PC Floppy Copy Protection: XEMAG Xelok

This is part 5 of a series of articles investigating various floppy copy-protection schemes seen on the IBM PC platform. You may wish to read the previous entries in this series:

XEMAG was a commercial disk duplicator that provided services to companies such as Electronic Arts, Activision, IBM, Ashton-Tate, and Oracle.

XEMAG traces its origins to the disk duplication department of Peripheral Marketing, Inc., from which it was spun off in 1983. By 1983 they were duplicating a million floppies a month.


Reproduction of a design appearing on some XEMAG swag

 

For some background into what working at XEMAG was like, you may wish to read this interview with Peter Brown, a former XEMAG employee.

XEMAG was acquired by the Xidex Magnetics Corporation in February of 1983, for $3.78 million. Xidex would then acquire disk manufacturer Dysan in early 1985. Dysan had its own line of disk duplication equipment, which XEMAG would begin using along with Formaster and Trace devices. The end of 1988 would mark the production of their 1 billionth floppy disk.

XEMAG developed their own protection technology in-house which they offered to clients. There is even some indication that XEMAG developed the Interlock protection for Electronic Arts.

In 1984, XEMAG relocated their headquarters to the Silicon Valley city of Menlo Park.

This is going to be a bit of a short article, as there's no real significant drama surrounding XEMAG, other than a series of corporate acquisitions and restructuring over its history. The protection methods discussed here are not extreme.

XELOK

XEMAG used the trade name XELOK for several versions of their in-house copy protection, which appeared as different schemes depending on platform.

On the Apple II and Commodore 64, the Xelok protection scheme involved the use of "fat tracks," which you could think of as a single track that was twice as wide as normal, or somehow two tracks of data duplicated perfectly with no gap in between. A copy-protected title could check it was running from the original disk by seeking between the logical tracks contained within this wide track while reading, and ensuring no data errors resulted.

This would have been near-impossible to duplicate on a standard floppy drive. Creating this track required use of a special disk drive.

Luckily for us, you cannot step the drive head while reading on the PC, thanks to the limitations of the standard NEC floppy controller command set. XEMAG's Xelok protection had to take a different form on the IBM platform.

There were at least two versions of Xelok on the PC, which I will call Xelok v1 and Xelok v2.

I can't help but note that according to this dictionary, the word 'Xelok' in the Mayan language means to split or crack. I'm sure this is just some sort of cosmic coincidence.

Xelok v1

One game protected by Xelok v1 is the 1984 PC Booter release of SARGON III, the third edition of the famous computer chess engine. We can tell due to the contents of the disk's FM-encoded protection mark sector on Track 40, which contains:

NO VERSION #....XELOK IBM-PC (DUP) 5" 48/40 1S DD 8-SS.

Let's take a look at the disk surface:

Sargon III (PC Booter) (1984)

Right off the bat we start each track with an unusual ID of 27, which overlaps Sector 1, and has a bad data CRC as a result.  What's more interesting is at the end of each track - we have 16 sector IDAMs without any DAMs to match!

A bit of a refresher if you need it. Each sector on a floppy disk usually consists of two parts. The first is a sector header, which begins with an ID Address Mark (IDAM), the specially-encoded sequence 0xA1, 0xA1, 0xA1, 0xFE. Following the address mark are IDs for that sector's cylinder, head, and sector, then a value representing the size of the sector, and finally a CRC to validate the entire sector header.

Once a disk drive has located the sector header it was looking for, it must get ready to actually read or write the sector data. To accommodate the timings involved, there is a gap (GAP2) of several bytes between the header and the actual sector data. The data then follows, starting with a Data Address Mark (DAM).

Nothing actually forces you to write any data after a sector header, though, and since a sector header by itself is quite small, we can cluster a bunch of them together back-to-back. Naturally, it would be hard to trick a PC's floppy controller into reproducing this.

This scheme might be a bit of a problem for MartyPC, as I currently only notate a sector when I find a DAM - and I populate the sector metadata with the values from the last IDAM seen.  We will need to modify our approach a bit. We can add a 'data_missing' flag to our sector metadata, and push a sector with that flag set if we encounter another IDAM instead of the DAM we expected.

Without such a fix, we get stuck here:

Failing the protection check

When we attempt to read a sector without a DAM, we need to return the right controller status codes. Specifically, we must return abnormal termination, and the 'NDAM' bit in the ST2 status byte should be set when a valid DAM cannot be found.
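The approach described above, as an added Rust example that is not MartyPC's actual code: a scanner over already-decoded track bytes that records every IDAM as a sector and leaves a data_missing flag set when no DAM follows, plus the status a read of such a sector should end with. All names are hypothetical, the sample track is constructed, and marks are matched by byte pattern only, where a real decoder would also use their missing clock bits.

```rust
// Added illustration: all names are hypothetical, not MartyPC's own code.
const IDAM: [u8; 4] = [0xA1, 0xA1, 0xA1, 0xFE]; // sector header mark
const DAM: [u8; 4] = [0xA1, 0xA1, 0xA1, 0xFB]; // sector data mark
pub const ST0_ABNORMAL: u8 = 0x40; // ST0 interrupt code 01
pub const ST2_NO_DAM: u8 = 0x01; // ST2 bit 0, the page's 'NDAM'

#[derive(Debug)]
pub struct Sector { pub chrn: [u8; 4], pub data_missing: bool } // chrn = C,H,R,N

/// Each IDAM yields a sector, flagged data_missing until a DAM follows it.
pub fn scan_track(track: &[u8]) -> Vec<Sector> {
    let mut out: Vec<Sector> = Vec::new();
    let mut i = 0;
    while i < track.len() {
        let rest = &track[i..];
        if rest.len() >= 10 && rest.starts_with(&IDAM) {
            let chrn = [rest[4], rest[5], rest[6], rest[7]];
            out.push(Sector { chrn, data_missing: true });
            i += 10; // mark + C,H,R,N + two CRC bytes
        } else if rest.starts_with(&DAM) {
            if let Some(last) = out.last_mut() { last.data_missing = false; }
            i += 4;
        } else { i += 1; }
    }
    out
}

/// (ST0, ST2) a read of sector id `r` ends with; None if no header has it.
pub fn read_status(sectors: &[Sector], r: u8) -> Option<(u8, u8)> {
    let s = sectors.iter().find(|s| s.chrn[2] == r)?;
    Some(if s.data_missing { (ST0_ABNORMAL, ST2_NO_DAM) } else { (0, 0) })
}

/// Constructed sample: sector 1 has data, sectors 2-4 are bare headers.
pub fn sample_track() -> Vec<u8> {
    let mut t: Vec<u8> = vec![0x4E; 16];
    for r in 1..=4u8 {
        t.extend_from_slice(&IDAM);
        t.extend_from_slice(&[5, 0, r, 2, 0, 0, 0x4E, 0x4E]); // CHRN, dummy CRC, gap
        if r == 1 {
            t.extend_from_slice(&DAM);
            t.extend_from_slice(&[0xF6; 32]); // shortened data field
        }
    }
    t
}

fn main() { println!("{:?}", scan_track(&sample_track())); }
```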

With that accomplished, how about a nice game of chess?

Sargon III in MartyPC

All those extra IDAMs take up a lot of space at the end of the track. This scheme was likely not feasible once 9-sectored disks became commonplace and needed the room that they occupied. That means we needed a new version of Xelok...

Xelok v2

One title protected by Xelok 2 is the classic strategy title from Brøderbund, The Ancient Art of War.

As confirmation, the duplication mark on track 40 contains the following:

NO VERSION #....-XELOK2-IBM PC PRT (DUP) - 5" 48/40 2S DD 9SS

Here's what the disk surface of side 0 looks like:

The Ancient Art of War (1985) 

The only thing notable here is Track 10, which contains 18 sectors in overlapped pairs. Despite being overlapped, both sectors in each pair have a valid CRC, which would have been difficult to duplicate.

Nothing here requires any new capabilities from our floppy disk code, so it works straight away:

The Ancient Art of War in MartyPC

XELOK2.SYS

On a Xelok 2 protected title, you may find a hidden file named XEMAG.SYS or XELOK2.SYS. The latter file is present on the disk of The Ancient Art of War, and is 5119 bytes long.

If you copy XELOK2.SYS to your hard disk using standard DOS commands, you'll find that it does not seem to contain code. At first glance, it appears to contain nonsense. Well, not entirely nonsense if you've stared at enough sector dumps:


0000  F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6  öööööööööööööööö
0010  F6 F6 F6 F6 F6 F6 F6 F6 4E 4E 4E 4E 4E 4E 4E 4E  ööööööööNNNNNNNN
0020  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0030  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0040  4E 4E 4E 4E 4E 4E 4E 4E 00 00 00 00 00 00 00 00  NNNNNNNN........
0050  00 00 00 00 A1 A1 A1 FE 09 00 0D 02 7C 75 4E 4E  ....¡¡¡þ....|uNN
0060  4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN
0070  4E 4E 4E 4E 00 00 00 00 00 00 00 00 00 00 00 00  NNNN............
0080  A1 A1 A1 FB F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6  ¡¡¡ûöööööööööööö
0090  F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6  öööööööööööööööö
00A0  F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6  öööööööööööööööö
00B0  F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6  öööööööööööööööö
00C0  F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6  öööööööööööööööö
00D0  F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6  öööööööööööööööö
00E0  F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6  öööööööööööööööö
00F0  F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6  öööööööööööööööö

If you look closely at line 0050, you can see the tell-tale sequence of a Sector ID Address Mark (IDAM) - 0xA1, 0xA1, 0xA1, 0xFE. This file is mapped onto the protection track, so what we are seeing is an "inner" sector in this overlapped sector scheme.

5119 bytes is enough to get us most of the way around the protection track, so we can see the contents of 8 separate sectors when reading this file. Unlike the Superlok protection track, all the sectors on the Xelok protection track are filled with the standard fill byte 0xF6, so they do not contain an encryption key, although I can't rule out that the data in these sectors could have been used for such a purpose.
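To check that the bytes at line 0050 really are a sector header and not a coincidence, here is an added Rust example (not part of the original article) that scans the dump excerpt for the IDAM, decodes the ID field, and verifies the header CRC. It assumes the usual CRC for MFM sector headers (CCITT polynomial 0x1021, preset 0xFFFF, covering the three 0xA1 bytes, the 0xFE mark and the four ID bytes); function and type names are hypothetical.

```rust
// Added illustration: hypothetical names; bytes are taken from the dump above.
const IDAM: [u8; 4] = [0xA1, 0xA1, 0xA1, 0xFE];
const DAM: [u8; 4] = [0xA1, 0xA1, 0xA1, 0xFB];

/// CRC-16/CCITT (poly 0x1021, init 0xFFFF), run over the mark + C,H,R,N.
pub fn crc16(data: &[u8]) -> u16 {
    let mut crc: u16 = 0xFFFF;
    for &b in data {
        crc ^= (b as u16) << 8;
        for _ in 0..8 {
            crc = if crc & 0x8000 != 0 { (crc << 1) ^ 0x1021 } else { crc << 1 };
        }
    }
    crc
}

#[derive(Debug, PartialEq)]
pub struct Header {
    pub offset: usize, pub chrn: [u8; 4], // IDAM file offset; C,H,R,N bytes
    pub crc_ok: bool, pub dam_offset: Option<usize>, // CRC valid; next DAM
}

/// Find every sector header embedded in `buf` and validate its CRC.
pub fn find_headers(buf: &[u8]) -> Vec<Header> {
    let mut out = Vec::new();
    for (i, w) in buf.windows(10).enumerate() {
        if !w.starts_with(&IDAM) { continue; }
        let chrn = [w[4], w[5], w[6], w[7]];
        let crc_ok = crc16(&w[..8]) == u16::from_be_bytes([w[8], w[9]]);
        let dam = buf[i + 10..].windows(4).position(|m| m.starts_with(&DAM));
        out.push(Header { offset: i, chrn, crc_ok, dam_offset: dam.map(|p| i + 10 + p) });
    }
    out
}

/// First 0x90 bytes of XELOK2.SYS, rebuilt at the offsets the dump shows.
pub fn dump_excerpt() -> Vec<u8> {
    let mut b: Vec<u8> = vec![0xF6; 0x18]; // fill bytes
    b.resize(0x48, 0x4E); // gap
    b.resize(0x54, 0x00); // sync run
    b.extend_from_slice(&[0xA1, 0xA1, 0xA1, 0xFE, 0x09, 0x00, 0x0D, 0x02, 0x7C, 0x75]);
    b.resize(0x74, 0x4E); // gap after the header
    b.resize(0x80, 0x00); // sync run
    b.extend_from_slice(&DAM);
    b.resize(0x90, 0xF6); // start of the data field
    b
}

fn main() { println!("{:x?}", find_headers(&dump_excerpt())); }
```

Run against the excerpt, it reports a single header at offset 0x54 with ID bytes 09 00 0D 02, a valid CRC, and the data mark at offset 0x80.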

Mapping this file over the protection track is a clever way of accessing the protection track data without making obvious calls to disk interrupt 13h or issuing a Read Track command directly to the controller. This way, the guts of DOS file loading code will perform the work for us, making it a less obvious target to hook. But that wouldn't have fooled anyone for very long.

An Easy Bypass?

The Xelok 2 protection relies on a protection track with 18 sectors - doubling up the standard 9 sectors in an overlapped fashion. This would have been difficult to reproduce for a standard PC floppy controller - at least, at the time of its introduction.

When the 1.44MB floppy drive was introduced to the PC world in 1987, the standard number of sectors per track was doubled - from 9 to 18. 

If the protection wants to see 18 sectors - surely it couldn't be as simple as copying the game to a 1.44MB diskette?  I replicated this setup in the 86Box emulator and sure enough, after configuring an AT system for a 360K drive A: and a 1.44MB drive B:, it was as simple as issuing the command:

diskcopy a: b:

After the copy operation was complete, executing b:war started the game as normal.

Fooling Xelok 2 with a 1.44MB floppy

Thanks again to NewRisingSun for the tip, which I first saw on the VOGONS forums.

XEMAG Cloaking Device

Curiously, a modest advertisement appears in PC magazines around 1987 describing a "Cloaking Device" protection scheme:


Was this a variant of XELOK with additional software support for hard disk installs, or something new entirely? If you know, leave a comment!




