlier version of TransCopy would work. Copy Copylock II will not be able to written back with an Option Board or Deluxe Option Board.
The modern equivalent of the TransCopy board are the Kryoflux and SuperCard Pro. In the PC context, KryoFlux will create raw stream files of each track. There are utilities that can convert these raw stream files to TransCopy or TeleDisk formats. It can now write back raw stream files, so you no longer need to send your disk to the SPS and get an IPF file. However, writing back raw stream files is not fully reliable because it does not account for fluctuations in drive rotation speed and imperfections in the signal, possibly leading to signal loss similar to copying analog tapes. There are unsupported utilities to make your own IPF files, but it appears that unless you know the stream format well, you may not be able to write back a working disk. SuperCard Pro does the same thing but contains everything in one file. The two formats require conversion.
Very good article, maybe you want to mention super card pro
ReplyDeleteit's a very good alternative for modern raw dumps, some people thinks is better than kryoflux,
url: http://www.cbmstuff.com/proddetail.php?prod=SCP
I forgot to mention the SuperCard Pro. I am not sure how friendly it is to IBM PC disks, but Kyroflux is not exactly known for being super friendly to PC formats either.
ReplyDeleteExcellent article it was 25 years ago when I was young :-(
ReplyDeleteI used a software called copywrite from Quaid Software. I thinks it worked better tha CopyIIPC
I still have my old Amstrad 1512 and 1640 with deluxe option board also
nostalgie...
"A devious method used weak bits." This is incorrect.
ReplyDeleteThe correct term is "Marching Bits" where the recording is actually recorded using a much shorter time window to record then the read device. When mass producing floppy discs the bits needed to be exactly centered so the real-world playback was possible on drive with various speed variation and flutter. "Window Margin" is a measure on how small the time span can be narrowed and still have the disc read correctly. 25% window was standard passing quality during production when discs were verified - yes every bit recorded was verified or the disc rejected even "4E" bytes.
Protection was achieved by placing "1" bits progressive closer to the beginning or end a the recording time window. The bits were NOT recorded weakly. Due to very slight variation in drive speed (Flutter) would result in inconsistent reading of the data. Thus "00100" is recorded near the beginning of the window, some read backs resulted as "01000". The verification software confirmed the "Marching Bits" as required and not as a read error. When a copy-protected disc was copied the bit is no longer off-centered and therefore reads without variation each time. Quality standards required 3 reads to produced 2 variations. The "Marching Bit" records a series of data bits with a single bit progressively off center thereby assuring a stable misread. Embedded software read this hidden sector to confirm variation before executing the program. The disc must remain in the drive for full features.
Unfortunately, Marching Bits resulted in distribution copies that had true COPY PROTECTION. Game software often had "marching bits" without the ability to make copies. Furturemore, Boot-leg discs had variation in the game that annoyed the users. Such variation included tasks that could never be completed. Business software consumers wanted an ability to make an archive copy. When asked how to make a backup copy the answer was "you cannot copy because the copy would be unprotected."
This will help me to develop my own hardware floppy emulator. Thanks you!
ReplyDelete